Ubuntu Manpage: ip_allow.config - Traffic Server IP access control configuration file

Provided by: trafficserver_8.1.1+ds-1.1_amd64

NAME

       ip_allow.config - Traffic Server IP access control configuration file

       The  ip_allow.config  file  controls  client  access  to Traffic Server and Traffic Server
       connections to the servers.  You can specify ranges of IP addresses that  are  allowed  to
       connect  to Traffic Server or that are allowed to be remapped by Traffic Server. After you
       modify the ip_allow.config file, navigate to the Traffic Server bin directory and run  the
       traffic_ctl config reload command to apply changes.

FORMAT

       Each line in ip_allow.config file must have on of the following formats format:

          src_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]
          dest_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]

       For  src_ip  the  remote inbound connection address, i.e. the IP address of the client, is
       checked against the specified range of  IP  addresses.  For  dst_ip  the  outbound  remote
       address  (i.e.  the  IP  address  to which Traffic Server connects) is checked against the
       specified IP address range.

       Range specifications can be IPv4 or IPv6, but any single range must be one or  the  other.
       Ranges  can  be  specified  by  two  addresses,  the  lower address and the upper address,
       separated by a dash, -.  Such a range inclusive and contains the  lower,  upper  addresses
       and  all addresses inbetween. A range can also be specified by an address and a CIDR mask,
       separated by a slash, /. This case is converted  to  a  range  of  the  previous  case  by
       retaining  only  the  left  most  mask  bits,  clearing the rest for the lower address and
       setting them for the upper address. For instance, a mask of 23 would mean the left most 23
       bits  are  kept  and  all bits to the right are cleared or set.  Finally, a range can be a
       single IP address which matches exactly that address (the equivalent of a range  with  the
       lower and upper values equal to that IP address).

       The  value  of method is a string which must consist of either HTTP method names separated
       by the character '|' or the keyword literal ALL. This keyword may omitted in which case it
       is  treated  as  if  it  were method=ALL. Methods can also be specified by having multiple
       instances of the method keyword, each specifying a single method. E.g., method=GET|HEAD is
       the  same  as  method=GET  method=HEAD.  The  method  names  are not validated which means
       non-standard method names can be specified.

       The action must be either ip_allow or ip_deny. This controls what Traffic Server  does  if
       the  address  is  in the range and the method matches. If there is a match, Traffic Server
       allows the connection (for ip_allow) or denies it (ip_deny).

       For each inbound or outbound connection the applicable rule is selectd by first  match  on
       the  IP  address.  The  rule  is  then  applied (if the method matches) or its opposite is
       applied (if the method doesn't match). If no rule is matched access is allowed. This makes
       each  rule  both an accept and deny, one explicit and the other implicit. The src_ip rules
       are checked when a host connects to Traffic Server. The  dst_ip  rules  are  checked  when
       Traffic Server connects to another host.

       By default the ip_allow.config file contains the following lines, which allows all methods
       to connections from localhost and denies the PUSH, PURGE and DELETE methods to  all  other
       IP addresses (note this allows all other methods to all IP addresses):

          src_ip=127.0.0.1                                  action=ip_allow method=ALL
          src_ip=::1                                        action=ip_allow method=ALL
          src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
          src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE

       This could also be specified as:

          src_ip=127.0.0.1   action=ip_allow method=ALL
          src_ip=::1         action=ip_allow method=ALL
          src_ip=0/0         action=ip_deny  method=PUSH|PURGE|DELETE
          src_ip=::/0        action=ip_deny  method=PUSH|PURGE|DELETE

EXAMPLES

       The following example enables all clients access.:

          src_ip=0.0.0.0-255.255.255.255 action=ip_allow

       The following example allows access to all clients on addresses in a subnet:

          src_ip=123.12.3.000-123.12.3.123 action=ip_allow

       The following example denies access all clients on addresses in a subnet:

          src_ip=123.45.6.0-123.45.6.123 action=ip_deny

       If the entire subnet were to be denied, that would be:

          src_ip=123.45.6.0/24 action=ip_deny

       The following example allows one to any upstream servers:

          dest_ip=0.0.0.0-255.255.255.255 action=ip_allow

       Alternatively this can be done with:

          dest_ip=0/0 action=ip_allow

       The following example denies to access all servers on a specific subnet:

          dest_ip=10.0.0.0-10.0.255.255 action=ip_deny

       Alternatively:

          dest_ip=10.0.0.0/16 action=ip_deny

       If the goal is to allow only GET and HEAD requests to those servers, it would be:

          dest_ip=10.0.0.0/16 action=ip_allow method=GET method=HEAD

       or:

          dest_ip=10.0.0.0/16 action=ip_allow method=GET|HEAD

       This will match the IP address for the targer servers on the outbound connection. Then, if
       the method is GET or HEAD the connection will be allowed, otherwise the connection will be
       denied.

COPYRIGHT

       2021, dev@trafficserver.apache.org