trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: Restricting access to stats_over_http?
Date Tue, 01 May 2012 23:08:21 GMT
On 5/1/12 3:35 PM, Van Doorn, Jan R wrote:
> Hello,
>
> I looked in the documentation, tried some different remap configs, but
> can't make it do what I want...
>
> I'd like to use the stats_over_http plugin, but restrict the clients
> that can get to it to just a couple of addresses. Is that possible? What
> is the best way to do that?
>

No way at this point. I was thinking of adding a small config to this 
plugin, which could allow for various levels of strength:

     /__stats    X-TS-Stats-Auth    Secret


or (stronger)

     /__stats    X-TS-Stats-Auth-IP    Secret


Where the header value is some cryptographic checksum of secret + client IP 
(making replay attacks much harder). E.g. SHA1(secret+client-ip).

In the first case, the request would simply include e.g.

     X-TS-Stats-Auth: A-Secret-String


and in the second, e.g.

     X-TS-Stats-Auth-IP: abfd6a4da7ae42a126e915b55395838f7fe5efe2


The other option is to do some real authentication mechanisms around this, 
but the above would be pretty close to trivial to implement (i.e. a few 
hours at the most). Also, if done over HTTPS, it'd be difficult to intercept 
even the simple token secret (and you can pick a path and header of your 
own choosing to do more security by obscurity :).

Thoughts?

-- Leif
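The two header schemes sketched above, as an added illustration that is not code from this thread or from the stats_over_http plugin. It computes the IP-bound token exactly as described (hex SHA1 of secret concatenated with client IP), gates only the /__stats path, and assumes headers arrive keyed by exact name and that client_ip is the peer address the proxy sees; the sample addresses and secret are constructed.

```python
import hashlib
import hmac

# Path and header names as proposed in the message.
STATS_PATH = "/__stats"
HEADER_SIMPLE = "X-TS-Stats-Auth"      # bare shared secret
HEADER_IP = "X-TS-Stats-Auth-IP"       # secret bound to the client IP


def ip_bound_token(secret: str, client_ip: str) -> str:
    """Stronger variant: hex SHA1(secret + client-ip), plain concatenation
    as described in the message."""
    return hashlib.sha1((secret + client_ip).encode("utf-8")).hexdigest()


def authorize(path: str, headers: dict, client_ip: str, secret: str,
              bind_to_ip: bool = False) -> bool:
    """Return True if the request may proceed.

    headers is keyed by exact header name (assumption); client_ip is the
    peer address seen by the proxy; bind_to_ip selects the IP-bound scheme.
    Paths other than the stats endpoint are not gated here.
    """
    if path != STATS_PATH:
        return True
    if bind_to_ip:
        presented = headers.get(HEADER_IP, "")
        expected = ip_bound_token(secret, client_ip)
    else:
        presented = headers.get(HEADER_SIMPLE, "")
        expected = secret
    # Constant-time comparison so a wrong token does not leak via timing.
    return hmac.compare_digest(presented.encode(), expected.encode())


def replay_demo(secret: str = "example-secret") -> dict:
    """A token captured from one client fails when replayed from another
    address. Constructed sample IPs; returns the outcomes."""
    token = ip_bound_token(secret, "192.0.2.10")
    hdrs = {HEADER_IP: token}
    return {
        "same_ip": authorize(STATS_PATH, hdrs, "192.0.2.10", secret, True),
        "other_ip": authorize(STATS_PATH, hdrs, "192.0.2.77", secret, True),
        "other_path": authorize("/index.html", {}, "192.0.2.77", secret, True),
    }


if __name__ == "__main__":
    print(replay_demo())
```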
