trafficserver-users mailing list archives

From "Van Doorn, Jan R" <Jan_VanDo...@cable.comcast.com>
Subject Re: Restricting access to stats_over_http?
Date Wed, 02 May 2012 00:59:02 GMT
On 05/01/2012 05:34 PM, Leif Hedstrom wrote:
> On 5/1/12 5:29 PM, tom ryan wrote:
>>>> Hello,
>>>>
>>>> I looked in the documentation, tried some different remap configs, but
>>>> can't make it do what I want...
>>>>
>>>> I'd like to use the stats_over_http plugin, but restrict the clients
>>>> that can get to it to just a couple of addresses. Is that possible?
>>>> What is the best way to do that?
>>>>
>>> No way at this point.
>> -snip-
>>
>> What about the doc reference to rules like:
>>
>> map http://localhost/stat/ http://{stat}
>>
>> as seen in
>> https://cwiki.apache.org/TS/faq.html#FAQ-httpui
>>
>
> I don't think that will work, since this is a server intercept plugin 
> (and therefore, doesn't require a remap). You can try it, and see what 
> happens.
>
I tried a couple of variations like that, and couldn't make it work. I
really just need a simple client IP address check, so, I think I'm just
going to reuse some of the code from the redirect-1 plugin sample, like
in the diff below.

Leif: your config suggestions with the X-TS-Stats-Auth* header seem 
pretty cool to me, but, like I said - I just need a quick IP check for 
now, and I would think the below is a safe and simple hack?

Rgds,
JvD

--
diff:
36,45d35
< #if !defined (_WIN32)
< #  include <unistd.h>
< #  include <netinet/in.h>
< #  include <arpa/inet.h>
< #else
< #  include <windows.h>
< #endif
<
< static char *allow_ip;
<
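Review bot: `static char *allow_ip;` holds a single address in text form, so the filter can admit only one client and the check in the next hunk has to compare strings. Keeping the allowed entries as parsed binary addresses (struct in_addr / struct in6_addr, filled in with inet_pton when the plugin loads) would support several addresses and make an address/mask comparison possible later. A one-line comment on the variable stating what it holds, and that NULL means no address was configured, would also help.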
238,261d227
<   const struct sockaddr *addr = TSHttpTxnClientAddrGet(txnp);
<
<   if (addr) {
<     socklen_t addr_size = 0;
<
<     if (addr->sa_family == AF_INET)
<       addr_size = sizeof(struct sockaddr_in);
<     else if (addr->sa_family == AF_INET6)
<       addr_size = sizeof(struct sockaddr_in6);
<     if (addr_size > 0) {
<       char clientstring[INET6_ADDRSTRLEN];
<
<       /* there's gotta be a better way than strcmp...  Should really 
be a addres/mask check thing. */
<       if (NULL != inet_ntop(addr->sa_family, &(((struct sockaddr_in 
*)addr)->sin_addr), clientstring, addr_size) &&
<               !strcmp(allow_ip, clientstring) ) {
<          TSDebug("istats", "clientip is %s --> PASS", clientstring);
<       }
<       else {
<          TSDebug("istats", "clientip is %s --> FAIL", clientstring);
<          goto notforme;
<       }
<     }
<   }
<
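Review bot: The check fails open: when `addr` is NULL, or `sa_family` is neither AF_INET nor AF_INET6 so `addr_size` stays 0, the comparison is skipped and execution falls through exactly as in the PASS branch; for an access filter those cases should `goto notforme`. In the `inet_ntop` call the source pointer is always `&((struct sockaddr_in *)addr)->sin_addr`, which is the wrong field for AF_INET6 (that family needs `sin6_addr` from `struct sockaddr_in6`), and the length argument should be `sizeof(clientstring)`, not `addr_size`, which is the size of the socket address structure. If `inet_ntop` returns NULL, the FAIL branch hands the uninitialised `clientstring` to `TSDebug` with `%s`. `allow_ip` is also passed to `strcmp` without a NULL check.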
329,332d294
<   if (argc == 2)
<     allow_ip = TSstrdup(argv[1]);
<
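Review bot: When the plugin is loaded with anything other than exactly one argument, `allow_ip` is never assigned and nothing here logs or rejects that, so the unguarded `strcmp(allow_ip, clientstring)` in the previous hunk receives a NULL pointer. Decide explicitly what a missing argument means (allow all or deny all), log the choice, and validate `argv[1]` with inet_pton at load time so a typo is reported at startup rather than silently locking everyone out. Because the comparison is on strings, an address written in the config in a form other than the one inet_ntop produces will never match.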