.\" Man page generated from reStructuredText.
.
.TH "IP_ALLOW.CONFIG" "5" "Jul 15, 2021" "8.1" "Apache Traffic Server"
.SH NAME
ip_allow.config \- Traffic Server IP access control configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.sp
The \fI\%ip_allow.config\fP file controls client access to Traffic Server and
Traffic Server connections to upstream servers. You can specify ranges of IP
addresses that are allowed to connect to Traffic Server or that are allowed to
be remapped by Traffic Server. After you modify the \fI\%ip_allow.config\fP
file, navigate to the Traffic Server bin directory and run the
\fBtraffic_ctl config reload\fP command to apply the changes.
.SH FORMAT
.sp
Each line in the \fI\%ip_allow.config\fP file must have one of the following
formats:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=<range> action=<action> [method=<method>]
dest_ip=<range> action=<action> [method=<method>]
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
For \fBsrc_ip\fP the remote inbound connection address, i.e. the IP address of
the client, is checked against the specified range of IP addresses. For
\fBdest_ip\fP the outbound remote address (i.e. the IP address to which
Traffic Server connects) is checked against the specified IP address range.
.sp
Range specifications can be IPv4 or IPv6, but any single range must be one or
the other. Ranges can be specified by two addresses, the lower address and the
upper address, separated by a dash, \fB\-\fP\&.
Such a range is inclusive: it contains the lower and upper addresses and all
addresses in between. A range can also be specified by an address and a CIDR
mask, separated by a slash, \fB/\fP\&. This case is converted to a range of
the previous form by retaining only the leftmost \fBmask\fP bits and clearing
the remaining bits for the lower address or setting them for the upper
address. For instance, a mask of \fB23\fP means the leftmost 23 bits are kept
and all bits to the right are cleared (lower address) or set (upper address).
Finally, a range can be a single IP address, which matches exactly that
address (the equivalent of a range with the lower and upper values equal to
that IP address).
.sp
The value of \fBmethod\fP is a string which must consist of either HTTP method
names separated by the character \(aq|\(aq or the keyword literal \fBALL\fP\&.
This keyword may be omitted, in which case it is treated as if it were
\fBmethod=ALL\fP\&. Methods can also be specified by having multiple instances
of the \fBmethod\fP keyword, each specifying a single method. E.g.,
\fBmethod=GET|HEAD\fP is the same as \fBmethod=GET method=HEAD\fP\&. The
method names are not validated, which means non\-standard method names can be
specified.
.sp
The \fBaction\fP must be either \fBip_allow\fP or \fBip_deny\fP\&. This
controls what Traffic Server does if the address is in the range and the
method matches. If there is a match, Traffic Server allows the connection (for
\fBip_allow\fP) or denies it (for \fBip_deny\fP).
.sp
For each inbound or outbound connection the applicable rule is selected by
first match on the IP address. The rule is then applied (if the method
matches) or its opposite is applied (if the method doesn\(aqt match). If no
rule is matched, access is allowed. This makes each rule both an accept and a
deny, one explicit and the other implicit. The \fBsrc_ip\fP rules are checked
when a host connects to Traffic Server\&. The \fBdest_ip\fP rules are checked
when Traffic Server connects to another host.
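.sp
The following Python script is an added example and is not part of Apache
Traffic Server. It implements the rule selection just described (first match
on the address, the action on a method match and its opposite otherwise, allow
when nothing matches) so that a rule set can be checked offline before running
\fBtraffic_ctl config reload\fP\&. Its input is constructed from the default
rules quoted in this page and the outbound \fBGET\fP/\fBHEAD\fP rule from the
EXAMPLES section; the zero\-padding of the \fB0/0\fP shorthand and the
\fB#\fP comment handling are assumptions of this script, not a description of
the Traffic Server parser.

```python
"""Offline evaluator for ip_allow.config rules (added example, not Apache
Traffic Server code): checks a rule set against sample connections using the
matching described in this man page."""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Rule(NamedTuple):
    direction: str      # "src_ip" (inbound client) or "dest_ip" (outbound origin)
    lower: IPAddress    # inclusive range bounds, both of the same IP version
    upper: IPAddress
    action: str         # "ip_allow" or "ip_deny"
    methods: Set[str]   # method names as written, or {"ALL"}


def _address(text: str) -> IPAddress:
    # Assumption of this example: the page writes "0/0" for all of IPv4, so
    # missing dotted octets are padded with zeros before parsing.
    if ":" not in text:
        parts = text.split(".")
        text = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.ip_address(text)


def parse_range(text: str) -> Tuple[IPAddress, IPAddress]:
    """Inclusive (lower, upper) pair for 'a-b', 'a/mask' or a single address."""
    if "-" in text:
        lower, upper = (_address(p) for p in text.split("-", 1))
    elif "/" in text:
        addr, mask = text.split("/", 1)
        # keep the leftmost <mask> bits: host bits cleared for the lower
        # address, set for the upper one (strict=False tolerates host bits)
        net = ipaddress.ip_network(f"{_address(addr)}/{mask}", strict=False)
        lower, upper = net.network_address, net.broadcast_address
    else:
        lower = upper = _address(text)
    if lower.version != upper.version or lower > upper:
        raise ValueError(f"bad range: {text}")
    return lower, upper


def parse_rule(line: str) -> Rule:
    """Parse one 'src_ip=... action=... [method=...]' line."""
    direction = action = bounds = None
    methods: Set[str] = set()
    for token in line.split():
        key, _, value = token.partition("=")
        if key in ("src_ip", "dest_ip"):
            direction, bounds = key, parse_range(value)
        elif key == "action" and value in ("ip_allow", "ip_deny"):
            action = value
        elif key == "method":
            methods.update(value.split("|"))  # method=GET|HEAD or repeated method=
        else:
            raise ValueError(f"bad token {token!r} in {line!r}")
    if direction is None or action is None:
        raise ValueError(f"rule needs an address and an action: {line!r}")
    return Rule(direction, bounds[0], bounds[1], action, methods or {"ALL"})


def parse_config(text: str) -> List[Rule]:
    # blank lines and '#' comment lines are skipped (assumption of this example)
    lines = (ln.strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def evaluate(rules: List[Rule], direction: str, address: str,
             method: str) -> Tuple[str, Optional[Rule]]:
    """Decide one connection: ('allow'|'deny', the rule that decided it or None)."""
    addr = ipaddress.ip_address(address)
    for rule in rules:
        if rule.direction != direction or rule.lower.version != addr.version:
            continue
        if rule.lower <= addr <= rule.upper:  # first address match wins
            matched = "ALL" in rule.methods or method in rule.methods
            # the action applies on a method match, its opposite otherwise
            allowed = (rule.action == "ip_allow") == matched
            return ("allow" if allowed else "deny"), rule
    return "allow", None  # no rule matched: access is allowed


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules an earlier same-direction rule fully covers; under
    first-match selection such rules can never fire."""
    return [i for i, r in enumerate(rules) if any(
        e.direction == r.direction and e.lower.version == r.lower.version
        and e.lower <= r.lower and r.upper <= e.upper for e in rules[:i])]


# Constructed sample: the default rules quoted in this man page plus the
# outbound GET/HEAD rule from its EXAMPLES section.
DEFAULT_CONFIG = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=0/0 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::/0 action=ip_deny method=PUSH|PURGE|DELETE
# outbound: only GET and HEAD may reach 10.0.0.0/16
dest_ip=10.0.0.0/16 action=ip_allow method=GET method=HEAD
"""
# Constructed misordering: a catch-all allow first makes the later deny dead.
MISORDERED_CONFIG = """\
src_ip=0/0 action=ip_allow
src_ip=198.51.100.0/24 action=ip_deny method=PURGE
"""
```

With the default rules, \fBevaluate(rules, "src_ip", "203.0.113.5", "GET")\fP
returns allow because the \fB0/0\fP deny rule matches the address but not the
method, so its opposite applies; the same client sending \fBPURGE\fP is
denied. \fBshadowed_rules\fP flags the second rule of the misordered sample,
which is why narrow rules such as the localhost allow must precede the
catch\-all deny in the default file.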
.sp
By default the \fI\%ip_allow.config\fP file contains the following lines,
which allow all methods for connections from localhost and deny the
\fBPUSH\fP, \fBPURGE\fP and \fBDELETE\fP methods for all other IP addresses
(note that this allows all other methods from all IP addresses):
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=0.0.0.0\-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::\-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This could also be specified as:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=0/0 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::/0 action=ip_deny method=PUSH|PURGE|DELETE
.ft P
.fi
.UNINDENT
.UNINDENT
.SH EXAMPLES
.sp
The following example allows access to all clients:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=0.0.0.0\-255.255.255.255 action=ip_allow
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following example allows access to all clients on addresses in a subnet:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=123.12.3.000\-123.12.3.123 action=ip_allow
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following example denies access to all clients on addresses in a subnet:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=123.45.6.0\-123.45.6.123 action=ip_deny
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If the entire subnet were to be denied, that would be:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
src_ip=123.45.6.0/24 action=ip_deny
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following example allows connections to any upstream server:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
dest_ip=0.0.0.0\-255.255.255.255 action=ip_allow
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Alternatively this can be done with:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
dest_ip=0/0 action=ip_allow
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following example denies access to all servers on a specific subnet:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
dest_ip=10.0.0.0\-10.0.255.255 action=ip_deny
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Alternatively:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
dest_ip=10.0.0.0/16 action=ip_deny
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If the goal is to allow only \fBGET\fP and \fBHEAD\fP requests to those
servers, it would be:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
dest_ip=10.0.0.0/16 action=ip_allow method=GET method=HEAD
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
or:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
dest_ip=10.0.0.0/16 action=ip_allow method=GET|HEAD
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This will match the IP address of the target servers on the outbound
connection. Then, if the method is \fBGET\fP or \fBHEAD\fP the connection will
be allowed, otherwise the connection will be denied.
.SH COPYRIGHT
2021, dev@trafficserver.apache.org
.\" Generated by docutils manpage writer.
.