Allow http DELETE method on proxy to inspect\pass rule

Article ID: 242378

Products

Web Isolation

Issue/Introduction

In WI 1.14, a workaround has to be implemented to add the HTTP DELETE method. There is no fix yet in version 1.14, hence the need to apply the same workaround.

Environment

Release: 1.14.50

 

Resolution

Follow the guidance below. This is a sample of what was done in the lab environment.

[email protected]:/opt/fireglass/current/ci_infra/ats/config$ sudo docker ps | grep fireproxy
2fab07a50e58        fireglass/fireproxy:1.14.33              "/run.sh"                5 months ago        Up 3 months                                                                                                                       trafficserver_mK0gF
docker exec -it  2fab07a50e58 bash
[email protected]:/opt/fireglass/current/ci_infra/ats/config$ docker exec -it  2fab07a50e58 bash
[email protected]:/# cd /etc
[email protected]:/etc# cd trafficserver/
[email protected]:/etc/trafficserver# pwd
/etc/trafficserver

Then, follow the article with the URL below.
https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/ip_allow.config.en.html

Note 1: Take a backup of the file (ip_allow.config) before changing it in 1.14, as the proxy now runs in a Docker container.

List the files as shown below.

[email protected]:/etc/trafficserver# ls
body_factory      congestion.config    hosting.config    ip_allow.config_1   metrics.config    parent.config_9   records.config_8  socks.config          ssl_multicert.config_1   vaddrs.config
cache.config      congestion.config_1  hosting.config_1  logging.config      metrics.config_1  plugin.config     records.config_9  socks.config_1        storage.config           vaddrs.config_1
cache.config_1    fgl_mitm             icp.config        logging.config_1    parent.config     plugin.config_1   remap.config      splitdns.config       storage.config_1         volume.config
cluster.config    fgl_mitm.cfg         icp.config_1      log_hosts.config    parent.config_7   records.config    remap.config_1    splitdns.config_1     trafficserver.logrotate  volume.config_1
cluster.config_1  fireglass            ip_allow.config   log_hosts.config_1  parent.config_8   records.config_7  snapshots         ssl_multicert.config  trafficserver-release

See the snippet below for how the file looks after it is opened.

The file is highlighted above. To open the file, use the "vi" editor command, as shown below.

[email protected]:/etc/trafficserver# vi ip_allow.config

You should see output similar to the below.

Note 2: The file opens in the vi editor, so you will need to use vi editor commands to modify the file, save it, and exit the editor.

Modify the lines in "white" to match the below. Please note that the HTTP DELETE method is added only under the localhost (127.0.0.1). This has been allowed using the "method=ALL" allow action.


src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE

The entries in white should be exactly as above. The first two lines ensure that the HTTP DELETE method is added, as requested.

The two lines below apply to all other IP addresses for the 3 methods: PURGE, DELETE, PUSH.

src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE

src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
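
To check what an ip_allow.config permits before relying on it, the following added example (not part of the original article or of Web Isolation) evaluates the two rule sets shown on this page for a few client addresses. It assumes the rule semantics described in the Apache Traffic Server documentation linked above: the first rule whose address range contains the client decides, its action applies when the method is listed, and the opposite applies otherwise. The function names and client addresses are constructed for illustration, and only single addresses and dash ranges are parsed.

```python
import ipaddress

# Rule set from this page with PUSH|PURGE on the deny lines (copied from the article).
WORKAROUND = """\
src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE
"""
# Same rules with the PUSH|PURGE|DELETE deny lines that the article also shows.
WITH_DELETE_DENIED = WORKAROUND.replace("PUSH|PURGE", "PUSH|PURGE|DELETE")


def parse_rules(text):
    """Return [(first_ip, last_ip, allow, methods)] for every src_ip line, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line.startswith("src_ip="):
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        lo, _, hi = fields["src_ip"].partition("-")
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
        methods = set(fields.get("method", "ALL").upper().split("|"))
        rules.append((first, last, fields["action"] == "ip_allow", methods))
    return rules


def is_allowed(rules, client_ip, http_method):
    """First rule whose range holds the client decides; an unlisted method inverts it."""
    ip = ipaddress.ip_address(client_ip)
    for first, last, allow, methods in rules:
        if ip.version == first.version and first <= ip <= last:
            hit = "ALL" in methods or http_method.upper() in methods
            return allow if hit else not allow
    return True  # assumed semantics: no rule matched the address, access is allowed


if __name__ == "__main__":
    for name, text in (("PUSH|PURGE", WORKAROUND), ("PUSH|PURGE|DELETE", WITH_DELETE_DENIED)):
        rules = parse_rules(text)
        for client in ("127.0.0.1", "::1", "10.1.2.3", "2001:db8::5"):  # constructed clients
            verdicts = {m: is_allowed(rules, client, m) for m in ("GET", "DELETE", "PURGE")}
            print(f"deny {name:<18} {client:<12} {verdicts}")
```

Under these assumed semantics, the PUSH|PURGE deny list permits DELETE from any source address, while the PUSH|PURGE|DELETE list permits it only from 127.0.0.1 and ::1.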