# # filter.config # # The purpose of this file is to specify which http # objects can be obtained through Traffic Server and which # headers should be forwarded for http requests. This file # is also used for authentication and authorization # configuration. # # Each line consists of a set of tag value pairs. The pairs # are in the format = # # Each line must include exactly one primary specifier. # # Primary destination specifiers are # dest_domain= # dest_host= # dest_ip= # url_regex= # # # Lines may include any number of the secondary specifiers but # secondary specifiers may not be duplicated on the same line # # Secondary specifiers are # port= # scheme= # prefix= # suffix= # method= # time= # src_ip= # tag= # # Note: 1. method secondary specifier is NOT supported in MIXT # 2. tag is an OPTIONAL directive which specifies a unique identifier # for the current record. This is needed for MIXT, since we may want # to select a record that is not necessarily the first one # that matches. Valid values for tag are 'RNI' and 'QT'. # # # Authorization/Authentication Specifiers: (used with ntlm, radius, ldap actions) # server=[:] # dn= # uid_filter= # bind_dn= # bind_pwd_file= # attr= # attr_val= # realm= # redirect_url= # NOTE: server=, dn=, and uid_filter= must all be specified or not at all # bind_dn= and bind_pwd_file= must both be specified or not at all # # # Each line must include exactly one action. # # 1) action=allow # 2) action=deny # # 3) keep_hdr= # 4) strip_hdr= # # 5) action=radius # radius action optional parameters: # realm= # redirect_url= # # 6) action=ntlm # ntlm authentication optional parameters: # realm= # redirect_url= # # **** action=ntlm also used for NTLM group authorization rules # Required parameters: # attr= # attr_val= # bind_dn= # bind_pwd_file= # Optional paramters: # server= # dn= # uid_filter= # realm= # redirect_url= # # 7) action=ldap # ldap action optional parameters: # server= # dn= # uid_filter= # realm= # redirect_url= # attr= # attr_val= # bind_dn= # bind_pwd_file= # # NOTE: # If one or more of the ldap action optional parameters is specified # server=, dn=, and uid_filter= must be present. # If none of the parameters are specified, the default LDAP server # from records.config will be used. # # NOTE 2: All LDAP based rules will be enabled only if LDAP authentication # is enabled in records.config. If LDAP authentication is disabled in # records.config and an LDAP based rule applies - access will be granted # without LDAP authentication. # # # NOTE: In the case of conflicting directives, the directive # that appears first applies. # # Example 1: # Next line will allow access to internal.foo.com only to users # authenticated by the LDAP server on ldap.foo.com # # dest_host=internal.foo.com action=ldap server=ldap.foo.com dn="o=foo.com" # # Example 2: # Next line will allow all users (except ones trying to access internal.foo.com) # to access domain foo.com # # dest_domain=foo.com action=allow # # Example 3: # Next line will deny access to playboy.com # # dest_domain=playboy.com action=deny # # Example 4: # Next line will allow access to foo401k.fidelity.com only to users from # "Accounting Department." org. unit (ou) authenticated by the LDAP server # on ldap.foo.com # # dest_host=foo401k.fidelity.com action=ldap server=ldap.foo.com:389 dn="o=foo.com" attr=ou attr_val="Accounting Department." # # Example 5: # Next line will require everyone not included in any of above rules to be # authenticated by the default LDAP server (see records.config for default LDAP server # definitions). # # dest_ip=0.0.0.0-255.255.255.255 action=ldap # # Example 6: # Block traffic to port 25 to prevent SMTP through the proxy/cache # dest_domain=. port=25 action=deny