GeoIP ACLs Plugin

This is a simple ATS plugin for denying (or allowing) requests based on the geo-location of the source IP. Currently only the Maxmind APIs are supported, but we'd be happy to add other (open) APIs if you let us know. This plugin comes with the standard distribution of Apache Traffic Server, and should be installed as part of the normal build process.

Configuration

Once installed, there are three primary use cases, which we will discuss in detail. Note that in all configurations, the first plugin parameter must specify what the matches should be applied to. Currently, only one rule set is supported, for country ISO codes. This is specified with a parameter of

@pparam=country

Future additions to this plugin could include other regions, such as city, state, continent etc.

The three typical use cases are as follows:

  1. Per remap configurations, applicable to the entire remap rule. This is useful when you can partition your content so that entire prefix paths should be filtered. For example, let's assume that http://example.com/music is restricted to US customers only, and everything else is accessible worldwide. In remap.config, you would have something like

    map http://example.com/music http://music.example.com \
      @plugin=geoip_acl.so @pparam=country @pparam=allow @pparam=US
    map http://example.com http://other.example.com
    
  2. If you cannot partition the data with a path prefix, you can specify a separate regex mapping filter. The remap.config file might then look like

    map http://example.com http://music.example.com \
      @plugin=geoip_acl.so @pparam=country \
      @pparam=regex::/etc/music.regex
    

where music.regex is a file of PCRE (Perl compatible) regular expressions, one rule per line, each line giving a pattern, an action (allow or deny) and a country code. E.g.:

.*\.mp3  allow  US
.*\.ogg  deny   US

Note that the default in the case of no matches on the regular expressions is to "allow" the request. This can be overridden, see the next use case.

  3. You can also combine 1) and 2), and provide defaults in the remap.config configuration, which then apply for the cases where no regular expression matches at all. This is useful to override the default, which is to allow all requests that don't match. For example

    map http://example.com http://music.example.com \
      @plugin=geoip_acl.so @pparam=country @pparam=allow @pparam=US \
      @pparam=regex::/etc/music.regex
    

This tells the plugin that in the situation where there is no matching regular expression, only allow requests originating from the US.
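To check a rule file and its remap defaults before deploying them, here is a small Python evaluator that mirrors the decision logic described in use cases 2 and 3 above. It is an added example, not code from the plugin itself; it assumes rules are tried top-down with first match winning, that a pattern is matched unanchored as PCRE does by default, and that `allow US` permits only US while `deny US` blocks only US.

```python
import re
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample of the music.regex file shown above: "<pcre> <allow|deny> <CC>".
MUSIC_REGEX = r"""
# blank lines and '#' comments are an assumption of this checker, not the plugin
.*\.mp3  allow  US
.*\.ogg  deny   US
"""

Rule = Tuple[re.Pattern, str, FrozenSet[str]]
Default = Tuple[str, FrozenSet[str]]   # mirrors @pparam=allow|deny @pparam=CC


def parse_rules(text: str) -> List[Rule]:
    """Parse '<regex> <allow|deny> <CC>[,<CC>...]' lines; reject anything malformed
    rather than silently skipping it, since a dropped rule changes the ACL."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected '<regex> <allow|deny> <country>', got {raw!r}")
        pattern, action, countries = parts
        rules.append((re.compile(pattern), action,
                      frozenset(c.upper() for c in countries.split(","))))
    return rules


def _apply(action: str, countries: FrozenSet[str], country: str) -> str:
    # 'allow US' -> US allowed, everyone else denied; 'deny US' -> the inverse (assumed).
    if country in countries:
        return action
    return "deny" if action == "allow" else "allow"


def decide(path: str, country: str, rules: List[Rule],
           default: Optional[Default] = None) -> str:
    """Return 'allow' or 'deny' for a request path and its source country.
    `default` is consulted only when no regex matches; without it an unmatched
    request is allowed, as the documentation states (assumption: first match wins)."""
    country = country.upper()
    for pattern, action, countries in rules:
        if pattern.search(path):           # unanchored, like PCRE's pcre_exec (assumed)
            return _apply(action, countries, country)
    if default is None:
        return "allow"
    return _apply(default[0], default[1], country)
```

Run `decide("/music/track.ogg", "US", parse_rules(MUSIC_REGEX))` to see the `.ogg` rule deny a US client while a non-US client is still allowed.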

Finally, there's one additional parameter option that can be used:

@pparam=html::/some/path.html

This will override the default response body for denied requests with a custom piece of HTML. This can be useful to explain to your users why they are being denied access to a particular piece of content. This parameter can be used with any of the use cases described above.