Apache Traffic Server (ATS) Returning 403 For DELETE HTTP Requests

Here is a quick snippet which solves an issue I ran into today. I’ve recently set up Apache Traffic Server to reverse proxy requests to various Docker containers. It all works great and runs itself in Docker.

One thing, however, with a default install of Apache Traffic Server is that it doesn’t allow DELETE HTTP requests from any source other than localhost. Instead, the 403 Forbidden status code is returned, which can cause some curious side effects for front-end web applications.

The fix is simple enough, when you know where to look. ATS has a config file called ip_allow.config that controls, believe it or not, which HTTP methods are allowed for different source IP addresses. The default file looks like this:

#
# ip_allow.config
#
# Documentation:
#    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ip_allow.config.en.html
#
# Rules:
# src_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]
#
# Actions: ip_allow, ip_deny
#
# Multiple method keywords can be specified (method=GET method=HEAD), or
# multiple methods can be separated by an '|' (method=GET|HEAD).  The method
# keyword is optional and it is defaulted to ALL.
# Available methods: ALL, GET, CONNECT, DELETE, HEAD, OPTIONS,
# POST, PURGE, PUT, TRACE, PUSH
#
# Rules are applied in the order listed starting from the top.
# That means you generally want to append your rules after the ones listed here.
#
# Allow anything on localhost (this is the default configuration based on the
# deprecated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE

Take a look at the bottom few lines. They state that PUSH, PURGE and DELETE should all be denied to all IP ranges.

To enable the DELETE HTTP method from all IPs, simply remove the DELETE method from the bottom two lines. You should be left with something looking like this:

src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
# Deny PURGE and PUSH for all (this implies allow other methods for all)
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE

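It’s a curious default to have, but it could stop destructive API calls being made if endpoints were accidentally made public. With DELETE removed from the catch-all rules, ATS forwards DELETE requests from any source address, so the application behind the proxy has to enforce its own authentication and authorisation for those calls.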
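An offline evaluator for the rule format shown above, comparing the default file, the edit from this post, and a narrower variant that opens DELETE to a single range. This is an added example, not part of the original post or of ATS; it assumes the first rule whose range covers the client decides, handles only the single-address and range forms of src_ip seen in the file, and the 10.0.0.0-10.255.255.255 "trusted" range is a constructed value.

```python
import ipaddress

# Constructed sample: the rule lines of the default file shown above.
DEFAULT = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
"""
# The edit from the post: DELETE removed from both catch-all deny rules.
OPENED = DEFAULT.replace("|DELETE", "")
# Narrower variant (constructed): one trusted range may DELETE, everyone else keeps the default.
TRUSTED = "src_ip=10.0.0.0-10.255.255.255 action=ip_deny method=PUSH|PURGE\n"
NARROWED = DEFAULT.replace("src_ip=0.0.0.0", TRUSTED + "src_ip=0.0.0.0", 1)

def parse_rules(text):
    """Parse rule lines into (low, high, action, methods) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        src, action, methods = None, None, set()
        for token in line.split("#", 1)[0].split():
            key, _, value = token.partition("=")
            if key == "src_ip":
                lo, _, hi = value.partition("-")
                src = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
            elif key == "action":
                action = value
            elif key == "method":  # repeated keywords and '|' lists both accumulate
                methods.update(value.upper().split("|"))
        if src and action in ("ip_allow", "ip_deny"):
            rules.append((src[0], src[1], action, methods or {"ALL"}))
    return rules

def method_allowed(rules, client_ip, method):
    """Decide from the first rule covering client_ip (assumption); None if no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    for lo, hi, action, methods in rules:
        if ip.version == lo.version and lo <= ip <= hi:
            listed = "ALL" in methods or method.upper() in methods
            return listed if action == "ip_allow" else not listed
    return None

def exposure(text, client_ips, methods=("DELETE", "PURGE", "PUSH")):
    """Map each client IP to the sensitive methods the rule set lets through."""
    rules = parse_rules(text)
    return {ip: [m for m in methods if method_allowed(rules, ip, m)] for ip in client_ips}

if __name__ == "__main__":
    clients = ["127.0.0.1", "10.1.2.3", "203.0.113.7", "2001:db8::1"]
    for name, text in (("default", DEFAULT), ("opened", OPENED), ("narrowed", NARROWED)):
        print(name, exposure(text, clients))
```

Running it against a candidate file before deploying shows at a glance which source addresses gain DELETE, PURGE or PUSH.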


Dockerfile for Apache Traffic Server (ATS)

Apache Traffic Server is an enterprise-grade proxy and caching server initially developed by Yahoo, then later made open source and managed by the Apache Foundation.

The below code is a Dockerfile that will download and build ATS on the latest Ubuntu base image. Currently, we’re using Apache Traffic Server version 8.0.5, but if you’d like to use a different version or check for a later version then you’ll need to replace the curl command with one of the downloads available from here.

Create a new folder on your Docker host and add the below text to the dockerfile.

mkdir ats
vi ats/dockerfile

FROM ubuntu:latest
# Update the package repository
RUN set -x \
 && DEBIAN_FRONTEND=noninteractive apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y \
        curl \
        locales \
        build-essential \
        bzip2 \
        libssl-dev \
        libxml2 \
        libxml2-dev \
        libpcre3 \
        libpcre3-dev \
        tcl \
        tcl-dev \
        libboost-dev \
    # Configure locale
 && export LANGUAGE=en_US.UTF-8 \
 && export LANG=en_US.UTF-8 \
 && export LC_ALL=en_US.UTF-8 \
 && locale-gen en_US.UTF-8 \
 && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
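# Get ATS and build
# http://www-eu.apache.org/dist/trafficserver/
# The tarball is fetched over plain HTTP and piped straight into tar with no
# checksum or signature check; verify it against the checksum published for
# the release before relying on the resulting image.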
RUN  mkdir /tmp/trafficserver \
 && cd /tmp/trafficserver \
 && curl -L http://www-eu.apache.org/dist/trafficserver/trafficserver-8.0.5.tar.bz2 | tar -xj --strip-components 1 \
 && ./configure \
 && make install \
 && make distclean \
 && cd / \
    # Clean-up
 && apt-get purge --auto-remove -y \
        curl \
        build-essential \
        bzip2 \
        libssl-dev \
        libxml2-dev \
        libpcre3-dev \
        tcl-dev \
        libboost-dev \
 && apt-get clean \
 && rm -rf /tmp/* /var/lib/apt/lists/*

RUN ln -s /usr/local/etc/trafficserver /etc/trafficserver
EXPOSE 8080

ENTRYPOINT ["/usr/local/bin/traffic_server"]

To build the Apache Traffic Server image, cd into the ats directory and issue the build command. The period (.) at the end of the build command is there on purpose – make sure you include it in your build command.

cd ats
docker build -t ats .

The build will take a few minutes, depending on your hardware, but will return you to the command line once completed.

Run a container from the image and ATS will be available on port 8080; however, you’ll need to configure it as required. The config, such as remap.config, is contained in /etc/trafficserver.

