[ https://issues.apache.org/jira/browse/TS-3485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270083#comment-15270083 ]
ASF GitHub Bot commented on TS-3485:
------------------------------------

Github user jpeach commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/614#discussion_r61987839

--- Diff: proxy/http2/Http2SessionAccept.cc --- @@ -38,9 +39,22 @@ Http2SessionAccept::~Http2SessionAccept() void Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReader *reader) { + AclRecord *session_acl_record = NULL; + sockaddr const *client_ip = netvc->get_remote_addr(); + IpAllow::scoped_config ipallow; + if (ipallow && (((session_acl_record = ipallow->match(client_ip)) == NULL) || (session_acl_record->isEmpty()))) { + ip_port_text_buffer ipb; + Warning("http2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb))); --- End diff --

Oh so this is fail-closed when there is no config? If that is the case, then HTTP/1 should do the same thing. We should have a single function that does this check for both protocols to avoid this kind of drift.

> We should honor ip_allow.config ACLs for HTTP/2 streams
> -------------------------------------------------------
>
> Key: TS-3485
> URL: https://issues.apache.org/jira/browse/TS-3485
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP/2
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Fix For: 7.0.0
>
>
> From the comments:
> {code}
> // XXX we need to refactor the ACL checks from HttpSessionAccept so that we can invoke them here, and also in
> // the SPDY protocol layer ...
> {code}
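
Review bot: The `ipallow &&` guard in the condition added to Http2SessionAccept::accept leaves the no-config case implicit: if `ipallow` tests false, the expression short-circuits, no warning is logged, the reject branch is skipped and `session_acl_record` stays NULL. State the intended behaviour for that case explicitly, either by rejecting the connection when no policy is loaded or by commenting that it is deliberately allowed, and make sure whatever follows the branch does not dereference a NULL `session_acl_record`. Pulling the assignment `session_acl_record = ipallow->match(client_ip)` out of the condition would also make the two rejection cases (no match, empty record) easier to read and to keep in step with the HTTP/1 accept path.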