bryancall commented on issue #8176: URL: https://github.com/apache/trafficserver/issues/8176#issuecomment-4827449241
This is working as designed rather than a bug. The stats_over_http plugin is a global plugin that adds a TS_HTTP_READ_REQUEST_HDR hook and serves the stats response itself through a transaction intercept. That interception runs before remap.config is evaluated, so remap rules (including @action=deny) never apply to the stats path. On current master the plugin even explicitly skips remapping for the stats request. Access control for the endpoint is meant to be done with the plugin's own settings, the allow_ip and allow_ip6 options in the plugin config file (or an ip_allow.yaml rule), which is exactly the approach you found working. Since that is the intended way to restrict the endpoint and there is no further activity, I am closing this. Please reopen if the documented allow_ip filtering does not behave as expected. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
