Configure Anonymous Blocking

Note

Anonymous Blocking is only supported for HTTP delivery services. You will need access to a database that provides anonymous IP statistics (Maxmind’s database is recommended, as this functionality was built specifically to work with it.)

  1. Prepare the Anonymous Blocking configuration file. Anonymous Blocking uses a configuration file in JSON format to define blocking rules for Delivery Services. The file needs to be put on an HTTP server accessible to Traffic Router.

    #50 Example Configuration JSON
    {
            "customer": "YourCompany",
            "version": "1",
            "date" : "2017-05-23 03:28:25",
            "name": "Anonymous IP Blocking Policy",
    
            "anonymousIp": { "blockAnonymousVPN": true,
                             "blockHostingProvider": true,
                             "blockPublicProxy": true,
                             "blockTorExitNode": true},
    
            "ip4Whitelist": ["192.168.30.0/24", "10.0.2.0/24", "10.1.1.1/32"],
            "ip6Whitelist": ["2001:550:90a::/48", "::1/128"],
            "redirectUrl": "http://youvebeenblocked.com"
    }
    
    anonymousIp

    Contains the types of IPs which can be checked against the Anonymous IP Database. There are 4 types of IPs which can be checked: VPNs, Hosting Providers, Public Proxies, and TOR “Exit Nodes”. Each type of IP can be enabled or disabled. If the value is true, IPs matching this type will be blocked when the feature is enabled in the Delivery Service. If the value is false, IPs which match this type will not be blocked. If an IP matches more than 1 type and any type is enabled, the IP will be blocked.

    redirectUrl

    The URL that will be returned to the blocked clients. Without a redirectUrl, the clients will receive an HTTP response code 403 Forbidden. With a redirectUrl, the clients will be redirected with an HTTP response code 302 Found.

    ipWhiteList

    An optional element. It includes a list of CIDR blocks indicating the IPv4 and IPv6 subnets that are allowed by the rule. If this list exists and the value is not null, client IPs will be matched against the CIDR list, and if there is any match, the request will be allowed. If there is no match in the white list, further anonymous blocking logic will continue.

  2. Add the following three Anonymous Blocking parameters in Traffic Portal into CRConfig.json:

    anonymousip.policy.configuration

    The HTTP URL of the Anonymous Blocking configuration file. Traffic Router will fetch the file from this URL.

    anonymousip.polling.url

    The HTTP URL of the Anonymous IP Database. Traffic Router will fetch the file from this URL.

    anonymousip.polling.interval

    The interval that Traffic Router polls the Anonymous Blocking configuration file and Anonymous IP Database.

    ../../_images/01.png
  3. Enable Anonmyous Blocking for a Delivery Service

    ../../_images/02.png
  4. Go to Tools ‣ Snapshot CRConfig, perform Diff CRConfig and click Write CRConfig.

    ../../_images/03.png

Traffic Router Access Log

Anonymous Blocking extends the field of rtype and adds a new field ANON_BLOCK in the Traffic Router access.log file to help monitor this feature. If the rtype in an access log is ANON_BLOCK then the client’s IP was found in the Anonymous IP Database and was blocked.