Configure Anonymous Blocking

Note

Anonymous Blocking is only supported for HTTP delivery services. You will need access to a database that provides anonymous IP statistics (Maxmind’s database is recommended, as this functionality was built specifically to work with it.)

  1. Prepare the Anonymous Blocking configuration file. Anonymous Blocking uses a configuration file in JSON format to define blocking rules for Delivery Services. The file needs to be put on an HTTP server accessible to Traffic Router.

    #77 Example Configuration JSON
    {
        "customer": "YourCompany",
        "version": "1",
        "date" : "2017-05-23 03:28:25",
        "name": "Anonymous IP Blocking Policy",
    
        "anonymousIp": { "blockAnonymousVPN": true,
            "blockHostingProvider": true,
            "blockPublicProxy": true,
            "blockTorExitNode": true},
    
        "ip4Whitelist": ["192.168.30.0/24", "10.0.2.0/24", "10.1.1.1/32"],
        "ip6Whitelist": ["2001:550:90a::/48", "::1/128"],
        "redirectUrl": "http://youvebeenblocked.com"
    }
    
    anonymousIp

    Contains the types of IPs which can be checked against the Anonymous IP Database. There are 4 types of IPs which can be checked: VPNs, Hosting Providers, Public Proxies, and TOR “Exit Nodes”. Each type of IP can be enabled or disabled. If the value is true, IPs matching this type will be blocked when the feature is enabled in the Delivery Service. If the value is false, IPs which match this type will not be blocked. If an IP matches more than 1 type and any type is enabled, the IP will be blocked.

    redirectUrl

    The URL that will be returned to the blocked clients. Without a redirectUrl, the clients will receive an HTTP response code 403 Forbidden. With a redirectUrl, the clients will be redirected with an HTTP response code 302 Found.

    ipWhiteList

    An optional element. It includes a list of CIDR blocks indicating the IPv4 and IPv6 subnets that are allowed by the rule. If this list exists and the value is not null, client IPs will be matched against the CIDR list, and if there is any match, the request will be allowed. If there is no match in the white list, further anonymous blocking logic will continue.

  2. Add the following three Anonymous Blocking Parameters in Traffic Portal with the “CRConfig.json” Config File, and ensure they are assigned to all of the Traffic Routers that should perform Anonymous Blocking:

    anonymousip.policy.configuration

    The URL of the Anonymous Blocking configuration file. Traffic Router will fetch the file from this URL.

    anonymousip.polling.url

    The URL of the Anonymous IP Database. Traffic Router will fetch the file from this URL.

    anonymousip.polling.interval

    The interval that Traffic Router polls the Anonymous Blocking configuration file and Anonymous IP Database.

    ../../_images/01.png
  3. Enable Anonymous Blocking for a Delivery Service using the Delivery Services view in Traffic Portal (don’t forget to save changes!)

    ../../_images/02.png
  4. Go to the Traffic Portal CDNs view, click on Diff CDN Config Snapshot, and click Perform Snapshot.

    ../../_images/03.png

Traffic Router Access Log

Anonymous Blocking extends the field of rtype and adds a new field ANON_BLOCK in the Traffic Router access.log file to help monitor this feature. If the rtype in an access log is ANON_BLOCK then the client’s IP was found in the Anonymous IP Database and was blocked.