[Freeswitch-users] ACLs through proxy

Bill W freeswitch at aastral.net
Thu Dec 17 20:02:48 PST 2009


Hey Metik,

Thanks for the reply, and the pointers for doing it with xml_curl.

I guess I'll have to do that in the short term, but in my opinion, having 
auth-acl be able to work through a proxy is very important as it is a 
vital part of a comprehensive security feature set.  And it would be 
much simpler to implement from an end-user perspective than the 
alternative of doing it in xml_curl.

As a matter of fact, I'm considering offering a bounty for that feature. 
  What is the going rate for that kind of thing?

Is anyone out there interested in coding this feature? Or chipping in 
for the bounty?


Thanks,
Bill


Metik wrote:
> This may be difficult considering that ACL needs to consider the 
> original src IP/URI.  To do that, freeswitch would need to do so 
> using a header that retains that information (i.e. From, Via, Contact, 
> etc.). Which I do not believe is currently possible using auth-acl or 
> apply-proxy-acl. 
> 
> However, you should be able to emulate the behavior using mod_xml_curl  
> (and validating against appropriate variables available when using it to 
> authenticate the request).
> 
> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
> 
> -metik
> 
> 
> Bill W wrote:
>> Hey Brian,
>>
>>
>> I've been doing some testing and I am unable to get auth-calls to work 
>> through a proxy the way I want them to, even with setting 
>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>
>> I have a multi-tenant system with multiple domains with multiple users 
>> in each domain.  And I want to restrict a user to an arbitrary CIDR and 
>> challenge them for a password.  The arbitrary CIDR will vary from UA to 
>> UA, and is specified in the directory via the auth-acl parameter.
>>
>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of 
>> the proxy.
>>
>>
>> Thanks,
>> Bill
>>
>> Brian West wrote:
>>   
>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>
>>> /b
>>>
>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>
>>>     
>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia 
>>>> profile and restarted sofia, and still no joy.
>>>>
>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in 
>>>> the directory, but I'm still being rejected by the acl:
>>>>
>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
>>>> Rejected by user acl 190.218.103.12/32
>>>>
>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>> http://pastebin.freeswitch.org/11531
>>>>
>>>> Thoughts?
>>>> Thanks,
>>>> Bill
>>>>       
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>     




More information about the FreeSWITCH-users mailing list
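
The check discussed in this thread, written out as an added example (not code from the thread or from FreeSWITCH): an authentication backend that applies a per-user CIDR to the endpoint address only when the request arrived from a trusted proxy. All function names and the user id are hypothetical, treating 64.135.119.105 as the proxy is an assumption based on the log line above, and how the backend obtains the two addresses from the request is not shown.

```python
import ipaddress

# Constructed sample data. The two addresses are the ones in the log line
# quoted in this thread; treating 64.135.119.105 as the proxy is an assumption.
TRUSTED_PROXIES = [ipaddress.ip_network("64.135.119.105/32")]
USER_ACL = {"bill@example.invalid": "190.218.103.12/32"}  # hypothetical user id


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def effective_source(packet_ip, asserted_ip, trusted=TRUSTED_PROXIES):
    """Pick the address the per-user ACL should be evaluated against.

    packet_ip   -- address the request actually arrived from
    asserted_ip -- endpoint address reported by the proxy (may be None)
    The asserted address is used only when the packet itself came from a
    trusted proxy; otherwise it is client-controlled and ignored.
    """
    pkt = ipaddress.ip_address(packet_ip)
    if asserted_ip and _in_any(pkt, trusted):
        try:
            return ipaddress.ip_address(asserted_ip)
        except ValueError:
            return None  # malformed value from the proxy: fail closed
    return pkt


def acl_allows(user, packet_ip, asserted_ip=None, trusted=TRUSTED_PROXIES):
    """Return True if the request passes the user's CIDR restriction."""
    cidr = USER_ACL.get(user)
    if cidr is None:
        return False  # no ACL on record: fail closed in this sketch
    src = effective_source(packet_ip, asserted_ip, trusted)
    if src is None:
        return False
    return src in ipaddress.ip_network(cidr, strict=False)
```

Passing the CIDR check only narrows where a request may come from; the password challenge still has to succeed separately.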