[Freeswitch-users] ACLs through proxy

Mathieu Rene mrene_lists at avgs.ca
Fri Dec 18 07:55:52 PST 2009


You need to add that header manually in your OpenSIPS config,
FreeSWITCH won't look in Record-Route/Via to try to guess it.

Mathieu Rene
Avant-Garde Solutions Inc
Office: + 1 (514) 664-1044 x100
Cell: +1 (514) 664-1044 x200
mrene at avgs.ca



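As an added example (not from this thread, nor from the OpenSIPS or FreeSWITCH projects), here is the proxy side of what Mathieu describes: OpenSIPS itself stamps the UA's source address into X-AUTH-IP before relaying to FreeSWITCH. It assumes OpenSIPS 1.x with the tm, sl and textops modules (t_relay, sl_reply_error, is_method, append_hf, remove_hf) and the $si source-IP pseudo-variable, a FreeSWITCH at the placeholder address 192.0.2.10, and, following Mathieu's reading of sofia.c, a sofia profile whose apply-proxy-acl lists this proxy's own address (64.135.119.105 in Bill's logs) rather than the UA's, since FreeSWITCH only consults X-AUTH-IP when the packet's source matches that ACL.

```cfg
# Added example, not from the mailing-list thread or either project.
# Assumed: OpenSIPS 1.x; FreeSWITCH at 192.0.2.10 (placeholder) with
#   <param name="apply-proxy-acl" value="64.135.119.105/32"/>  (this proxy only)
# in its sofia profile and auth-acl set per user in the directory.
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "textops.so"

route {
    # Requests coming back from FreeSWITCH (e.g. an INVITE towards a
    # registered UA) carry no X-AUTH-IP and are relayed untouched.
    if ($si == "192.0.2.10") {   # FreeSWITCH address (assumed)
        t_relay();
        exit;
    }

    # Requests from user agents. FreeSWITCH only sees this proxy's address
    # on the wire, so the header is the one place the UA's real address
    # survives the hop; add it to REGISTER as well as INVITE.
    if (is_method("REGISTER|INVITE")) {
        # Drop any X-AUTH-IP the client itself sent. FreeSWITCH takes the
        # value at face value from anything matching apply-proxy-acl, so
        # a UA could otherwise claim an address inside another user's
        # auth-acl CIDR.
        remove_hf("X-AUTH-IP");
        # $si is the source IP of the request as received by this proxy.
        append_hf("X-AUTH-IP: $si\r\n");
    }

    # Forward to FreeSWITCH (address assumed).
    $du = "sip:192.0.2.10:5060";
    if (!t_relay()) {
        sl_reply_error();
    }
}
```

Two things follow from FreeSWITCH trusting the header from whatever matches apply-proxy-acl: keep that ACL to the proxy's own address, and always strip a client-supplied X-AUTH-IP before adding yours. Confirm with tcpdump on the FreeSWITCH side, as Bill did, that both REGISTER and INVITE arrive carrying the header.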

On 18-Dec-09, at 10:53 AM, Bill W wrote:

> Hello Mathieu,
>
> I assumed that apply-proxy-acl was a modifier of auth-calls, so in my
> quick tests I just hard-coded the UA IP in the profile.
>
> <param name="auth-calls" value="true"/>
> <param name="apply-proxy-acl" value="190.218.97.83"/> <!-- IP of UA -->
>
> And I get:
> 2009-12-18 09:14:28.250929 [WARNING] sofia_reg.c:1928 IP 64.135.119.105
> Rejected by user acl 190.218.97.83/32
>
> Where 64.135.119.105 is the IP of my proxy.  And actually this is a
> REGISTER, not an INVITE.
>
> I did a tcpdump, and I'm not seeing the X-AUTH-IP header in the
> REGISTER packet.
>
> I will be incommunicado for the rest of today, but when I get back
> online, I'll see if I can get my proxy to add the X-AUTH-IP to the
> REGISTER packet and see if that makes a difference.
>
>
> Thanks for your help!
> Bill
>
>
> Mathieu Rene wrote:
>> From looking at sofia.c, if the ip address of the caller is in
>> apply-proxy-acl, it'll look for the X-AUTH-IP header in the INVITE packet,
>> and use that one for authentication.
>> Is that what you did in your previous tests?
>>
>> Mathieu Rene
>> Avant-Garde Solutions Inc
>> Office: + 1 (514) 664-1044 x100
>> Cell: +1 (514) 664-1044 x200
>> mrene at avgs.ca
>>
>>
>>
>>
>> On 17-Dec-09, at 11:02 PM, Bill W wrote:
>>
>>> Hey Metik,
>>>
>>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>>
>>> I guess I'll have to do that in the short term, but in my opinion,
>>> having
>>> auth-acl be able to work through a proxy is very important as it  
>>> is a
>>> vital part of a comprehensive security feature set.  And it would be
>>> much simpler to implement from an end-user perspective than the
>>> alternative of doing it in xml_curl.
>>>
>>> As a matter of fact, I'm considering offering a bounty for that
>>> feature.
>>> What is the going rate for that kind of thing?
>>>
>>> Is anyone out there interested in coding this feature? Or chipping  
>>> in
>>> for the bounty?
>>>
>>>
>>> Thanks,
>>> Bill
>>>
>>>
>>> Metik wrote:
>>>> This may be difficult considering that the ACL needs to consider the
>>>> original src IP/URI.  To do that, FreeSWITCH would need to do so
>>>> using a header that retains that information (i.e. From, Via, Contact,
>>>> etc.), which I do not believe is currently possible using auth-acl or
>>>> apply-proxy-acl.
>>>>
>>>> However, you should be able to emulate the behavior using
>>>> mod_xml_curl
>>>> (and validating against appropriate variables available when using
>>>> it to
>>>> authenticate the request).
>>>>
>>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>>
>>>> -metik
>>>>
>>>>
>>>> Bill W wrote:
>>>>> Hey Brian,
>>>>>
>>>>>
>>>>> I've been doing some testing and I am unable to get auth-calls to
>>>>> work
>>>>> through a proxy the way I want them to, even with setting
>>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>>
>>>>> I have a multi-tenant system with multiple domains with multiple
>>>>> users
>>>>> in each domain.  And I want to restrict a user to an arbitrary
>>>>> CIDR and
>>>>> challenge them for a password.  The arbitrary CIDR will vary from
>>>>> UA to
>>>>> UA, and is specified in the directory via the auth-acl parameter.
>>>>>
>>>>> TL,DR; I want to get auth-calls to use the IP of the UA endpoint,
>>>>> not of
>>>>> the proxy.
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>>> Brian West wrote:
>>>>>
>>>>>> it needs to be an ACL from acl.conf or an IP/CIDR
>>>>>>
>>>>>> /b
>>>>>>
>>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>>
>>>>>>
>>>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to
>>>>>>> my sofia
>>>>>>> profile and restarted sofia, and still no joy.
>>>>>>>
>>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in
>>>>>>> the directory, but I'm still being rejected by the acl:
>>>>>>>
>>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105
>>>>>>> Rejected by user acl 190.218.103.12/32
>>>>>>>
>>>>>>> Here's what I believe is the appropriate snippet of the debug
>>>>>>> output:
>>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>>
>>>>>>> Thoughts?
>>>>>>> Thanks,
>>>>>>> Bill
>>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>
>>
>>
>