[Freeswitch-users] ACL: auth_calls + apply-inbound-acl/auth-acl

Vallimamod Abdullah vma at vallimamod.org
Wed Dec 6 11:19:42 UTC 2017


Hi Anatoli,

Just saw your email.

The auth-acl is always checked first. If it passes, the call is accepted with no further check. Only if it fails:
- If auth-calls is true, digest auth is tried (that's why in logs you have: "Rejected by acl "xxx". Falling back to Digest auth.")
- else, call is rejected.

Hope this helps to make things clearer!

Best Regards,
-- 
Vallimamod Abdullah
SIP Solutions
vma at sipsolutions.fr

> On 23 Nov 2017, at 22:48, Anatoli <me at anatoli.ws> wrote:
> 
> Hi Vallimamod,
> 
> Thanks a lot for your detailed explanation, sure it helps! It would be great to add these details to the documentation (not sure whom to ask about this). IMO the behavior you describe can't be inferred from the current documentation and it deals with security/authentication.
> 
> Could you please explain what would be the effect of auth-calls=true + auth-acl=<ip_range>?
> I suppose if the IP matches, it goes through the digest auth. If the IP doesn't match, sofia responds with 403 forbidden, right?
> 
> Thanks,
> Anatoli
> 
> From: Vallimamod Abdullah
> Sent: Tuesday, November 21, 2017 09:35
> To: Freeswitch Users Help
> Subject: Re: [Freeswitch-users] ACL: auth_calls + apply-inbound-acl/auth-acl
> 
> Hi,
> 
> Your mail is dense; I will try to answer as best I can from my understanding of the source code:
> 
> - The default value for auth-calls is false.
> 
> - When a call arrives, the apply-inbound-acl is checked first:
>   * If the IP is approved by the acl, the access is granted
>   * If the IP is rejected by the acl and auth-calls is false, sofia responds with 403 forbidden (I skip the proxy-acl and X-AUTH-IP checks for simplicity)
>   * If the IP is rejected by the acl and auth-calls is true, it falls back to digest auth.
> 
> - If accept-blind-auth is set with auth-calls, freeswitch only checks if the From user is defined in the directory. If so, the user is authorized (without any password check).
> 
> - If auth-calls is set without the acl, the call goes through digest authentication.
> 
> - If neither is set, the call is accepted.
> 
> In your case, even if you can define a CIDR directly in the apply-inbound-acl param value, it would be best to set it to a list name defined in autoload_configs/acl.conf.xml.
> 
> Hope this helps!
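The decision order described in this thread, as an added example (not FreeSWITCH code and not written by anyone on the list). It models only apply-inbound-acl and auth-calls; accept-blind-auth, proxy-acl and X-AUTH-IP are left out. The list name trusted_peers, the addresses and both XML snippets are constructed, and the ACL matching is a simplification (first matching node decides, otherwise the list default).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread): an ACL list as it would
# appear in autoload_configs/acl.conf.xml, and sofia profile params.
ACL_XML = """<lists>
  <list name="trusted_peers" default="deny">
    <node type="allow" cidr="192.0.2.0/24"/>
  </list>
</lists>"""
PROFILE_XML = """<settings>
  <param name="apply-inbound-acl" value="trusted_peers"/>
  <param name="auth-calls" value="true"/>
</settings>"""

def acl_allows(acl_xml, list_name, ip):
    """Simplified ACL check: first matching node decides, else the list default."""
    lst = ET.fromstring(acl_xml).find(f"list[@name='{list_name}']")
    if lst is None:
        return False  # assumption: an unknown list name is treated as no match
    addr = ipaddress.ip_address(ip)
    for node in lst.findall("node"):
        if addr in ipaddress.ip_network(node.get("cidr")):
            return node.get("type") == "allow"
    return lst.get("default") == "allow"

def inbound_decision(profile_xml, acl_xml, ip):
    """Return the outcome the thread describes for one inbound call from ip."""
    params = {p.get("name"): p.get("value")
              for p in ET.fromstring(profile_xml).findall("param")}
    acl = params.get("apply-inbound-acl")
    auth_calls = params.get("auth-calls", "false") == "true"  # default is false
    # The ACL is checked first; a match accepts the call with no digest auth.
    if acl and acl_allows(acl_xml, acl, ip):
        return "accept (ACL match, no digest)"
    if auth_calls:
        # ACL rejected (or no ACL set) and auth-calls is true: digest auth.
        return "digest auth"
    # auth-calls false: an ACL rejection is final; with nothing set, accept.
    return "403 Forbidden" if acl else "accept (nothing configured)"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "->", inbound_decision(PROFILE_XML, ACL_XML, ip))
```

With auth-calls=true and an ACL both set, a source address inside the ACL is accepted without any password check, so the ACL should list only peers that are trusted to place calls unauthenticated.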



