[Freeswitch-users] ACLs through proxy
Bill W
freeswitch at aastral.net
Tue Dec 15 20:58:46 PST 2009
Hi All,
I have a FreeSWITCH cluster behind an OpenSIPS proxy/load balancer, and
I'd like to be able to use the auth-calls feature in my sip profile in
conjunction with the <param name="auth-acl" value="1.2.3.0/8"/>
parameter in the directory.
In addition to running the INVITEs through the load balancer, I also
need to run the REGISTERs through the load balancer because some of my
endpoints are behind NAT firewalls, and therefore won't accept incoming
calls from IPs other than the IP they registered to. INVITEs from the
cluster going to registered endpoints are sent back through the proxy,
thereby solving the NAT problem.
However, having the proxy in the path effectively negates using IP based
ACLs.
The functionality I require is as follows:
1. Only allow registration if the endpoint IP matches its own unique
acl CIDR (specified in the directory).
2. Only accept INVITEs from endpoints that authenticate AND match the
acl CIDR (again, specified in the directory).
Does anyone have any recommendations on the best way to get the
auth-calls functionality using an IP other than the IP of the last hop?
If not, how hard would it be to add a feature to the auth-calls
parameter to accept a channel variable from which to obtain the actual
endpoint IP?
Thanks!
Bill
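An added example (not part of the original message and not FreeSWITCH or OpenSIPS code) of the check described above, in Python: the per-user auth-acl CIDR is evaluated against the endpoint address asserted by the proxy instead of the last hop, but that asserted address is honoured only when the packet really arrived from a known proxy, since otherwise any client could spoof it to bypass the ACL. The user ACLs, the trusted proxy address and the forwarded-address value are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed sample: per-user CIDRs as they would sit in the directory's
# <param name="auth-acl" value="..."/> entries. "1.2.3.0/8" is the value
# quoted in the post; it has host bits set, so it is parsed non-strictly.
USER_AUTH_ACL = {
    "1001": "203.0.113.0/24",
    "1002": "198.51.100.0/24",
    "1003": "1.2.3.0/8",
}

# Hypothetical: addresses of the OpenSIPS proxy(s) allowed to assert the
# real endpoint IP (e.g. via a channel variable or header the proxy adds).
TRUSTED_PROXIES = {"192.0.2.10"}


def effective_source_ip(last_hop: str, forwarded_ip: Optional[str]) -> str:
    """Return the address the ACL should be evaluated against.

    The proxy-asserted address is used only when the packet's transport
    source is a trusted proxy; a value arriving from anywhere else is
    ignored and the last hop itself is checked.
    """
    if forwarded_ip and last_hop in TRUSTED_PROXIES:
        return forwarded_ip
    return last_hop


def acl_permits(user: str, last_hop: str,
                forwarded_ip: Optional[str] = None) -> bool:
    """True if the effective source address falls inside the user's ACL."""
    cidr = USER_AUTH_ACL.get(user)
    if cidr is None:
        return False  # unknown user: no ACL, no access
    try:
        src = ipaddress.ip_address(effective_source_ip(last_hop, forwarded_ip))
        net = ipaddress.ip_network(cidr, strict=False)  # masks host bits
    except ValueError:
        return False  # malformed address or CIDR is a deny, not an error
    return src in net
```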