[Freeswitch-users] ACLs through proxy

Mathieu Rene mrene_lists at avgs.ca
Thu Dec 17 22:08:16 PST 2009


From looking at sofia.c, if the IP address of the caller is in apply-proxy-acl,
it'll look for the X-AUTH-IP header in the INVITE packet,
and use that one for authentication.
Is that what you did in your previous tests?

Mathieu Rene
Avant-Garde Solutions Inc
Office: + 1 (514) 664-1044 x100
Cell: +1 (514) 664-1044 x200
mrene at avgs.ca




On 17-Dec-09, at 11:02 PM, Bill W wrote:

> Hey Metik,
>
> Thanks for the reply, and the pointers for doing it with xml_curl.
>
> I guess I'll have to do that in the short term, but in my opinion, having
> auth-acl be able to work through a proxy is very important as it is a
> vital part of a comprehensive security feature set.  And it would be
> much simpler to implement from an end-user perspective than the
> alternative of doing it in xml_curl.
>
> As a matter of fact, I'm considering offering a bounty for that feature.
> What is the going rate for that kind of thing?
>
> Is anyone out there interested in coding this feature? Or chipping in
> for the bounty?
>
>
> Thanks,
> Bill
>
>
> Metik wrote:
>> This may be difficult considering that ACL needs to consider the
>> original src IP/URI.  To do that, freeswitch would need to do so
>> using a header that retains that information (i.e. From, Via, Contact,
>> etc.). Which I do not believe is currently possible using auth-acl or
>> apply-proxy-acl.
>>
>> However, you should be able to emulate the behavior using mod_xml_curl
>> (and validating against appropriate variables available when using it to
>> authenticate the request).
>>
>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>
>> -metik
>>
>>
>> Bill W wrote:
>>> Hey Brian,
>>>
>>>
>>> I've been doing some testing and I am unable to get auth-calls to work
>>> through a proxy the way I want them to, even with setting
>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>
>>> I have a multi-tenant system with multiple domains with multiple users
>>> in each domain.  And I want to restrict a user to an arbitrary CIDR and
>>> challenge them for a password.  The arbitrary CIDR will vary from UA to
>>> UA, and is specified in the directory via the auth-acl parameter.
>>>
>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of
>>> the proxy.
>>>
>>>
>>> Thanks,
>>> Bill
>>>
>>> Brian West wrote:
>>>
>>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>>
>>>> /b
>>>>
>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>
>>>>
>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia
>>>>> profile and restarted sofia, and still no joy.
>>>>>
>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in
>>>>> the directory, but I'm still being rejected by the acl:
>>>>>
>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
>>>>>
>>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>>> http://pastebin.freeswitch.org/11531
>>>>>
>>>>> Thoughts?
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>

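A model of the decision described at the top of this message, added here as an example; it is not code from sofia.c or from anyone in the thread. The proxy address and auth-acl value are the ones in the quoted log line, while the function names, the 203.0.113.50 address and the fail-closed handling of a malformed header are assumptions of this sketch.

```python
import ipaddress

PROXY_IP = "64.135.119.105"        # packet source seen in the thread's log line
USER_ACL = ["190.218.103.12/32"]   # auth-acl value from the thread

def in_acl(ip, cidrs):
    """True if ip falls inside any CIDR in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def effective_auth_ip(source_ip, headers, proxy_acl):
    """Return the address to test against auth-acl, or None to reject."""
    # SIP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}
    claimed = hdrs.get("x-auth-ip")
    # Only a sender inside the trusted proxy ACL may speak for another address;
    # from anyone else the header is ignored, since the sender controls it.
    if claimed is None or not in_acl(source_ip, proxy_acl):
        return source_ip
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return None  # assumption of this example: malformed header fails closed

def check_user_acl(source_ip, headers, proxy_acl, auth_acl):
    """Return (address evaluated, allowed)."""
    ip = effective_auth_ip(source_ip, headers, proxy_acl)
    return ip, ip is not None and in_acl(ip, auth_acl)

if __name__ == "__main__":
    trusted = [PROXY_IP + "/32"]
    hdr = {"X-AUTH-IP": "190.218.103.12"}
    cases = [
        ("proxy not in trusted ACL", PROXY_IP, hdr, []),
        ("proxy trusted, header set", PROXY_IP, hdr, trusted),
        ("untrusted source, header set", "203.0.113.50", hdr, trusted),  # constructed
        ("proxy trusted, bad header", PROXY_IP, {"X-AUTH-IP": "not-an-ip"}, trusted),
    ]
    for label, src, headers, proxy_acl in cases:
        print(label, check_user_acl(src, headers, proxy_acl, USER_ACL))
```

The first case reproduces the rejection in the quoted log: with no trusted-proxy match, the user ACL is evaluated against the proxy's own address.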



