[Freeswitch-users] ACLs through proxy
Bill W
freeswitch at aastral.net
Thu Dec 17 22:30:32 PST 2009
Hey Metik,
That's exactly what I'm trying to do... load balance across multiple FS
boxes, and have any machine in the cluster be able to reach a device
behind a NAT firewall. Hence the need for the proxy. Also, I'm trying
to keep the proxy relatively "dumb" and put all the logic in the FS boxes.
True I could do the auth on the proxies as well, but then I'm setting up
another authentication scheme in addition to what is on the FS boxes,
and then integrating the databases so everything is consistent.
I also have hosts that talk to the FS boxes directly, rather than
through the proxy. So I can't get rid of auth_acl on FS either, even if
I do implement it on the proxies. So my setup becomes much more
complex and potentially brittle.
And all we're really talking about for FreeSWITCH, conceptually
speaking, is populating a variable with a different IP. We could even
make it configurable, as to which IP is to be used for the auth-acl.
What are you using for SBCs? (if you are allowed to divulge that) I'm
currently using OpenSIPS for my proxy.
Thanks,
Bill
Metik wrote:
> Why not simply implement this feature in the PROXY itself?
>
> FS has a pretty comprehensive security feature set for endpoints that
> directly register with it.
>
> Don't get me wrong, I do agree this is useful especially if you are
> going to be using your proxies to load balance across multiple FS boxes
> to create an ad-hoc cluster. I actually have session border controllers
> that have this feature and use it quite often.
>
> -metik
>
> Bill W wrote:
>> Hey Metik,
>>
>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>
>> I'll guess have to do that in the short term, but in my opinion, having
>> auth-acl be able to work through a proxy is very important as it is a
>> vital part of a comprehensive security feature set. And it would be
>> much simpler to implement from an end-user perspective than the
>> alternative of doing it in xml_curl.
>>
>> As a matter of fact, I'm considering offering a bounty for that feature.
>> What is the going rate for that kind of thing?
>>
>> Is anyone out there interested in coding this feature? Or chipping in
>> for the bounty?
>>
>>
>> Thanks,
>> Bill
>>
>>
>> Metik wrote:
>>
>>> This may be difficult considering that ACL needs to consider the
>>> original src IP/URI. To do that it, freeswitch would need to do so
>>> using a header that retains that information (i.e. From, Via, Contact,
>>> etc.). Which I do not believe is currently possible using auth-acl or
>>> apply-proxy-acl.
>>>
>>> However, you should be able to emulate the behavior using mod_xml_curl
>>> (and validating against appropriate variables available when using it to
>>> authenticate the request).
>>>
>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>
>>> -metik
>>>
>>>
>>> Bill W wrote:
>>>
>>>> Hey Brian,
>>>>
>>>>
>>>> I've been doing some testing and I am unable to get auth-calls to work
>>>> through a proxy the way I want them to, even with setting
>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>
>>>> I have a multi-tenant system with multiple domains with multiple users
>>>> in each domain. And I want to restrict a user to an arbitrary CIDR and
>>>> challenge them for a password. The arbitrary CIDR will vary from UA to
>>>> UA, and is specified in the directory via the auth-acl parameter.
>>>>
>>>> TL,DR; I want to get auth-calls to use the IP of the UA endpoint, not of
>>>> the proxy.
>>>>
>>>>
>>>> Thanks,
>>>> Bill
>>>>
>>>> Brian West wrote:
>>>>
>>>>
>>>>> it needs to be an ACL from acl.conf or a ip/cidr
>>>>>
>>>>> /b
>>>>>
>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia
>>>>>> profile and restarted sofia, and still no joy.
>>>>>>
>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in
>>>>>> the directory, but I'm still being rejected by the acl:
>>>>>>
>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105
>>>>>> Rejected by user acl 190.218.103.12/32
>>>>>>
>>>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>
>>>>>> Thoughts?
>>>>>> Thanks,
>>>>>> Bill
>>>>>>
>>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>>
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
More information about the FreeSWITCH-users
mailing list