[Freeswitch-users] ACLs through proxy

Bill W freeswitch at aastral.net
Fri Dec 18 07:53:11 PST 2009


Hello Mathieu,

I assumed that apply-proxy-acl was a modifier of auth-calls, so in my 
quick tests I just hard-coded the UA IP in the profile.

<param name="auth-calls" value="true"/>
<param name="apply-proxy-acl" value="190.218.97.83"/> <!-- IP of UA -->

And I get:
2009-12-18 09:14:28.250929 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
Rejected by user acl 190.218.97.83/32

Where 64.135.119.105 is the IP of my proxy.  And actually this is a 
REGISTER, not an INVITE.

I did a tcpdump, and I'm not seeing the X-AUTH-IP header in the register 
packet.

I will be incommunicado for the rest of today, but when I get back 
online, I'll see if I can get my proxy to add the X-AUTH-IP to the 
REGISTER packet and see if that makes a difference.


Thanks for your help!
Bill
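The rejection above and the apply-proxy-acl behaviour Mathieu describes in the quoted reply can be modelled in a few lines. This is an added illustration, not FreeSWITCH's own code: the address values are the ones quoted in the thread, the header and ACL handling follows Mathieu's description of sofia.c, and the function names are invented for the example.

```python
import ipaddress

# Constructed from the thread: the proxy, the UA behind it and the
# per-user auth-acl from the directory.
PROXY_IP = "64.135.119.105"
UA_IP = "190.218.97.83"
USER_ACL = ["190.218.97.83/32"]


def in_acl(ip, acl):
    """True if ip falls inside any entry of acl; a bare IP counts as a /32."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)


def effective_source_ip(pkt_src, proxy_acl, headers):
    """Model of apply-proxy-acl as described in the thread: X-AUTH-IP is
    honoured only when the packet really came from a listed proxy. The same
    header arriving from any other address is ignored, since any host could
    insert one; that gate is what keeps the user ACL meaningful."""
    if in_acl(pkt_src, proxy_acl) and "X-AUTH-IP" in headers:
        return headers["X-AUTH-IP"]
    return pkt_src


def check_user_acl(pkt_src, proxy_acl, headers, user_acl):
    """Return (accepted, reason); the reason mirrors the sofia_reg.c warning."""
    ip = effective_source_ip(pkt_src, proxy_acl, headers)
    if in_acl(ip, user_acl):
        return True, f"IP {ip} accepted by user acl {user_acl[0]}"
    return False, f"IP {ip} Rejected by user acl {user_acl[0]}"


def scenarios():
    """Three cases side by side (hypothetical helper for the example)."""
    ua_hdr = {"X-AUTH-IP": UA_IP}
    return {
        # Bill's test: the UA address is in apply-proxy-acl, so the proxy is
        # not trusted and its own address is what gets checked.
        "proxy_not_listed": check_user_acl(PROXY_IP, [UA_IP], {}, USER_ACL),
        # Proxy listed and forwarding the header: the UA address is checked.
        "proxy_listed": check_user_acl(PROXY_IP, [PROXY_IP], ua_hdr, USER_ACL),
        # Header present but sent directly by an unlisted host: ignored.
        "header_from_unlisted": check_user_acl("203.0.113.9", [PROXY_IP], ua_hdr, USER_ACL),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:22} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The first scenario reproduces the warning in the log above: with the proxy absent from apply-proxy-acl, the proxy's own address is tested against the user's /32 and fails.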


Mathieu Rene wrote:
> From looking at sofia.c, if the ip address of the caller is in 
> apply-proxy-acl, it'll look for the X-AUTH-IP header in the INVITE packet, 
> and use that one for authentication.
> Is that what you did in your previous tests?
> 
> Mathieu Rene
> Avant-Garde Solutions Inc
> Office: + 1 (514) 664-1044 x100
> Cell: +1 (514) 664-1044 x200
> mrene at avgs.ca
> 
> 
> 
> 
> On 17-Dec-09, at 11:02 PM, Bill W wrote:
> 
>> Hey Metik,
>>
>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>
>> I guess I'll have to do that in the short term, but in my opinion,  
>> having
>> auth-acl be able to work through a proxy is very important as it is a
>> vital part of a comprehensive security feature set.  And it would be
>> much simpler to implement from an end-user perspective than the
>> alternative of doing it in xml_curl.
>>
>> As a matter of fact, I'm considering offering a bounty for that  
>> feature.
>>  What is the going rate for that kind of thing?
>>
>> Is anyone out there interested in coding this feature? Or chipping in
>> for the bounty?
>>
>>
>> Thanks,
>> Bill
>>
>>
>> Metik wrote:
>>> This may be difficult considering that ACL needs to consider the
>>> original src IP/URI.  To do that, freeswitch would need to do so
>>> using a header that retains that information (i.e. From, Via,  
>>> Contact,
>>> etc.). Which I do not believe is currently possible using auth-acl or
>>> apply-proxy-acl.
>>>
>>> However, you should be able to emulate the behavior using  
>>> mod_xml_curl
>>> (and validating against appropriate variables available when using  
>>> it to
>>> authenticate the request).
>>>
>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>
>>> -metik
>>>
>>>
>>> Bill W wrote:
>>>> Hey Brian,
>>>>
>>>>
>>>> I've been doing some testing and I am unable to get auth-calls to  
>>>> work
>>>> through a proxy the way I want them to, even with setting
>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>
>>>> I have a multi-tenant system with multiple domains with multiple  
>>>> users
>>>> in each domain.  And I want to restrict a user to an arbitrary  
>>>> CIDR and
>>>> challenge them for a password.  The arbitrary CIDR will vary from  
>>>> UA to
>>>> UA, and is specified in the directory via the auth-acl parameter.
>>>>
>>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint,  
>>>> not of
>>>> the proxy.
>>>>
>>>>
>>>> Thanks,
>>>> Bill
>>>>
>>>> Brian West wrote:
>>>>
>>>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>>>
>>>>> /b
>>>>>
>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>
>>>>>
>>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to  
>>>>>> my sofia
>>>>>> profile and restarted sofia, and still no joy.
>>>>>>
>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> 
>>>>>> in
>>>>>> the directory, but I'm still being rejected by the acl:
>>>>>>
>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP  
>>>>>> 64.135.119.105
>>>>>> Rejected by user acl 190.218.103.12/32
>>>>>>
>>>>>> Here's what I believe is the appropriate snippet of the debug  
>>>>>> output:
>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>
>>>>>> Thoughts?
>>>>>> Thanks,
>>>>>> Bill
>>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>
> 
> 
