[Freeswitch-users] ACLs through proxy

Metik freeswitch-users-list at metik.com
Sat Dec 19 08:41:06 PST 2009


Bill,

I think you would add this to the user profile in the directory. The 
"brian.xml" example (located in ${confdir}/directory/) provided with the 
default/sample configuration files demonstrates how to to do this by 
introducing a "cidr" attribute to the the "user" element.

Example:

<user id="7105551212" cidr="127.0.0.0/8//">
    <params>
      <param name="password" value="opensaysme"/>
      <param name="vm-password" value="14916"/>
    </params>
    <variables>
      <variable name="user_context" value="default"/>
    </variables>
  </user>

"http://wiki.freeswitch.org/wiki/Acl" contains some great info 
(including a relevant example).

-metik

Bill W. wrote:
> Hey Metik,
>
> Thanks so much for your insights and your help.  And yes, I was able to
> append the X-AUTH-IP header with no problem.   But that didn't solve the
> issue.  After some more research, it appears that the problem isn't with
> auth-calls at all.
>
> I disabled all auth-call directives in every sip profile and the
> registration through a proxy is still being rejected.
>
> I looked in sofia_reg.c and if auth_acl is defined, sofia_reg checks the
> ip variable against the auth_acl cidr.
>
> if (auth_acl) {
> 	if (!switch_check_network_list_ip(ip, auth_acl)) {
>                         switch_log_printf(SWITCH_CHANNEL_LOG,
> SWITCH_LOG_WARNING, "IP %s Rejected by user acl %s\n", ip, auth_acl);
>                         ret = AUTH_FORBIDDEN;
>                         goto end;
>                 }
>
> So I guess the question is, is it possible to control what gets put into
> the ip variable?
>
> Thanks,
> Bill
>
>
> Metik wrote:
>   
>> Honestly, several years ago I accomplished this by mod'ing SER (which 
>> became OpenSER which was then forked to OpenSIPS and Kamalio) and using 
>> one cluster of proxies for subscriber endpoints and another for 
>> infrastructure (so that I could keep RTP flows optimized yet support 
>> double NAT when required by an endpoint). Although the network looks 
>> different today.
>>
>> However, we were never quite happy about the lack of media failover 
>> (complicated NAT) and evaluated several commercial solutions until 
>> finding Covergence (which is now, for better or for worse since the jury 
>> is still out, owned by ACME Packet).  At the time, they offered the best 
>> mix of security (their forte) yet scaled very well in comparison to 
>> their competitors that I had tested in our lab (ACME Packet, Kagoor, 
>> Netrake, NexTone, Kagoor, and Jasomi).  In fact, they made a great 
>> decision, not unlike that of the FS developers, to implement a 
>> proven/stable SIP protocol stack.  Nothing is perfect and that does not 
>> mean that we did not spend a considerable amount of time documenting 
>> bugs so that they could be addressed and it would work as it should
>>
>> We still use OpenSIPS for certain CSCF functionality (due to its speed 
>> and flexibility since it is not a B2BUA).
>>
>> Based on Mathieu's response (and he is definitely someone that would 
>> know), it looks like you should be able to easily append a X-AUTH-IP 
>> header (via OpenSIPS) containing the IP address of the endpoint and call 
>> it a day.
>>
>> -metik
>>
>>
>> Bill W wrote:
>>     
>>> Hey Metik,
>>>
>>> That's exactly what I'm trying to do... load balance across multiple FS 
>>> boxes, and have any machine in the cluster be able to reach a device 
>>> behind a NAT firewall.  Hence the need for the proxy.  Also, I'm trying 
>>> to keep the proxy relatively "dumb" and put all the logic in the FS boxes.
>>>
>>> True I could do the auth on the proxies as well, but then I'm setting up 
>>> another authentication scheme in addition to what is on the FS boxes, 
>>> and then integrating the databases so everything is consistent.
>>>
>>> I also have hosts that talk to the FS boxes directly, rather than 
>>> through the proxy.  So I can't get rid of auth_acl on FS either, even if 
>>> I do implement it on the proxies.   So my setup becomes much more 
>>> complex and potentially brittle.
>>>
>>> And all we're really talking about for FreeSWITCH, conceptually 
>>> speaking, is populating a variable with a different IP.  We could even 
>>> make it configurable, as to which IP is to be used for the auth-acl.
>>>
>>> What are you using for SBCs? (if you are allowed to divulge that)  I'm 
>>> currently using OpenSIPS for my proxy.
>>>
>>> Thanks,
>>> Bill
>>>
>>> Metik wrote:
>>>   
>>>       
>>>> Why not simply implement this feature in the PROXY itself?
>>>>
>>>> FS has a pretty comprehensive security feature set for endpoints that 
>>>> directly register with it.
>>>>
>>>> Don't get me wrong, I do agree this is useful especially if you are 
>>>> going to be using your proxies to load balance across multiple FS boxes 
>>>> to create an ad-hoc cluster.  I actually have session border controllers 
>>>> that have this feature and use it quite often.
>>>>
>>>> -metik
>>>>
>>>> Bill W wrote:
>>>>     
>>>>         
>>>>> Hey Metik,
>>>>>
>>>>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>>>>
>>>>> I'll guess have to do that in the short term, but in my opinion, having 
>>>>> auth-acl be able to work through a proxy is very important as it is a 
>>>>> vital part of a comprehensive security feature set.  And it would be 
>>>>> much simpler to implement from an end-user perspective than the 
>>>>> alternative of doing it in xml_curl.
>>>>>
>>>>> As a matter of fact, I'm considering offering a bounty for that feature. 
>>>>>   What is the going rate for that kind of thing?
>>>>>
>>>>> Is anyone out there interested in coding this feature? Or chipping in 
>>>>> for the bounty?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>>>
>>>>> Metik wrote:
>>>>>   
>>>>>       
>>>>>           
>>>>>> This may be difficult considering that ACL needs to consider the 
>>>>>> original src IP/URI.  To do that it, freeswitch would need to do so 
>>>>>> using a header that retains that information (i.e. From, Via, Contact, 
>>>>>> etc.). Which I do not believe is currently possible using auth-acl or 
>>>>>> apply-proxy-acl. 
>>>>>>
>>>>>> However, you should be able to emulate the behavior using mod_xml_curl  
>>>>>> (and validating against appropriate variables available when using it to 
>>>>>> authenticate the request).
>>>>>>
>>>>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>>>>
>>>>>> -metik
>>>>>>
>>>>>>
>>>>>> Bill W wrote:
>>>>>>     
>>>>>>         
>>>>>>             
>>>>>>> Hey Brian,
>>>>>>>
>>>>>>>
>>>>>>> I've been doing some testing and I am unable to get auth-calls to work 
>>>>>>> through a proxy the way I want them to, even with setting 
>>>>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>>>>
>>>>>>> I have a multi-tenant system with multiple domains with multiple users 
>>>>>>> in each domain.  And I want to restrict a user to an arbitrary CIDR and 
>>>>>>> challenge them for a password.  The arbitrary CIDR will vary from UA to 
>>>>>>> UA, and is specified in the directory via the auth-acl parameter.
>>>>>>>
>>>>>>> TL,DR; I want to get auth-calls to use the IP of the UA endpoint, not of 
>>>>>>> the proxy.
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Bill
>>>>>>>
>>>>>>> Brian West wrote:
>>>>>>>   
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>>>> it needs to be an ACL from acl.conf or a ip/cidr
>>>>>>>>
>>>>>>>> /b
>>>>>>>>
>>>>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>>>>
>>>>>>>>     
>>>>>>>>         
>>>>>>>>             
>>>>>>>>                 
>>>>>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia 
>>>>>>>>> profile and restarted sofia, and still no joy.
>>>>>>>>>
>>>>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in 
>>>>>>>>> the directory, but I'm still being rejected by the acl:
>>>>>>>>>
>>>>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 
>>>>>>>>> Rejected by user acl 190.218.103.12/32
>>>>>>>>>
>>>>>>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>>>>
>>>>>>>>> Thoughts?
>>>>>>>>> Thanks,
>>>>>>>>> Bill
>>>>>>>>>       
>>>>>>>>>           
>>>>>>>>>               
>>>>>>>>>                   
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> FreeSWITCH-users mailing list
>>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>>> http://www.freeswitch.org
>>>>>>>>     
>>>>>>>>         
>>>>>>>>             
>>>>>>>>                 
>>>>>>> _______________________________________________
>>>>>>> FreeSWITCH-users mailing list
>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>> http://www.freeswitch.org
>>>>>>>
>>>>>>>   
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>> _______________________________________________
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>     
>>>>>>         
>>>>>>             
>>>>> _______________________________________________
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>>   
>>>>>       
>>>>>           
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>     
>>>>         
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>   
>>>       
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>     
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>   





More information about the FreeSWITCH-users mailing list