[Freeswitch-users] ACL: auth_calls + apply-inbound-acl/auth-acl

Anatoli me at anatoli.ws
Wed Dec 6 18:19:28 UTC 2017


Hi Vallimamod,

Thanks a lot! My supposition was wrong. Quite non-trivial behavior 
again. Your explanation definitely should be added to the documentation.

Regards,
Anatoli

*From:* Vallimamod Abdullah
*Sent:* Wednesday, December 06, 2017 08:19
*To:* Freeswitch Users Help
*Subject:* Re: [Freeswitch-users] ACL: auth_calls + apply-inbound-acl/auth-acl

Hi Anatoli,

Just saw your email.

The auth-acl is always checked first. If it passes, the call is accepted with no further check. Only if it fails:
- If auth-calls is true, digest auth is tried (that's why in logs you have: "Rejected by acl "xxx". Falling back to Digest auth.")
- else, call is rejected.

Hope this helps to make things clearer!

Best Regards,
-- Vallimamod Abdullah, SIP Solutions, vma at sipsolutions.fr

> On 23 Nov 2017, at 22:48, Anatoli <me at anatoli.ws> wrote:
>
> Hi Vallimamod,
>
> Thanks a lot for your detailed explanation, sure it helps! It would be great to add these details to the documentation (not sure whom to ask about this). IMO the behavior you describe can't be inferred from the current documentation and it deals with security/authentication.
>
> Could you please explain what would be the effect of auth-calls=true + auth-acl=<ip_range>?
> I suppose if the IP matches, it goes through the digest auth. If the IP doesn't match, sofia responds with 403 forbidden, right?
>
> Thanks,
> Anatoli
>
> From: Vallimamod Abdullah
> Sent: Tuesday, November 21, 2017 09:35
> To: Freeswitch Users Help
> Subject: Re: [Freeswitch-users] ACL: auth_calls + apply-inbound-acl/auth-acl
>
> Hi,
>
> Your mail is dense, I will try to answer at my best from my understanding of the source code:
>
> - the default value for auth-call is false.
>
> - When a call arrives, the apply-inbound-acl is checked first:
>    * If the IP is approved by the acl, the access is granted
>    * If the IP is rejected by the acl and auth-call is false, sofia responds with 403 forbidden (I skip the proxy-acl and X-AUTH-IP checks for simplicity)
>    * If the IP is rejected by the acl and auth-call is true, it falls back to digest auth.
>
> - If accept-blind-auth is set with auth-call, freeswitch only checks if the From user is defined in the directory. If so, the user is authorized (without any password check)
>
> - If auth-call is set without the acl, the call goes through digest authentication
>
> - If neither is set, the call is accepted.
>
> In your case, even if you can define directly a cidr in the apply-inbound-acl param value, it would be best to set it to a list name defined in autoload_configs/acl.conf.xml.
>
> Hope this helps!
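To make the decision path described in the thread concrete, here is an added configuration example (not from the thread or the FreeSWITCH project): a sofia profile that points apply-inbound-acl at a named list in autoload_configs/acl.conf.xml, as suggested above, with auth-calls enabled. The profile name "internal", the list name "trusted_trunks" and the 203.0.113.0/24 range are assumed placeholder values.

```xml
<!-- autoload_configs/acl.conf.xml: define the list by name instead of
     putting a bare cidr into the profile parameter (assumed list name). -->
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <!-- default="deny": anything not listed below fails the ACL -->
    <list name="trusted_trunks" default="deny">
      <node type="allow" cidr="203.0.113.0/24"/>   <!-- assumed trunk range -->
    </list>
  </network-lists>
</configuration>

<!-- sip_profiles/internal.xml (relevant params only, assumed profile name).
     Evaluation order for an inbound INVITE, as explained in the thread:
       1. apply-inbound-acl is checked first; a source IP inside
          203.0.113.0/24 is accepted with no further check.
       2. an IP outside the list fails the ACL; because auth-calls is
          true, sofia logs "Rejected by acl ... Falling back to Digest
          auth." and challenges the caller instead of sending 403.
       3. with auth-calls="false" the same IP would get 403 Forbidden,
          so set it to false only when every legitimate caller is in
          the list. -->
<profile name="internal">
  <settings>
    <param name="apply-inbound-acl" value="trusted_trunks"/>
    <param name="auth-calls" value="true"/>
    <!-- leave accept-blind-auth unset: with auth-calls it would skip
         the password check for any From user present in the directory -->
  </settings>
</profile>
```

Reload with "reloadacl" and "sofia profile internal rescan" (or restart the profile) after editing, then confirm the fallback message in the log for a source outside the list.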
