Why not simply implement this feature in the PROXY itself? FS has a pretty comprehensive security feature set for endpoints that directly register with it.
Don't get me wrong, I do agree this is useful, especially if you are going to be using your proxies to load balance across multiple FS boxes to create an ad-hoc cluster. I actually have session border controllers that have this feature and use it quite often.

-metik

Bill W wrote:
> Hey Metik,
>
> Thanks for the reply, and the pointers for doing it with xml_curl.
>
> I guess I'll have to do that in the short term, but in my opinion, having
> auth-acl be able to work through a proxy is very important as it is a
> vital part of a comprehensive security feature set. And it would be
> much simpler to implement from an end-user perspective than the
> alternative of doing it in xml_curl.
>
> As a matter of fact, I'm considering offering a bounty for that feature.
> What is the going rate for that kind of thing?
>
> Is anyone out there interested in coding this feature? Or chipping in
> for the bounty?
>
> Thanks,
> Bill
>
> Metik wrote:
>
>> This may be difficult considering that ACL needs to consider the
>> original src IP/URI. To do that, freeswitch would need to do so
>> using a header that retains that information (i.e. From, Via, Contact,
>> etc.), which I do not believe is currently possible using auth-acl or
>> apply-proxy-acl.
>>
>> However, you should be able to emulate the behavior using mod_xml_curl
>> (and validating against appropriate variables available when using it to
>> authenticate the request).
>>
>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>
>> -metik
>>
>> Bill W wrote:
>>
>>> Hey Brian,
>>>
>>> I've been doing some testing and I am unable to get auth-calls to work
>>> through a proxy the way I want them to, even with setting
>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>
>>> I have a multi-tenant system with multiple domains with multiple users
>>> in each domain. And I want to restrict a user to an arbitrary CIDR and
>>> challenge them for a password. The arbitrary CIDR will vary from UA to
>>> UA, and is specified in the directory via the auth-acl parameter.
>>>
>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of
>>> the proxy.
>>>
>>> Thanks,
>>> Bill
>>>
>>> Brian West wrote:
>>>
>>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>>
>>>> /b
>>>>
>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>
>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia
>>>>> profile and restarted sofia, and still no joy.
>>>>>
>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in
>>>>> the directory, but I'm still being rejected by the acl:
>>>>>
>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
>>>>>
>>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>>> http://pastebin.freeswitch.org/11531
>>>>>
>>>>> Thoughts?
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users@lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
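
The check discussed in this thread, as an added example that is not part of the original messages and not FreeSWITCH code: a per-user CIDR is evaluated against a proxy-asserted endpoint address only when the packet itself came from a trusted proxy, which is the decision a mod_xml_curl backend would have to make. The function and parameter names are hypothetical, and how the proxy conveys the endpoint address to the backend is an assumption; the two addresses are the ones in the quoted log line.

```python
import ipaddress

# Constructed sample: the proxy address is the one rejected in the thread's
# log line. All names here are hypothetical, not FreeSWITCH fields.
TRUSTED_PROXIES = [ipaddress.ip_network("64.135.119.105/32")]


def in_any(ip, networks):
    """True if ip falls inside at least one of the given networks."""
    return any(ip in net for net in networks)


def effective_source(packet_ip, asserted_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return the address the user ACL should be evaluated against.

    packet_ip   -- source address of the SIP packet as seen on the wire
    asserted_ip -- endpoint address claimed by the sender (assumed to arrive
                   in a header set by the proxy), or None
    The asserted address is honoured only when the packet came from a
    trusted proxy; anyone else could forge it.
    """
    src = ipaddress.ip_address(packet_ip)
    if asserted_ip and in_any(src, trusted_proxies):
        return ipaddress.ip_address(asserted_ip)  # ValueError if malformed
    return src


def user_acl_allows(packet_ip, asserted_ip, user_cidrs,
                    trusted_proxies=TRUSTED_PROXIES):
    """Apply a per-user CIDR list (the role auth-acl plays in the directory)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in user_cidrs]
    try:
        ip = effective_source(packet_ip, asserted_ip, trusted_proxies)
    except ValueError:
        return False  # unparsable address: fail closed
    return in_any(ip, nets)


if __name__ == "__main__":
    acl = ["190.218.103.12/32"]
    # Proxy address checked directly: rejected, as in the log line.
    print(user_acl_allows("64.135.119.105", None, acl))
    # Trusted proxy asserts the endpoint address: allowed.
    print(user_acl_allows("64.135.119.105", "190.218.103.12", acl))
    # Untrusted sender asserts the same address: rejected.
    print(user_acl_allows("203.0.113.9", "190.218.103.12", acl))
```

A password challenge still follows a successful ACL match; the address check only narrows who is allowed to attempt it.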