From looking at sofia.c, if the ip address of the caller is in apply-proxy-acl, it'll look for the X-AUTH-IP header in the INVITE packet, and use that one for authentication. Is that what you did in your previous tests?
Mathieu Rene
Avant-Garde Solutions Inc
Office: + 1 (514) 664-1044 x100
Cell: +1 (514) 664-1044 x200
mr...@avgs.ca

On 17-Dec-09, at 11:02 PM, Bill W wrote:

> Hey Metik,
>
> Thanks for the reply, and the pointers for doing it with xml_curl.
>
> I guess I'll have to do that in the short term, but in my opinion, having
> auth-acl be able to work through a proxy is very important as it is a
> vital part of a comprehensive security feature set. And it would be
> much simpler to implement from an end-user perspective than the
> alternative of doing it in xml_curl.
>
> As a matter of fact, I'm considering offering a bounty for that feature.
> What is the going rate for that kind of thing?
>
> Is anyone out there interested in coding this feature? Or chipping in
> for the bounty?
>
> Thanks,
> Bill
>
> Metik wrote:
>> This may be difficult considering that ACL needs to consider the
>> original src IP/URI. To do that, freeswitch would need to do so
>> using a header that retains that information (i.e. From, Via, Contact,
>> etc.). Which I do not believe is currently possible using auth-acl or
>> apply-proxy-acl.
>>
>> However, you should be able to emulate the behavior using mod_xml_curl
>> (and validating against appropriate variables available when using it to
>> authenticate the request).
>>
>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>
>> -metik
>>
>> Bill W wrote:
>>> Hey Brian,
>>>
>>> I've been doing some testing and I am unable to get auth-calls to work
>>> through a proxy the way I want them to, even with setting
>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>
>>> I have a multi-tenant system with multiple domains with multiple users
>>> in each domain. And I want to restrict a user to an arbitrary CIDR and
>>> challenge them for a password. The arbitrary CIDR will vary from UA to
>>> UA, and is specified in the directory via the auth-acl parameter.
>>>
>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of
>>> the proxy.
>>>
>>> Thanks,
>>> Bill
>>>
>>> Brian West wrote:
>>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>>
>>>> /b
>>>>
>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>
>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia
>>>>> profile and restarted sofia, and still no joy.
>>>>>
>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in
>>>>> the directory, but I'm still being rejected by the acl:
>>>>>
>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
>>>>>
>>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>>> http://pastebin.freeswitch.org/11531
>>>>>
>>>>> Thoughts?
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users@lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
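The check described at the top of this message (honour X-AUTH-IP only when the packet comes from an address in apply-proxy-acl, then test the result against the user's auth-acl), sketched as an added Python example; it is not FreeSWITCH's sofia.c code and was not posted by anyone in the thread. It assumes 64.135.119.105 from the log line is the proxy's address; the function names, the 203.0.113.7 sender and the fail-closed handling of a malformed header are this example's own.

```python
import ipaddress

def in_acl(ip, acl):
    """True if ip falls inside any CIDR in acl (a list of strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in acl)

def effective_auth_ip(network_ip, headers, proxy_acl):
    """Return the address the user's auth-acl should be checked against.

    X-AUTH-IP is honoured only when the packet itself arrived from an
    address in the proxy ACL. From any other source the header is ignored,
    because the sender can put any value in it.
    """
    hdrs = {k.upper(): v for k, v in headers.items()}  # SIP header names are case-insensitive
    claimed = hdrs.get("X-AUTH-IP")
    if claimed is None or not in_acl(network_ip, proxy_acl):
        return network_ip
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return None  # trusted proxy sent a malformed value: fail closed

def check_user_acl(network_ip, headers, proxy_acl, auth_acl):
    """Return (allowed, ip_used) for one request."""
    ip = effective_auth_ip(network_ip, headers, proxy_acl)
    return (ip is not None and in_acl(ip, [auth_acl])), ip

# Values from the thread: the user's auth-acl and the address in the log line.
AUTH_ACL = "190.218.103.12/32"
PROXY = "64.135.119.105"          # assumed to be the proxy
PROXY_ACL = [PROXY + "/32"]
HDR = {"X-Auth-IP": "190.218.103.12"}  # constructed header a proxy would add

if __name__ == "__main__":
    # No proxy ACL: the proxy's own address is tested, as in the WARNING line.
    print(check_user_acl(PROXY, {}, [], AUTH_ACL))
    # Proxy trusted and header present: the UA's address is tested.
    print(check_user_acl(PROXY, HDR, PROXY_ACL, AUTH_ACL))
    # Same header from an address outside the proxy ACL (constructed): ignored.
    print(check_user_acl("203.0.113.7", HDR, PROXY_ACL, AUTH_ACL))
```

The third case is the reason the proxy ACL must list only the proxies themselves: any address it contains can assert an arbitrary client IP.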