Hello Mathieu,

I assumed that apply-proxy-acl was a modifier of auth-calls, so in my quick tests I just hard-coded the UA IP in the profile.

<param name="auth-calls" value="true"/>
<param name="apply-proxy-acl" value="190.218.97.83"/> <!-- IP of UA -->

And I get:

2009-12-18 09:14:28.250929 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.97.83/32

Where 64.135.119.105 is the IP of my proxy. And actually this is a REGISTER, not an INVITE. I did a tcpdump, and I'm not seeing the X-AUTH-IP header in the REGISTER packet.

I will be incommunicado for the rest of today, but when I get back online, I'll see if I can get my proxy to add the X-AUTH-IP to the REGISTER packet and see if that makes a difference.

Thanks for your help!
Bill

Mathieu Rene wrote:
> From looking at sofia.c, if the ip address of the caller is in apply-proxy-acl, it'll look for the X-AUTH-IP header in the INVITE packet, and use that one for authentication.
> Is that what you did in your previous tests?
>
> Mathieu Rene
> Avant-Garde Solutions Inc
> Office: + 1 (514) 664-1044 x100
> Cell: +1 (514) 664-1044 x200
> mr...@avgs.ca
>
> On 17-Dec-09, at 11:02 PM, Bill W wrote:
>
>> Hey Metik,
>>
>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>
>> I guess I'll have to do that in the short term, but in my opinion, having auth-acl be able to work through a proxy is very important as it is a vital part of a comprehensive security feature set. And it would be much simpler to implement from an end-user perspective than the alternative of doing it in xml_curl.
>>
>> As a matter of fact, I'm considering offering a bounty for that feature. What is the going rate for that kind of thing?
>>
>> Is anyone out there interested in coding this feature? Or chipping in for the bounty?
>>
>> Thanks,
>> Bill
>>
>> Metik wrote:
>>> This may be difficult considering that ACL needs to consider the original src IP/URI. To do that, freeswitch would need to do so using a header that retains that information (i.e. From, Via, Contact, etc.). Which I do not believe is currently possible using auth-acl or apply-proxy-acl.
>>>
>>> However, you should be able to emulate the behavior using mod_xml_curl (and validating against appropriate variables available when using it to authenticate the request).
>>>
>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>
>>> -metik
>>>
>>> Bill W wrote:
>>>> Hey Brian,
>>>>
>>>> I've been doing some testing and I am unable to get auth-calls to work through a proxy the way I want them to, even with setting apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>
>>>> I have a multi-tenant system with multiple domains with multiple users in each domain. And I want to restrict a user to an arbitrary CIDR and challenge them for a password. The arbitrary CIDR will vary from UA to UA, and is specified in the directory via the auth-acl parameter.
>>>>
>>>> TL;DR: I want to get auth-calls to use the IP of the UA endpoint, not of the proxy.
>>>>
>>>> Thanks,
>>>> Bill
>>>>
>>>> Brian West wrote:
>>>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>>>
>>>>> /b
>>>>>
>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>
>>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my sofia profile and restarted sofia, and still no joy.
>>>>>>
>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param> in the directory, but I'm still being rejected by the acl:
>>>>>>
>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
>>>>>>
>>>>>> Here's what I believe is the appropriate snippet of the debug output:
>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>
>>>>>> Thoughts?
>>>>>> Thanks,
>>>>>> Bill
>>>>>>

_______________________________________________
FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
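A constructed Python model of the lookup Mathieu describes (source IP inside apply-proxy-acl, then X-AUTH-IP is what the per-user auth-acl is tested against) and of the REGISTER-without-header rejection Bill sees; it is an added example, not FreeSWITCH's sofia.c code. The SIP messages, the domain example.invalid and the 203.0.113.5 sender are made up; it also goes one step further than the thread by showing why the header must only be honoured when the packet really comes from an address in the proxy ACL.

```python
import ipaddress

# Illustrative model of the apply-proxy-acl / X-AUTH-IP decision discussed in
# the thread. Not FreeSWITCH's implementation; the SIP samples are constructed.

def parse_sip_headers(raw):
    """Return header name (lower-cased) -> value for a SIP request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                        # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def in_acl(ip, acl):
    """True if ip falls inside any host/CIDR entry of acl (list of strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in acl)

def effective_auth_ip(src_ip, headers, proxy_acl):
    """IP the user ACL sees: X-AUTH-IP only when the sender is a trusted proxy.
    A header arriving from an address outside apply-proxy-acl is ignored, so a
    direct sender cannot pick the address it is checked against."""
    if in_acl(src_ip, proxy_acl) and "x-auth-ip" in headers:
        try:
            return str(ipaddress.ip_address(headers["x-auth-ip"]))
        except ValueError:
            pass                         # malformed header: use transport IP
    return src_ip

def check_user_acl(src_ip, raw_request, proxy_acl, user_acl):
    """Return (allowed, ip_checked), mirroring the 'Rejected by user acl' log."""
    ip = effective_auth_ip(src_ip, parse_sip_headers(raw_request), proxy_acl)
    return in_acl(ip, user_acl), ip

# Constructed traffic matching the thread: proxy 64.135.119.105 in front of a
# UA whose directory auth-acl is 190.218.97.83/32.
PROXY_ACL = ["64.135.119.105/32"]
USER_ACL = ["190.218.97.83/32"]
REGISTER_NO_HDR = ("REGISTER sip:example.invalid SIP/2.0\r\n"
                   "Via: SIP/2.0/UDP 64.135.119.105\r\n\r\n")
INVITE_WITH_HDR = ("INVITE sip:1000@example.invalid SIP/2.0\r\n"
                   "Via: SIP/2.0/UDP 64.135.119.105\r\n"
                   "X-AUTH-IP: 190.218.97.83\r\n\r\n")

if __name__ == "__main__":
    # No header on the REGISTER: the proxy IP is checked and rejected.
    print(check_user_acl("64.135.119.105", REGISTER_NO_HDR, PROXY_ACL, USER_ACL))
    # Header present and sender is the trusted proxy: UA IP is checked.
    print(check_user_acl("64.135.119.105", INVITE_WITH_HDR, PROXY_ACL, USER_ACL))
```

Setting apply-proxy-acl to the UA address instead of the proxy address, as in the hard-coded test above, makes the proxy fall outside the ACL, so the header is never consulted and the proxy IP is what gets rejected.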