You need to add that header manually in your OpenSIPS config, FreeSWITCH won't look in record-route/via to try to guess it.
Mathieu Rene
Avant-Garde Solutions Inc
Office: + 1 (514) 664-1044 x100
Cell: +1 (514) 664-1044 x200
mr...@avgs.ca

On 18-Dec-09, at 10:53 AM, Bill W wrote:

> Hello Mathieu,
>
> I assumed that apply-proxy-acl was a modifier of auth-calls, so in my
> quick tests I just hard-coded the UA IP in the profile.
>
> <param name="auth-calls" value="true"/>
> <param name="apply-proxy-acl" value="190.218.97.83"/> <!-- IP of UA -->
>
> And I get:
> 2009-12-18 09:14:28.250929 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.97.83/32
>
> Where 64.135.119.105 is the IP of my proxy. And actually this is a
> REGISTER, not an INVITE.
>
> I did a tcpdump, and I'm not seeing the X-AUTH-IP header in the
> register packet.
>
> I will be incommunicado for the rest of today, but when I get back
> online, I'll see if I can get my proxy to add the X-AUTH-IP to the
> REGISTER packet and see if that makes a difference.
>
> Thanks for your help!
> Bill
>
> Mathieu Rene wrote:
>> From looking at sofia.c, if the ip address of the caller is in
>> apply-proxy-acl, it'll look for the X-AUTH-IP header in the INVITE
>> packet, and use that one for authentication.
>> Is that what you did in your previous tests?
>>
>> Mathieu Rene
>> Avant-Garde Solutions Inc
>> Office: + 1 (514) 664-1044 x100
>> Cell: +1 (514) 664-1044 x200
>> mr...@avgs.ca
>>
>> On 17-Dec-09, at 11:02 PM, Bill W wrote:
>>
>>> Hey Metik,
>>>
>>> Thanks for the reply, and the pointers for doing it with xml_curl.
>>>
>>> I guess I'll have to do that in the short term, but in my opinion,
>>> having auth-acl be able to work through a proxy is very important as
>>> it is a vital part of a comprehensive security feature set. And it
>>> would be much simpler to implement from an end-user perspective than
>>> the alternative of doing it in xml_curl.
>>>
>>> As a matter of fact, I'm considering offering a bounty for that
>>> feature. What is the going rate for that kind of thing?
>>>
>>> Is anyone out there interested in coding this feature? Or chipping in
>>> for the bounty?
>>>
>>> Thanks,
>>> Bill
>>>
>>> Metik wrote:
>>>> This may be difficult considering that ACL needs to consider the
>>>> original src IP/URI. To do that, freeswitch would need to do so
>>>> using a header that retains that information (i.e. From, Via,
>>>> Contact, etc.). Which I do not believe is currently possible using
>>>> auth-acl or apply-proxy-acl.
>>>>
>>>> However, you should be able to emulate the behavior using
>>>> mod_xml_curl (and validating against appropriate variables available
>>>> when using it to authenticate the request).
>>>>
>>>> see: http://wiki.freeswitch.org/wiki/Mod_xml_curl#Authorization
>>>>
>>>> -metik
>>>>
>>>> Bill W wrote:
>>>>> Hey Brian,
>>>>>
>>>>> I've been doing some testing and I am unable to get auth-calls to
>>>>> work through a proxy the way I want them to, even with setting
>>>>> apply-proxy-acl to either the endpoint IP or the proxy IP.
>>>>>
>>>>> I have a multi-tenant system with multiple domains with multiple
>>>>> users in each domain. And I want to restrict a user to an arbitrary
>>>>> CIDR and challenge them for a password. The arbitrary CIDR will vary
>>>>> from UA to UA, and is specified in the directory via the auth-acl
>>>>> parameter.
>>>>>
>>>>> TL,DR; I want to get auth-calls to use the IP of the UA endpoint,
>>>>> not of the proxy.
>>>>>
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>>> Brian West wrote:
>>>>>> it needs to be an ACL from acl.conf or an ip/cidr
>>>>>>
>>>>>> /b
>>>>>>
>>>>>> On Dec 17, 2009, at 5:41 AM, Bill W wrote:
>>>>>>
>>>>>>> Okay, I added: <param name="apply-proxy-acl" value="true"/> to my
>>>>>>> sofia profile and restarted sofia, and still no joy.
>>>>>>>
>>>>>>> I'm on FreeSWITCH Version 1.0.trunk (15764)
>>>>>>> I've got <param name="auth-acl" value="190.218.103.12/32"></param>
>>>>>>> in the directory, but I'm still being rejected by the acl:
>>>>>>>
>>>>>>> 2009-12-17 06:04:59.920517 [WARNING] sofia_reg.c:1928 IP 64.135.119.105 Rejected by user acl 190.218.103.12/32
>>>>>>>
>>>>>>> Here's what I believe is the appropriate snippet of the debug
>>>>>>> output:
>>>>>>> http://pastebin.freeswitch.org/11531
>>>>>>>
>>>>>>> Thoughts?
>>>>>>> Thanks,
>>>>>>> Bill
>>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users@lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
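
The rule discussed in this thread, as an added example that is not part of the original messages and is not FreeSWITCH code: a small Python model of what Mathieu describes (X-AUTH-IP is used only when the packet's source is in apply-proxy-acl), run against the addresses from Bill's log. The function names, the fallback to the source address when the header is absent or malformed, and the 203.0.113.7 client are assumptions made for illustration.

```python
import ipaddress

def in_acl(ip, cidrs):
    """True if ip falls inside any CIDR (or bare address) in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def effective_auth_ip(source_ip, headers, proxy_acl):
    """Address that the user's auth-acl is evaluated against (model only)."""
    # SIP header names are case-insensitive.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    claimed = hdrs.get("x-auth-ip")
    # The header is trusted only when the packet really came from a proxy
    # listed in apply-proxy-acl; otherwise any client could claim any IP.
    if claimed and in_acl(source_ip, proxy_acl):
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # assumption: a malformed value falls back to the source
    return source_ip

def passes_user_acl(source_ip, headers, proxy_acl, auth_acl):
    return in_acl(effective_auth_ip(source_ip, headers, proxy_acl), auth_acl)

# Addresses from the log lines quoted in the thread.
PROXY = "64.135.119.105"
UA = "190.218.97.83"
AUTH_ACL = ["190.218.97.83/32"]   # per-user auth-acl in the directory
OUTSIDER = "203.0.113.7"          # constructed: a client bypassing the proxy

def scenarios():
    hdr = {"X-AUTH-IP": UA}
    return {
        # apply-proxy-acl holds the UA address: the proxy is not matched
        "proxy-acl=UA, no header": passes_user_acl(PROXY, {}, [UA], AUTH_ACL),
        # apply-proxy-acl is right but the proxy adds no header
        "proxy-acl=proxy, no header": passes_user_acl(PROXY, {}, [PROXY], AUTH_ACL),
        # proxy listed and it adds X-AUTH-IP with the UA address
        "proxy-acl=proxy, header": passes_user_acl(PROXY, hdr, [PROXY], AUTH_ACL),
        # header forged by a host that is not the proxy
        "outsider, forged header": passes_user_acl(OUTSIDER, hdr, [PROXY], AUTH_ACL),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} -> {'accepted' if ok else 'rejected by user acl'}")
```

Only the third case is accepted. The model also shows why the proxy has to drop any X-AUTH-IP supplied by a client before adding its own: a value relayed by a listed proxy is trusted as-is.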