From attiolli@gmail.com Thu Jun 13 08:12:49 2019
From: Olli Attila
To: sr-users@lists.kamailio.org
Subject: [SR-Users] Authenticating xhttp request
Date: Thu, 13 Jun 2019 09:12:30 +0300

Hello,

I have this xhttp event_route on Kamailio that I am using to signal
the proxy to reload dialplans and htable when necessary:

event_route[xhttp:request] {
    # reject any HTTP request that does not come from the proxy itself
    if(src_ip!=127.0.0.1) {
        xhttp_reply("403", "Forbidden", "text/html",
            "Not allowed from $si");
        exit;
    }
    # hand /RPC requests to the JSONRPC dispatcher
    if ($hu =~ "^/RPC") {
        jsonrpc_dispatch();
    } else {
        xhttp_reply("200", "OK", "text/html",
            "Wrong URL $hu");
    }
    return;
}

Now instead of returning 403 forbidden for requests coming from other
src_ip than proxy itself, I would like to authenticate the http request
via proxy database. How can this be done if possible?

Cheers,
Olli

From miconda@gmail.com Fri Jun 14 09:04:30 2019
From: Daniel-Constantin Mierla
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Fri, 14 Jun 2019 09:04:21 +0200
Message-ID: <359780cd-1abd-3561-3738-8e0613ae5287@gmail.com>

Hello,

do you want to authenticate with ip addresses stored in database or with
username/password?

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda

From attiolli@gmail.com Fri Jun 14 09:14:25 2019
From: Olli Attila
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Fri, 14 Jun 2019 10:14:06 +0300
In-Reply-To: <359780cd-1abd-3561-3738-8e0613ae5287@gmail.com>

Hello,

I think it would be better to do the authentication with
username/password. We are developing a web interface which will be
used to alter dialplan & htable entries and after changes have been
made, user would command the sip proxies to reload new data from the
database via jsonrpc. With this design, user authentication would be
more suitable.

Cheers,
Olli Attila

-- 
"Logic is the art of going wrong with confidence."

From miconda@gmail.com Fri Jun 14 15:21:09 2019
From: Daniel-Constantin Mierla
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Fri, 14 Jun 2019 15:20:59 +0200

Hello,

I would not expose the kamailio to API interactions triggered by the end
users, be careful not to block its activity.

Anyhow, you can use the www_challenge()/www_authenticate() functions from
auth/auth_db modules that are using the records from subscriber table
to perform HTTP digest authentication.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda

From abalashov@evaristesys.com Fri Jun 14 21:45:38 2019
From: Alex Balashov
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Fri, 14 Jun 2019 15:45:30 -0400
Message-ID: <20190614194530.GA684@tlaquepaque.localdomain>

On Fri, Jun 14, 2019 at 03:20:59PM +0200, Daniel-Constantin Mierla wrote:

> I would not expose the kamailio to API interactions triggered by the end
> users, be careful not to block its activity.

I strongly agree with this. Kamailio's JSONRPC API is way too low-level
for that, and too barren. It really needs some sort of middleware in
front of it that compiles the operations into higher-level ones mediated
by your business logic.

It will also make the development on the UI side a lot easier, since the
API middleware can do more of the heavy lifting as far as collating data
from multiple places and serialising it into a format more readily
consumable by your front-end framework.

-- Alex

-- 
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/

From attiolli@gmail.com Sun Jun 16 19:58:44 2019
From: Olli Attila
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Sun, 16 Jun 2019 20:58:22 +0300

Hello,

After reading comments from Daniel and Alex I decided to proceed with
the design model that uses a middleware server (e.g. not exposing
kamailio straight to users) which will be the node talking to Kamailio
JSONRPC API.

That being said... I could go for the ip address authentication. Are
there any best practice guides for this?

Cheers,
Olli

-- 
"Logic is the art of going wrong with confidence."

From miconda@gmail.com Mon Jun 17 12:49:29 2019
From: Daniel-Constantin Mierla
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Mon, 17 Jun 2019 12:49:20 +0200
Message-ID: <0e7ab6da-f528-f6ca-44fc-28562e55596a@gmail.com>

Hello,

you can use permissions module with address table for IP based access
policies.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda

From attiolli@gmail.com Tue Jun 18 06:43:12 2019
From: Olli Attila
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Tue, 18 Jun 2019 07:42:52 +0300
In-Reply-To: <0e7ab6da-f528-f6ca-44fc-28562e55596a@gmail.com>

Hello,

Ok I loaded the permissions module, and used the allow_trusted()
function call to test if the request is coming from a trusted address.
Works very well and I also used the caching option of the module so
that the database is not queried every time src ip has to be verified.

Cheers,
Olli

-- 
"Logic is the art of going wrong with confidence."
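
The IP-based policy suggested in the thread (permissions module with the address table), written out as an added example that is not part of the original messages. It is a fragment for a kamailio.cfg that already loads a database driver, xhttp and jsonrpcs; the group id 10, the host 192.0.2.10 and the database URL are assumptions, and it uses allow_source_address() (address table) rather than the allow_trusted() call (trusted table) mentioned in the last message.

```kamailio
# Added example, not from the thread. Assumed values: address group 10,
# middleware host 192.0.2.10, placeholder database credentials.
#
# Row in the "address" table for the middleware host (SQL, run once):
#   INSERT INTO address (grp, ip_addr, mask, port, tag)
#   VALUES (10, '192.0.2.10', 32, 0, 'rpc-middleware');
# After changing the table, refresh the in-memory copy with the
# permissions.addressReload RPC command.

loadmodule "permissions.so"

# The address table is read from this database at startup and kept in
# memory, so the check in the route does not query the database for
# every request.
modparam("permissions", "db_url", "mysql://kamailio:CHANGE_ME@localhost/kamailio")

event_route[xhttp:request] {
    # Accept the proxy itself plus the hosts listed in address group 10;
    # everything else is logged and refused before any RPC is dispatched.
    if (src_ip != 127.0.0.1 && !allow_source_address("10")) {
        xlog("L_WARN", "xhttp: denied $hu from $si:$sp\n");
        xhttp_reply("403", "Forbidden", "text/html",
            "Not allowed from $si");
        exit;
    }

    # Same dispatch logic as the route posted in the first message.
    if ($hu =~ "^/RPC") {
        jsonrpc_dispatch();
    } else {
        xhttp_reply("200", "OK", "text/html",
            "Wrong URL $hu");
    }
    return;
}
```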