From miconda@gmail.com Mon Jun 17 12:49:29 2019
From: Daniel-Constantin Mierla <miconda@gmail.com>
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Authenticating xhttp request
Date: Mon, 17 Jun 2019 12:49:20 +0200
Message-ID: <0e7ab6da-f528-f6ca-44fc-28562e55596a@gmail.com>
In-Reply-To:
 <CAC6gnm8PXwvJPTMZbZssP9RdJtNU-YC0hCMGKPxLeikX8tk3pg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1125710969=="

--===============1125710969==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hello,

you can use permissions module with address table for IP based access
policies.

Cheers,
Daniel

On 16.06.19 19:58, Olli Attila wrote:
> Hello,
>
> After reading comments from Daniel and Alex I decided to proceed with
> the design model that uses a middleware server (eg. not exposing
> kamailio straight to users) which will be the node taking to Kamailio
> JSONRPC API.
>
> That being said... I could go for the ip address authentication. Are
> there any best practice guides for this?
>
> Cheer,
> Olli
>
> pe 14. kesäk. 2019 klo 16.21 Daniel-Constantin Mierla
> (miconda(a)gmail.com) kirjoitti:
>> Hello,
>>
>> I would not expose the kamailio to API interactions triggered by the end
>> users, be careful not to block its activity.
>>
>> Anyhow, you can use the www_challenge()/www_authenticate() function from
>> auth/auth_db modules that are using the records from subscriber table
>> perform HTTP digest authentication.
>>
>> Cheers,
>> Daniel
>>
>> On 14.06.19 09:14, Olli Attila wrote:
>>> Hello,
>>>
>>> I think it would be better to do the authentication with
>>> username/password. We are developing a web interface which will be
>>> used to alter dialplan & htable entries and after changes have been
>>> made, user would command the sip proxies to reload new data from the
>>> database via jasonrpc. With this design, user authentication would be
>>> more suitable.
>>>
>>> Cheers,
>>> Olli Attila
>>>
>>> pe 14. kesäk. 2019 klo 10.04 Daniel-Constantin Mierla
>>> (miconda(a)gmail.com) kirjoitti:
>>>> Hello,
>>>>
>>>> do you want to authenticate with ip addresses stored in database or with
>>>> username/password?
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> On 13.06.19 08:12, Olli Attila wrote:
>>>>> Hello,
>>>>>
>>>>> I have this xhttp event_route on Kamailio that I am using to signal
>>>>> the proxy to reload dialplans and htable when necessary:
>>>>>
>>>>> event_route[xhttp:request] {
>>>>>     if(src_ip!=127.0.0.1) {
>>>>>         xhttp_reply("403", "Forbidden", "text/html",
>>>>>             "<html><body>Not allowed from $si</body></html>");
>>>>>         exit;
>>>>>         }
>>>>>         if ($hu =~ "^/RPC") {
>>>>>                 jsonrpc_dispatch();
>>>>>         } else {
>>>>>         xhttp_reply("200", "OK", "text/html",
>>>>>             "<html><body>Wrong URL $hu</body></html>");
>>>>>     }
>>>>>     return;
>>>>> }
>>>>>
>>>>> Now instead of returning 403 forbidden for requests coming from other
>>>>> src_ip than proxy itsef, I would like to authenticate the http request
>>>>> via proxy database. How can this be done if possible?
>>>>>
>>>>> Cheers,
>>>>> Olli
>>>>>
>>>>> _______________________________________________
>>>>> Kamailio (SER) - Users Mailing List
>>>>> sr-users(a)lists.kamailio.org
>>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>> --
>>>> Daniel-Constantin Mierla -- www.asipto.com
>>>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>>>
>> --
>> Daniel-Constantin Mierla -- www.asipto.com
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>
>
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda



--===============1125710969==--