10 Oct
2019
10 Oct
'19
1:33 a.m.
It looks pretty clear to me. I think whenever kamailio “sees” that protocol
specification it will switch to that. Have you tried forcing the socket?
Just wondering whether that would work.
On Wed, 9 Oct 2019 at 20:33, Joel Serrano <joel(a)textplus.com> wrote:
Hi everyone,
I was giving a try to setup Kamailio with a Cloud TCP load balancer in
front, taking advantage of the newly added proxy protocol compatibility and
my initial tests went very well.
Flow: client -> (tcp) -> load balancer -> (tcp) -> Kamailio TCP socket
I then did another quick test and enabled TLS, also with good results:
Flow: client -> (tls) -> load balancer -> (tls) -> Kamailio TLS socket
So far so good, proxy protocol works as expected.
I wanted to go one step further and see if I could somehow offload SSL
operations at the load balancer level, and leave kamailio handling plain
tcp.
Flow: client -> (tls) -> load balancer -> (tcp) -> Kamailio TCP socket
This partially worked, and before I start digging into what I have to do
to get it completely working, I'd like to know if anyone already has a
similar setup, or even if Kamailio is able to handle such a scenario, the
reason I'm asking is because of the headers, etc.
In this last scenario, I receive in a TCP socket, a request with TLS
headers all over the place..
INVITE sip:14a84f2016944eb0854ef0e9b71bfa10@app.mydomain.com:60655 SIP/2.0
Via: SIP/2.0/TLS 192.168.1.16:60717;branch=z9hG4bK.KmUpamn5P;rport
From: ...
To: ...
CSeq: 21 INVITE
Call-ID: -j1QSnam9o
Max-Forwards: 70
Route: <sip:sbc-test2.mydomain.com:443;lr>
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO,
UPDATE
Content-Type: application/sdp
Content-Length: 436
Contact:
<sip:linphone@A.B.C.D:60717;transport=tls>;+sip.instance="<urn:uuid:fabcb441-a348-49a7-948d-72448d6840eb>"
I then forward this request via UDP to subsequent proxies for further
processing, on the replies, my payload information back to the client
should be TLS, although sent via a TCP socket..
Is this something that will not work by design? Is there any hack I can
take advantage of?
The goal would be for Kamailio to handle TLS headers via TCP socket, as
the client expects TLS information, but the actual traffic should go in
plan TCP, and the load balancer will take care of re-encrypting before
replying to the client.
Any ideas/suggestions/comments?
I hope this email is understandable, I find it complicated to detail the
exact problem, feel free to ask any questions if you don't understand
anything.
Thanks,
Joel.
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards,
David Villasmil
email: david.villasmil.work(a)gmail.com
phone: +34669448337