Hi everyone,
I was giving a try to setting up Kamailio with a Cloud TCP load balancer in front, taking advantage of the newly added proxy protocol compatibility, and my initial tests went very well.
Flow: client -> (tcp) -> load balancer -> (tcp) -> Kamailio TCP socket
I then did another quick test and enabled TLS, also with good results:
Flow: client -> (tls) -> load balancer -> (tls) -> Kamailio TLS socket
So far so good, proxy protocol works as expected.
I wanted to go one step further and see if I could somehow offload SSL operations at the load balancer level, and leave Kamailio handling plain TCP.
Flow: client -> (tls) -> load balancer -> (tcp) -> Kamailio TCP socket
This partially worked, and before I start digging into what I have to do to get it completely working, I'd like to know if anyone already has a similar setup, or even if Kamailio is able to handle such a scenario. The reason I'm asking is because of the headers, etc.
In this last scenario, I receive, on a TCP socket, a request with TLS headers all over the place:
INVITE sip:14a84f2016944eb0854ef0e9b71bfa10@app.mydomain.com:60655 SIP/2.0
Via: SIP/2.0/TLS 192.168.1.16:60717;branch=z9hG4bK.KmUpamn5P;rport
From: ...
To: ...
CSeq: 21 INVITE
Call-ID: -j1QSnam9o
Max-Forwards: 70
Route: <sip:sbc-test2.mydomain.com:443;lr>
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Content-Type: application/sdp
Content-Length: 436
Contact: <sip:linphone@A.B.C.D:60717;transport=tls>;+sip.instance="<urn:uuid:fabcb441-a348-49a7-948d-72448d6840eb>"
I then forward this request via UDP to subsequent proxies for further processing. On the replies, my payload information back to the client should be TLS, although sent via a TCP socket.
Is this something that will not work by design? Is there any hack I can take advantage of?
The goal would be for Kamailio to handle TLS headers via a TCP socket, as the client expects TLS information, but the actual traffic should go in plain TCP, and the load balancer will take care of re-encrypting before replying to the client.
Any ideas/suggestions/comments?
I hope this email is understandable, I find it complicated to detail the exact problem, feel free to ask any questions if you don't understand anything.
Thanks,
Joel.
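A small checker, added here as an example and not part of the original post or of Kamailio, that parses the request quoted above and lists every header whose transport claim disagrees with the transport of the socket the request actually arrived on. The From/To values are constructed placeholders, since the post elides them.

```python
import re

# Constructed sample: the INVITE from the post, with the elided From/To filled in with placeholders.
SAMPLE_REQUEST = (
    "INVITE sip:14a84f2016944eb0854ef0e9b71bfa10@app.mydomain.com:60655 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.1.16:60717;branch=z9hG4bK.KmUpamn5P;rport\r\n"
    "From: <sip:linphone@app.mydomain.com>;tag=placeholder\r\n"
    "To: <sip:callee@app.mydomain.com>\r\n"
    "CSeq: 21 INVITE\r\n"
    "Call-ID: -j1QSnam9o\r\n"
    "Max-Forwards: 70\r\n"
    "Route: <sip:sbc-test2.mydomain.com:443;lr>\r\n"
    "Supported: replaces, outbound\r\n"
    "Contact: <sip:linphone@A.B.C.D:60717;transport=tls>;"
    "+sip.instance=\"<urn:uuid:fabcb441-a348-49a7-948d-72448d6840eb>\"\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_sip(raw):
    """Split a SIP message into its start line and a list of (lowercased name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def transport_claims(headers):
    """Collect every transport the message asserts: the Via protocol and any
    transport= parameter (or sips: scheme) in Contact/Route/Record-Route URIs."""
    claims = []
    for name, value in headers:
        if name in ("via", "v"):
            m = re.match(r"SIP/2\.0/(\w+)", value)
            if m:
                claims.append(("Via", m.group(1).upper()))
        elif name in ("contact", "m", "route", "record-route"):
            m = re.search(r"<([^>]*)>", value)
            uri = m.group(1) if m else value
            t = re.search(r";transport=(\w+)", uri, re.IGNORECASE)
            if t:
                claims.append((name.title(), t.group(1).upper()))
            elif uri.lower().startswith("sips:"):
                claims.append((name.title(), "TLS"))
    return claims


def transport_mismatches(raw, ingress_transport):
    """Return the (header, claimed transport) pairs that differ from the ingress socket's transport."""
    _, headers = parse_sip(raw)
    ingress = ingress_transport.upper()
    return [(h, t) for h, t in transport_claims(headers) if t != ingress]
```

Running it with the ingress set to "tcp" reproduces the situation in the post: Via and Contact both claim TLS while the socket is plain TCP, and Route makes no transport claim at all (port 443 alone is not one).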