13 Jun
2019
13 Jun
'19
9:12 a.m.
Hello,
I have this xhttp event_route on Kamailio that I am using to signal
the proxy to reload dialplans and htable when necessary:
event_route[xhttp:request] {
if(src_ip!=127.0.0.1) {
xhttp_reply("403", "Forbidden", "text/html",
"<html><body>Not allowed from
$si</body></html>");
exit;
}
if ($hu =~ "^/RPC") {
jsonrpc_dispatch();
} else {
xhttp_reply("200", "OK", "text/html",
"<html><body>Wrong URL $hu</body></html>");
}
return;
}
Now instead of returning 403 forbidden for requests coming from other
src_ip than proxy itsef, I would like to authenticate the http request
via proxy database. How can this be done if possible?
Cheers,
Olli
14 Jun
14 Jun
10:04 a.m.
Hello,
do you want to authenticate with ip addresses stored in database or with
username/password?
Cheers,
Daniel
On 13.06.19 08:12, Olli Attila wrote:
Hello,
I have this xhttp event_route on Kamailio that I am using to signal
the proxy to reload dialplans and htable when necessary:
event_route[xhttp:request] {
if(src_ip!=127.0.0.1) {
xhttp_reply("403", "Forbidden", "text/html",
"<html><body>Not allowed from
$si</body></html>");
exit;
}
if ($hu =~ "^/RPC") {
jsonrpc_dispatch();
} else {
xhttp_reply("200", "OK", "text/html",
"<html><body>Wrong URL
$hu</body></html>");
}
return;
}
Now instead of returning 403 forbidden for requests coming from other
src_ip than proxy itsef, I would like to authenticate the http request
via proxy database. How can this be done if possible?
Cheers,
Olli
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
10:14 a.m.
Hello,
I think it would be better to do the authentication with
username/password. We are developing a web interface which will be
used to alter dialplan & htable entries and after changes have been
made, user would command the sip proxies to reload new data from the
database via jasonrpc. With this design, user authentication would be
more suitable.
Cheers,
Olli Attila
pe 14. kesäk. 2019 klo 10.04 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
Hello,
do you want to authenticate with ip addresses stored in database or with
username/password?
Cheers,
Daniel
On 13.06.19 08:12, Olli Attila wrote:
--
"Logic is the art of going wrong with confidence."
Hello,
I have this xhttp event_route on Kamailio that I am using to signal
the proxy to reload dialplans and htable when necessary:
event_route[xhttp:request] {
if(src_ip!=127.0.0.1) {
xhttp_reply("403", "Forbidden", "text/html",
"<html><body>Not allowed from
$si</body></html>");
exit;
}
if ($hu =~ "^/RPC") {
jsonrpc_dispatch();
} else {
xhttp_reply("200", "OK", "text/html",
"<html><body>Wrong URL
$hu</body></html>");
}
return;
}
Now instead of returning 403 forbidden for requests coming from other
src_ip than proxy itsef, I would like to authenticate the http request
via proxy database. How can this be done if possible?
Cheers,
Olli
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
4:20 p.m.
Hello,
I would not expose the kamailio to API interactions triggered by the end
users, be careful not to block its activity.
Anyhow, you can use the www_challenge()/www_authenticate() function from
auth/auth_db modules that are using the records from subscriber table
perform HTTP digest authentication.
Cheers,
Daniel
On 14.06.19 09:14, Olli Attila wrote:
Hello,
I think it would be better to do the authentication with
username/password. We are developing a web interface which will be
used to alter dialplan & htable entries and after changes have been
made, user would command the sip proxies to reload new data from the
database via jasonrpc. With this design, user authentication would be
more suitable.
Cheers,
Olli Attila
pe 14. kesäk. 2019 klo 10.04 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Hello,
do you want to authenticate with ip addresses stored in database or with
username/password?
Cheers,
Daniel
On 13.06.19 08:12, Olli Attila wrote:
Hello,
I have this xhttp event_route on Kamailio that I am using to signal
the proxy to reload dialplans and htable when necessary:
event_route[xhttp:request] {
if(src_ip!=127.0.0.1) {
xhttp_reply("403", "Forbidden", "text/html",
"<html><body>Not allowed from
$si</body></html>");
exit;
}
if ($hu =~ "^/RPC") {
jsonrpc_dispatch();
} else {
xhttp_reply("200", "OK", "text/html",
"<html><body>Wrong URL
$hu</body></html>");
}
return;
}
Now instead of returning 403 forbidden for requests coming from other
src_ip than proxy itsef, I would like to authenticate the http request
via proxy database. How can this be done if possible?
Cheers,
Olli
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
10:45 p.m.
On Fri, Jun 14, 2019 at 03:20:59PM +0200, Daniel-Constantin Mierla wrote:
I would not expose the kamailio to API interactions
triggered by the end
users, be careful not to block its activity.
I strongly agree with this. Kamailio's JSONRPC API is way too low-level
for that, and too barren. It really needs some sort of middleware in
front of it that compiles the operations into higher-level ones mediated
by your business logic.
It will also make the development on the UI side a lot easier, since the
API middleware can do more of the heavy lifting as far as collating data
from multiple places and serialising it into a format more readily
consumable by your front-end framework.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
16 Jun
16 Jun
8:58 p.m.
Hello,
After reading comments from Daniel and Alex I decided to proceed with
the design model that uses a middleware server (eg. not exposing
kamailio straight to users) which will be the node taking to Kamailio
JSONRPC API.
That being said... I could go for the ip address authentication. Are
there any best practice guides for this?
Cheer,
Olli
pe 14. kesäk. 2019 klo 16.21 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
Hello,
I would not expose the kamailio to API interactions triggered by the end
users, be careful not to block its activity.
Anyhow, you can use the www_challenge()/www_authenticate() function from
auth/auth_db modules that are using the records from subscriber table
perform HTTP digest authentication.
Cheers,
Daniel
On 14.06.19 09:14, Olli Attila wrote:
--
"Logic is the art of going wrong with confidence."
Hello,
I think it would be better to do the authentication with
username/password. We are developing a web interface which will be
used to alter dialplan & htable entries and after changes have been
made, user would command the sip proxies to reload new data from the
database via jasonrpc. With this design, user authentication would be
more suitable.
Cheers,
Olli Attila
pe 14. kesäk. 2019 klo 10.04 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Hello,
do you want to authenticate with ip addresses stored in database or with
username/password?
Cheers,
Daniel
On 13.06.19 08:12, Olli Attila wrote:
Hello,
I have this xhttp event_route on Kamailio that I am using to signal
the proxy to reload dialplans and htable when necessary:
event_route[xhttp:request] {
if(src_ip!=127.0.0.1) {
xhttp_reply("403", "Forbidden", "text/html",
"<html><body>Not allowed from
$si</body></html>");
exit;
}
if ($hu =~ "^/RPC") {
jsonrpc_dispatch();
} else {
xhttp_reply("200", "OK", "text/html",
"<html><body>Wrong URL
$hu</body></html>");
}
return;
}
Now instead of returning 403 forbidden for requests coming from other
src_ip than proxy itsef, I would like to authenticate the http request
via proxy database. How can this be done if possible?
Cheers,
Olli
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
17 Jun
17 Jun
1:49 p.m.
Hello,
you can use permissions module with address table for IP based access
policies.
Cheers,
Daniel
On 16.06.19 19:58, Olli Attila wrote:
Hello,
After reading comments from Daniel and Alex I decided to proceed with
the design model that uses a middleware server (eg. not exposing
kamailio straight to users) which will be the node taking to Kamailio
JSONRPC API.
That being said... I could go for the ip address authentication. Are
there any best practice guides for this?
Cheer,
Olli
pe 14. kesäk. 2019 klo 16.21 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Hello,
I would not expose the kamailio to API interactions triggered by the end
users, be careful not to block its activity.
Anyhow, you can use the www_challenge()/www_authenticate() function from
auth/auth_db modules that are using the records from subscriber table
perform HTTP digest authentication.
Cheers,
Daniel
On 14.06.19 09:14, Olli Attila wrote:
Hello,
I think it would be better to do the authentication with
username/password. We are developing a web interface which will be
used to alter dialplan & htable entries and after changes have been
made, user would command the sip proxies to reload new data from the
database via jasonrpc. With this design, user authentication would be
more suitable.
Cheers,
Olli Attila
pe 14. kesäk. 2019 klo 10.04 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
> Hello,
>
> do you want to authenticate with ip addresses stored in database or with
> username/password?
>
> Cheers,
> Daniel
>
> On 13.06.19 08:12, Olli Attila wrote:
>> Hello,
>>
>> I have this xhttp event_route on Kamailio that I am using to signal
>> the proxy to reload dialplans and htable when necessary:
>>
>> event_route[xhttp:request] {
>> if(src_ip!=127.0.0.1) {
>> xhttp_reply("403", "Forbidden",
"text/html",
>> "<html><body>Not allowed from
$si</body></html>");
>> exit;
>> }
>> if ($hu =~ "^/RPC") {
>> jsonrpc_dispatch();
>> } else {
>> xhttp_reply("200", "OK", "text/html",
>> "<html><body>Wrong URL
$hu</body></html>");
>> }
>> return;
>> }
>>
>> Now instead of returning 403 forbidden for requests coming from other
>> src_ip than proxy itsef, I would like to authenticate the http request
>> via proxy database. How can this be done if possible?
>>
>> Cheers,
>> Olli
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users(a)lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
18 Jun
18 Jun
7:42 a.m.
Hello,
Ok I loaded the permissions module, and used the allow_trusted()
function call to test if the request is coming from a trusted address.
Works very well and I also used the caching option of the module so
that the database is not queried every time src ip has to be verified.
Cheers,
Olli
ma 17. kesäk. 2019 klo 13.49 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
Hello,
you can use permissions module with address table for IP based access
policies.
Cheers,
Daniel
On 16.06.19 19:58, Olli Attila wrote:
--
"Logic is the art of going wrong with confidence."
Hello,
After reading comments from Daniel and Alex I decided to proceed with
the design model that uses a middleware server (eg. not exposing
kamailio straight to users) which will be the node taking to Kamailio
JSONRPC API.
That being said... I could go for the ip address authentication. Are
there any best practice guides for this?
Cheer,
Olli
pe 14. kesäk. 2019 klo 16.21 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Hello,
I would not expose the kamailio to API interactions triggered by the end
users, be careful not to block its activity.
Anyhow, you can use the www_challenge()/www_authenticate() function from
auth/auth_db modules that are using the records from subscriber table
perform HTTP digest authentication.
Cheers,
Daniel
On 14.06.19 09:14, Olli Attila wrote:
Hello,
I think it would be better to do the authentication with
username/password. We are developing a web interface which will be
used to alter dialplan & htable entries and after changes have been
made, user would command the sip proxies to reload new data from the
database via jasonrpc. With this design, user authentication would be
more suitable.
Cheers,
Olli Attila
pe 14. kesäk. 2019 klo 10.04 Daniel-Constantin Mierla
(miconda(a)gmail.com) kirjoitti:
> Hello,
>
> do you want to authenticate with ip addresses stored in database or with
> username/password?
>
> Cheers,
> Daniel
>
> On 13.06.19 08:12, Olli Attila wrote:
>> Hello,
>>
>> I have this xhttp event_route on Kamailio that I am using to signal
>> the proxy to reload dialplans and htable when necessary:
>>
>> event_route[xhttp:request] {
>> if(src_ip!=127.0.0.1) {
>> xhttp_reply("403", "Forbidden",
"text/html",
>> "<html><body>Not allowed from
$si</body></html>");
>> exit;
>> }
>> if ($hu =~ "^/RPC") {
>> jsonrpc_dispatch();
>> } else {
>> xhttp_reply("200", "OK", "text/html",
>> "<html><body>Wrong URL
$hu</body></html>");
>> }
>> return;
>> }
>>
>> Now instead of returning 403 forbidden for requests coming from other
>> src_ip than proxy itsef, I would like to authenticate the http request
>> via proxy database. How can this be done if possible?
>>
>> Cheers,
>> Olli
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users(a)lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
1984
days inactive
1989
days old
7 comments
3 participants
participants (3)
-
Alex Balashov -
Daniel-Constantin Mierla -
Olli Attila