freeswitch-users at li... Guest
Posted: Mon Aug 23, 2021 9:05 am Post subject: [Freeswitch-users] Dynamic users (from Curl XML) CIDR not me
------ Start of attached email. Subject: Dynamic users (from Curl XML) CIDR not merged to ACL ------
Hello,
My goal is to have dynamic (through CURL XML) defined users AND gateways; to be able to accept incoming calls from gateways, having those calls authenticated as the user that the gateway belongs to, and to be able to send outgoing calls to those gateways.
Below is a detailed description of my testing setup, which works with static configuration and does not work with dynamic configuration. Kindly asking for advice!
I have a configuration in which ACL “domains” is defined as:
acl.conf:
<configuration name="acl.conf" description="Network Lists">
  <network-lists>
    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
    </list>
  </network-lists>
</configuration>
It is used to allow and accept calls from specific IPs without authentication, having those IPs matched to users. Sofia profile (important part of it):
<param name="apply-inbound-acl" value="domains"/>
<param name="auth-calls" value="false"/>
Matching is done by the “cidr” parameter in the user definition. According to the documentation, each user “cidr” is added to the above list.
https://freeswitch.org/confluence/pages/viewpage.action?pageId=3965687
Quote:
domain
Scans the user definitions of the specified domain from the directory, and if your domain's users have cidr attributes, the ACL will be automatically built.
Example usage:
<node type="allow" domain="$${domain}"/>
Those gateway IPs are defined using <gateway> configurations and are currently visible in the CLI:
freeswitch@zz-freeswitch-test> sofia status
Name Type Data State
=================================================================================================
authenticated profile sip:mod_sofia@194.153.118.45:5060 RUNNING (0)
trunks profile sip:mod_sofia@194.153.118.45:5070 RUNNING (0)
trunks::1347a7ad-ff67-11eb-9528-9a306e6cb08d_2 gateway sip:FreeSWITCH@194.153.118.34 NOREG
trunks::1347a7ad-ff67-11eb-9528-9a306e6cb08d_1 gateway sip:FreeSWITCH@194.153.118.28 NOREG
=================================================================================================
2 profiles 0 aliases
When I define users in static XML files, incoming calls are properly authenticated (this is the file that is included in the directory XML files):
User definition:
<include>
  <user id="1347a7ad-ff67-11eb-9528-9a306e6cb08d" cidr="194.153.118.28/32,194.153.118.34/32">
    <params>
      <param name="a1-hash" value="97f2bba16d30623aa245353ff8ae2513"/>
      <param name="auth-acl" value="195.230.3.104/32"/>
    </params>
    <variables>
      <variable name="accountcode" value="1347a7ad-ff67-11eb-9528-9a306e6cb08d"/>
      <variable name="user_context" value="context_1"/>
    </variables>
  </user>
</include>
Inbound accepted call:
2021-08-21 21:23:35.432769 [NOTICE] switch_channel.c:1118 New Channel sofia/trunks/35924373333@194.153.118.28 [0e67c277-00b5-4584-9b31-b9e86f42aace]
2021-08-21 21:23:35.432769 [DEBUG] switch_core_state_machine.c:585 (sofia/trunks/35924373333@194.153.118.2 Running State Change CS_NEW (Cur 1 Tot 1)
2021-08-21 21:23:35.432769 [INFO] sofia.c:10362 sofia/trunks/35924373333@194.153.118.28 receiving invite from 194.153.118.28:5060 version: 1.10.6 -release 64bit call-id: 0faf6dcb69db75f945f753561b0dd6ad@194.153.118.28:5060
2021-08-21 21:23:35.432769 [DEBUG] sofia.c:10456 verifying acl "domains" for ip/port 194.153.118.28:0.
2021-08-21 21:23:35.512752 [DEBUG] sofia.c:10658 Authenticating user 1347a7ad-ff67-11eb-9528-9a306e6cb08d@194.153.118.45
When I define those using CURL XML (returning the same content as the static file; this is the XML response), the user is able to successfully register:
<document type="freeswitch/xml">
  <section name="directory">
    <domain name="194.153.118.45">
      <params>
      </params>
      <groups>
        <group name="contract_1">
          <users>
            <user id="1347a7ad-ff67-11eb-9528-9a306e6cb08d" cidr="194.153.118.28/32,194.153.118.34/32">
              <params>
                <param name="a1-hash" value="97f2bba16d30623aa245353ff8ae2513"/>
                <param name="auth-acl" value="195.230.3.104/32"/>
              </params>
              <variables>
                <variable name="accountcode" value="1347a7ad-ff67-11eb-9528-9a306e6cb08d"/>
                <variable name="user_context" value="context_1"/>
              </variables>
            </user>
          </users>
        </group>
      </groups>
    </domain>
  </section>
</document>
But then incoming calls are not authenticated (please note the “cidr” parameter in the user definition):
2021-08-21 21:36:57.884309 [NOTICE] switch_channel.c:1118 New Channel sofia/trunks/35924373333@194.153.118.28 [dd9bd835-de7a-43e7-9521-bc48b22336b6]
2021-08-21 21:36:57.884309 [DEBUG] switch_core_state_machine.c:585 (sofia/trunks/35924373333@194.153.118.2 Running State Change CS_NEW (Cur 1 Tot 1)
2021-08-21 21:36:57.884309 [INFO] sofia.c:10362 sofia/trunks/35924373333@194.153.118.28 receiving invite from 194.153.118.28:5060 version: 1.10.6 -release 64bit call-id: 665047ab59dcb3576dc5e23f21cb4cff@194.153.118.28:5060
2021-08-21 21:36:57.884309 [DEBUG] sofia.c:10456 verifying acl "domains" for ip/port 194.153.118.28:0.
2021-08-21 21:36:57.884309 [WARNING] sofia.c:10569 IP 194.153.118.28 Rejected by acl "domains"
After digging into this for a few days, I came to the conclusion that the ACL “domains” is not properly updated when a user registers.
------ End of attached email ------
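Added example, not part of the original post and not FreeSWITCH code: a Python sketch that models the documented `domain` node behaviour by collecting every user `cidr` from a directory document such as the CURL XML response in the post, then checking a source IP against the resulting default-deny list. The sample document is constructed from the post; `no-cidr-user`, the function names and the first-match lookup are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the directory response from the post, trimmed to the
# attributes the ACL scan uses, plus one hypothetical user without a cidr.
SAMPLE = """<document type="freeswitch/xml">
  <section name="directory">
    <domain name="194.153.118.45">
      <groups><group name="contract_1"><users>
        <user id="1347a7ad-ff67-11eb-9528-9a306e6cb08d" cidr="194.153.118.28/32,194.153.118.34/32"/>
        <user id="no-cidr-user"/>
      </users></group></groups>
    </domain>
  </section>
</document>"""


def build_domain_acl(xml_text, domain):
    """Return [(network, user_id)] for every user cidr found under `domain`."""
    root = ET.fromstring(xml_text)
    entries = []
    for dom in root.iter("domain"):
        if dom.get("name") != domain:
            continue
        # iter() finds users directly under the domain and inside groups.
        for user in dom.iter("user"):
            for part in (user.get("cidr") or "").split(","):
                try:
                    net = ipaddress.ip_network(part.strip(), strict=False)
                except ValueError:
                    continue  # empty or malformed entries are skipped, never allowed
                entries.append((net, user.get("id")))
    return entries


def check_ip(entries, ip, default="deny"):
    """Model a default-deny list: the first matching cidr allows and names the user."""
    addr = ipaddress.ip_address(ip)
    for net, user_id in entries:
        if addr in net:
            return ("allow", user_id)
    return (default, None)


if __name__ == "__main__":
    acl = build_domain_acl(SAMPLE, "194.153.118.45")
    for ip in ("194.153.118.28", "195.230.3.104"):
        print(ip, check_ip(acl, ip))
```

Running it against a saved copy of the directory response shows which source IPs the scan would map to which user, which separates "the response lacks the cidr" from "the ACL was not rebuilt from it".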