
Re: [reSIProcate-users] Authorization by Proxy to Gateway

A proxy is not supposed to modify headers; it is supposed to only add headers involved in routing (i.e. Via, Route and/or Record-Route headers).  It might also remove some headers too (i.e. Identity headers) when forwarding outside of its domain.  I suggest a good read through the proxy behaviour sections in RFC3261.  You might be able to add the Authentication headers, but you will definitely run into trouble if you start trying to change the To and/or From headers.  If you need to modify key headers like To/From then you must write a B2BUA instead.

FYI the challenge realm/domain will be in the 407/401 response.  You could use this to find the correct user.


On Tue, Mar 27, 2018 at 12:05 PM, Roman Rybalko via resiprocate-users <resiprocate-users@xxxxxxxxxxxxxxx> wrote:

---------- Forwarded message ----------
From: Roman Rybalko <resiprocate@xxxxxxxxxxx>
To: "resiprocate-users@xxxxxxxxxxxxxxx" <resiprocate-users@xxxxxxxxxxxxxxx>
Date: Tue, 27 Mar 2018 19:05:55 +0300
Subject: Re: [reSIProcate-users] Authorization by Proxy to Gateway
I'm thinking of writing a Lemur-plugin for that.

I will hook a response and check if it has a WWW-Authenticate/Proxy-Authenticate challenge; if it does, I dig a password out of UserStore and resend the request with an Authorization header added.

It seems rather simple. What am I missing?

Though I don't know yet how to pick a user/password pair if there are several ones in UserStore for a realm.

Perhaps I will also need another rewriting plugin to fix To/From headers. Maybe such a plugin already exists somewhere?

Roman Rybalko

*From:* Scott Godin
*Sent:*  Tuesday, March 27, 2018 4:31PM +0300
*To:* Roman Rybalko
*Cc:* Resiprocate-users
*Subject:* Re: [reSIProcate-users] Authorization by Proxy to Gateway

repro is a strict SIP Proxy, it will not provide credentials to another
server/UA, it will only pass them along.  I think you have the following
1.  Disable authentication on repro.
2.  Disable authentication on the gateway.
3.  Use an ACL/whitelist on the gateway, so that it will not challenge
any requests from the repro proxy/domain.
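
The flow discussed in this thread (read the realm from the 401/407 challenge, look up credentials for that realm, compute the Authorization response), as an added example that is not from the original messages and is not reSIProcate or repro code. It is plain Python implementing RFC 2617 Digest with MD5; `USER_STORE` and its realms, users and passwords are constructed stand-ins for repro's UserStore, and the lookup refuses to choose when a realm maps to zero or several credentials.

```python
import hashlib
import re

# Constructed stand-in for repro's UserStore: realm -> list of (user, password).
USER_STORE = {
    "gw.example.com": [("proxy-trunk", "s3cret")],
    "shared.example.com": [("alice", "pw1"), ("bob", "pw2")],
}

_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def parse_challenge(value):
    """Parse a WWW-Authenticate / Proxy-Authenticate header value into a dict."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are handled")
    return {k.lower(): (q if q else u) for k, q, u in _PARAM.findall(rest)}

def pick_credentials(realm, store=USER_STORE):
    """Return the single (user, password) for realm; never guess between several."""
    matches = store.get(realm, [])
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} credentials for realm {realm!r}")
    return matches[0]

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, chal, method, uri, cnonce, nc="00000001"):
    """RFC 2617 'response' value for algorithm=MD5, with or without qop=auth."""
    if chal.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported algorithm")
    ha1 = _md5(f"{user}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    qops = [q.strip() for q in chal.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        return _md5(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    if qops:
        raise ValueError("only qop=auth is handled")
    return _md5(f"{ha1}:{chal['nonce']}:{ha2}")  # legacy form, no qop offered
```

For a SIP request the `method` and `uri` arguments are the request method (for example INVITE) and the Request-URI of the request being resent.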