Hello all,
I’m having lots of problems when trying to configure Kamailio behind an AWS TLS load balancer to offload TLS and receive on TCP on Kamailio. Everything else inside is UDP. I found I need to manually add record-route presets every time an INVITE comes in. And when trying to forward an ACK to the client via the TLS/TCP load balancer, Kamailio complains the socket is not TLS, so it fails.
Is there a simpler way of doing this via some parameters I don’t know?
Thanks for helping me with this!
David
Hello David,
the simplest way is of course to just not use the AWS load-balancer. 😉 Do you have performance concerns using Kamailio for that purpose?
As you probably know, SIP as a protocol is not really suited for this kind of cloud balancing infrastructure, which targets more HTTP and other protocols. And Kamailio in a load-balancer scenario is usually the first TLS/TCP/UDP endpoint to reach from the client point of view.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
In reply to David Villasmil david.villasmil.work@gmail.com, sent Saturday, 12 August 2023 02:55 to Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org, subject: [SR-Users] Kamailio behind TLS-TCP load balancer.
Hi,
A benefit of using the AWS load balancer is the included DDoS prevention. Jonas Swiatek gave me that as a tip.
He simply set up self-signed certs on the Kamailio behind the NLB load balancer. So it's
Internet -> TLS NLB/AWS loadbalancer -> TLS self-signed Kamailio.
Should solve your problems.
Kind regards Karsten Horsmann
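The layout Karsten describes (Internet -> TLS NLB -> TLS self-signed Kamailio), sketched as a Kamailio configuration fragment. This is an added example, not configuration posted by anyone in the thread; the addresses and file paths are constructed placeholders, and it assumes the NLB forwards to a TLS target on port 5061.

```cfg
# kamailio.cfg (fragment) -- constructed values, not from the thread
# 10.0.0.10    = Kamailio's private address, the NLB target   [assumption]
# 203.0.113.10 = public address clients reach through the NLB [assumption]

enable_tls=yes

# TLS socket facing the NLB. Because Kamailio itself terminates TLS on this
# socket, replies and in-dialog requests (such as the ACK) leave on a real
# TLS socket. "advertise" puts the public address into Via/Record-Route
# instead of the private one.
listen=tls:10.0.0.10:5061 advertise 203.0.113.10:5061

# UDP socket for the internal side ("everything else inside is UDP").
listen=udp:10.0.0.10:5060

loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")

# With the rr module loaded, record_route() adds two Record-Route headers
# when a request crosses from the TLS socket to the UDP socket
# (enable_double_rr, on by default), so no manual preset is needed.
loadmodule "rr.so"

# /etc/kamailio/tls.cfg -- separate file referenced above (paths hypothetical)
# [server:default]
# method = TLSv1.2+
# verify_certificate = no     # no client-certificate check on the NLB hop (assumption)
# require_certificate = no
# private_key = /etc/kamailio/selfsigned-key.pem
# certificate = /etc/kamailio/selfsigned-cert.pem
```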
In reply to Henning Westerholt hw@gilawa.com, Sat, 12 Aug 2023, 11:09.
Oh, you mean a public cert on the TLS public side and a self-signed cert on the inside? Meaning Kamailio would still be serving on TLS? Record-route problem… that’s cool. I’ll try that. Thanks!
In reply to Karsten Horsmann khorsmann@gmail.com, Tue, 15 Aug 2023 at 20:49.
Hi Karsten,
interesting scenario, thanks. Regarding TLS off-loading, it's of course less useful then.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
In reply to Karsten Horsmann khorsmann@gmail.com, sent Tuesday, 15 August 2023 20:24 to Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org, subject: [SR-Users] Re: Kamailio behind TLS-TCP load balancer.
True, but one gets a lot of benefits from being behind AWS’ load balancer.
In reply to Henning Westerholt hw@gilawa.com, Wed, 16 Aug 2023 at 11:00.
Hi Henning,
Yeah, TLS offloading is then not a plus, but the benefits from DDoS prevention and clear transport headers should compensate for that.
In reply to Henning Westerholt hw@gilawa.com, Wed, 16 Aug 2023, 10:09.
DDoS, better load balancer resiliency, easier to manage, there’s lots of benefits.
In reply to Karsten Horsmann khorsmann@gmail.com, Thu, 17 Aug 2023 at 09:55.
Do you want to use the AWS load balancer for TLS offload? Is a Network Load Balancer (NLB) used? Have you enabled the HAProxy protocol on the NLB? Does TCP + HAProxy work stably for you?
Sergey
In reply to David Villasmil david.villasmil.work@gmail.com, Sat, Aug 12, 2023 at 4:19 AM.
On Sat, 12 Aug 2023, 09:19 David Villasmil,
> I found I need to manually add record-route presets every time an INVITE comes in. And when trying to forward an ACK to the client via the TLS/TCP load balancer, Kamailio complains the socket is not TLS, so it fails.
Have you tried forcing TCP with t_relay_to_tcp?