[sr-dev] [kamailio/kamailio] core: tcp - add alias for cinfo dst IP (PR #2888)
sergey-safarov
notifications at github.com
Wed Oct 20 13:30:14 CEST 2021
Hello Federico @grumvalski
I previously tried to use the `haproxy` protocol and found that the Kamailio implementation is very restrictive.
For example:
1) 100% CPU usage when a TCP connection is created and no data is sent (#2658)
2) No ability to define a list of trusted sources, because now any fraudulent host can send a crafted haproxy packet and break the ACL rules used on the Kamailio side. The relevant feature, `set_real_ip_from`, exists in nginx ([Link](https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)). From my point of view, it is a big security hole.
Could you also look at the limitations described above?
Just for info, here is an nginx config snippet with the haproxy feature.
```
server {
    listen 0.0.0.0:3128 proxy_protocol;
    listen [::]:3128 proxy_protocol;
    set_real_ip_from 4.101.84.5/32;
    set_real_ip_from 4.101.84.133/32;
    set_real_ip_from 4.236.25.5/32;
    set_real_ip_from 4.236.25.133/32;
    real_ip_header proxy_protocol;
    ...
```
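The trusted-source check requested in the message above (the counterpart of nginx's `set_real_ip_from`), sketched in Python as an added example; it is not part of the original message and is not Kamailio code. The function names are hypothetical, the trusted list reuses the addresses from the nginx snippet, and the client addresses in the test inputs are constructed.

```python
import ipaddress

# Trusted proxy sources, copied from the set_real_ip_from lines in the nginx snippet.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "4.101.84.5/32", "4.101.84.133/32", "4.236.25.5/32", "4.236.25.133/32")]


def parse_proxy_v1(line: bytes):
    """Return the source address declared in a PROXY protocol v1 line.

    Returns None for the UNKNOWN family; raises ValueError on a malformed line.
    """
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("PROXY v1 header too long or not CRLF-terminated")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported family or wrong field count")
    src = ipaddress.ip_address(parts[2])
    dst = ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match addresses")
    for port in parts[4:]:
        if not 0 <= int(port) <= 65535:
            raise ValueError("port out of range")
    return src


def effective_source(peer_ip: str, first_line: bytes, trusted=TRUSTED_PROXIES):
    """Address that ACLs should evaluate for a new connection.

    peer_ip is the socket peer; first_line is the first line read from it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not first_line.startswith(b"PROXY "):
        return peer  # no header: the socket peer is the source
    if not any(peer in net for net in trusted):
        # Header from an untrusted host: never believe the address it claims.
        return peer
    declared = parse_proxy_v1(first_line)
    return declared if declared is not None else peer
```

This mirrors the nginx behaviour of keeping the socket address for untrusted peers; dropping such connections outright is a stricter policy choice.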