[Serusers] Proxy_authorize, www_authorize

Jiri Kuthan jiri at iptel.org
Wed Mar 5 23:05:04 CET 2003


Lasse,

I see two limitations:
- if you only challenge INVITEs to outside domain, people out of your
  domain can call people in your domain and claim shamelessly your domain
  name in From, which is then sort of rubberstamped by the proxy; so I think
  you can combine challenging based on From along with "anti-spam" policy
  "drop invites which have my domain neither in From nor in r-uri"
- if you apply such policies to other requests than BYE, you will run into
  trouble; better to be permissive about non-INVITEs. See
  http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html

-Jiri

At 10:10 PM 3/5/2003, Lasse Jansson wrote:
>Thanks,
>
>One last question: I guess that if I want my server to offer <forwarding of 
>requests to other domains> only to authorized users in my domain I should 
>restrict the last part more, as follows:
>
># For requests to other domains
>                if (!proxy_authorize("mydomain.com", "subscriber")) {
>                        proxy_challenge("mydomain.com", "1");
>                        break;
>                };
>
>(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in this 
>case)
>
>Lasse
>
>On Wednesday 05 March 2003 02.08, Jiri Kuthan wrote:
>> At 10:43 PM 3/4/2003, Lasse Jansson wrote:
>> >Thanks for your answer !
>> >
>> >I guess then that the following lines (based on the default script) would
>> > work to implement all of Michael's example ?
>> >
>> >Lasse
>> >
>> >        if (uri=~mydomain.com) {
>>
>> perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems reasonable
>> to me.
>>
>> -Jiri

--
Jiri Kuthan            http://iptel.org/~jiri/ 
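
Added example, not part of the original message and not SER code: a Python model of the combined policy described above (challenge when From claims the local domain, drop INVITEs with the domain in neither From nor R-URI, stay permissive about non-INVITEs), run with both the unquoted domain test and the suggested [@:]mydomain\.com pattern. The names decide, parse and request, the constructed sample messages, the assumption that requests carry no credentials, and the use of Python's re in place of SER's regex matching are all assumptions of this example.

```python
import re

# "mydomain.com" is the placeholder domain used in the thread.
LOOSE = re.compile(r"mydomain.com")        # unquoted test from the first script
TIGHT = re.compile(r"[@:]mydomain\.com")   # pattern suggested in the reply

def parse(raw):
    """Return (method, request_uri, from_value) for a raw SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, ruri, _version = lines[0].split(" ", 2)
    from_value = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):   # long and compact header name
            from_value = value.strip()
    return method, ruri, from_value

def decide(raw, pattern=TIGHT):
    """Policy for a request that carries no credentials (assumption)."""
    method, ruri, from_value = parse(raw)
    if method != "INVITE":
        return "relay"                   # stay permissive about non-INVITEs
    from_local = bool(pattern.search(from_value))
    ruri_local = bool(pattern.search(ruri))
    if not from_local and not ruri_local:
        return "drop"                    # my domain in neither From nor R-URI
    if from_local:
        return "challenge"               # From claims my domain: must authenticate
    return "relay"                       # outside caller to a local user

def request(method, ruri, from_value):
    """Build a minimal constructed SIP request for the demo."""
    return (f"{method} {ruri} SIP/2.0\r\n"
            f"From: {from_value};tag=1\r\n"
            f"To: <{ruri}>\r\nCall-ID: demo@host.invalid\r\nCSeq: 1 {method}\r\n\r\n")

SAMPLES = {  # constructed messages, not captured traffic
    "local From, local callee": request("INVITE", "sip:bob@mydomain.com", "<sip:alice@mydomain.com>"),
    "outside From, local callee": request("INVITE", "sip:bob@mydomain.com", "<sip:eve@example.net>"),
    "local From, outside callee": request("INVITE", "sip:carol@example.org", "<sip:alice@mydomain.com>"),
    "both outside": request("INVITE", "sip:carol@example.org", "<sip:eve@example.net>"),
    "BYE, both outside": request("BYE", "sip:carol@example.org", "<sip:eve@example.net>"),
    "look-alike callee": request("INVITE", "sip:bob@notmydomain.com", "<sip:eve@example.net>"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:28} tight={decide(raw):10} loose={decide(raw, LOOSE)}")
```

The suggested pattern is still open on the right-hand side, so a host such as mydomain.com.example.net also matches it; comparing the parsed host for equality avoids that.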



