[SR-Users] DBURL password in clear

Robert robert at vooey.co.uk
Thu Nov 16 21:24:12 CET 2017


Hello Jurijs,

Thank you for the link, Docker secrets is definitely something that would be an option, and yes, holding anything in a variable or somewhere it can be easily queried isn’t going to work.

We’ll see what happens.

Cheers - Robert...

> On 16 Nov 2017, at 10:41, Jurijs Ivolga <jurijs.ivolga at gmail.com> wrote:
> 
> Hi,
> 
> Not sure that this helps, but below is how I solved a similar issue by generating an include file inside the Docker file using env variables, but this is not a good approach for sensitive data.
> 
> echo "\
>  modparam(\"http_client\", \"httpcon\", \"apiserver=>https://$apiurl\"); \
>  " >> /kamailio.apiurl
> 
> I believe you can use docker secrets, as described below, but I never used them so I can't help much:
> 
> https://medium.com/@basi/docker-environment-variables-expanded-from-secrets-8fa70617b3bc
> 
> With kind regards,
> 
> Jurijs
> 
> On Thu, Nov 16, 2017 at 11:34 AM, Daniel Tryba <d.tryba at pocos.nl> wrote:
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
> > > I'm working for a UK high street bank and our Kamailio implementation has been challenged because we've got database passwords held in clear in the configuration file.
> ...
> > > My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
> > >
> > you can define a value for a token to be used inside kamailio.cfg by using the -A
> > command line parameter. So when you start kamailio, fetch the password
> > from your secure system by whatever means, then build the database
> > url based on it and run kamailio with:
> >
> > kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> 
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)
> 
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (of course in a secure way (shred the
> file and overwrite all free space with multiple patterns a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running.
> 
> 
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
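
Added example, not part of the original thread or of Kamailio itself: a shell function for a container entrypoint that combines the two suggestions above, reading the password from a Docker secret file and writing an owner-only include file that defines DBURL for import_file, so the password is neither in kamailio.cfg nor on the kamailio command line. The secret path, include path, user, host and database names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, user, host and database names
# used here are assumptions chosen for illustration.

# write_dburl_include SECRET_FILE OUT_FILE DB_USER DB_HOST DB_NAME
# Writes a Kamailio include file that defines DBURL, readable by owner only.
write_dburl_include() {
    secret_file=$1 out_file=$2 db_user=$3 db_host=$4 db_name=$5
    nl='
'
    [ -r "$secret_file" ] || { echo "secret not readable: $secret_file" >&2; return 1; }

    # Command substitution strips the trailing newline of the secret file.
    db_pass=$(cat "$secret_file")
    [ -n "$db_pass" ] || { echo "secret is empty" >&2; return 1; }

    # Refuse characters that would break the quoted define or the URL layout,
    # rather than writing a config that parses differently than intended.
    case $db_pass in
        *\"*|*\\*|*@*|*/*|*:*|*"$nl"*)
            echo "secret contains a character unsafe for DBURL" >&2
            return 1 ;;
    esac

    # umask in a subshell: the file is created 0600 and the caller's umask is
    # left untouched. printf is a shell builtin in sh/bash/dash, so the
    # password is not passed in any process's argument list.
    (
        umask 077
        rm -f "$out_file"
        printf '#!define DBURL "mysql://%s:%s@%s/%s"\n' \
            "$db_user" "$db_pass" "$db_host" "$db_name" > "$out_file"
    )
}

# Entrypoint usage (assumed paths; /run/kamailio assumed to be a tmpfs mount):
#   write_dburl_include /run/secrets/kamailio_db_password \
#       /run/kamailio/dburl.cfg kamailio dbhost kamailio || exit 1
#   exec kamailio -DD -E
#
# kamailio.cfg then contains, before any modparam that uses DBURL:
#   import_file "/run/kamailio/dburl.cfg"
```

Writing the include file to a tmpfs mount keeps the generated password file off persistent disk, which is where the Docker secret itself is mounted.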
