[SR-Users] Best practises for websocket authentication

Grant Bagdasarian grantbagdasarian at gmail.com
Thu Jun 13 00:48:49 CEST 2019


Hi Fatih/Shaheryarkh,

Shaheryarkh's comment is exactly what I was going for, so performing some
kind of authentication before the Upgrade of the HTTP connection.

I’ve been playing around with the auth_ephemeral module inside the xhttp
event_route, which seems to be working just fine. Currently, my script
requires a somewhat two-step authentication process, first by
authenticating the HTTP request using auth_ephemeral, followed by a SIP
REGISTER using regular Digest Auth.

A few extra questions from my side:
1) In the case of no HTTP authentication, and no IP whitelisting, anyone on
the public internet would be able to open up a WebSocket connection to a
publicly available Kamailio proxy configured with WebSocket support,
correct?
2) If somehow the Kamailio proxy is equipped with an authentication
mechanism for the HTTP request, and a client fails to authenticate, how does
Kamailio handle the closure of the HTTP connection? For example, does it hold
resources like ports, file descriptors, etc., until they're ready to be
cleaned up after some timeout?

Tbh, I haven’t done a deep dive into HTTP handling by Kamailio yet, and
perhaps these settings can be tuned using the various TCP settings exposed
by Kamailio.

Thanks and regards,

Grant
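
Added example, not part of the original post or of Kamailio's code: how the time-limited credentials checked by auth_ephemeral before the WebSocket upgrade are derived and validated. It assumes the module's shared-secret scheme with a "timestamp:user" username and HMAC-SHA1; the secret, user name and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed value; in a deployment this must equal the proxy's shared secret.
SECRET = b"constructed-shared-secret"


def _mac(username: str) -> str:
    """base64(HMAC-SHA1(secret, username)), the assumed password derivation."""
    digest = hmac.new(SECRET, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def issue(user: str, ttl: int, now: int) -> tuple[str, str]:
    """Web-service side: hand out (username, password) valid for ttl seconds."""
    username = f"{now + ttl}:{user}"  # expiry timestamp first, then the user
    return username, _mac(username)


def verify(username: str, password: str, now: int) -> str:
    """Proxy side: classify a presented credential pair.

    Returns 'ok', 'expired', 'bad-mac' or 'malformed'.
    """
    expiry, sep, _user = username.partition(":")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return "malformed"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(_mac(username).encode(), password.encode()):
        return "bad-mac"
    # The expiry is covered by the MAC, so a client cannot extend it.
    if int(expiry) < now:
        return "expired"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    name, pwd = issue("alice", ttl=300, now=now)
    print(name, pwd)
    print("fresh:   ", verify(name, pwd, now))
    print("later:   ", verify(name, pwd, now + 301))
    print("tampered:", verify(f"{now + 86400}:alice", pwd, now))
```

Because the expiry is part of the MAC input, a short TTL bounds how long a leaked credential pair can be used to open connections.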