Asterisk ARI allowed_origins


Perhaps I do not understand this feature but I am trying to restrict so that only localhost can use the ARI on port 8088.

Here’s my configuration, I have tried both allowed_origin http://localhost:8088 and without protocol localhost:8088

enabled = yes
allowed_origins = http://localhost:8088


Despite having this I can still send requests remotely like this
curl -u ariuser:1234

<--- ARI request received from: --->
Authorization: Basic YXJpdXNlcjoxMjM0
User-Agent: curl/7.88.1
Accept: */*

<--- Sending ARI response to --->
200 OK
Content-type: application/json

Is there a way to limit ARI access to localhost, but having WS exposed externally?

Asterisk version 20.3.0

There is currently no ACL functionality. You would want to put a proxy in front for Websockets and bind the Asterisk HTTP server to localhost only.

OK, well as of now that is not an option. We’ll just live with the fact that ARI is exposed externally and use strong passwords.

Do you happen to know if there’s an existing feature request on such a functionality? Or at least segregating ARI from WS.

block it in your firewall

Feature requests are put on Github[1]. There is no such feature request currently.

[1] Issues · asterisk/asterisk-feature-requests · GitHub

I have created a Feature Request to the best of my ability.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.