Based on the documentation, Web RTC depends on res_http. This is the same HTTP server used by ARI.
I want to use Web RTC and expose the interface on a public IP, however I don’t want to expose ARI endpoints to all the internet.
Is something like this possible? Accept Web RTC connections on a public interface and accept ARI connections only on localhost or a private interface?
The only way I can think to do this offhand would be to have the asterisk internal http server listen only on the loopback or private address and run an nginx reverse-proxy that’s bound to the external address and forwards to the asterisk internal http server. You’d then set a rule in nginx to only allow /ws.
But doesn’t PJSIP have its own bind address and port? It never uses HTTP/HTTPS for anything (except of course for initiating WebSocket connections), so I don’t see why anything in http.conf should have anything to do with it.
WebRTC uses web sockets.
Exactly.
No. The bind and tls parameters in a websocket transport in pjsip.conf are ignored. The internal web server defined in http.conf is used for both ARI and WebRTC communications.
I find that a rather surprising oversight from a security viewpoint.
The only way I can think of to work around this is to have your own intermediary server. This will accept websocket-only connections from clients, and in turn it will make websocket-only connections to Asterisk.
Would that work? Is there a chance that any of the content might be (accidentally) interpreted by ARI?
That’s what I suggested above with nginx acting as a reverse proxy.
ARI REST endpoints and its event websocket are password protected so even if an /ari URL somehow made it through the reverse-proxy it wouldn’t do much good.
Thanks for the replies. Nginx was also the only thing I could come up with, I was hoping there was something else. I will try doing it with Nginx, hopefully it won’t have issues forwarding websocket traffic. Will come back with my findings.
I agree its not too good from a security viewpoint, the proxy solution sounds good enough but it would be nicer if we can deal with it directly in asterisk. ari.conf already has a parameter for allowed CORS origins, I wonder what the devs think of including something similar but for IP addresses. Sort of like the ACL for PJSIP endpoints.
It’d likely be accepted, but just thinking about things ultimately doesn’t cause the work to be done - so the work still has to be done.
I’d also add that the HTTP Server in Asterisk is real basic, so it’s generally a good idea to put a proxy in front regardless.
The thing with proxying through a standard web server is, can you ensure that the connection will only be passed on after it has been upgraded to WebSocket, and not before?
If you configure the reverse-proxy correctly, yes.
https://nginx.org/en/docs/http/websocket.html
A google search for “nginx proxy websockets” will return lots of useful results.
or put a Kamailio in front as a proxy
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.