PJSIP: Is that possible to identify endpoints with auth_username -> ip order?

ogibayashi · December 17, 2020, 9:37am

Hello,

Is that possible to identify endpoints with auth_username -> ip order with PJSIP?
What I want to do is:

first authenticate a request by Authorization header, if authenticated, route to endpoint A based on auth_username.
If not authenticated, check src IP and if it matches, route the request to another endpoint B.
Otherwise, reject the request.

I have tried “endpoint_identifer_order=auth_usrename,ip” setting, but if the request comes from the src IP which matches the identifier definition, the request is not challenged.
Is it possible to let Asterisk behaves as above?

Regards,

Hironori

jcolp · December 17, 2020, 9:40am

Not for that particular scenario I don’t think. It’s kind of in a scenario where it can’t work - if identifying based on auth_username you need to challenge them, however you don’t want to challenge if it’s an IP match. You have to use “username” with the username in the From header so it knows which endpoint from the start.

ogibayashi · December 17, 2020, 11:28am

Thanks for your response!
Unfortunately, we cannot control From header in our case, but I found that I can use custom header to distinguish case 1. and 2.

I used “endpoint_identifer_order=header,ip” setting and created two endpoints.

[endpoint-case-1]
type=identify
endpoint=endpoint1
match_header=x-some-header:foo

[endpoint-case-2]
type=identify
match=1.2.3.4/32
endpoint=endpoint2

Then, if a request from 1.2.3.4 has x-some-header=foo, it will be routed to endpoint1 and I could add authentication on that endpoint.
If another request from the same IP does not have the header, it will be routed to endpoint2 without authentication.
This is not exactly the same scenario I have imagined, but I’m fine with it because I can add an endpoint with authentication while keeping existing IP based identification.

Thanks!