WebRTC protection for domain origin

Hello,

We have a front-end before Asterisk 18.9 where users log in, and then we register them towards the Asterisk with PJSIP endpoints using WebRTC. The Asterisk WSS is exposed towards the internet.

How can we make sure that users can only register towards this Asterisk coming from our front-end?
We need to prevent users from creating their own WebRTC clients and connecting from somewhere else, since they have the username and password.

Is there any way of ensuring that registrations can only be allowed from our front-end without using IP ACL?

After reading a bit of pjsip.conf, I figured we can set the endpoint name as

user1@our.domain.com

Is this sufficient and good practice to achieve what we want?

You should see your WebSocket port as just another entry point into your server, like UDP port 5060, TCP ports 5060 and 5061, etc. Generally it’s easier to configure the WebSocket port to something high and unusual so that port scanners don’t really bother you, but typically server protection would be down to a good username and password policy, fail2ban, and dialplan protection.

At the end of the day though, if you want your box secure, don’t open the ports… otherwise you will have to be performing some sort of security process.

If you are willing to redesign the way your systems work, you could look at reverse-proxying Apache to Asterisk, and in the process use something like .htaccess. This way you get Apache to become the “front line” for your WebSocket connections, and Asterisk binds to 127.0.0.1.

Thanks for your reply.

The “Asterisk” is exposed to the internet on port 443, and then we use a local port forward to WSS/8089. This is basically for the service to work with firewalls that have aggressive outbound rules for unknown ports (not with regard to audio).

All usernames and passwords are randomly generated without any user input, so we have covered that one.

However, the question remains whether we can lock down REGISTRATIONs to only our trusted domain. And I believe I have achieved something at least when configuring the endpoints as username@ourdomain. But is this spoofable, or will Asterisk still perform certificate checks as part of the WebRTC?

You can use a Root CA certificate of your own making, then with it generate a server certificate for your WS port (either on Asterisk or at your proxy). You will then need to get the clients to download and install the Root CA on their devices.

This would take a bit longer at setup, but certificates are absolute protection. You will simply not be able to access the port without presenting the correct Root CA.

The problem is that adoption could be tricky.
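Putting the second reply's reverse-proxy idea and the last reply's private-CA idea together, here is an added example of an Apache 2.4 configuration; it is not from the thread or from the Asterisk project. It assumes mod_ssl, mod_proxy, mod_proxy_wstunnel and mod_authz_core are loaded, that Asterisk's http.conf has `bindaddr=127.0.0.1` and `bindport=8088` so the WebSocket listener is not reachable from outside, that the front-end is served from `https://our.domain.com`, and that every user has a client certificate issued by the private CA installed in their browser (a root CA alone only lets clients trust the server; it is the client certificate that lets the proxy refuse everyone else). All paths and hostnames are placeholders.

```apache
# Added example, not from the thread or the Asterisk project.
# Apache 2.4 as the public WSS entry point; Asterisk's WebSocket listener
# is assumed to be bound to 127.0.0.1:8088 in http.conf.
# Assumed modules: mod_ssl, mod_proxy, mod_proxy_wstunnel, mod_authz_core.
# "Listen 443" is expected to come from the distribution's ports file.

<VirtualHost *:443>
    ServerName our.domain.com

    # Server-side TLS for the public hostname (placeholder paths).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/our.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/our.domain.com.key

    # Mutual TLS with the private CA from the last reply: the handshake
    # fails unless the client presents a certificate issued by this CA,
    # so a client without one never reaches Asterisk at all.
    SSLCACertificateFile /etc/ssl/private-ca/root-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    ProxyRequests Off
    ProxyPreserveHost On

    # Only the WebSocket path is forwarded to Asterisk.
    <Location "/ws">
        # Browsers set Origin themselves and a page cannot alter it, so this
        # blocks pages served from other sites. It is defence in depth only:
        # a non-browser client chooses its own headers, which is why the
        # client-certificate requirement above is the control that matters.
        Require expr "%{HTTP:Origin} == 'https://our.domain.com'"

        ProxyPass        "ws://127.0.0.1:8088/ws"
        ProxyPassReverse "ws://127.0.0.1:8088/ws"
    </Location>

    # Record the client certificate subject with each connection so that
    # a registration can be tied back to an issued certificate later.
    LogFormat "%h %t \"%r\" %>s %{SSL_CLIENT_S_DN}x" wss_audit
    CustomLog /var/log/apache2/wss_audit.log wss_audit
</VirtualHost>
```

Run `apachectl configtest` before reloading. With this in place the Asterisk listener is only reachable through the proxy, a connection without a certificate from the private CA is rejected during the TLS handshake before any SIP message is sent, and the audit log shows which issued certificate each accepted WebSocket session used.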
