Adobe Connect User Community

#1 2017-05-25 13:51:00

christian poirier

How to secure the use of the API for external-auth

My organization faces a security problem.

We want to use the external-auth feature from the API because we have a single sign-on and do not want our users to have to log in again when switching from our application to the virtual meeting room.
We succeeded in using the feature, but anyone from any IP can call the API to test a login even if they do not know the HTTP_AUTH_HEADER name. We cannot restrict the API calls to dedicated IP addresses. We tried to use HTTP_AUTH_TRUSTED_HOSTS, but the calls always come from localhost, as we can see in api.log:

[05-25 13:50:25] https-8443-12 XML API called, action = login, host = server.domain, session = null, caller = 127.0.0.1, user = unknown, parameters = &action=login&external-auth=use

Does anyone know how to restrict the API external-auth to some IP addresses?


#2 2017-06-12 10:30:07

christian poirier

Re: How to secure the use of the API for external-auth

I found out why the application always received the IP address 127.0.0.1 instead of the actual IP address of the client. This was because the STUNNEL application that provides the HTTPS connection is configured as a non-transparent proxy. The STUNNEL application does not support transparent proxying in the Windows version, only in the Linux version. So I have to find a proxy server application on Windows.

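Added example (not written by the poster and not Adobe's code): a small audit of api.log that counts external-auth login calls by caller address and flags the loopback case described in this thread, where a local TLS proxy hides the real client and an IP allow-list cannot take effect. The field layout is assumed from the single log line quoted above; the other sample lines and the trusted network passed in are constructed.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the single api.log line quoted in the thread.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>\S+)\s+XML API called,\s+(?P<fields>.*)$")

def parse_line(line):
    """Return the fields of one 'XML API called' line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # 'parameters' comes last and is free-form, so split it off before the rest.
    head, _, params = m.group("fields").partition(", parameters = ")
    rec = {"ts": m.group("ts"), "parameters": params}
    for part in head.split(", "):
        key, sep, value = part.partition(" = ")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def audit_external_auth(lines, trusted_networks):
    """Count external-auth login calls per caller, bucketed by address class."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    result = {"loopback": Counter(), "trusted": Counter(), "untrusted": Counter()}
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("action") != "login" or "external-auth=use" not in rec["parameters"].split("&"):
            continue
        try:
            addr = ipaddress.ip_address(rec.get("caller", ""))
        except ValueError:
            continue  # caller field missing or not an IP address
        if addr.is_loopback:
            bucket = "loopback"  # a local proxy is hiding the real client address
        elif any(addr in net for net in nets):
            bucket = "trusted"
        else:
            bucket = "untrusted"
        result[bucket][str(addr)] += 1
    return result

# Constructed sample; only the first entry reproduces the line from the thread.
_FMT = ("[05-25 13:5{i}:25] https-8443-12 XML API called, action = {a}, host = server.domain, "
        "session = null, caller = {c}, user = unknown, parameters = &action={a}{p}")
SAMPLE = [_FMT.format(i=i, a=a, c=c, p=p) for i, (a, c, p) in enumerate([
    ("login", "127.0.0.1", "&external-auth=use"),
    ("login", "10.1.2.3", "&external-auth=use"),
    ("login", "203.0.113.7", "&external-auth=use"),
    ("common-info", "127.0.0.1", ""),
])]
```

Calling `audit_external_auth(SAMPLE, ["10.0.0.0/8"])` puts the thread's own log line in the `loopback` bucket; any entries there mean the server is seeing the proxy's address rather than the client's.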
