From f722ade2a59872cb8c62e81809ef4d83d11434e5 Mon Sep 17 00:00:00 2001
From: David Troy
Date: Mon, 23 Jun 2008 11:37:23 -0400
Subject: added files to project
---
configs/astmanproxy.conf | 97 +++++++++++++++++++++++++++++
configs/astmanproxy.users | 10 +++
configs/ssl.conf | 154 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 261 insertions(+)
create mode 100644 configs/astmanproxy.conf
create mode 100644 configs/astmanproxy.users
create mode 100644 configs/ssl.conf
(limited to 'configs')
diff --git a/configs/astmanproxy.conf b/configs/astmanproxy.conf
new file mode 100644
index 0000000..5c2f480
--- /dev/null
+++ b/configs/astmanproxy.conf
@@ -0,0 +1,97 @@
+; astmanproxy.conf
+; Asterisk Manager Proxy Configuration Sample
+; (C) 2005-2006 David C. Troy - dave@popvox.com
+
+; List of asterisk host(s) you want to proxy
+; host = ip_addr, port, user, secret, events, use_ssl
+host = localhost, 5038, dave, moo, on, off
+
+;host = 192.168.1.173, 5038, dave, moo, on, on
+;host = 127.0.0.2, 5038, user, secret, on
+;host = otherhost, 5038, user, secret, on
+;host = newhost, 5030, user, secret, off
+;host = oldhost, 5040, user, secret, off
+;host = myhost, 5038, user, secret, on
+
+; Server reconnect interval (in seconds); how often to retry
+; Connecting to an asterisk server whose connection was lost
+retryinterval = 2
+
+; Number of times to retry connecting to a given server
+; use 0 for infinitely, or some finite number
+maxretries = 10
+
+; How long do we wait on the manager port for an SSL session start? (ms)
+sslclienthellotimeout = 200
+
+; Do we accept encrypted SSL manager connections?
+acceptencryptedconnection = yes
+
+; Do we accept unencrypted manager connections?
+acceptunencryptedconnection = yes
+
+; Amount of time to wait before timing out on writes to asterisk
+asteriskwritetimeout=100
+
+; Amount of time to wait before timing out on writes to clients
+clientwritetimeout=200
+
+; Our server-side SSL certificate; what we use when answering clients
+certfile = /var/lib/asterisk/certs/proxy-server.pem
+
+; Address for proxy to listen on, can be set to * or x.x.x.x format
+; recommend that you listen only on 127.0.0.1 or on an interface that
+; is otherwise locked down to a trusted host, since the proxy
+; currently provides NO authentication/authorization of its own
+listenaddress = *
+
+; Port for proxy to listen on
+listenport = 1234
+
+; Do we require authentication (either proxykey or astmanproxy.users entry)?
+; See README and astmanproxy.users for more info
+authrequired = no
+
+; Setting a proxy key requires proxy client connections to
+; specify a ProxyKey: keyvalue header in the first incoming request
+; to the proxy. Once this is done the client remains authenticated.
+; This allows for a simple security layer. If not specified,
+; no key is required, however other security measures (listening on
+; a protected interface, behind firewall, iptables, etc) should be
+; in place and well understood.
+; proxykey = foobar
+
+; local user and group for proxy to run as; will NOT run as root!
+proc_user = nobody
+proc_group = nobody
+
+; default input and output format for clients
+; inputformat = (standard|xml|http)
+; outputformat = (standard|xml|csv)
+inputformat = standard
+outputformat = standard
+
+; to enable REST/XMLRPC-like functionality, try this combo.
+; this gives you http input (POST or GET) and either
+; text/xml or text/plain output with NO webserver required!
+; to access: http://[host]:1234/?Action=Ping&ActionID=Foo
+;
+; inputformat = http
+; outputfomat = xml|standard
+; autofilter = on
+
+; set autofilter to be on or off by default
+; with autofilter on, you can automatically filter responses
+; to include only messages related to a specific actionid,
+; as specified in a previous message
+; valid values: on, off
+; can also be changed on a per-client basis using
+; ProxyAction: SetAutoFilter
+; AutoFilter: (on|off)
+autofilter = off
+
+; location of logfile -- will be owned by proc_user/proc_group
+; /opt/log location is good on Mac OS X
+;logfile = /opt/log/asterisk/astmanproxy.log
+logfile = /var/log/asterisk/astmanproxy.log
+
diff --git a/configs/astmanproxy.users b/configs/astmanproxy.users
new file mode 100644
index 0000000..9e31056
--- /dev/null
+++ b/configs/astmanproxy.users
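Review bot: The live sample `listenaddress = *` together with `authrequired = no` and `acceptunencryptedconnection = yes` ships an unauthenticated, cleartext proxy bound to every interface, which is exactly what the comment above listenaddress warns against; the shipped default should agree with its own advice, `listenaddress = 127.0.0.1` and `authrequired = yes`, with `*` left only in a commented example. The uncommented `host = localhost, 5038, dave, moo, on, off` line carries a manager secret in clear text, so a comment above the host list saying that this file must be readable only by proc_user (mode 0600) belongs with it. Two smaller points: `asteriskwritetimeout=100` and `clientwritetimeout=200` drop the ` = ` spacing used everywhere else in the file and do not state their unit, and the commented example `; outputfomat = xml|standard` misspells outputformat, so it would silently do nothing if someone uncommented it.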
@@ -0,0 +1,10 @@
+; Astmanproxy user list
+;
+; Reload permissions by sending a SIGHUP
+;
+; "user" is the username, secret is the password, and the (optional)
+; channel setting causes filtering of events only for the specified
+; channel to be sent to this user.
+;
+; user=secret,channel,out_context (to Asterisk),in_context (From Asterisk)
+steve=steve,SIP/snom190,local,
diff --git a/configs/ssl.conf b/configs/ssl.conf
new file mode 100644
index 0000000..d10d9a1
--- /dev/null
+++ b/configs/ssl.conf
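Review bot: The sample entry `steve=steve,SIP/snom190,local,` uses the username as its own secret and ends in a trailing comma, leaving in_context empty, while the header lists in_context as a field without saying what an empty one means; one sentence in the header stating how an empty in_context is treated would remove the guesswork, and the sample secret should not equal the username. Because secrets are kept here in clear text, the header should also state that the file must be readable only by the account the proxy runs as. The header calls the channel field optional but the sample always supplies one, so a second commented example with the channel omitted would show the accepted shape.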
@@ -0,0 +1,154 @@
+# Asterisk SSL configuration
+#
+# OpenSSL configuration file for custom Certificate Authority. Use a
+# different openssl.cnf file to generate certificate signing requests;
+# this one is for use only in Certificate Authority operations (csr ->
+# cert, cert revocation, revocation list generation).
+#
+# Be sure to customize this file prior to use, e.g. the commonName and
+# other options under the root_ca_distinguished_name section.
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca = MyAsteriskCA
+
+[ MyAsteriskCA ]
+dir = .
+# unsed at present, and my limited certs can be kept in current dir
+#certs = $dir/certs
+new_certs_dir = $dir/newcerts
+crl_dir = $dir/crl
+database = $dir/index
+
+certificate = $dir/ca-cert.pem
+serial = $dir/serial
+crl = $dir/ca-crl.pem
+private_key = $dir/private/ca-key.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default
+cert_opt = ca_default
+
+default_crl_days= 30
+default_days = 7300
+# if need to be compatible with older software, use weaker md5
+default_md = sha1
+# MSIE may need following set to yes?
+preserve = no
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = US
+stateOrProvinceName = CA
+organizationName = XYZ
+organizationalUnitName = XYZ
+commonName = asterisk
+emailAddress = root@localhost
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = ./private/ca-key.pem
+default_md = sha1
+
+prompt = no
+distinguished_name = root_ca_distinguished_name
+
+x509_extensions = v3_ca
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req
+
+[ root_ca_distinguished_name ]
+commonName = NoSuchCA CA
+countryName = US
+stateOrProvinceName = California
+localityName = San Mateo
+0.organizationName = domain.net
+emailAddress = nobody@localhost
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+nsCaRevocationUrl = https://www.sial.org/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
-- cgit
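Review bot: The `[ policy_match ]` section assigns literal DN values (`countryName = US`, `organizationName = XYZ`, ...), but an OpenSSL `ca` policy section only accepts `match`, `supplied` or `optional` per field, so signing with `policy = policy_match` is rejected with an "invalid type in 'policy' section" error; the literal values belong in the DN of the CA certificate, not in the policy. `default_md = sha1` appears in both `[ MyAsteriskCA ]` and `[ req ]`, and SHA-1 signatures are no longer accepted by current TLS stacks, so `default_md = sha256` is the safer sample default; `default_days = 7300` also gives every end-entity certificate a twenty-year lifetime, which a sample should shorten. `[ v3_ca ]` sets no keyUsage, so the CA key is not restricted to certificate and CRL signing, and `nsCaRevocationUrl = https://www.sial.org/ca-crl.pem` points at a third-party host the deployer does not control — it should be covered by the header's customization note or commented out like the neighbouring ns* entries. The rewritten policy section and the CA keyUsage line are below.
```ini
# For the CA policy: each field is one of match | supplied | optional
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# … unchanged: policy_anything, req, root_ca_distinguished_name, usr_cert, v3_req …

[ v3_ca ]
# … unchanged: subjectKeyIdentifier / authorityKeyIdentifier …
basicConstraints = CA:true
# restrict the CA key to signing certificates and CRLs
keyUsage = keyCertSign, cRLSign
```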