Security considerations
Última actualización
Última actualización
OMniLeads is an application that combines Web (https), WebRTC (wss & sRTP), and VoIP (SIP & RTP) technologies. This implies a certain complexity when deploying it in production under an Internet exposure scenario.
On the Web side of things, it is ideal to implement a Reverse Proxy or Load Balancer in front of OMniLeads, meaning exposed to the Internet (TCP 443) and forwarding requests to the Nginx of the OMniLeads stack. Regarding VoIP, when connected to the PSTN through VoIP, it is ideal to operate behind a Session Border Controller (SBC) exposed to the Internet. However, we can intelligently use Cloud Firewall technology when operating on VPS exposed to the Internet. Below are the firewall rules that will be applied to the All In One instance:
443/TCP Nginx: This is where Web/WebRTC requests are processed by Nginx. Port 443 can be opened to the entire Internet.
40000-50000/UDP: WebRTC sRTP RTPengine: This port range can be opened to the entire Internet.
5060/UDP Asterisk: This is where SIP requests for incoming calls from ITSP are processed. This port should be opened, restricting by source IP(s) of the PSTN SIP termination provider(s).
20000-30000/UDP VoIP RTP Asterisk: This port range should be opened, restricted to the source IPs of the PSTN SIP termination providers.
9090/TCP Prometheus (optional, only if you are monitoring with Grafana and Prometheus): This is where connections from the monitoring center, specifically from Prometheus Master, are processed. This port can be opened by restricting the source to the monitoring center's IP.
3100/TCP Loki (optional, only if you are centralizing container logs with Grafana and Loki): This is where connections from the monitoring center, specifically Grafana, are processed. This port can be opened by restricting it to the IP of the monitoring center.