Security
OMniLeads is an application that combines Web (HTTPS), WebRTC (WSS and SRTP) and VoIP (SIP and RTP) technologies. This adds a certain complexity when deploying it in production in a scenario where it is exposed to the Internet.
On the Web side, the ideal is to place a Reverse Proxy or Load Balancer in front of OMniLeads, i.e. exposed to the Internet (TCP 443), forwarding the requests to the Nginx of the OMniLeads stack. On the VoIP side, when connecting to the PSTN via VoIP, the ideal is to operate behind an SBC (Session Border Controller) that is the component exposed to the Internet.
When operating on a VPS exposed directly to the Internet, however, the provider's Cloud Firewall can be used to restrict exposure port by port and, where possible, by source address.
Below are the firewall rules to be applied on an All In One instance:
- 443/TCP Nginx: this is where Web/WebRTC requests to Nginx are processed. Port 443 can be opened to the entire Internet.
- 40000-50000/UDP WebRTC SRTP (RTPengine): this port range can be opened to the entire Internet.
- 5060/UDP Asterisk: this is where SIP requests for incoming calls from the ITSP(s) are processed. This port must be opened only to the IP(s) of the PSTN SIP termination provider(s), restricting by source address.
- 20000-30000/UDP VoIP RTP (Asterisk): this port range can be opened to the entire Internet.
- 9100/TCP Prometheus node exporter: this is where the connections coming from the monitoring center, more precisely from Prometheus, are processed. This port should be opened only to the IP of the monitoring center, restricting by source address.
- 9187/TCP Prometheus postgres exporter: this is where the connections coming from the monitoring center, more precisely from Prometheus, are processed. This port should be opened only to the IP of the monitoring center, restricting by source address.
- 9127/TCP Prometheus redis exporter: this is where the connections coming from the monitoring center, more precisely from Prometheus, are processed. This port should be opened only to the IP of the monitoring center, restricting by source address.
- 3100/TCP Loki: this is where the connections coming from the monitoring center, more precisely from Grafana, are processed. This port should be opened only to the IP of the monitoring center, restricting by source address.
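The same port policy expressed as a host firewall, for cases where the Cloud Firewall is unavailable or a second layer on the instance itself is wanted. This is an added example, not part of the OMniLeads documentation or project: it generates an nftables ruleset that opens 443/TCP and both RTP ranges to everyone, limits 5060/UDP to the ITSP addresses and the exporter/Loki ports to the monitoring host, and drops everything else. The addresses in `ITSP_IPS` and `MONITOR_IP` are constructed placeholders from the documentation ranges, and the SSH rule restricted to `ADMIN_IP` is an assumption added so that a default-drop policy does not lock out management access; all three must be replaced with real values.

```shell
#!/usr/bin/env bash
# Added example: nftables ruleset for an OMniLeads All In One host, following
# the port list above. Source addresses are placeholders (assumptions), not
# values from the OMniLeads documentation.
ITSP_IPS="${ITSP_IPS:-203.0.113.10,203.0.113.11}"   # assumed ITSP SIP signalling IPs
MONITOR_IP="${MONITOR_IP:-198.51.100.5}"             # assumed Prometheus/Grafana host
ADMIN_IP="${ADMIN_IP:-198.51.100.20}"                # assumed admin host for SSH (not in the page's list)

# Print the ruleset to stdout; nothing is applied here.
omnileads_ruleset() {
  cat <<EOF
flush ruleset
table inet omnileads {
  chain input {
    type filter hook input priority 0; policy drop;

    # housekeeping: loopback, existing flows, ICMP for path MTU / reachability
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # management access (assumption, restricted to the admin host)
    ip saddr $ADMIN_IP tcp dport 22 accept

    # Nginx: Web / WebRTC signalling, open to the whole Internet
    tcp dport 443 accept

    # RTPengine (WebRTC SRTP) and Asterisk (VoIP RTP) media ranges, open to all
    udp dport 40000-50000 accept
    udp dport 20000-30000 accept

    # Asterisk SIP: only from the PSTN termination provider(s)
    ip saddr { $ITSP_IPS } udp dport 5060 accept

    # Prometheus node/postgres/redis exporters and Loki: only from monitoring
    ip saddr $MONITOR_IP tcp dport { 9100, 9187, 9127, 3100 } accept

    # everything else is dropped by the chain policy; log a sample for detection
    limit rate 5/minute log prefix "omnileads-drop: "
  }
}
EOF
}

# Syntax-check the generated ruleset with nft when it is installed (nft -c
# parses without applying). Returns 0 if nft is absent, so it is safe offline.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    omnileads_ruleset | nft -c -f -
  else
    return 0
  fi
}

# Apply only when explicitly requested: ./omnileads-fw.sh apply (needs root).
if [ "${1:-}" = "apply" ]; then
  check_ruleset && omnileads_ruleset | nft -f -
fi
```

Run it without arguments to print the ruleset for review, and with `apply` as root to load it. Verifying with `nft -c` before loading matters because a typo in a default-drop ruleset fails closed and can cut off your own session.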