Yealink Forums

Full Version: Stop RPS from asking for <mac>.cfg and common cfg
Hi all,

I am reinventing a wheel and writing a PHP script that will sit on my provisioning server, responsible for "authorizing" and then serving up configuration files.

The idea is that the phones will hit a backend PHP script, which will collect the phone's MAC address (from the HTTP user agent) and look it up in a MySQL database which contains a reference of files to serve.

I am wondering, is it possible to get RPS to only make a single request instead of also asking for specific config files?

For example, in the Apache logs we see the phone making three requests:

[08/Nov/2016:13:44:37 +1000] "GET /ylk/ HTTP/1.1" 200 - "-" "Yealink SIP-T48G 35.80.0.130 00:15:56:2B:0E:59"
[08/Nov/2016:13:44:38 +1000] "GET /ylk/001565b20e59.cfg HTTP/1.1" 200 - "-" "Yealink SIP-T48G 35.80.0.130 00:15:56:2B:0E:59"
[08/Nov/2016:13:44:38 +1000] "GET /ylk/y000000000035.cfg HTTP/1.1" 200 - "-" "Yealink SIP-T48G 35.80.0.130 00:15:56:2B:0E:59"

The first GET hits the script, but can I get it to stop requesting the two other individual MAC and common config files (as I will provide these to the phone via the script)?

Or, maybe I am going about this the wrong way and should just use the script to validate a legitimate MAC address, then use a redirect to send the phone to another directory containing encrypted config files. I'm attempting to reduce the exposure of config files to the broader internet.

Thanks in advance,

Just because the phone requests the different config files does not mean you need to actually serve or provide all of them. For example, it would be fairly easy to set up your server so that it only processes requests for the generic model number files (y0000000000035.cfg) and ignores everything else. Then, whenever the request for that file comes in, you do your backend lookup on the MAC info passed by the user agent, and simply pass through (or generate, whatever you want to do) your encrypted config file. Just my two cents anyway.

Yeah, I reckon I am going about this wrong. I will just use my script to serve a file based on the request. So, if the phone requests common.cfg, my script will pull that from a private directory. I will, however, do a quick lookup of the MAC address to "authorise" that the phone is legitimate prior to serving any cfg files. Lastly, I'll encrypt the cfg files. So there'll be a few layers of security - a person would need to firstly spoof a known MAC (will take a while to brute force), and if successful in spoofing a correct MAC then they'll be served an encrypted file anyway.

If you're really worried you can also go a step further and add a username/password to the URL provided by RPS. Then put username/password protection on your script to ensure that only requests that provide the valid login are even allowed to try. That way, even if somebody spoofed a valid MAC, unless they were actually sniffing a live request they wouldn't know how to log in to your script... and as you said, if they did all that they would still end up with an encrypted config file.

Thank you for sharing, jolouis.
If you have any questions, please let me know.

Best Regards,
Lucia
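
The layered check discussed in this thread (credentials on the RPS URL, MAC from the User-Agent looked up in an allowlist, only known file names mapped to a private directory), as an added example that is not code from any poster. It is written in Python rather than the PHP the original poster mentions; the allowlist, the credentials and the /ylk/ path pattern are constructed assumptions.

```python
import base64
import hmac
import re

# Constructed sample data: provisioned phones and the credentials put in the RPS URL.
ALLOWED_MACS = {"0015562b0e59"}
RPS_USER, RPS_PASS = b"provision", b"example-secret"  # placeholders

# User-Agent shape taken from the thread's Apache log: "Yealink <model> <fw> <MAC>".
UA_RE = re.compile(r"Yealink \S+ [\d.]+ ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
# Only two file shapes are served: <mac>.cfg and the common y<digits>.cfg.
PATH_RE = re.compile(r"/ylk/(?:([0-9a-f]{12})|y\d+)\.cfg")

def mac_from_user_agent(user_agent):
    """Return the MAC as 12 lowercase hex digits, or None if the header is malformed."""
    m = UA_RE.fullmatch(user_agent or "")
    return m.group(1).replace(":", "").lower() if m else None

def credentials_ok(auth_header):
    """Validate an HTTP Basic Authorization header without leaking timing."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:], validate=True).partition(b":")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # '&' rather than 'and' so both comparisons always run.
    return hmac.compare_digest(user, RPS_USER) & hmac.compare_digest(password, RPS_PASS)

def authorize(path, user_agent, auth_header):
    """Return (HTTP status, file name to read from the private directory or None)."""
    if not credentials_ok(auth_header):
        return 401, None
    mac = mac_from_user_agent(user_agent)
    if mac is None or mac not in ALLOWED_MACS:
        return 403, None
    m = PATH_RE.fullmatch(path)
    if m is None:
        return 404, None  # anything else, including ../ traversal, is never mapped to disk
    if m.group(1) and m.group(1) != mac:
        return 403, None  # a phone may only fetch its own <mac>.cfg
    return 200, path.rsplit("/", 1)[1]
```

With the log lines from the first post, the request for 001565b20e59.cfg gets 403 because that name does not match the MAC in the User-Agent (0015562b0e59).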