Network & Security
Network topology
```text
Internet
│
├── Cloudflare (DNS + CDN + Access)
│   ├── editor.astradial.com → 89.116.31.109:3001
│   ├── devpbx.astradial.com → 89.116.31.109:8000
│   ├── gateway.astradial.com → 89.116.31.109:7860
│   ├── stageeditor.astradial.com → 94.136.188.221:3001 (Access-gated)
│   └── stagesip.astradial.com → 94.136.188.221:5080 (grey, direct)
│
├── Tata NNI (private SIP network)
│   └── NUC Gateway (10.54.225.90) → Asterisk SIP
│
└── WireGuard tunnels
    ├── NUC (10.10.10.2) ↔ Prod (10.10.10.1)
    └── Prod (10.10.10.1) ↔ Staging (10.10.10.3)
```
Firewall (ufw)
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH |
| 80 | TCP | HTTP (Cloudflare origin) |
| 443 | TCP | HTTPS (Cloudflare origin) |
| 5080 | UDP | SIP (non-standard, avoids ISP blocking) |
| 51820 | UDP | WireGuard |
| 10000-20000 | UDP | RTP (Asterisk media) |
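The table above is the intended allowlist; the check a practitioner wants is whether the live `ufw` rule set still matches it, since any extra ALLOW rule opens a port to the Internet that should be reachable only through Cloudflare or the WireGuard tunnels. The script below is an added example, not part of the original page or the project's own tooling: it compares a dump of `ufw status` against the documented port/protocol pairs and reports strays. The two status dumps embedded in it are constructed to resemble `ufw status` output (one clean, one with an extra 8000/tcp rule); in real use the live command output would be passed in instead.

```shell
#!/bin/sh
# Added example: audit ufw ALLOW rules against the documented allowlist.
# Not the project's own script; the status text below is constructed.

# Expected "port/proto" pairs, exactly as in the firewall table.
EXPECTED="22/tcp 80/tcp 443/tcp 5080/udp 51820/udp 10000:20000/udp"

# Constructed sample of `ufw status` output that matches the table.
CLEAN_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
5080/udp                   ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed sample with one stray rule (8000/tcp) that is not in the
# table and would make an origin port reachable without going via Cloudflare.
SAMPLE_STATUS="$CLEAN_STATUS
8000/tcp                   ALLOW       Anywhere"

# in_list NEEDLE "word word ..." -> exit 0 if NEEDLE is one of the words
in_list() {
    needle=$1
    for w in $2; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# unexpected_allows STATUS_TEXT
# Prints the port/proto of every ALLOW line that is not in EXPECTED.
# "(v6)" entries share the key of their v4 twin, so only $1 is compared.
unexpected_allows() {
    printf '%s\n' "$1" | awk '/ALLOW/ { print $1 }' |
    while read -r rule; do
        in_list "$rule" "$EXPECTED" || printf '%s\n' "$rule"
    done
}

# stray_count STATUS_TEXT -> number of distinct unexpected rules
stray_count() {
    unexpected_allows "$1" | sort -u | wc -l | tr -d ' '
}

# audit_ufw STATUS_TEXT -> exit 0 if the rule set matches the table,
# exit 1 (and a listing) if any ALLOW rule is outside it.
audit_ufw() {
    strays=$(unexpected_allows "$1" | sort -u)
    if [ -n "$strays" ]; then
        printf 'UNEXPECTED ALLOW rule(s) not in the documented table:\n%s\n' "$strays"
        return 1
    fi
    echo "ufw allowlist matches the documented table"
    return 0
}

# Demo on the constructed samples; on a real host run: audit_ufw "$(ufw status)"
audit_ufw "$CLEAN_STATUS"
audit_ufw "$SAMPLE_STATUS" || echo "audit exit status: $?"
```

Run it as a cron job or from a configuration check and alert on a non-zero exit; the comparison is on port/protocol only, so a rule that narrows the source (for example a WireGuard peer allowed on an extra port) would still need to be added to `EXPECTED` deliberately rather than silently accepted.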
Security measures
- Cloudflare Access: staging hostnames gated by email allowlist
- fail2ban: SSH brute-force protection (active on all servers)
- Self-signed certs: origin servers use self-signed; Cloudflare handles public TLS
- RBAC: 4 roles (owner/admin/manager/agent) enforce API-level access control
- JWT auth: 24h expiry, org-scoped or user-scoped tokens
- Firebase Auth: email/password with verification for platform users
- Audit log: all sensitive actions tracked (recording access, deletion, role changes)
- GeoIP filtering: SIP port protected by India-only GeoIP rule (monthly update cron)
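The GeoIP rule on the SIP port is, at bottom, a CIDR allowlist: a UDP/5080 packet is accepted only if its source address falls inside one of the country's published prefixes, and the monthly cron exists to refresh that prefix list. The script below is an added example, not the project's own cron job: it implements the allow/drop decision in plain POSIX sh so the logic can be checked offline. The prefixes in `ALLOW_CIDRS` are constructed documentation ranges, not a real India list, and the file path mentioned in the comments is assumed.

```shell
#!/bin/sh
# Added example: CIDR allowlist decision behind a country GeoIP rule.
# Not the project's own script. ALLOW_CIDRS is a constructed demo list;
# a real deployment would load the refreshed country prefixes from a file
# (assumed path: /etc/geoip/in.cidr) written by the monthly cron.

ALLOW_CIDRS='203.0.113.0/24
198.51.100.128/25
192.0.2.0/24'

# Constructed sample of SIP source addresses seen on UDP/5080.
SAMPLE_SOURCES='203.0.113.5
198.51.100.200
198.51.100.10
8.8.8.8'

# ip2int A.B.C.D -> the address as a 32-bit integer (subshell keeps IFS local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix2mask N -> netmask for a /N prefix as an integer
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
        return
    fi
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_cidr IP NET/PLEN -> exit 0 if IP lies inside the block
in_cidr() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(prefix2mask "$plen")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# geo_allowed IP -> exit 0 if IP matches any block in ALLOW_CIDRS
geo_allowed() {
    for c in $ALLOW_CIDRS; do
        in_cidr "$1" "$c" && return 0
    done
    return 1
}

# filter_sources "ip per line" -> prints "ALLOW ip" or "DROP ip" per source,
# which is the verdict the firewall rule reaches for each SIP packet.
filter_sources() {
    printf '%s\n' "$1" | while read -r src; do
        [ -n "$src" ] || continue
        if geo_allowed "$src"; then
            echo "ALLOW $src"
        else
            echo "DROP $src"
        fi
    done
}

# Demo on the constructed sources.
filter_sources "$SAMPLE_SOURCES"
```

The same matcher doubles as a sanity check for the cron job: after the prefix file is refreshed, running a few known-good and known-bad addresses through `geo_allowed` before the new set is loaded into the firewall catches a truncated or empty download, which would otherwise either lock out legitimate SIP peers or (if the rule fails open) expose the port.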