Hello,
I'm new to SER and to SIP as well, so please forgive my mistakes. I'm trying to set up SER to forward calls to a pool of PSTN gateways. I want to use digest authentication for UAs, but I cannot store user IDs and passwords in a DB.
Basically I would like to do:
# challenge any request that does not carry valid digest credentials
# for the realm; credentials are checked against the "subscriber" table
if (!www_authorize("mydomain.com", "subscriber")) {
    www_challenge("mydomain.com", "0");
    break;
};
with the user ID and password read from a text configuration file that contains this information. How can I do that?
I have written a SER cfg file and I would like someone to tell me whether it is OK. It is a mix of several different cfg files I found on the net, so I'm sure it is far from OK :-)
Thanks for your help. Ciao
------------------------------------------------------------------- # ----------- global configuration parameters ------------------------
# --- network ---
# single address the proxy binds to
listen=192.168.1.114
#port=5060
# alias="mydomain.com"

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)

# --- logging / process model (debugging values) ---
# verbose log level, no daemonizing, log to stderr; the commented
# lines are the alternative values kept by the author
#debug=3
debug=4
#fork=yes
fork=no
#log_stderror=no
log_stderror=yes
#children=4

# --- management interface ---
# NOTE(review): the FIFO is created under /tmp, which is normally
# world-writable -- confirm who can write to it, or place it in a
# directory restricted to the account SER runs as.
fifo="/tmp/ser_fifo"

# --- privileges ---
# uid/gid are left unset here.
# NOTE(review): confirm which account the proxy ends up running as.
#uid=
#gid=
# stateless replies, transactions, record-routing, Max-Forwards check
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"

# user location and REGISTER processing
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"

# digest authentication against a database table
# NOTE(review): www_authorize(realm, "subscriber") in the route block
# reads credentials through auth_db, so a database is still needed by
# this config even though usrloc below does not use one.
# NOTE(review): auth_db builds on auth; stock configs list auth.so
# before auth_db.so -- confirm this load order works on your version.
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"

# URI checks (check_to)
loadmodule "/usr/local/lib/ser/modules/uri.so"

# ----------------- setting module-specific parameters ---------------

# db_mode 0: registered contacts are not written to a database
# (the route block expects them to be kept in memory)
modparam("usrloc", "db_mode", 0)
# ------------------------- routing logic ---------------------------
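# Main request route.
#
# Policy implemented below:
#   - drop looping / oversized requests
#   - accept only requests addressed to mydomain.com or to one of the
#     three PSTN gateways; everything else gets 403
#   - REGISTER: digest auth + To-header check, then save the contact
#   - numeric user part: PSTN call, allowed for authenticated UAs or for
#     requests coming from a gateway address, sent to a gateway
#   - anything else: native SIP destination, allowed only from gateways
#
# Review changes compared with the posted version:
#   - the host patterns used unescaped "." (matches any character) and
#     had no end anchor, so a host that merely starts with the domain or
#     a gateway address was also treated as local; dots are now written
#     as [.] and the patterns end with $
#   - the PSTN pattern is anchored at the start of the URI with ^
route {
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        log("Too many hops\n");
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        log("Message too big\n");
        sl_send_reply("513", "Message too big");
        break;
    };

    # process requests for our domain (gws included);
    # the host must be followed by end of URI, a port or a parameter
    if (uri=~"[@:]mydomain[.]com([;:].*)*$" |
        uri=~"@192[.]168[.]1[.]171([;:].*)*$" |   #pstn gw1
        uri=~"@192[.]168[.]1[.]172([;:].*)*$" |   #pstn gw2
        uri=~"@192[.]168[.]1[.]173([;:].*)*$" ) { #pstn gw3

        log("Request is for mydomain.com\n");

        # registers always MUST be authenticated to
        # avoid stealing incoming calls
        if (method=="REGISTER") {

            log("Request is REGISTER\n");

            # NOTE(review): the second www_challenge argument is "0",
            # which presumably leaves qop out of the challenge; confirm
            # whether your UAs support qop before relying on this.
            if (!www_authorize("mydomain.com", "subscriber")) {
                log("REGISTER has no credentials, sending challenge\n");
                www_challenge("mydomain.com", "0");
                break;
            };

            # prohibit attempts to grab someone else's address
            # using someone else's valid credentials
            # NOTE(review): this 401 is sent without a challenge; a 403
            # may be the more fitting reply -- confirm intended behavior.
            if (!check_to()) {
                log("Cheating attempt\n");
                sl_send_reply("401", "Unauthorized");
                break;
            };

            # update user location database (it should be in mem)
            log("REGISTER is authorized, saving location\n");
            save("location");
            break;
        };

        # now it's about PSTN destinations through our gateways
        if (uri=~"^sip:[0-9]+@.*") {
            # all PSTN destinations only for authenticated users
            # (GWs, which have no digest support, are authenticated
            # by their IP address)
            # NOTE(review): source-address trust is only as strong as
            # the network's anti-spoofing; confirm the gateways sit on
            # a segment where these addresses cannot be forged.
            if (!(src_ip==192.168.1.171 |   #pstn gw1
                  src_ip==192.168.1.172 |   #pstn gw2
                  src_ip==192.168.1.173) &  #pstn gw3
                !(www_authorize("mydomain.com", "subscriber"))) {
                www_challenge("mydomain.com", "0");
                break;
            };

            # requests to gateways must be record-routed because the GWs
            # accept only requests coming from our proxy
            if (method=="INVITE")
                record_route();

            # XXX: find the best gw using first part of telephone number and...

            rewritehostport("192.168.1.171:5060"); #172 or 173
        } else {
            # native SIP destinations are handled using our USRLOC DB
            # and are allowed only from gws
            if (src_ip==192.168.1.171 |   #pstn gw1
                src_ip==192.168.1.172 |   #pstn gw2
                src_ip==192.168.1.173) {  #pstn gw3
                if (!lookup("location")) {
                    log("Unable to lookup contact, sending 404\n");
                    sl_send_reply("404", "Not Found");
                    break;
                };
            } else {
                log("No native SIP destination allowed\n");
                sl_send_reply("403", "Permission denied");
                break;
            };
        };
    } else {
        # outbound requests are not allowed
        log("No outbound requests allowed\n");
        sl_send_reply("403", "Permission denied");
        break;
    };

    # and finally.. forward to current uri; use stateful forwarding; that
    # works reliably even if we forward from TCP to UDP
    if(!t_relay()) {
        sl_reply_error();
    };
}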