31 May
2005
31 May
'05
1:10 p.m.
Hello everybody,
is it possible to check if a user is already registered or authenticated?
I want to allow only registered users call to PSTN destinations.
Regards
Bastian
31 May
31 May
7:26 p.m.
Hi,
I think you are looking for the function
registered("location")
Regards,
C.
On 5/31/05, Bastian Schern <ml01(a)in-bln.de> wrote:
Hello everybody,
is it possible to check if a user is already registered or authenticated?
I want to allow only registered users call to PSTN destinations.
Regards
Bastian
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
1 Jun
1 Jun
1:31 a.m.
It looks like that I looked for, but it will not work on my SER:
--- snip ---
if( registered( "location" ) ) {
rewritehostport( "localhost:5061" );
} else {
log( 1, "ERR: <403> Unauthorized call\n" );
sl_send_reply( "403", "Unauthorized call" );
break;
};
--- snap ---
It will always do the "else" condition.
Did I made something wrong?
Regrds
Bastian
Cesc schrieb:
Hi,
I think you are looking for the function
registered("location")
Regards,
C.
On 5/31/05, Bastian Schern <ml01(a)in-bln.de> wrote:
>Hello everybody,
>
>is it possible to check if a user is already registered or authenticated?
>
>I want to allow only registered users call to PSTN destinations.
>
>Regards
> Bastian
11:03 a.m.
Hi,
Well, this piece of code looks correct, but it is out of context. It
may be the way your config file is that makes you always hit the else.
Other than that ... have you checked the obvious? is the user really
registered (check with >serctl ul show)? the function checks the
request uri, is that what you want? do you modify the request uri
before this point?
What version of ser are you running?
One question ... why do you rewrite host and port? if the user is
already registered, just doing a lookup("location") would be enough to
for the uri to be rewritten to the contact and then you can t_relay it
... no need to do the localhost:5061
C.
On 6/1/05, Bastian Schern <ml01(a)in-bln.de> wrote:
It looks like that I looked for, but it will not work
on my SER:
--- snip ---
if( registered( "location" ) ) {
rewritehostport( "localhost:5061" );
} else {
log( 1, "ERR: <403> Unauthorized call\n" );
sl_send_reply( "403", "Unauthorized call" );
break;
};
--- snap ---
It will always do the "else" condition.
Did I made something wrong?
Regrds
Bastian
Cesc schrieb:
Hi,
I think you are looking for the function
registered("location")
Regards,
C.
On 5/31/05, Bastian Schern <ml01(a)in-bln.de> wrote:
>Hello everybody,
>
>is it possible to check if a user is already registered or authenticated?
>
>I want to allow only registered users call to PSTN destinations.
>
>Regards
> Bastian
2:13 p.m.
Hi,
I attached my complete ser.cfg.
I tested with "serctl ul show" and the User is registered. But I think
it is the wrong function.
I want to prohibit unregistered users to make PSTN calls without
reauthentication.
Is that possible?
Cesc schrieb:
Hi,
Well, this piece of code looks correct, but it is out of context. It
may be the way your config file is that makes you always hit the else.
Other than that ... have you checked the obvious? is the user really
registered (check with >serctl ul show)? the function checks the
request uri, is that what you want? do you modify the request uri
before this point?
What version of ser are you running?
I'm running ser-0.8.14.
One question ... why do you rewrite host and port? if the user is
already registered, just doing a lookup("location") would be enough to
for the uri to be rewritten to the contact and then you can t_relay it
... no need to do the localhost:5061
Is it not correct? I forward the authorized calls to the PSTN gateway.
Regards
Bastian
# ----------- global configuration parameters ------------------------
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
#children=4
log_stderror=no # (cmd line: -E)
log_facility=LOG_LOCAL0
uid="ser" # user | uid - uid to be used by the server.
gid="www" # group | gid - gid to be used by the server.
fifo="/tmp/ser_fifo"
#fifo_mode=0666
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#listen=192.168.1.1
#port=5060
# ------------------ module loading ----------------------------------
loadmodule "/lib/ser/modules/sl.so"
loadmodule "/lib/ser/modules/tm.so"
loadmodule "/lib/ser/modules/rr.so"
loadmodule "/lib/ser/modules/maxfwd.so"
loadmodule "/lib/ser/modules/usrloc.so"
#loadmodule "/lib/ser/modules/group.so"
loadmodule "/lib/ser/modules/uri.so"
loadmodule "/lib/ser/modules/domain.so"
loadmodule "/lib/ser/modules/registrar.so"
loadmodule "/lib/ser/modules/xlog.so"
loadmodule "/lib/ser/modules/textops.so"
loadmodule "/lib/ser/modules/auth.so"
loadmodule "/lib/ser/modules/auth_db.so"
loadmodule "/lib/ser/modules/mysql.so"
loadmodule "/lib/ser/modules/acc.so"
loadmodule "/lib/ser/modules/mediaproxy.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
# 2 enables write-back to persistent mysql storage for
# speed, disable=0, write-through=1
modparam("usrloc", "db_mode", 2)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 10)
# database location
modparam("usrloc", "db_url",
"mysql://ser_rw_de1:12345678@dbserver1/ser")
# --
# -- auth params --
# database location
modparam("auth_db", "db_url",
"mysql://ser_ro_de1:12345678@localhost/ser")
# don't allows clear text passwords in the mysql database
modparam("auth_db", "calculate_ha1", no)
#modparam("auth_db", "calculate_ha1", yes)
# name of password column in mysql database
modparam("auth_db", "password_column", "ha1")
#modparam("auth_db", "password_column", "password")
# --
# -- uri params --
# database location
modparam("uri", "db_url",
"mysql://ser_ro_de1:12345678@localhost/ser")
# --
# -- domain params ---
modparam("domain", "db_url",
"mysql://ser_ro_de1:12345678@localhost/ser")
#modparam("domain", "db_mode", 1) # Use chaching
# --
# -- acc params --
modparam("acc", "log_level", 1)
# database location
modparam("acc", "db_url",
"mysql://ser_rw_de1:12345678@dbserver1/ser")
# that is the flag for which we will account . don't forget to
# set the same one :-)
modparam("acc", "log_flag", 1 )
modparam("acc", "db_flag", 1 )
# --
# -- xlog params --
modparam("xlog", "buf_size", 81920)
# --
# -- MediaProxy params --
modparam("mediaproxy", "mediaproxy_socket",
"/var/run/proxydispatcher.sock")
modparam("mediaproxy", "sip_asymmetrics",
"/etc/ser/sip-asymmetrics-clients")
modparam("mediaproxy", "rtp_asymmetrics",
"/etc/ser/rtp-asymmetrics-clients")
modparam("mediaproxy", "natping_interval", 20)
#modparam("mediaproxy", "natping_interval", 60)
modparam("registrar", "nat_flag", 5)
# --
#
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# --
#
# # ------------------------- request routing logic -------------------
#
# # main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if( !mf_process_maxfwd_header("10") ) {
sl_send_reply( "483", "Too Many Hops" );
log( 1, "483 <Too many hops>\n" );
break;
};
if( msg:len > max_len ) {
sl_send_reply( "513", "Message too big" );
log( 1, "513 <Message too big>\n" );
break;
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
#if (!method=="REGISTER") record_route();
record_route();
if( client_nat_test("1") ) {
log( 1, "NAT: Private IP requirement, fixed contact (in main routine).\n" );
setflag(5);
force_rport();
fix_contact();
append_hf( "P-hint: fixed NAT contact for request\r\n" );
};
# loose-route processing
if( loose_route() ) {
log( 1, "RTG: loose_route()\n" );
if( isflagset(5) ) {
if( method == "BYE" || method == "CANCEL" ) {
log( 1, "NAT: BYE or CANCEL received, finishing the stocking sesion.\n" );
end_media_session();
# setflag(1);
};
};
t_relay();
break;
};
# starting accounting
# setflag(1);
if( method == "REGISTER" ) {
xlog( "L_INFO", "REG: <%fu> tries to register.\n" );
if( !www_authorize( "kundt.net", "subscriber" ) ) {
www_challenge( "kundt.net", "0" );
break;
};
if( !check_to() ) {
log( 1, "ERR: <403> Username != Authorization User\n" );
sl_send_reply( "403", "Username != Authorization User" );
break;
};
save( "location_de1" );
xlog( "L_INFO", "REG: location of <%fu> saved.\n" );
} else if( method == "INVITE" ) {
if( uri =~ "^sip:[1-9][0-9]+" ||
uri =~ "^sip:0[1-9][0-9]+" ||
uri =~ "^sip:00[1-9][0-9]+" ||
uri =~ "^sip:0.+[1-9]00[1-9][0-9]+" )
{
log( 1, "FWD: Relaying PSTN call to Asterisk gateway!\n" );
# if( !proxy_authorize( "kundt.net", "subscriber" ) ) {
# proxy_challenge( "kundt.net", "1" );
# break;
# };
# if( !check_from() ) {
# log( 1, "ERR: <403> Username != Authorization User\n" );
# sl_send_reply( "403", "Username != Authorization User" );
# break;
# };
if( !registered( "location_de1" ) ) {
rewritehostport( "localhost:5061" );
} else {
log( 1, "ERR: <403> Unauthorized call\n" );
sl_send_reply( "403", "Unauthorized call" );
break;
};
} else if( uri == myself ) {
# look now, if there is an alias in the "aliases" table; don't care
# about return value: whether there is some or not, move ahead then
#if( lookup( "aliases" ) ) {
# xlog( "L_INFO", "LOC: <%ru> is an alias!\n" );
#}
if( uri =~ "^sip:\*[0-9]+" ) {
log( 1, "INT: removing leading *\n" );
strip(1);
} else if( uri =~ "^sip:\#[0-9]+" ) {
log( 1, "INT: removing leading *\n" );
strip(1);
} else if( uri =~ "^sip:000[0-9]+" ) {
log( 1, "INT: removing leading 000\n" );
strip(3);
};
xlog( "L_INFO", "LOC: try to locate <%ru> via datbase ...\n"
);
if( lookup( "location_de1" ) ) {
xlog( "L_INFO", "LOC: ... found <%ru> in database
'location_de1' !\n" );
} else if( lookup( "location_us1" ) ) {
xlog( "L_INFO", "LOC: ... found <%ru> in database
'location_us1' !\n" );
rewritehostport( "sipbase.com:5060" );
} else {
log( 1, "FWD: ... not found, forwarding to local Asterisk gateway!\n" );
prefix( "000" );
rewritehostport( "localhost:5061" );
#sl_send_reply("404", "Not found");
#log( 1, "404 <Not found>\n");
};
};
# Handle NATed calls
if( isflagset(5) ) {
route(1);
};
} else if( method=="BYE" || method=="CANCEL" ) {
if( isflagset(5) ) {
log( 1, "NAT: BYE or CANCEL received, finishing the stocking sesion.\n" );
end_media_session();
# setflag(1);
};
};
# forward to current uri now; use stateful forwarding; that
# works reliably even if we forward from TCP to UDP
if( !t_relay() ) {
log( 1, "RELAY ERROR\n" );
sl_reply_error();
};
}
route[1] {
t_on_reply("1");
if( ( isflagset(5) ) && ( method=="INVITE" || method=="ACK" )
) {
log( 1, "NAT: INVITE received, enabling MediaProxy.\n" );
use_media_proxy();
append_hf( "P-hint: request forced to media proxy\r\n" );
};
append_hf( "P-hint: USRLOC\r\n" );
}
# ---------------------------- Begin On-Reply Routes --------------------------
onreply_route[1] {
# If we've got here, it's because we've previously passed through a block
# which handles NAT requests and has set a t_on_reply condition. DB 03-08-2004
if( status =~ "(183)|(2[0-9][0-9])" ) {
# if( client_nat_test("1") || isflagset(5) ) {
if( isflagset(5) ) {
log( 1, "NAT: Reply from NAT'd client --> fixing contact
(onreply_route)\n" );
fix_contact();
log( 1, "NAT: NAT'd transaction answered --> enabling media proxy
(onreply_route)\n" );
use_media_proxy();
setflag(5);
};
};
}
# ------------------------------ End On-Reply Routes --------------------------
3:02 p.m.
Hi,
Ok ... so your ser receives the invite and you will only forward to
pstn if user is authenticated. So, what you want is to authorize the
invites with proxy_authorize() and if they fail, use proxy_challenge()
Once authorization is ok, you can use check_from.
(you have this part of code commented in your config file).
What you get with this is low security, but at least you now that
whoever is sending the messages is in your "subscribers" database.
Of course the registered("location") returns always false ... it
checks the request uri, not the from uri! The request uri contains the
pstn number.
And by the way, in the config you sent ... you always hit the else
because you do:
if( ! registered( ... ) )
rewrite ...
else ...
it should be if( registered () ) ... but i guess you were tired of
hitting the else and you made this change on purpose :)
On the other hand ... why don't you try instead of rewriting the
request uri, to use something like: t_relay_to_udp(ip, port), or
t_relay_to_tcp(ip, port) or forward(ip, port) ...
One last comment ... if this invite that arrives to you comes not
directly from a phone, but from another proxy ... and supposing all
proxies are controlled by you ... you may want to be able to reuse the
same Proxy-Auth header data for all. This way, only the first proxy
will challenge the phone asking for the credentials, then just forward
the INV (without consuming the auth header data) to the next proxy.
For this, you need to set the "secret" parameter in the "auth" mode
to
be equal in all proxies.
modparam("auth", "secret", "this_is_not_a_secret_anymore")
Regards,
C.
On 6/1/05, Bastian Schern <ml01(a)in-bln.de> wrote:
Hi,
I attached my complete ser.cfg.
I tested with "serctl ul show" and the User is registered. But I think
it is the wrong function.
I want to prohibit unregistered users to make PSTN calls without
reauthentication.
Is that possible?
Cesc schrieb:
Hi,
Well, this piece of code looks correct, but it is out of context. It
may be the way your config file is that makes you always hit the else.
Other than that ... have you checked the obvious? is the user really
registered (check with >serctl ul show)? the function checks the
request uri, is that what you want? do you modify the request uri
before this point?
What version of ser are you running?
I'm running ser-0.8.14.
One question ... why do you rewrite host and port? if the user is
already registered, just doing a lookup("location") would be enough to
for the uri to be rewritten to the contact and then you can t_relay it
... no need to do the localhost:5061
Is it not correct? I forward the authorized calls to the PSTN gateway.
Regards
Bastian
7120
days inactive
7121
days old
5 comments
2 participants
participants (2)
-
Bastian Schern -
Cesc