[please keep the list CC-d because others may also be interested in the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is complicated, i am using uac_replace_from and uac_auth. I am using failure route to process authentication if necessary and redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set only speex in UAC to get it ;) ). Ok SER send request to second provider, i use uac_replace_from once again in my LOAD_AUTH route then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one? The first should work, at least the from header should be rewritten by the function.
The second authentication will not work this way (if it requires a different from header) because the proxy "remembers" for the header changes done before the first t_relay() function call and applies the same header modifications also for any other branch added from failure route. Hence, the outgoing SIP request to the second provider will contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route if you do not need to reuse them later from failure route. Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again before uac_auth, but got config error as i can't use uac_replace_from in failure_route.
I think you already use this function from failure route because it is in a route block that is included from failure route. The only difference is that the syntax checker does not recognize the issue. I am not familiar with uac_replace_from() but after having a quick look at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original From HF when the response if forwarded. If you use textops module then you need to restore the header manually.
no. Maybe i should call uac_replace_from in branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
Thanks
Hmmm...
Thank you very much for support
I use subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
now replace work strange i can see first time it said correct to: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=19790648. for both - first INVITE and second with auth header
Second time i am sending to provider: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=19790648.From: sip:21100036838@terrasip.net;transport=UDP;tag=19790648. and then with auth header: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=19790648.
something is wrong again :(
You can see i used flags to split first subst call from second one. Second time it is not doing substitution, it is adding to From header :) But then looks like uac_auth removes one :)
I don't care to restore From field, i need it just work.
uac_replace_from do nothing then caller in failure_route via sub route second time. maybe it set From for first branch?
I want it go on list of providers and authenticate then asked.
I have branch_route, i tried to arm t_on_branch , but xlog in this route never write anything in log. I don't know how to use branches. I just know that if i want to call t_relay(), i should always say - append_branch() ;) Any one can explain briefly how branches supposed to work? Especially how to use branch_route. I feel i am nearly there. I guess author of auc module can maybe be interested to add loading of authentication data from database.
my number is sip:andres.moya@riki.ru (not email), anyone welcome to call... testing
ok my logic is
if (number PSTN) { route (PSTN_RELAY); }
route[PSTN_RELAY]{
do first stage cr_route.....
route(LOAD_AUTH);
t_relay();
}
##### LOAD_AUTH ########## # loading authentication information from carrierauth table # set From field according to carrierauth information # arguments: # $rd - request uri doamin, sip provider carrier # returns: # avp(i:20) - rewrited host = $rd # avp(i:21) - auth user # avp(i:22) - auth pass # avp(i:23) - auth realm # avp(i:24) - auth domain
route[LOAD_AUTH]{ xlog ("L_INFO","LOAD_AUTH: searching authentication for host host: $rd"); $avp(i:20)=$rd;
if ( avp_db_query( "SELECT username, password, realm, domain FROM carrierauth WHERE hostname='$rd'", "$avp(i:21);$avp(i:22);$avp(i:23);$avp(i:24)") > 0 ) { xlog ("L_INFO","LOAD_AUTH: for $rd loaded data user: $avp(i:21) pass: $avp(i:22) realm: $avp(i:23) domain: $avp(i:24)");
# replace from_user@from_domain xlog("L_INFO","LOAD_AUTH: changing From: -> sip:$avp(i:21)@$avp(i:24)");
#uac_replace_from("sip:$avp(i:21)@$avp(i:24)"); #uac_replace_from doesnt work in failure route. if (!isflagset(30)) {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i'); } else {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
} setflag(30); }
# we are not relaying authentications :) remove_hf("Authorization"); # remove client authentication
# reset flag to mark no authentication yet performed resetflag(10); # let's use 10 to know uac authentication was not sent yet
xlog("L_INFO","LOAD_AUTH: flag 10 reset and Authorization header clered. returning\n");
return(1);
}
failure_route[FAIL_ONE] { xlog("L_INFO","entering failure route with code: $T_reply_code \n"); #if (t_grep_status("415")) xlog("L_INFO","415! \n");
if ( t_check_status("401|407") ) # Unathorised reply { xlog("L_INFO","Authentication required \n"); # have we already tried to authenticate? do we have auth information loaded? if (isflagset(10) || $avp(i:21)==$null ) # auth was already sent or we don't have auth info { xlog("Authentication to $avp(i:20) provider as $avp(i:21)@$avp(i:24) failed\n"); t_reply("503","Authentication failed"); avp_delete("$avp(i:20)"); avp_delete("$avp(i:21)"); avp_delete("$avp(i:22)"); avp_delete("$avp(i:23)"); avp_delete("$avp(i:24)"); exit(); # :(
}
# if call from here LOAD_AUTH will look for original uri, not rewriten before if( !is_avp_set("$avp(i:20)") || $avp(i:20)=='') { # if LAOD_AUTH was not done yet route (LOAD_AUTH); # loads auth avps and rewrite 'from' field }
# this avps loaded before by LOAD_AUTH # avp(i:20) - rewrited host # avp(i:21) - auth user # avp(i:22) - auth pass # avp(i:23) - auth realm # avp(i:24) - auth domain
xlog ("L_INFO","for $rd using: $avp(i:21) pass: $avp(i:22) realm: $avp(i:23) domain: $avp(i:24)");
remove_hf("Authorization"); # remove client authentication if (uac_auth()) # adding auth header {xlog ("\nMessage:\n$mb\n\n"); xlog("L_INFO","Authorization header set, sending...\n"); # mark that auth was performed setflag(10);
# next time i want t_check_status look at some other errstatus t_drop_replies();
t_on_failure("FAIL_ONE"); # repeat the request with auth response this time append_branch(); # ??? t_relay();
exit; } }
# In case of failure on PSTN provider, send it to an alternative route: # if ( t_check_status("415|480|408|5[0-9][0-9]")) { if ( isflagset(11) && t_check_status("415|480|408|5[0-9][0-9]")) {
# next time i want t_check_status look at some other errstatus t_drop_replies();
xlog("L_INFO", "FAIL_ONE: got code $T_reply_code will try next carrier domain\n"); revert_uri(); if (!cr_next_domain("$avp(s:carrier)", "$avp(s:domain)", "$avp(s:rc_pstn_num)", "$avp(s:rc_host)", "$T_reply_code", "$avp(s:domain)")) { xlog("L_ERR", "cr_next_domain failed\n"); exit; } if (!cr_route("$avp(s:carrier)", "$avp(s:domain)", "$avp(s:rc_pstn_num)", "$avp(s:rc_pstn_num)", "call_id")) { xlog("L_ERR", "cr_route failed\n"); exit; }
route(LOAD_AUTH);
xlog("L_INFO", "FAIL_ONE: done LOAD_AUTH, relaying to next provider: $rd\n"); t_on_failure("FAIL_ONE"); append_branch(); if (!t_relay()) { xlog("L_ERR", "t_relay to $rd failed\n"); exit; } exit;
}
#!ifdef WITH_NAT if (is_method("INVITE") && (isbflagset("6") || isflagset(5))) { unforce_rtp_proxy(); } #!endif
if (t_is_canceled()) { exit; }
t_reply("404","Not found");
}
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be interested in the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is complicated, i am using uac_replace_from and uac_auth. I am using failure route to process authentication if necessary and redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set only speex in UAC to get it ;) ). Ok SER send request to second provider, i use uac_replace_from once again in my LOAD_AUTH route then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one? The first should work, at least the from header should be rewritten by the function.
The second authentication will not work this way (if it requires a different from header) because the proxy "remembers" for the header changes done before the first t_relay() function call and applies the same header modifications also for any other branch added from failure route. Hence, the outgoing SIP request to the second provider will contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route if you do not need to reuse them later from failure route. Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again before uac_auth, but got config error as i can't use uac_replace_from in failure_route.
I think you already use this function from failure route because it is in a route block that is included from failure route. The only difference is that the syntax checker does not recognize the issue. I am not familiar with uac_replace_from() but after having a quick look at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original From HF when the response if forwarded. If you use textops module then you need to restore the header manually.
no. Maybe i should call uac_replace_from in branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
Thanks
Hmmm...
Thank you very much for support
I use subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
now replace work strange i can see first time it said correct to: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=19790648. for both - first INVITE and second with auth header
Second time i am sending to provider: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=19790648.From: sip:21100036838@terrasip.net;transport=UDP;tag=19790648. and then with auth header: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=19790648.
something is wrong again :( You can see i used flags to split first subst call from second one. Second time it is not doing substitution, it is adding to From header :) But then looks like uac_auth removes one :)
I don't care to restore From field, i need it just work.
uac_replace_from do nothing then caller in failure_route via sub route second time. maybe it set From for first branch?
I want it go on list of providers and authenticate then asked.
I have branch_route, i tried to arm t_on_branch , but xlog in this route never write anything in log. I don't know how to use branches. I just know that if i want to call t_relay(), i should always say - append_branch() ;) Any one can explain briefly how branches supposed to work? Especially how to use branch_route. I feel i am nearly there. I guess author of auc module can maybe be interested to add loading of authentication data from database.
my number is sip:andres.moya@riki.ru (not email), anyone welcome to call... testing
ok my logic is
if (number PSTN) { route (PSTN_RELAY); }
route[PSTN_RELAY]{
do first stage cr_route.....
route(LOAD_AUTH);
t_relay();
}
##### LOAD_AUTH ########## # loading authentication information from carrierauth table # set From field according to carrierauth information # arguments: # $rd - request uri doamin, sip provider carrier # returns: # avp(i:20) - rewrited host = $rd # avp(i:21) - auth user # avp(i:22) - auth pass # avp(i:23) - auth realm # avp(i:24) - auth domain
route[LOAD_AUTH]{ xlog ("L_INFO","LOAD_AUTH: searching authentication for host host: $rd"); $avp(i:20)=$rd;
if ( avp_db_query( "SELECT username, password, realm, domain FROM carrierauth WHERE hostname='$rd'", "$avp(i:21);$avp(i:22);$avp(i:23);$avp(i:24)") > 0 ) { xlog ("L_INFO","LOAD_AUTH: for $rd loaded data user: $avp(i:21) pass: $avp(i:22) realm: $avp(i:23) domain: $avp(i:24)");
# replace from_user@from_domain xlog("L_INFO","LOAD_AUTH: changing From: -> sip:$avp(i:21)@$avp(i:24)");
#uac_replace_from("sip:$avp(i:21)@$avp(i:24)"); #uac_replace_from doesnt work in failure route. if (!isflagset(30)) {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
} else {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i'); } setflag(30); }
# we are not relaying authentications :) remove_hf("Authorization"); # remove client authentication
# reset flag to mark no authentication yet performed resetflag(10); # let's use 10 to know uac authentication was not sent yet
xlog("L_INFO","LOAD_AUTH: flag 10 reset and Authorization header clered. returning\n");
return(1);
}
failure_route[FAIL_ONE] { xlog("L_INFO","entering failure route with code: $T_reply_code \n"); #if (t_grep_status("415")) xlog("L_INFO","415! \n");
if ( t_check_status("401|407") ) # Unathorised reply { xlog("L_INFO","Authentication required \n"); # have we already tried to authenticate? do we have auth information loaded? if (isflagset(10) || $avp(i:21)==$null ) # auth was already sent or we don't have auth info { xlog("Authentication to $avp(i:20) provider as $avp(i:21)@$avp(i:24) failed\n"); t_reply("503","Authentication failed"); avp_delete("$avp(i:20)"); avp_delete("$avp(i:21)"); avp_delete("$avp(i:22)"); avp_delete("$avp(i:23)"); avp_delete("$avp(i:24)"); exit(); # :(
}
# if call from here LOAD_AUTH will look for original uri, not rewriten before if( !is_avp_set("$avp(i:20)") || $avp(i:20)=='') { # if LAOD_AUTH was not done yet route (LOAD_AUTH); # loads auth avps and rewrite 'from' field }
# this avps loaded before by LOAD_AUTH # avp(i:20) - rewrited host # avp(i:21) - auth user # avp(i:22) - auth pass # avp(i:23) - auth realm # avp(i:24) - auth domain
xlog ("L_INFO","for $rd using: $avp(i:21) pass: $avp(i:22) realm: $avp(i:23) domain: $avp(i:24)");
remove_hf("Authorization"); # remove client authentication if (uac_auth()) # adding auth header {xlog ("\nMessage:\n$mb\n\n"); xlog("L_INFO","Authorization header set, sending...\n"); # mark that auth was performed setflag(10);
# next time i want t_check_status look at some other errstatus t_drop_replies();
t_on_failure("FAIL_ONE"); # repeat the request with auth response this time append_branch(); # ??? t_relay();
exit; } }
# In case of failure on PSTN provider, send it to an alternative route: # if ( t_check_status("415|480|408|5[0-9][0-9]")) { if ( isflagset(11) && t_check_status("415|480|408|5[0-9][0-9]")) {
# next time i want t_check_status look at some other errstatus t_drop_replies();
xlog("L_INFO", "FAIL_ONE: got code $T_reply_code will try next carrier domain\n"); revert_uri(); if (!cr_next_domain("$avp(s:carrier)", "$avp(s:domain)", "$avp(s:rc_pstn_num)", "$avp(s:rc_host)", "$T_reply_code", "$avp(s:domain)")) { xlog("L_ERR", "cr_next_domain failed\n"); exit; } if (!cr_route("$avp(s:carrier)", "$avp(s:domain)", "$avp(s:rc_pstn_num)", "$avp(s:rc_pstn_num)", "call_id")) { xlog("L_ERR", "cr_route failed\n"); exit; }
route(LOAD_AUTH);
xlog("L_INFO", "FAIL_ONE: done LOAD_AUTH, relaying to next provider: $rd\n"); t_on_failure("FAIL_ONE"); append_branch(); if (!t_relay()) { xlog("L_ERR", "t_relay to $rd failed\n"); exit; } exit;
}
#!ifdef WITH_NAT if (is_method("INVITE") && (isbflagset("6") || isflagset(5))) { unforce_rtp_proxy(); } #!endif
if (t_is_canceled()) { exit; }
t_reply("404","Not found");
}
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be interested in the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is complicated, i am using uac_replace_from and uac_auth. I am using failure route to process authentication if necessary and redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set only speex in UAC to get it ;) ). Ok SER send request to second provider, i use uac_replace_from once again in my LOAD_AUTH route then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one? The first should work, at least the from header should be rewritten by the function.
The second authentication will not work this way (if it requires a different from header) because the proxy "remembers" for the header changes done before the first t_relay() function call and applies the same header modifications also for any other branch added from failure route. Hence, the outgoing SIP request to the second provider will contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route if you do not need to reuse them later from failure route. Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again before uac_auth, but got config error as i can't use uac_replace_from in failure_route.
I think you already use this function from failure route because it is in a route block that is included from failure route. The only difference is that the syntax checker does not recognize the issue. I am not familiar with uac_replace_from() but after having a quick look at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original From HF when the response if forwarded. If you use textops module then you need to restore the header manually.
no. Maybe i should call uac_replace_from in branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
Thanks
Hi,
I made branch route and changing From there, i decided not to restore from.
ok, i doing calls two times and getting:
first time it set ok: From: sip:andres.moya4@sipdiscount.com;tag=572ac509. second time i am getting From: sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net;tag=572ac509.
ok trying subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
first time it substitute ok, on next branch i got result: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=ee12f132.sip:andres.moya4@sipdiscount.com
Looks like both methods are broken. ok, uac_replace is here:
LM_DBG("uri to replace [%.*s]\n",from->uri.len, from->uri.s); LM_DBG("replacement uri is [%.*s]\n",from_uri->len, from_uri->s);
Nov 21 01:22:35 v /usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:305]: uri to replace [sip:mangust@riki.ru;transport=UDP]
Nov 21 01:22:35 v /usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:306]: replacement uri is [sip:andres.moya4@sipdiscount.com] sip:mangust@riki.ru is original from. It is same all sequence of calls. This is actually second call, before sending authenticated INVITE.
Actually i am calling two times uac_replace_from, for first INVITE and for second authenticated. If doing only on first invite is ok with first authentiation, but crashes with results described in the beginning of a mail on second one sip provider. In any case second replace always problem.
/* build del/add lumps */ if ((l=del_lump( msg, from->uri.s-msg->buf, from->uri.len, 0))==0) { LM_ERR("del lump failed\n"); goto error; } p = pkg_malloc( from_uri->len); if (p==0) { LM_ERR("no more pkg mem\n"); goto error; } memcpy( p, from_uri->s, from_uri->len); if (insert_new_lump_after( l, p, from_uri->len, 0)==0) { LM_ERR("insert new lump failed\n"); pkg_free(p); goto error; }
if (from_restore_mode==FROM_NO_RESTORE) return 0;
Result is: From: sip:andres.moya4@sipdiscount.comsip:andres.moya4@sipdiscount.com;tag=1307d94b.
if repeat with next step, try to insert sip:21100036838@terrasip.net, we get: From: sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net;tag=87272c59.
I am sure i am doing something wrong, but Kamailio doing strange things too ...
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be interested in the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is complicated, i am using uac_replace_from and uac_auth. I am using failure route to process authentication if necessary and redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set only speex in UAC to get it ;) ). Ok SER send request to second provider, i use uac_replace_from once again in my LOAD_AUTH route then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one? The first should work, at least the from header should be rewritten by the function.
The second authentication will not work this way (if it requires a different from header) because the proxy "remembers" for the header changes done before the first t_relay() function call and applies the same header modifications also for any other branch added from failure route. Hence, the outgoing SIP request to the second provider will contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route if you do not need to reuse them later from failure route. Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again before uac_auth, but got config error as i can't use uac_replace_from in failure_route.
I think you already use this function from failure route because it is in a route block that is included from failure route. The only difference is that the syntax checker does not recognize the issue. I am not familiar with uac_replace_from() but after having a quick look at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original From HF when the response if forwarded. If you use textops module then you need to restore the header manually.
no. Maybe i should call uac_replace_from in branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
Thanks
Hi,
I quickly tried to replace the From HF and add the auth header and it works for two providers. Please check the attached config and rewrite it as you need.
Miklos
On 11/21/2009 02:56 AM, Andres Moya wrote:
Hi,
I made branch route and changing From there, i decided not to restore from.
ok, i doing calls two times and getting:
first time it set ok: From: sip:andres.moya4@sipdiscount.com;tag=572ac509. second time i am getting From: sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net;tag=572ac509.
ok trying subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
first time it substitute ok, on next branch i got result: From: sip:andres.moya4@sipdiscount.com;transport=UDP;tag=ee12f132.sip:andres.moya4@sipdiscount.com
Looks like both methods are broken. ok, uac_replace is here:
LM_DBG("uri to replace [%.*s]\n",from->uri.len, from->uri.s); LM_DBG("replacement uri is [%.*s]\n",from_uri->len, from_uri->s);
Nov 21 01:22:35 v /usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:305]: uri to replace [sip:mangust@riki.ru;transport=UDP]
Nov 21 01:22:35 v /usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:306]: replacement uri is [sip:andres.moya4@sipdiscount.com] sip:mangust@riki.ru is original from. It is same all sequence of calls. This is actually second call, before sending authenticated INVITE.
Actually i am calling two times uac_replace_from, for first INVITE and for second authenticated. If doing only on first invite is ok with first authentiation, but crashes with results described in the beginning of a mail on second one sip provider. In any case second replace always problem.
/* build del/add lumps */ if ((l=del_lump( msg, from->uri.s-msg->buf, from->uri.len, 0))==0) { LM_ERR("del lump failed\n"); goto error; } p = pkg_malloc( from_uri->len); if (p==0) { LM_ERR("no more pkg mem\n"); goto error; } memcpy( p, from_uri->s, from_uri->len); if (insert_new_lump_after( l, p, from_uri->len, 0)==0) { LM_ERR("insert new lump failed\n"); pkg_free(p); goto error; }
if (from_restore_mode==FROM_NO_RESTORE) return 0;
Result is: From: sip:andres.moya4@sipdiscount.comsip:andres.moya4@sipdiscount.com;tag=1307d94b.
if repeat with next step, try to insert sip:21100036838@terrasip.net, we get: From: sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net;tag=87272c59.
I am sure i am doing something wrong, but Kamailio doing strange things too ...
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be interested in the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is complicated, i am using uac_replace_from and uac_auth. I am using failure route to process authentication if necessary and redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set only speex in UAC to get it ;) ). Ok SER send request to second provider, i use uac_replace_from once again in my LOAD_AUTH route then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one? The first should work, at least the from header should be rewritten by the function.
The second authentication will not work this way (if it requires a different from header) because the proxy "remembers" for the header changes done before the first t_relay() function call and applies the same header modifications also for any other branch added from failure route. Hence, the outgoing SIP request to the second provider will contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route if you do not need to reuse them later from failure route. Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again before uac_auth, but got config error as i can't use uac_replace_from in failure_route.
I think you already use this function from failure route because it is in a route block that is included from failure route. The only difference is that the syntax checker does not recognize the issue. I am not familiar with uac_replace_from() but after having a quick look at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original From HF when the response if forwarded. If you use textops module then you need to restore the header manually.
no. Maybe i should call uac_replace_from in branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
Thanks
# ----------- global configuration parameters ------------------------
debug=2 memdbg=3 fork=yes log_stderror=yes children=1 disable_tcp=1 disable_tls=1 disable_sctp=1
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5070 listen=udp:10.38.2.177:5070
flags AUTH_ADDED;
# ------------------ module loading ----------------------------------
loadpath "/home/mtirpak/SER/git/sip-router/" loadmodule "modules_k/sl/sl.so" loadmodule "modules/tm/tm.so" loadmodule "modules_k/rr/rr.so" loadmodule "modules_k/uac/uac.so" loadmodule "modules_k/pv/pv.so"
modparam("uac","credential","username:domain:password") modparam("uac","auth_realm_avp","$avp(s:realm)") modparam("uac","auth_username_avp","$avp(s:user)") modparam("uac","auth_password_avp","$avp(s:password)")
# ------------- routing logic --------------------------------------
route { route("first-provider"); }
route["first-provider"] { log(0, "FIRST PROVIDER #1\n"); $avp(s:realm) = "foo.com"; $avp(s:user) = "Alice"; $avp(s:password) = "1234";
rewritehostport("10.38.2.177:5080"); resetflag(AUTH_ADDED); t_on_failure("first-provider-failure"); t_on_branch("first-provider-prepare"); t_relay(); }
# rewrite the From header from branch route so that it is done # separately for each branch branch_route["first-provider-prepare"] { uac_replace_from("sip:Alice@foo.com"); }
failure_route["first-provider-failure"] { if (!isflagset(AUTH_ADDED) && t_check_status("401|407")) { log(0, "FIRST PROVIDER #2\n"); t_on_failure("first-provider-failure"); t_on_branch("first-provider-prepare"); if (!uac_auth()) { route("second-provider"); return; } setflag(AUTH_ADDED); append_branch(); t_drop_replies(); if (!t_relay()) { route("second-provider"); return; } } else { # Either the authentication did not work # or there was another failure log(0, "FIRST PROVIDER FAILED\n"); t_drop_replies(); route("second-provider"); } }
route["second-provider"] { log(0, "SECOND PROVIDER #1\n"); $avp(s:realm) = "bar.com"; $avp(s:user) = "Bob"; $avp(s:password) = "5678";
rewritehostport("10.38.2.177:5090"); resetflag(AUTH_ADDED); t_on_failure("second-provider-failure"); t_on_branch("second-provider-prepare"); append_branch(); t_relay(); }
branch_route["second-provider-prepare"] { uac_replace_from("sip:Bob@bar.com"); }
failure_route["second-provider-failure"] { if (!isflagset(AUTH_ADDED) && t_check_status("401|407")) { log(0, "SECOND PROVIDER #2\n"); t_on_failure("second-provider-failure"); t_on_branch("second-provider-prepare"); if (!uac_auth()) { route("auth-error"); return; } setflag(AUTH_ADDED); append_branch(); t_drop_replies(); if (!t_relay()) { route("auth-error"); return; } } else { log(0, "SECOND PROVIDER FAILED\n"); if (t_check_status("401|407")) { # Does not let the 401/407 forwarded. route("auth-error"); } } }
route["auth-error"] { t_reply("500", "failed to authenticate"); drop; }
Thank you. Looks like it is ok now. My mistake was to use uac_repace_from in request route first time. Then i rewrite script to call replace only from branch route everything become fine. But anyway uac_repace_from works strange way, should maybe write something in logs.
so result is: if we need to use uac_repace_from more then once in a transaction it should be called from branch_route only. not from request route.
i also noted that my clients send proxy auth info on all ACK and BYE, so i cut them in the beginning of a route:
# we now not authenticating ACKs and BYE, just to prevent relay # of auth data to external providers if ( is_method("ACK|BYE") && is_present_hf("Proxy-Authorization")) remove_hf("Proxy-Authorization");
consume_credentials doesn't help here
Maybe i should use normal (not proxy) authentication on their INVITE?
Andres Moya schrieb:
Thank you. Looks like it is ok now. My mistake was to use uac_repace_from in request route first time. Then i rewrite script to call replace only from branch route everything become fine. But anyway uac_repace_from works strange way, should maybe write something in logs.
so result is: if we need to use uac_repace_from more then once in a transaction it should be called from branch_route only. not from request route.
i also noted that my clients send proxy auth info on all ACK and BYE, so i cut them in the beginning of a route:
that's a good idea
# we now not authenticating ACKs and BYE, just to prevent relay # of auth data to external providers if ( is_method("ACK|BYE") && is_present_hf("Proxy-Authorization")) remove_hf("Proxy-Authorization");
consume_credentials doesn't help here
consume_credentials does only work after calling one of the authentication function.
I would add also (to be on the safe side): remove_hf("Authorization");
Maybe i should use normal (not proxy) authentication on their INVITE?
Proxy-auth is the correct thing.
regards klaus
-
Andres Moya -
Klaus Darilion -
Miklos Tirpak