Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){
if(no_auth_header){
www_challenge("$td","1");
exit;
}
else{
t_newtran();
http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY");
}
}
}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");
}
}
##### END SNIP
Best regards!
Hi, I'm running a scenario very similar to yours with kamailio 5.5.3 and I have no issue. The only difference with your scenario is that I don't do the challenge with the client, I always reply 403 and release the transaction after. I didn't have the time to replicate your exact scenario but it could be worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Frederico,
(sorry for the double posting today, despite telling gmail to not put messages from this mailing il the spam folder, it has done it again :/ )
Thanks for your reply, I tried your suggestion and sadly it has not worked, I still have the same error. Upon searching and digging through the logs I still can't understand why after the http client is doing it's request, the debugger shows that we are not in "request" route but in "failure" route instead, I don't know if this is a consequence or a symptom of the issue.
I triple checked my mock api, it returns a http 200 and sees the request made by the http client.
Cheers
Le jeu. 27 janv. 2022 à 16:17, Federico Cabiddu federico.cabiddu@gmail.com a écrit :
Hi, I'm running a scenario very similar to yours with kamailio 5.5.3 and I have no issue. The only difference with your scenario is that I don't do the challenge with the client, I always reply 403 and release the transaction after. I didn't have the time to replicate your exact scenario but it could be worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Cyril, it is normal that the callback route is considered a failure route, this is the internal behavior of transaction suspension/resume as implemented by the tm module. Are you sure that there is no other SIP message interfering with your flow? Could you set kamailio loglevel to 3 to see what happens?
Cheers,
Federico
On Mon, Jan 31, 2022 at 10:41 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Frederico,
(sorry for the double posting today, despite telling gmail to not put messages from this mailing il the spam folder, it has done it again :/ )
Thanks for your reply, I tried your suggestion and sadly it has not worked, I still have the same error. Upon searching and digging through the logs I still can't understand why after the http client is doing it's request, the debugger shows that we are not in "request" route but in "failure" route instead, I don't know if this is a consequence or a symptom of the issue.
I triple checked my mock api, it returns a http 200 and sees the request made by the http client.
Cheers
Le jeu. 27 janv. 2022 à 16:17, Federico Cabiddu < federico.cabiddu@gmail.com> a écrit :
Hi, I'm running a scenario very similar to yours with kamailio 5.5.3 and I have no issue. The only difference with your scenario is that I don't do the challenge with the client, I always reply 403 and release the transaction after. I didn't have the time to replicate your exact scenario but it could be worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Federico,
Ok, I wasn't aware of this detail about suspend/resume implementation, thanks for pointing that out.
I made a test with debug level 3 as requested, please find the raw logs here : https://pastebin.com/y6kZiweh
I don't think there are other SIP messages interfering with the flow, I have TCP checks (load balancer) running but nothing else is doing SIP requests. As for the client, it sends a REGISTER request, then we reply 401 , then the client sends a new REGISTER with challenge, and we send 500 server error occurred (not me but likely the TMX module).
I'm doing my best trying to understand what went wrong but I'm hitting a wall, thanks for your help :)
Cyril
Le lun. 31 janv. 2022 à 18:57, Federico Cabiddu federico.cabiddu@gmail.com a écrit :
Hi Cyril, it is normal that the callback route is considered a failure route, this is the internal behavior of transaction suspension/resume as implemented by the tm module. Are you sure that there is no other SIP message interfering with your flow? Could you set kamailio loglevel to 3 to see what happens?
Cheers,
Federico
On Mon, Jan 31, 2022 at 10:41 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Frederico,
(sorry for the double posting today, despite telling gmail to not put messages from this mailing il the spam folder, it has done it again :/ )
Thanks for your reply, I tried your suggestion and sadly it has not worked, I still have the same error. Upon searching and digging through the logs I still can't understand why after the http client is doing it's request, the debugger shows that we are not in "request" route but in "failure" route instead, I don't know if this is a consequence or a symptom of the issue.
I triple checked my mock api, it returns a http 200 and sees the request made by the http client.
Cheers
Le jeu. 27 janv. 2022 à 16:17, Federico Cabiddu < federico.cabiddu@gmail.com> a écrit :
Hi, I'm running a scenario very similar to yours with kamailio 5.5.3 and I have no issue. The only difference with your scenario is that I don't do the challenge with the client, I always reply 403 and release the transaction after. I didn't have the time to replicate your exact scenario but it could be worth trying to add a t_release() after the www_challenge().
Cheers,
Federico
On Thu, Jan 27, 2022 at 8:04 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann@gmail.com mailto:khorsmann@gmail.com> a écrit : Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere@gmail.com mailto:cyril.ramiere@gmail.com> schrieb am Do., 27. Jan. 2022, 08:04: Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{ route(AUTH);
route[AUTH]{ if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } } }
route[AUTH_REPLY]{ xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n"); }
} ##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
- https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
- https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Olle,
I prefer not to use it since you rightly pointed out that it will block the thread during the request.
Since a lot of sip phones will register & interact with kamailio it could seriously hurt the performance.
I will implement caching for sure regardless of the async/non-async-non-optimal solution, but I still hope that this issue will be solved.
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 07:57, Olle E. Johansson oej@edvina.net a écrit :
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
On 3 Feb 2022, at 09:54, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Olle,
I prefer not to use it since you rightly pointed out that it will block the thread during the request
Depends of course of your HTTP server… And the number of UDP/TCP listeners. It won’t block all listeners. Since registrations are less time-critical, you could handle the request asynchronously in a background process and thus not block the listener which would lead to more or less the same as using http_asynch. Just fire up a large amount of background processes :-)
/O
Since a lot of sip phones will register & interact with kamailio it could seriously hurt the performance.
I will implement caching for sure regardless of the async/non-async-non-optimal solution, but I still hope that this issue will be solved.
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 07:57, Olle E. Johansson <oej@edvina.net mailto:oej@edvina.net> a écrit :
On 2 Feb 2022, at 23:58, Cyril Ramière <cyril.ramiere@gmail.com mailto:cyril.ramiere@gmail.com> wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann <khorsmann@gmail.com mailto:khorsmann@gmail.com> a écrit : Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière <cyril.ramiere@gmail.com mailto:cyril.ramiere@gmail.com> schrieb am Do., 27. Jan. 2022, 08:04: Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{ route(AUTH);
route[AUTH]{ if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } } }
route[AUTH_REPLY]{ xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n"); }
} ##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
- https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
- https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
- https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
You said to handle the registrations inside a background process, how do you achieve that?
In fact I already tried to use the async framework and it wasn't working too, got the same error.
Inside my REGISTER handling route I do :
<check for digest, if not provided -> challenge, if provided then go:> async_task_route("AUTH_DOQUERY");
My AUTH_DOQUERY is:
route[AUTH_DOQUERY]{ xlog("L_NOTICE", "[AUTH_DOQUERY] INIT \n\n"); #I will put the http_client here, but since it is not working there is no need atm. route(AUTH_REPLY); }
And it still manages to produce the same critical error when entering my AUTH_REPLY route :(
16(23) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
Le jeu. 3 févr. 2022 à 10:29, Olle E. Johansson oej@edvina.net a écrit :
On 3 Feb 2022, at 09:54, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Olle,
I prefer not to use it since you rightly pointed out that it will block the thread during the request
Depends of course of your HTTP server… And the number of UDP/TCP listeners. It won’t block all listeners. Since registrations are less time-critical, you could handle the request asynchronously in a background process and thus not block the listener which would lead to more or less the same as using http_asynch. Just fire up a large amount of background processes :-)
/O
Since a lot of sip phones will register & interact with kamailio it could seriously hurt the performance.
I will implement caching for sure regardless of the async/non-async-non-optimal solution, but I still hope that this issue will be solved.
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 07:57, Olle E. Johansson oej@edvina.net a écrit :
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
I have to admit that even looking at the debug logs I cannot understand what's going on in your case. As said I'm running an authentication scenario very similar to yours, being the challenge the only difference. What I can suggest to further digging is to reduce your configuration as much as possible (e.g. I see that you are using topoh) and see if we can understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson oej@edvina.net wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Okay, so I have done that,
Please find here : https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1cN...
My full config (I redacted some parts like IPs and domains), with the minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu federico.cabiddu@gmail.com a écrit :
I have to admit that even looking at the debug logs I cannot understand what's going on in your case. As said I'm running an authentication scenario very similar to yours, being the challenge the only difference. What I can suggest to further digging is to reduce your configuration as much as possible (e.g. I see that you are using topoh) and see if we can understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson oej@edvina.net wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Cyril, I tried your script and changing sl_send_reply("200","OK"); with send_reply("200","OK") or t_reply("200","OK"); it works, a 200 OK reply is sent out.
The message
"CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE"
comes from trying, in the xlog call, to access $T(reply_code) where there is actually no reply code for the transaction (no reply has been received/generated)
Could you try the following snippet based on http_async_client?
request_route { xlog("L_NOTICE", "ROOT - New request - M=$rm UAC-IP=$si:$sp LB-IP=$tcp(c_si):$tcp(c_sp) UA='$ua' ID=$ci\n");
if (is_method("REGISTER")){ xlog("L_NOTICE", "[ROOT] Got REGISTER. method=$rm - code=$T(reply_code) - Destination=$ru - Origin=[$fU@$si:$sp]\n"); if(!is_present_hf("Authorization")){ xlog("L_INFO","[ROOT::REGISTER] No auth provided, sending CHALLENGE for $fU ($fu) (FINAL)\n"); www_challenge("$td","1"); exit; } else{ xlog("L_INFO","[ROOT::REGISTER] Auth provided, Go to AUTH_DOQUERY using http_async_client\n"); t_newtran(); http_async_query("http://127.0.0.1:8000/%22,%22AUTH_REPLY"); } }
exit; }
route[AUTH_REPLY]{ xlog("L_NOTICE", "[AUTH_REPLY]: http_rs=$http_rs\n"); send_reply("200","OK"); exit; }
(I'm running a simple http server always replying 200 on the loopback interface)
Cheers,
Federico
On Thu, Feb 3, 2022 at 12:13 PM Cyril Ramière cyril.ramiere@gmail.com wrote:
Okay, so I have done that,
Please find here : https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1cN...
My full config (I redacted some parts like IPs and domains), with the minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu federico.cabiddu@gmail.com a écrit :
I have to admit that even looking at the debug logs I cannot understand what's going on in your case. As said I'm running an authentication scenario very similar to yours, being the challenge the only difference. What I can suggest to further digging is to reduce your configuration as much as possible (e.g. I see that you are using topoh) and see if we can understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson oej@edvina.net wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Federico,
Thank you, this was the solution!
You were right about trying to log $T(reply_code), this triggers the critical error and sends a 500 internal server error message. Since I was using the same xlog line across my entire code, $T(reply_code) was called multiple times, I didn't think it would cause such an issue since the documentation states that it returns 0 in the worst case.
I stumbled across another issue, my rtpengine stopped working, it was due to the fact that the http async client (so async framework) uses a "failure_route" when triggering the callback route, so the first action of rtpengine_manage() is to DELETE the transaction if in failure_route.
I moved/refactored some logic to trigger rtpengine inside a branch_route, but I'm wondering if there is a way after my http query is done to revert back to the request_route instead of the failure_route.
Cheers,
Cyril
Le ven. 4 févr. 2022 à 10:00, Federico Cabiddu federico.cabiddu@gmail.com a écrit :
Hi Cyril, I tried your script and changing sl_send_reply("200","OK"); with send_reply("200","OK") or t_reply("200","OK"); it works, a 200 OK reply is sent out.
The message
"CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE"
comes from trying, in the xlog call, to access $T(reply_code) where there is actually no reply code for the transaction (no reply has been received/generated)
Could you try the following snippet based on http_async_client?
request_route { xlog("L_NOTICE", "ROOT - New request - M=$rm UAC-IP=$si:$sp LB-IP=$tcp(c_si):$tcp(c_sp) UA='$ua' ID=$ci\n");
if (is_method("REGISTER")){ xlog("L_NOTICE", "[ROOT] Got REGISTER. method=$rm -code=$T(reply_code) - Destination=$ru - Origin=[$fU@$si:$sp]\n"); if(!is_present_hf("Authorization")){ xlog("L_INFO","[ROOT::REGISTER] No auth provided, sending CHALLENGE for $fU ($fu) (FINAL)\n"); www_challenge("$td","1"); exit; } else{ xlog("L_INFO","[ROOT::REGISTER] Auth provided, Go to AUTH_DOQUERY using http_async_client\n"); t_newtran(); http_async_query("http://127.0.0.1:8000/%22,%22AUTH_REPLY"); } }
exit;}
route[AUTH_REPLY]{ xlog("L_NOTICE", "[AUTH_REPLY]: http_rs=$http_rs\n"); send_reply("200","OK"); exit; }
(I'm running a simple http server always replying 200 on the loopback interface)
Cheers,
Federico
On Thu, Feb 3, 2022 at 12:13 PM Cyril Ramière cyril.ramiere@gmail.com wrote:
Okay, so I have done that,
Please find here : https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1cN...
My full config (I redacted some parts like IPs and domains), with the minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu < federico.cabiddu@gmail.com> a écrit :
I have to admit that even looking at the debug logs I cannot understand what's going on in your case. As said I'm running an authentication scenario very similar to yours, being the challenge the only difference. What I can suggest to further digging is to reduce your configuration as much as possible (e.g. I see that you are using topoh) and see if we can understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson oej@edvina.net wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
Hi there,
I have a weird issue with kamailio (latest docker image kamailio-ci:5.5.2-alpine) and http_async_client.
Before posting a lot of logs, let me describe what I want to achieve.
I have a Kamailio and a SIP Phone.
The SIP phone sends a REGISTER to kamailio, then in my routing block, I check if I have an Authorization header.
Since I don't have an Authorization (first message), I use "www_challenge()". This replies to the SIP phone, and then the SIP phone sends a new REGISTER with the correct Authorization header.
So far so good.
Now, when I get the REGISTER with Authorization header, I want to ask an HTTP endpoint if this user is allowed to connect and check the password using http_async_query().
The problem is that when the transaction resumes, the tmx module is unhappy and throws this error :
30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE
And a 500 error is sent back to the sip phone. The AUTH_REPLY route is still called and I can use the $http* values.
Do you see something that I am doing wrong or missing in my logic? Is pausing/resuming to use the async http client is allowed if I'm handling a REGISTER transaction?
Here's a simplified version of my routing block (not far from reality):
##### SNIP
request_route{
route(AUTH);
route[AUTH]{
if (is_method("REGISTER"){ if(no_auth_header){ www_challenge("$td","1"); exit; } else{ t_newtran(); http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); } }}
route[AUTH_REPLY]{
xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n");}
}
##### END SNIP
Best regards! __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Cyril, happy to hear that you solved the problem. About switching back to request_route type is not possible, it has to do with the kamailio mechanism to suspend transactions. The callback route is always a failure route. The solution for rtpengine is either to call rtpengine_offer explicitly or call rtpengine_manage in a branch_route, as you are doing and it's imho among the best practices for kamailio.
Cheers,
Federico
On Tue, Feb 8, 2022 at 10:34 AM Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Federico,
Thank you, this was the solution!
You were right about trying to log $T(reply_code), this triggers the critical error and sends a 500 internal server error message. Since I was using the same xlog line across my entire code, $T(reply_code) was called multiple times, I didn't think it would cause such an issue since the documentation states that it returns 0 in the worst case.
I stumbled across another issue, my rtpengine stopped working, it was due to the fact that the http async client (so async framework) uses a "failure_route" when triggering the callback route, so the first action of rtpengine_manage() is to DELETE the transaction if in failure_route.
I moved/refactored some logic to trigger rtpengine inside a branch_route, but I'm wondering if there is a way after my http query is done to revert back to the request_route instead of the failure_route.
Cheers,
Cyril
Le ven. 4 févr. 2022 à 10:00, Federico Cabiddu federico.cabiddu@gmail.com a écrit :
Hi Cyril, I tried your script and changing sl_send_reply("200","OK"); with send_reply("200","OK") or t_reply("200","OK"); it works, a 200 OK reply is sent out.
The message
"CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no picked branch (-1) for a final response in MODE_ONFAILURE"
comes from trying, in the xlog call, to access $T(reply_code) where there is actually no reply code for the transaction (no reply has been received/generated)
Could you try the following snippet based on http_async_client?
request_route { xlog("L_NOTICE", "ROOT - New request - M=$rm UAC-IP=$si:$sp LB-IP=$tcp(c_si):$tcp(c_sp) UA='$ua' ID=$ci\n");
if (is_method("REGISTER")){ xlog("L_NOTICE", "[ROOT] Got REGISTER. method=$rm -code=$T(reply_code) - Destination=$ru - Origin=[$fU@$si:$sp]\n"); if(!is_present_hf("Authorization")){ xlog("L_INFO","[ROOT::REGISTER] No auth provided, sending CHALLENGE for $fU ($fu) (FINAL)\n"); www_challenge("$td","1"); exit; } else{ xlog("L_INFO","[ROOT::REGISTER] Auth provided, Go to AUTH_DOQUERY using http_async_client\n"); t_newtran(); http_async_query("http://127.0.0.1:8000/%22,%22AUTH_REPLY"); } }
exit;}
route[AUTH_REPLY]{ xlog("L_NOTICE", "[AUTH_REPLY]: http_rs=$http_rs\n"); send_reply("200","OK"); exit; }
(I'm running a simple http server always replying 200 on the loopback interface)
Cheers,
Federico
On Thu, Feb 3, 2022 at 12:13 PM Cyril Ramière cyril.ramiere@gmail.com wrote:
Okay, so I have done that,
Please find here : https://zerobin.net/?7743b78716b00c72#Jzmdq+5ZlFfZId+M/hP+52Ih0AMAMNUjeUT1cN...
My full config (I redacted some parts like IPs and domains), with the minimal routing blocks to reproduce and the logs.
If you don't mind checking it, it would be great :)
Cheers,
Cyril
Le jeu. 3 févr. 2022 à 11:39, Federico Cabiddu < federico.cabiddu@gmail.com> a écrit :
I have to admit that even looking at the debug logs I cannot understand what's going on in your case. As said I'm running an authentication scenario very similar to yours, being the challenge the only difference. What I can suggest to further digging is to reduce your configuration as much as possible (e.g. I see that you are using topoh) and see if we can understand better what is causing the issue.
Cheers,
Federico
On Thu, Feb 3, 2022 at 7:58 AM Olle E. Johansson oej@edvina.net wrote:
On 2 Feb 2022, at 23:58, Cyril Ramière cyril.ramiere@gmail.com wrote:
Hi Karsten,
Thanks for the clue, unfortunately I can't use this module because the clients are "dumb" sip phones.
The goal of my implementation is to use our application API to handle the login.
The plan was that a sip phone sends a REGISTER, I ask the API endpoint if this user/password is ok to connect and allow/deny based on the reply and informations provided by the API.
Everything is relying on the fact that I can make my HTTP call when handling the REGISTER, sadly for me, it doesn't work and I still can't figure why.
Try http_client. I’ve used it a lot of time for authentication. It will block your thread while waiting for response, but you can handle some of those issues by caching secrets for a short time with htable.
/O
Cheers,
Cyril
Le mer. 2 févr. 2022 à 19:49, Karsten Horsmann khorsmann@gmail.com a écrit :
Hi Cyril,
This Kamailio module could imho do the same
https://www.kamailio.org/docs/modules/devel/modules/auth_ephemeral.html
Cyril Ramière cyril.ramiere@gmail.com schrieb am Do., 27. Jan. 2022, 08:04:
> Hi there, > > I have a weird issue with kamailio (latest docker > image kamailio-ci:5.5.2-alpine) and http_async_client. > > Before posting a lot of logs, let me describe what I want to achieve. > > I have a Kamailio and a SIP Phone. > > The SIP phone sends a REGISTER to kamailio, then in my routing > block, I check if I have an Authorization header. > > Since I don't have an Authorization (first message), I > use "www_challenge()". > This replies to the SIP phone, and then the SIP phone sends a new > REGISTER with the correct Authorization header. > > So far so good. > > Now, when I get the REGISTER with Authorization header, I want to > ask an HTTP endpoint if this user is allowed to connect and check the > password using http_async_query(). > > The problem is that when the transaction resumes, the tmx module is > unhappy and throws this error : > > 30(36) CRITICAL: tmx [t_var.c:546]: pv_get_tm_reply_code(): no > picked branch (-1) for a final response in MODE_ONFAILURE > > And a 500 error is sent back to the sip phone. > The AUTH_REPLY route is still called and I can use the $http* values. > > Do you see something that I am doing wrong or missing in my logic? > Is pausing/resuming to use the async http client is allowed if I'm > handling a REGISTER transaction? > > Here's a simplified version of my routing block (not far from > reality): > > ##### SNIP > > request_route{ > > route(AUTH); > > > route[AUTH]{ > > if (is_method("REGISTER"){ > > if(no_auth_header){ > > www_challenge("$td","1"); > > exit; > > } > > else{ > > t_newtran(); > > http_async_query("http://xxx.xxx.xxx.xxx:9000/auth?foo=bar", "AUTH_REPLY"); > > } > > } > > } > > > route[AUTH_REPLY]{ > > xlog("L_INFO", "route[HTTP_REPLY]: status $http_rs\n"); > > } > > > } > > ##### END SNIP > > > Best regards! > __________________________________________________________ > Kamailio - Users Mailing List - Non Commercial Discussions > * sr-users@lists.kamailio.org > Important: keep the mailing list in the recipients, do not reply > only to the sender! > Edit mailing list options or unsubscribe: > * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
-
Cyril Ramière -
Federico Cabiddu -
Karsten Horsmann -
Olle E. Johansson