sipwise
/
kamailio
mirror of https://github.com/sipwise/kamailio.git
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
kamailio/doc/tutorials/presence/cfg/ps.cfg

569 lines
16 KiB
Raw Permalink Blame History

#
# $Id$
#
# First start SIP-router sample config script with:
# database, accounting, authentication, multi-domain support
# PSTN GW section, named flags, named routes, global-,
# domain- and user-preferences with AVPs
# Several of these features are only here for demonstration purpose
# what can be achieved with the SIP-router config script language.
#
# If you look for a simpler version with a lot less dependencies
# please refer to the ser-basic.cfg file in your SIP-router distribution.
# To get this config running you need to execute the following commands
# with the new serctl (the capital word are just place holders)
# - ser_ctl domain add DOMAINNAME
# - ser_ctl user add USERNAME@DOMAINNAME -p PASSWORD
# If you want to have PID header for your user
# - ser_attr add uid=UID asserted_id="PID"
# If you want to have gateway support
# - ser_db add attr_types name=gw_ip rich_type=string raw_type=2 description="The gateway IP for the default ser.cfg" default_flags=33
# - ser_attr add global gw_ip=GATEWAY-IP
# ----------- global configuration parameters ------------------------
debug=3 # debug level (cmd line: -dddddddddd)
memdbg=10 # memory debug log level
#memlog=10 # memory statistics log level
#log_facility=LOG_LOCAL0 # sets the facility used for logging (see syslog(3))
/* Uncomment these lines to enter debugging mode
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
#user=ser
#group=ser
#disable_core=yes #disables core dumping
#open_fd_limit=1024 # sets the open file descriptors limit
#mhomed=yes # useful for multihomed hosts, small performance penalty
#disable_tcp=yes
#tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
#
# ------------------ module loading ----------------------------------
# load a SQL database for authentication, domains, user AVPs etc.
loadmodule "/home/kubartv/SER/lib/ser/modules/mysql.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/sl.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/tm.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/rr.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/maxfwd.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/usrloc.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/registrar.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/xlog.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/textops.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/ctl.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/fifo.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/auth.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/auth_db.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/gflags.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/domain.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/uri_db.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/avp.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/avp_db.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/acc_db.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/xmlrpc.so"
# presence related modules
loadmodule "/home/kubartv/SER/lib/ser/modules/pa.so"
loadmodule "/home/kubartv/SER/lib/ser/modules/dialog.so"
# ----------------- setting script FLAGS -----------------------------
flags
FLAG_ACC : 1 # include message in accounting
avpflags
dialog_cookie; # handled by rr module
# ----------------- setting module-specific parameters ---------------
# specify the path to you database here
modparam("acc_db|auth_db|avp_db|domain|gflags|usrloc|uri_db", "db_url", "mysql://ser:heslo@127.0.0.1/ser")
# -- usrloc params --
# as we use the database anyway we will use it for usrloc as well
modparam("usrloc", "db_mode", 1)
# -- auth params --
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
#
# limit the length of the AVP cookie to only necessary ones
modparam("rr", "cookie_filter", "(account)")
#
# you probably do not want that someone can simply read and change
# the AVP cookie in your Routes, thus should really change this
# secret value below
modparam("rr", "cookie_secret", "MyRRAVPcookiesecret")
# -- gflags params --
# load the global AVPs
modparam("gflags", "load_global_attrs", 1)
# -- domain params --
# load the domain AVPs
modparam("domain", "load_domain_attrs", 1)
# -- ctl params --
# by default ctl listens on unixs:/tmp/ser_ctl if no other address is
# specified in modparams; this is also the default for sercmd
modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
# listen on the "standard" fifo for backward compatibility
modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
# listen on tcp, localhost
#modparam("ctl", "binrpc", "tcp:localhost:2046")
# -- acc_db params --
# failed transactions (=negative responses) should be logged to
modparam("acc_db", "failed_transactions", 1)
# comment the next line if you don't want to have accounting to DB
modparam("acc_db", "log_flag", "FLAG_ACC")
# -- tm params --
# uncomment the following line if you want to avoid that each new reply
# restarts the resend timer (see INBOUND route below)
#modparam("tm", "restart_fr_on_each_reply", "0")
# -- presence modules parameters --
modparam("pa", "use_db", 1)
modparam("pa", "auth", "none")
modparam("pa", "winfo_auth", "none")
modparam("pa", "db_url", "mysql://ser:heslo@127.0.0.1/ser")
# ------------------------- request routing logic -------------------
# main routing logic
route{
# if you have a PSTN gateway just un-comment the follwoing line and
# specify the IP address of it to route calls to it
#$gw_ip = "1.2.3.4"
# first do some initial sanity checks
route(INIT);
# check if the request is routed via Route header or
# needs a Record-Route header
route(RR);
# check if the request belongs to our proxy
route(DOMAIN);
# handle REGISTER requests
route(REGISTRAR);
# handle requests destined for presence server (SUBSCRIBE, PUBLISH, ...)
route(PRESENCE);
# from here on we want to know you is calling
route(AUTHENTICATION);
# check if we should be outbound proxy for a local user
route(OUTBOUND);
# check if the request is for a local user
route(INBOUND);
# here you coud for example try to an ENUM lookup before
# the call gets routed to the PSTN
#route(ENUM);
# lets see if someone wants to call a PSTN number
route(PSTN);
# nothing matched, reject it finally
sl_send_reply("404", "No route matched");
}
route[FORWARD]
{
# here you could decide whether this call needs a RTP relay or not
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (!t_relay()) {
sl_reply_error();
};
drop;
}
route[INIT]
{
# as soon as it is save to distinguish HTTP from SIP
# we can un-comment the next line
route(RPC);
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
drop;
};
if (msg:len >= max_len ) {
sl_send_reply("513", "Message too big");
drop;
};
# you could add some NAT detection here for example
# or you cuold call here some of the check from the sanity module
# lets account all initial INVITEs and the BYEs
# if (method=="INVITE" && @to.tag=="" || method=="BYE") {
if (method=="INVITE" && @to.tag=="") {
setflag(FLAG_ACC);
}
}
route[RPC]
{
# allow XMLRPC from localhost
if ((method=="POST" || method=="GET") &&
src_ip==127.0.0.1) {
if (msg:len >= 8192) {
sl_send_reply("513", "Request to big");
drop;
}
# lets see if a module want to answer this
dispatch_rpc();
drop;
}
}
route[RR]
{
# subsequent messages within a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
# if the Route contained the accounting AVP cookie we
# set the accounting flag for the acc_db module.
# this is more for demonstration purpose as this could
# also be solved without RR cookies.
# Note: this means all in-dialog request will show up in the
# accounting tables, so prepare your accounting software for this ;-)
if ($account == "yes") {
setflag(FLAG_ACC);
}
# for broken devices which overwrite their Route's with each
# (not present) RR from within dialog requests it is better
# to repeat the RRing
# and if we call rr after loose_route the AVP cookies are restored
# automatically :)
record_route();
route(FORWARD);
} else if (!method=="REGISTER") {
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
# if the initial INVITE got the ACC flag store this in
# an RR AVP cookie. This is more for demonstration purpose
if (isflagset(FLAG_ACC)) {
$account = "yes";
setavpflag($account, "dialog_cookie");
}
record_route();
}
}
route[DOMAIN]
{
# check if the caller is from a local domain
lookup_domain("$fd", "@from.uri.host");
# check if the callee is at a local domain [presence: we can not use @ruri
# here because in consequent SUBSCRIBEs will be there our IP and not the
# domain]
lookup_domain("$td", "@to.uri.host");
# we don't know the domain of the caller and also not
# the domain of the callee -> somone uses our proxy as
# a relay
if (!$t.did && !$f.did) {
sl_send_reply("403", "Relaying Forbidden");
drop;
}
}
route[REGISTRAR]
{
# if the request is a REGISTER lets take care of it
if (method=="REGISTER") {
# check if the REGISTER if for one of our local domains
if (!$t.did) {
sl_send_reply("403", "Register forwarding forbidden");
drop;
}
# we want only authenticated users to be registered
# if (!www_authenticate("$fd.digest_realm", "credentials")) {
# if ($? == -2) {
# sl_send_reply("500", "Internal Server Error");
# } else if ($? == -3) {
# sl_send_reply("400", "Bad Request");
# } else {
# if ($digest_challenge) {
# append_to_reply("%$digest_challenge");
# }
# sl_send_reply("401", "Unauthorized");
# }
# drop;
# };
# check if the authenticated user is the same as the target user
if (!lookup_user("$tu.uid", "@to.uri")) {
sl_send_reply("404", "Unknown user in To");
drop;
}
if ($f.uid != $t.uid) {
sl_send_reply("403", "Authentication and To-Header mismatch");
drop;
}
# check if the authenticated user is the same as the request originator
# you may uncomment it if you care, what uri is in From header
#if (!lookup_user("$fu.uid", "@from.uri")) {
# sl_send_reply("404", "Unknown user in From");
# drop;
#}
#if ($fu.uid != $tu.uid) {
# sl_send_reply("403", "Authentication and From-Header mismatch");
# drop;
#}
# everyhting is fine so lets store the binding
save_contacts("location");
drop;
};
}
route[AUTHENTICATION]
{
if (method=="CANCEL" || method=="ACK") {
# you are not allowed to challenge these methods
break;
}
# requests from non-local to local domains should be permitted
# remove this if you want a walled garden
if (! $f.did) {
break;
}
# as gateways are usually not able to authenticate for their
# requests you will have trust them base on some other information
# like the source IP address. WARNING: if at all this is only safe
# in a local network!!!
#if (src_ip==a.b.c.d) {
# break;
#}
if (!proxy_authenticate("$fd.digest_realm", "credentials")) {
if ($? == -2) {
sl_send_reply("500", "Internal Server Error");
} else if ($? == -3) {
sl_send_reply("400", "Bad Request");
} else {
if ($digest_challenge) {
append_to_reply("%$digest_challenge");
}
sl_send_reply("407", "Proxy Authentication Required");
}
drop;
}
# check if the UID from the authentication meets the From header
$authuid = $uid;
if (!lookup_user("$fu.uid", "@from.uri")) {
del_attr("$uid");
}
if ($fu.uid != $fr.authuid) {
sl_send_reply("403", "Fake Identity");
drop;
}
# load the user AVPs (preferences) of the caller, e.g. for RPID header
load_attrs("$fu", "$f.uid");
}
route[OUTBOUND]
{
# if a local user calls to a foreign domain we play outbound proxy for him
# comment this out if you want a walled garden
if ($f.did && ! $t.did) {
append_hf("P-hint: outbound\r\n");
route(FORWARD);
}
}
route[INBOUND]
{
# lets see if know the callee
if (lookup_user("$tu.uid", "@ruri")) {
# load the preferences of the callee to have his timeout values loaded
load_attrs("$tu", "$t.uid");
# if you want to know if the callee username was an alias
# check it like this
#if (! $tu.uri_canonical) {
# if the alias URI has different AVPs/preferences
# you can load them into the URI track like this
#load_attrs("$tr", "@ruri");
#}
# native SIP destinations are handled using our USRLOC DB
if (lookup_contacts("location")) {
append_hf("P-hint: usrloc applied\r\n");
# we set the TM module timers according to the preferences
# of the callee (avoid too long ringing of his phones)
# Note1: timer values have to be in ms now!
# Note2: this makes even more sense if you switch to a voicemail
# in a FAILURE route
if ($t.fr_inv_timer) {
if ($t.fr_timer) {
t_set_fr("$t.fr_inv_timer", "$t.fr_timer");
} else {
t_set_fr("$t.fr_inv_timer");
}
}
route(FORWARD);
} else {
sl_send_reply("480", "User temporarily not available");
drop;
}
};
}
route[PSTN]
{
# Only if the AVP 'gw_ip' is set and the request URI contains
# only a number we consider sending this to the PSTN GW.
# Only users from a local domain are permitted to make calls.
# Additionally you might want to check the acl AVP to verify
# that the user is allowed to make such expensives calls.
if ($f.did && $gw_ip &&
uri=~"sips?:\+?[0-9]{3,18}@.*") {
# probably you need to convert the number in the request
# URI according to the requirements of your gateway here
# if an AVP 'asserted_id' is set we insert an RPID header
if ($asserted_id) {
xlset_attr("$rpidheader", "<sip:%$asserted_id@%@ruri.host>;screen=yes");
replace_attr_hf("Remote-Party-ID", "$rpidheader");
}
# just replace the domain part of the RURI with the
# value from the AVP and send it out
attr2uri("$gw_ip", "domain");
route(FORWARD);
}
}
route[PRES_AUTHENTICATE]
{
# we want only authenticated users to be registered
if (!www_authenticate("$fd.digest_realm", "credentials")) {
if ($? == -2) {
sl_send_reply("500", "Internal Server Error");
} else if ($? == -3) {
sl_send_reply("400", "Bad Request");
} else {
if ($digest_challenge) {
append_to_reply("%$digest_challenge");
}
sl_send_reply("401", "Unauthorized");
}
drop;
};
# check if the UID from the authentication meets the From header
$authuid = $uid;
if (!lookup_user("$fu.uid", "@from.uri")) {
del_attr("$uid");
}
if ($fu.uid != $fr.authuid) {
sl_send_reply("403", "Fake Identity");
drop;
}
}
route[RLS]
{
# to be done ... ;-)
break;
}
route[PRESENCE]
{
# if the request is one of presence messages lets take care of it
if (!((method=="SUBSCRIBE") || (method=="PUBLISH"))) {
# it is not presence related message let it be
break;
}
# check if the request is for one of our local domains
if (!$t.did) {
xlog("L_ERR", "Unknown domain in presence related message\n");
sl_send_reply("403", "Will not forward presence");
drop;
}
# authenticate the user in From using www_authenticate
# route(PRES_AUTHENTICATE);
if (!t_newtran()) {
sl_send_reply("500", "Internal error (t_newtran)");
drop;
}
if (!lookup_user("$tu.uid", "@to.uri")) {
if (method=="SUBSCRIBE") {
# SUBSCRIBE to nonexisting user -> try to handle it
# with RLS
route(RLS);
}
t_reply("404", "Unknown user in To");
drop;
}
if (method=="SUBSCRIBE") {
handle_subscription("registrar");
}
if (method=="PUBLISH") {
handle_publish("registrar");
}
drop;
}
Reference in new issue View Git Blame Copy Permalink