Yes you can, it’s totally doable.
But you must have one socket for unencrypted and one for encrypted. So you need 2 “listen” one TLS and one TCP.


On Sun, 10 Nov 2019 at 02:16, sthustfo <sthustfo@gmail.com> wrote:
Well, I was hoping there was a way to proxy from non secure (WS) to secure one (TLS) upstream.


On Sun, Nov 10, 2019 at 6:12 AM David Villasmil <david.villasmil.work@gmail.com> wrote:
You need to have a TLS listen like


On Sun, 10 Nov 2019 at 00:32, David Villasmil <david.villasmil.work@gmail.com> wrote:
From what you paste, 8080 is not TLS

On Sat, 9 Nov 2019 at 23:29, sthustfo <sthustfo@gmail.com> wrote:
Kamailio listening on WS only as seen from below log snippet. As I mentioned earlier, talks pure WS (no WSS) with the clients, and TLS towards the SIP server.

 0(3268) INFO: <core> [core/sctp_core.c:74]: sctp_core_check_support(): SCTP API not enabled - if you want to use it, load sctp module
Listening on
             tcp: 10.0.0.14 [10.0.0.14]:8080
Aliases:
             *: test.example.com:*

And here is the relevant portion from config file.
listen=tcp:10.0.0.14:8080

With the above, I modified dispatcher.list as below
# setid(integer) destination(sip uri) flags (integer, optional), priority(int,opt), attrs (str,optional)
1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tcp:10.0.0.14:8080;ping_from=sip:10.0.0.14

With the above change, I see following in the logs

 1(3271) WARNING: <core> [core/forward.c:228]: get_send_socket2(): protocol/port mismatch (forced tcp:10.0.0.14:8080, to tls:10.0.0.100:5061)
 1(3271) ERROR: tm [ut.h:315]: uri2dst2(): no corresponding socket found for "10.0.0.100" af 2 (tls:10.0.0.100:5061)
 1(3271) ERROR: tm [uac.c:449]: t_uac_prepare(): no socket found
 1(3271) ERROR: dispatcher [dispatch.c:3107]: ds_ping_set(): unable to ping [sip:10.0.0.100:5061;transport=tls]
 1(3271) WARNING: <core> [core/forward.c:228]: get_send_socket2(): protocol/port mismatch (forced tcp:10.0.0.14:8080, to tls:10.0.0.100:5061)

But not attempts to connect to the SIP server.

On Sat, Nov 9, 2019 at 11:48 PM David Villasmil <david.villasmil.work@gmail.com> wrote:
Please paste the “listen” parameters from the config.

On Sat, 9 Nov 2019 at 18:04, David Villasmil <david.villasmil.work@gmail.com> wrote:
Is kamailio listening in that socket?

On Sat, 9 Nov 2019 at 17:34, sthustfo <sthustfo@gmail.com> wrote:
Thanks Karsten. Instead of SIP server, I ran a simple socket listener program to see if dispatcher is attempting to connect to it or not. But it did not receive any client connection attempts. So after looking at the logs, I found below log statements. Any idea why this might have happened?

 0(3004) ERROR: dispatcher [dispatch.c:411]: pack_dest(): non-local socket <tls:10.0.0.14:5061>
 0(3004) WARNING: dispatcher [dispatch.c:816]: ds_load_list(): unable to add destination sip:10.0.0.100:5061;transport=tls to set 1007 -- skipping

dispatcher.list file pasted below contains the address. Why would this be an error?

# setid(integer) destination(sip uri) flags (integer, optional), priority(int,opt), attrs (str,optional)
1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tls:10.0.0.14:5061;ping_from=sip:10.0.0.14


On Sat, Nov 9, 2019 at 9:35 PM Karsten Horsmann <khorsmann@gmail.com> wrote:
Hi,

I guess the dispatcher is not able to get an 200 okay from your upstream tls / sipserver. And so the dispatcher did his job. Find no active dispatcher targets, then told you that. 

You find more about the dispatcher state with kamctl dispatcher dump or kamcmd dispatcher.list 

And read the module docu of dispatcher, they explain you the states of the commands above.

Hints here:

Reading dispatcher docu, understand the states, read tls (maybe that's your root cause). 


Cheers 
Karsten 

sthustfo <sthustfo@gmail.com> schrieb am Sa., 9. Nov. 2019, 14:56:
Thanks David. You are right, ds_select_dst() is failing and error log is shown.

 9(2528) ERROR: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} dispatcher [dispatch.c:2032]: ds_manage_routes(): no destination sets
 9(2528) exec: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} *** cfgtrace:request_route=[DISPATCH] c=[/etc/kamailio/kamailio.cfg] l=970 a=25 n=xdbg
 9(2528) DEBUG: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} <script>: --- DISPATCH: Dispatcher could not find any destination
 9(2528) exec: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} *** cfgtrace:request_route=[DISPATCH] c=[/etc/kamailio/kamailio.cfg] l=971 a=26 n=send_reply

Here is the config around ds_select_dst()

# Dispatch requests
route[DISPATCH] {
        # round robin dispatching on gateways group '1'
        if(!ds_select_dst("1007", "4")) {
                xdbg("--- DISPATCH: Dispatcher could not find any destination\n");
                send_reply("404", "No destination");
                exit;
        }
        t_on_failure("RTF_DISPATCH");
        route(RELAY);
        exit;
}

Is there any way to see the logs for communication that happens with the destination? As you said, that also could be one of points of failure.

BTW, I have set following config for pinging destination.

modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
#modparam("dispatcher", "db_url", DBURL)                        #Use DBURL variable for database parameters
modparam("dispatcher", "ds_ping_interval", 10)          #How often to ping destinations to check status
modparam("dispatcher", "ds_ping_method", "OPTIONS")     #Send SIP Options ping
modparam("dispatcher", "ds_probing_threshold", 10)      #How many failed pings in a row do we need before we consider it down
modparam("dispatcher", "ds_inactive_threshold", 10)     #How many sucessful pings in a row do we need before considering it up
modparam("dispatcher", "ds_ping_latency_stats", 1)      #Enables stats on latency
modparam("dispatcher", "ds_probing_mode", 1)            #Keeps pinging gateways when state is known (to detect change in state)

Best Regards.

On Sat, Nov 9, 2019 at 6:32 PM David Villasmil <david.villasmil.work@gmail.com> wrote:
Please post the config around the ds_select

What that’s saying is basically it could not find a destination for the set you are asking for.

Either because the setid you provide with the function doesn’t exist, or the destination is not responding to the pings.


On Sat, 9 Nov 2019 at 10:33, sthustfo <sthustfo@gmail.com> wrote:
Thanks Karsten. The setup consists of client connecting to kamailio over WS (10.0.0.14). Kamailio needs to proxy the requests to SIP server (10.0.0.100) over TLS. As per your suggestion, I modified the dispatch list as below

# setid(integer) destination(sip uri) flags (integer, optional), priority(int,opt), attrs (str,optional)
1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tls:10.0.0.14:5061;ping_from=sip:10.0.0.14

With above, kamailio replies to REGISTER with "SIP/2.0 404 No destination". And in the logs, I see following statement.

1(2281) DEBUG: dispatcher [dispatch.c:3125]: ds_check_timer(): no destination sets

What does this mean? Is kamailio not able to talk to SIP server for some reason?

Regards

On Fri, Nov 8, 2019 at 11:55 PM Karsten Horsmann <khorsmann@gmail.com> wrote:
Hi,


Your config line for the dispatcher makes no sense for me. 

1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tls:10.0.0.100:5061;ping_from=sip:10.0.0.14


Means setid 1007 (like an group to arrange multiple targets) okay. 
But sip:10.0.0.100:5061;transport=tls is the dispatcher target Uri. Where your calls are placed when you call the dispatcher function with setid 1007.

In combination with socket=10.0.0.100:5061 (that indicates your Kamailio socket, the proxy ip) 
That you talking with yourself. 

You should read the module documentations for dispatcher and tls. 

Or describe your ip setup and your config a bit more. 

Cheers 
Karsten 

sthustfo <sthustfo@gmail.com> schrieb am Fr., 8. Nov. 2019, 17:41:
Hi Karsten, David,

Thanks for your pointers. Earlier I was using mysql backend where the dispatch list was stored. Now following your suggestions, I have switched to dispatcher list in a file (/etc/kamailio/dispatcher.list) and put in the following

# setid(integer) destination(sip uri) flags (integer, optional), priority(int,opt), attrs (str,optional)
1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tls:10.0.0.100:5061;ping_from=sip:10.0.0.14

Even with this, when HTTP request in, the same is upgraded to WS connection. But this gets closed after couple of seconds. Does the below log indicate anything?

9(1784) exec: *** cfgtrace:request_route=[xhttp:request] c=[/etc/kamailio/kamailio.cfg] l=1112 a=2 n=exit
 9(1784) DEBUG: <core> [core/usr_avp.c:636]: destroy_avp_list(): destroying list (nil)

Is there any way to understand what's happening? I do not see any other error lin logs.

Thanks.



On Thu, Nov 7, 2019 at 2:34 PM Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

On 06.11.19 20:46, Karsten Horsmann wrote:
Hi, 

the sips Uri schemata is not used for tls with dispatcher.

jumping in to clarify a bit about sips protocol schema. It doesn't imply TLS as one may think HTTPS does it for HTTP. The sips is mandating that the traffic goes over secure links, which can be IPSec/VPN or even just private network, so it is ok using UDP or TCP when sips is present.

In SIP, if TLS is wanted, then transport=tls has to be added to the URI.

As for dispatcher, one more clarification: trasport=tls in attrs has nothing to do with the destination address, so that has to be in the value of the destination field, as Karsten gave in his example.

And, as general note: better do not use sips at all, it can mess up some nodes in the path, if you are not sure about the need of sips -- just do uri;trasport=tls.

Cheers,
Daniel


Here an example for flatfile dispatcher.list (need corrected values). 

The socket line must match an listen directive in your Kamailio.cfg. 


root@sbc1:~# cat /etc/kamailio/dispatcher.list
# setid(integer) destination(sip uri) flags (integer, optional), priority(int,opt), attrs (str,optional)
1007 sip:sip.pstnhub.microsoft.com;transport=tls 0 3 socket=tls:212.xx.xx.xx:5061;ping_from=sip:sbc-d01.yourdomain

Cheers 
Karsten 

sthustfo <sthustfo@gmail.com> schrieb am Mi., 6. Nov. 2019, 20:32:
I have a basic setup where kamailio receives SIP over websocket (no WSS) and forwards to SIP server over TLS. I have enabled TLS in kamailio.cfg and added dispatcher node as sips:SIP_SERVER:5061 and transport=tls.

+----+-------+------------------------+-------+----------+---------------+----------------+
| id | setid | destination            | flags | priority | attrs         | description    |
+----+-------+------------------------+-------+----------+---------------+----------------+
|  4 |     1 | sips:10.0.0.100:5061 |     0 |        0 | transport=tls | SIP SERVER |
+----+-------+------------------------+-------+----------+---------------+----------------+

Now when REGISTER is received over websocket, kamailio is responding with error code 500 and phrase "500 I'm terribly sorry, server error occurred (7/SL)". And on the console I see the following error messages.

12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} <core> [core/md5utils.c:67]: MD5StringArray(): MD5 calculated: f1ecf7bcb659b07fe81e332e100044e5
12(33858) ERROR: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm [ut.h:315]: uri2dst2(): no corresponding socket found for "10.0.0.100" af 2 (tls:10.0.0.100:5061)
12(33858) ERROR: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm [t_fwd.c:467]: prepare_new_uac(): can't fwd to af 2, proto 3  (no corresponding listening socket)
12(33858) ERROR: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm [t_fwd.c:1735]: t_forward_nonack(): failure to add branches

12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm [t_funcs.c:334]: t_relay_to(): t_forward_nonack returned error -7 (-7)
12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm [t_funcs.c:352]: t_relay_to(): -7 error reply generation delayed
12(33858) exec: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} *** cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=587 a=24 n=sl_reply_error
12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} <core> [core/msg_translator.c:162]: check_via_address(): (10.0.0.14, hsvmphm3ps12.invalid, 0)
12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} websocket [ws_conn.c:452]: wsconn_get(): wsconn_get for id [3]

tls.cfg contents
[client:default]
method = TLSv1
verify_certificate = yes
require_certificate = yes
private_key = /home/test/kamailio/internal.key
certificate = /home/test/kamailio/internal.crt
ca_list = /home/test/kamailio/ca_list.pem

Any reason why this error is seen? Any inputs appreciated.

Thanks.
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards,

David Villasmil
phone: +34669448337
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards,

David Villasmil
phone: +34669448337
--
Regards,

David Villasmil
phone: +34669448337
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards,

David Villasmil
phone: +34669448337
--
Regards,

David Villasmil
phone: +34669448337
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards,

David Villasmil
email: david.villasmil.work@gmail.com
phone: +34669448337