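The code means that if a user is establishing a call (the UA generates an INVITE message) and the user is not already registered on the your.domain registrar server, the user will be challenged to authenticate before the call proceeds, and only users from your.domain will be authorized (accepted). Note that proxy_authorize() checks the digest credentials carried in the request against the subscriber table, so what is enforced is that the caller can authenticate, not that the caller holds a current registration.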
Personally, I think it is good practice to put some code into ser.cfg where the REGISTER message is handled, so that only users who have an account on the your.domain registrar (or proxy with registrar features) server are allowed to register (and make a call), for example:
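# REGISTER handling: the sender must present valid digest credentials for the
# realm before anything is written to the location table. When the check
# fails, www_challenge() answers the request with a digest challenge.
if (!www_authorize("your.domain", "subscriber")) {
    www_challenge("your.domain", "0");
    break;
};

# only registered users are allowed
# do not register someone else
# NOTE(review): check_to() presumably compares the To user with the username
# in the accepted credentials (uri module) -- confirm for your SER version.
if (!check_to()) {
    log(1, "LOG: unregistered user registration attempt\n");
    # Exactly one final reply is sent. The credentials were already accepted
    # above, so this is a policy refusal (403); the earlier version also sent
    # a 401 first, which carried no challenge and made the 403 a second final
    # response to the same request.
    sl_send_reply("403", "Only registered users are allowed");
    break;
};

# save the registration process results
if (!save("location")) {
    sl_reply_error();
};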
Citát Ryan Pagquil rpagquil@philonline.com:
Hi, I'm currently subscribed to iptel.org. Well, iptel.org's proxy doesn't allow unregistered users to call anybody; I already tried it. Does having my domain specified in the proxy_authorize section mean that only users from my domain will be asked to register first before they can place a call? I think I already tried this.. but I'll still test. =)
Thanks, Ryan
Pavol Segec wrote:
If I understand correctly, you just need to put an authorization challenge into your ser.cfg file where INVITE messages are handled, as follows:
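# INVITE handling: require valid digest credentials for realm "your.domain"
# (checked against the "subscriber" table) before the call is processed.
if (!proxy_authorize("your.domain", "subscriber")) {
    # proxy_challenge() itself answers the request with the digest challenge,
    # so nothing else is replied here. The earlier version sent a 403 right
    # after it, i.e. a second final response to the same request.
    proxy_challenge("your.domain", "0");
    break;
};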
Citát Dave ddx66@yahoo.com:
You can't, as far as I know. You must use a User Agent that does not allow a user to make calls unless the UA is registered.
--- rpagquil@philonline.com wrote:
Hi, I'm setting up ser so that unregistered users can't make any calls to anybody. I have configured to allow all other domains to make a call to my local users. But when my local user that is unregistered it can still make calls to other local users. How would I do to block him totally? here is my ser.cfg:

# ----- global parameters -----
debug=3
fork=yes
log_stderror=yes
# NOTE(review): no value is shown for listen -- presumably removed by the
# poster before sending.
listen=
port=5060
children=4
dns=no
rev_dns=no
# NOTE(review): the management FIFO is created under /tmp; check its owner and
# mode so that only administrators can write commands to it.
fifo="/tmp/ser_fifo"
# NOTE(review): the database password is embedded in this URL (and again in
# the db_url modparams below). "heslo" looks like the stock example password
# -- confirm it has been changed, and keep this file readable only by the
# account that runs ser.
fifo_db_url="mysql://ser:heslo@localhost/ser"
alias=sip.philonline.com

#load module part
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/domain.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
loadmodule "/usr/local/lib/ser/modules/permissions.so"

#module parameter setup
modparam("rr", "enable_full_lr", 1)
modparam("auth_db|uri_db|usrloc|domain|permissions", "db_url", "mysql://ser:heslo@localhost/ser")
# NOTE(review): with calculate_ha1 enabled, auth_db is documented as deriving
# HA1 from the column named below, which implies plaintext passwords in the
# subscriber table -- confirm, and consider storing precomputed HA1 values.
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("usrloc", "db_mode", 2)
modparam("nathelper", "rtpproxy_disable", 1)
modparam("nathelper", "natping_interval", 0)
modparam("mediaproxy", "natping_interval", 30)
modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy.sock")
modparam("mediaproxy", "sip_asymmetrics", "/usr/local/etc/ser/sip-clients")
modparam("mediaproxy", "rtp_asymmetrics", "/usr/local/etc/ser/rtp-clients")
# Flag 6 is the same flag that route[2] and the loose-route branch set with
# setflag(6).
modparam("registrar", "nat_flag", 6)
modparam("acc", "log_level", 2)
modparam("acc", "log_fmt", "cdfimorstup")
modparam("acc", "report_ack", 1)
#modparam("acc", "failed_transactions", 1)
# Flag 1 is set in the accounting section of the main route.
modparam("acc", "log_flag", 1)
#modparam("acc", "report_cancels", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 3)
modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")
modparam("uri_db", "uri_table", "uri")
modparam("uri_db", "uri_user_column", "username")
modparam("uri_db", "uri_domain_column", "domain")
modparam("domain", "db_mode", 1)
modparam("domain", "domain_table", "domain")
modparam("domain", "domain_col", "domain")
modparam("permissions", "default_allow_file", "/usr/local/etc/ser/allow.permissions")
modparam("permissions", "default_deny_file", "/usr/local/etc/ser/deny.permissions")

#our routing logic
# Main route: sanity checks, record-routing, accounting flag, in-dialog
# (loose-routed) requests, then dispatch by destination and method.
route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too many hops");
        break;
    };
    if (msg:len > max_len) {
        sl_send_reply("513", "Message overflow");
        break;
    };

    ###record route####
    if (method=="INVITE" && client_nat_test("3")) {
        record_route_preset(";nat=yes");
    } else if (method!="REGISTER") {
        record_route();
    };

    ###call tear down section###
    if (method=="BYE" || method=="CANCEL") {
        end_media_session();
    };

    ###accounting###
    if ((!has_totag() && (method=="INVITE" || method=="ACK")) || (method=="BYE")) {
        setflag(1);
    };

    ###loose route###
    if (loose_route()) {
        if (has_totag() && (method=="INVITE" || method=="ACK")) {
            if (client_nat_test("3") || search("^Route:.*;nat=yes")) {
                setflag(6);
                use_media_proxy();
            };
        };
        route(1);
        break;
    };

    ###call type processing###
    # NOTE(review): a request whose Request-URI is not local is relayed through
    # route(1) here, before any of the authentication blocks below is reached.
    if (uri!=myself) {
        route(1);
        break;
    };
    if (uri==myself) {
        # CANCEL and INVITE share route[3]; REGISTER goes to route[2].
        if (method=="CANCEL") {
            route(3);
            break;
        } else if (method=="INVITE") {
            route(3);
            break;
        } else if (method=="REGISTER") {
            route(2);
            break;
        };
        # Every other method: resolve aliases, then the location table.
        lookup("aliases");
        if (uri!=myself) {
            route(1);
            break;
        };
        if (!lookup("location")) {
            sl_send_reply("404", "User not found");
            break;
        };
    };
    route(1);
}

##Default message handler##
# Relays the request statefully with reply route 1 armed; when the relay
# fails, the media session is ended for INVITE/ACK and an error reply is sent.
route[1] {
    t_on_reply("1");
    if (!t_relay()) {
        if (method=="INVITE" || method=="ACK") {
            end_media_session();
        };
        sl_reply_error();
    };
}

##Register message handler##
route[2] {
    sl_send_reply("100", "Trying");
    # NOTE(review): presumably meant to skip the NAT fix-up for a wildcard
    # "Contact: *"; the trailing "*" in the pattern is not escaped -- verify
    # that the pattern matches what was intended.
    if (!search("^Contact:\ +*") && client_nat_test("7")) {
        setflag(6);
        fix_nated_register();
        force_rport();
    };
    # Digest authentication for REGISTER: challenge and stop unless the request
    # carries valid credentials for this realm.
    if (!www_authorize("sip.philonline.com","subscriber")) {
        www_challenge("sip.philonline.com","0");
        break;
    };
    # NOTE(review): this 401 is sent after the credentials were accepted and
    # carries no challenge; presumably check_to() ties the To user to the
    # authenticated username, in which case a 403 would describe the refusal
    # better -- confirm.
    if (!check_to()) {
        sl_send_reply("401", "You are Unauthorized");
        break;
    };
    consume_credentials();
    if (!save("location")) {
        sl_reply_error();
    };
}

##INVITE message Handler##
route[3] {
    if (client_nat_test("3")) {
        setflag(7);
        force_rport();
        fix_nated_contact();
    };
    # NOTE(review): the authentication block is nested inside "!search(...)",
    # so proxy_authorize() runs only when the pattern is NOT found. A request
    # whose To header names a sip.philonline.com user goes straight on to the
    # lookups and route(1) without any digest check, which matches the
    # behaviour described in the question (calls between local users are never
    # challenged). The pattern is also unanchored and its dots are unescaped,
    # so it is looser than the literal domain. Basing the decision to
    # authenticate on header text chosen by the sender is fragile; the check
    # belongs outside this condition.
    if (!search("To: .*@sip.philonline.com")) {
        # NOTE(review): the realm argument is empty; the auth module presumably
        # derives it from the request in that case -- confirm for this version.
        # CANCEL also reaches this block, and a CANCEL cannot usefully be
        # challenged -- verify that this is intended.
        if (!proxy_authorize("","subscriber")) {
            proxy_challenge("", "0");
            break;
        };
        if (!check_from() && method=="INVITE") {
            sl_send_reply("403", "User From=ID");
            break;
        };
    };
    lookup("aliases");
    if (uri!=myself) {
        route(1);
        break;
    };
    if (!lookup("location")) {
        sl_send_reply("404", "User not found");
        break;
    };
    if (method=="CANCEL") {
        route(1);
        break;
    };
    consume_credentials();
    if (isflagset(6) || isflagset(7)) {
        use_media_proxy();
    };
    route(1);
}

# Reply route armed by t_on_reply("1") in route[1].
onreply_route[1] {
    # NOTE(review): there are no parentheses around the two flag tests; if &&
    # binds tighter than || in this grammar, the status check applies only to
    # flag 7 -- confirm the intended grouping.
    if (isflagset(6) || isflagset(7) && (status=~"(180)|(183)|2[0-9][0-9]")) {
        if (!search("^Content-Length:\ +0")) {
            use_media_proxy();
        };
    };
    if (client_nat_test("1")) {
        fix_nated_contact();
    };
}

Thanks,
--ryan
Ryan Pagquil
Infodyne Inc. (www.philonline.com)
Tel. (632)-6870715
> _______________________________________________
-- Ryan Pagquil Infodyne Inc. - PhilOnline.com 3603 Antel Global Corporate Center Doña Julia Vargas Ave. Ortigas Center Pasig City Tel: 687-0715 Web: www.philonline.com
----- Koniec preposlanej správy -----