[Serusers] Proxy_authorize, www_authorize

Lasse Jansson lasse at solstiernan.nu
Sun Mar 16 00:01:43 CET 2003


Or perhaps I understand a little bit better now. I think the following script 
passage will work better. /Lasse
P.S. To other beginners at SIP: Several clients can't handle the qop parameter 
correctly so it is safer to change the "1" to "0" in the challenges.

# REQUESTS DIRECTED TO MY DOMAIN
	if (uri=~"[@:]mydomain\.com") {

# Challenge registrations
		if (method=="REGISTER") {
			if (!www_authorize("mydomain.com", "subscriber")) {
				www_challenge("mydomain.com", "1");
				break;
			};
			save("location");
			break;
		};

# Challenge INVITE request where the sender has my domain in From
		if (method=="INVITE") {
			if (search("(f|From).*mydomain\.com")) {
				if (!proxy_authorize("mydomain.com", "subscriber")) {
					proxy_challenge("mydomain.com", "1");
					break;
				};
			};
		};
		# native SIP destinations are handled using our USRLOC DB
		if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			break;
		};

# REQUESTS DIRECTED TO OTHER DOMAINS
	} else {

# Challenge any INVITE request where the sender has my domain in From
		if (method=="INVITE") {
			if (search("(f|From).*mydomain\.com")) {
				if (!proxy_authorize("mydomain.com", "subscriber")) {
					proxy_challenge("mydomain.com", "1");
					break;
				};

# Drop INVITE requests where the sender does not have my domain in From
			} else {
				sl_send_reply("403", "Forbidden");
				break;
			};
		};
	};
	# forward to current uri now
	if (!t_relay()) {
		sl_reply_error();
	};

On Friday 07 March 2003 00.49, Lasse Jansson wrote:
> OK, I see what you mean. 
<snip>
> > I see two limitations:
> > - if you only challenge INVITEs to outside domain, people out of your
> >   domain can call people in your domain and claim shamelessly your domain
> >   name in From, which is then sort of rubberstamped by the proxy; so I
> > think you can combine challenging based on From along with "anti-spam"
> > policy "drop invites which have my domain neither in From nor in r-uri"
> > - if you apply such policies to other requests than BYE, you will run into
> > troubles, better be permissive about non-INVITEs. See
> >
> > http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html
> >
> > -Jiri
> >
> > At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> > >Thanks,
> > >
> > >One last question: I guess that if I want my server to offer <forwarding
> > > of requests to other domains> only to authorized users in my domain I
> > > should restrict the last part more, as follows:
> > >
> > ># For requests to other domains
> > >                if (!proxy_authorize("mydomain.com", "subscriber")) {
> > >                        proxy_challenge("mydomain.com", "1");
> > >                        break;
> > >                };
> > >
> > >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> > > this case)
> > >
> > >Lasse
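
Added example, not part of the original post or of SER: a Python comparison of the script's search("(f|From).*mydomain\.com") test with a check that parses the host out of the From URI. It assumes search() tries the regex on every line of the message, ignoring case; the helper names and the sample messages are constructed for illustration.

```python
import re

DOMAIN = "mydomain.com"  # placeholder domain from the posted script
# Pattern from the post. Assumption: search() tries it on every line of the
# message, ignoring case; re.I | re.M models that here.
LOOSE = re.compile(r"(f|From).*mydomain\.com", re.I | re.M)

def from_host(msg):
    """Return the lower-cased host of the From URI, or None if not found."""
    m = re.search(r"^(?:f|From)[ \t]*:(.*)$", msg, re.I | re.M)
    if not m:
        return None
    value = m.group(1)
    # Prefer the URI inside <...>; otherwise cut the header parameters off.
    angle = re.search(r"<([^>]*)>", value)
    uri = (angle.group(1) if angle else value.split(";")[0]).strip()
    hostport = uri.split(":", 1)[-1].split("@")[-1]  # drop scheme, userinfo
    return re.split(r"[:;?]", hostport)[0].lower() or None  # drop port, params

def loose_is_local(msg):
    return LOOSE.search(msg) is not None

def strict_is_local(msg):
    return from_host(msg) == DOMAIN

def invite(ruri, from_line):
    """Build a minimal, constructed INVITE (not a captured message)."""
    return (f"INVITE {ruri} SIP/2.0\r\n{from_line}\r\n"
            f"To: <{ruri}>\r\nCall-ID: 1234@host.example\r\n\r\n")

SAMPLES = {
    "local caller": invite("sip:carol@other.example",
                           "From: <sip:alice@mydomain.com>;tag=1"),
    "compact form": invite("sip:carol@other.example",
                           "f: sip:alice@mydomain.com;tag=2"),
    "outside caller, callee 'fred'": invite("sip:fred@mydomain.com",
                                            "From: <sip:bob@other.example>;tag=3"),
    "look-alike domain": invite("sip:carol@other.example",
                                "From: <sip:bob@notmydomain.com>;tag=4"),
    "outside to outside": invite("sip:carol@other.example",
                                 "From: <sip:bob@other.example>;tag=5"),
}

def compare():
    return {k: (loose_is_local(v), strict_is_local(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:32} loose={loose!s:5} strict={strict}")
```

Under that assumption, the two samples where the loose test alone matches would get a proxy challenge from the posted script instead of a location lookup or a 403.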



