[Serusers] Proxy_authorize, www_authorize

Jiri Kuthan jiri at iptel.org
Fri Mar 28 14:13:47 CET 2003


Looks reasonable to me. My apologies it has taken so long to reply -- I've been
traveling too much.

-Jiri

At 12:01 AM 3/16/2003, Lasse Jansson wrote:
>Or perhaps I understand a little bit better now. I think the following script 
>passage will work better. /Lasse
>P.S. To other beginners at SIP: Several clients can't handle the qop parameter 
>correctly so it is safer to change the "1" to "0" in the challenges.
>
># REQUESTS DIRECTED TO MY DOMAIN
>        if (uri=~"[@:]mydomain\.com") {
>
># Challenge registrations
>                if (method=="REGISTER") {
>                        if (!www_authorize("mydomain.com", "subscriber")) {
>                                www_challenge("mydomain.com", "1");
>                                break;
>                        };
>                        save("location");
>                        break;
>                };
>
># Challenge INVITE request where the sender has my domain in From
>                if (method=="INVITE") {
>                        if (search("(f|From).*mydomain\.com")) {
>                                if (!proxy_authorize("mydomain.com", "subscriber")) {
>                                        proxy_challenge("mydomain.com", "1");
>                                        break;
>                                };
>                        };
>                };
>                # native SIP destinations are handled using our USRLOC DB
>                if (!lookup("location")) {
>                        sl_send_reply("404", "Not Found");
>                        break;
>                };
>
># REQUESTS DIRECTED TO OTHER DOMAINS
>        } else {
>
># Challenge any INVITE request where the sender has my domain in From
>                if (method=="INVITE") {
>                        if (search("(f|From).*mydomain\.com")) {
>                                if (!proxy_authorize("mydomain.com", "subscriber")) {
>                                        proxy_challenge("mydomain.com", "1");
>                                        break;
>                                };
>
># Drop INVITE requests where the sender does not have my domain in From
>                        } else {
>                                sl_send_reply("403", "Forbidden");
>                                break;
>                        };
>                };
>        };
>        # forward to current uri now
>        if (!t_relay()) {
>                sl_reply_error();
>        };
>
>On Friday 07 March 2003 00.49, Lasse Jansson wrote:
>> OK, I see what you mean. 
><snip>
>> > I see two limitations:
>> > - if you only challenge INVITEs to outside domain, people out of your
>> >   domain can call people in your domain and claim shamelessly your domain
>> >   name in From, which is then sort of rubberstamped by the proxy; so I
>> > think you can combine challenging based on From along with "anti-spam"
>> > policy "drop invites which have my domain neither in From nor in r-uri"
>> > - if you apply such policies to other requests than BYE, you will run into
>> > troubles, better be permissive about non-INVITEs. See
>> >
>> > http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html
>> >
>> > -Jiri
>> >
>> > At 10:10 PM 3/5/2003, Lasse Jansson wrote:
>> > >Thanks,
>> > >
>> > >One last question: I guess that if I want my server to offer <forwarding
>> > > of requests to other domains> only to authorized users in my domain I
>> > > should restrict the last part more, as follows:
>> > >
>> > ># For requests to other domains
>> > >                if (!proxy_authorize("mydomain.com", "subscriber")) {
>> > >                        proxy_challenge("mydomain.com", "1");
>> > >                        break;
>> > >                };
>> > >
>> > >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
>> > > this case)
>> > >
>> > >Lasse
>

--
Jiri Kuthan            http://iptel.org/~jiri/  
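The following is an added worked example, not code from the thread or from SER itself. It models in Python what the quoted route block does: the `www_authorize`/`proxy_authorize` step as an RFC 2617 Digest check against a subscriber table (with and without the `qop` parameter, which is what the "1"/"0" argument to the challenge functions toggles), and the surrounding policy Jiri describes (challenge INVITEs that carry our domain in From, drop outbound INVITEs that do not, leave non-INVITEs alone). The subscriber table, usrloc set, nonce and credentials are all constructed; `lookup("location")` is reduced to a set lookup on the request URI, and the `route` function returns the action name instead of sending replies.

```python
import hashlib
import hmac
import re

# Realm/domain used in the thread's script.
REALM = "mydomain.com"


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed stand-in for the "subscriber" table: username -> HA1 = MD5(user:realm:password).
SUBSCRIBERS = {"alice": md5(f"alice:{REALM}:s3cret")}
# Constructed stand-in for usrloc: registered request-URIs that lookup("location") would resolve.
LOCATION = {"sip:bob@mydomain.com", "sip:alice@mydomain.com"}


def parse_digest(header):
    """Parse a 'Digest k="v", k2=v2' credential header into a dict; None if not Digest."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k: (quoted if quoted else bare) for k, quoted, bare in pairs}


def expected_response(ha1, method, p):
    """RFC 2617 response value; without qop it reduces to the older RFC 2069 form."""
    ha2 = md5(f"{method}:{p['uri']}")
    if "qop" in p:
        return md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return md5(f"{ha1}:{p['nonce']}:{ha2}")


def authorize(header, method, nonce):
    """Server-side check playing the role of www_authorize/proxy_authorize(realm, "subscriber")."""
    p = parse_digest(header or "")
    if not p or p.get("realm") != REALM or p.get("nonce") != nonce:
        return False
    ha1 = SUBSCRIBERS.get(p.get("username"))
    if ha1 is None or "uri" not in p:
        return False
    if "qop" in p and (p["qop"] != "auth" or "nc" not in p or "cnonce" not in p):
        return False  # qop present but incomplete: the client behaviour the P.S. warns about
    return hmac.compare_digest(expected_response(ha1, method, p), p.get("response", ""))


def client_credentials(user, password, method, uri, nonce, qop):
    """What a well-behaved client answers; qop=False models a challenge issued with "0"."""
    p = {"username": user, "realm": REALM, "nonce": nonce, "uri": uri}
    if qop:
        p.update(qop="auth", nc="00000001", cnonce="0a4f113b")  # constructed cnonce
    p["response"] = expected_response(md5(f"{user}:{REALM}:{password}"), method, p)
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in p.items())


def route(req, nonce):
    """Decision logic of the quoted route block; returns the action instead of acting."""
    m = req["method"]
    # uri=~"[@:]mydomain\.com" in the script
    to_my_domain = re.search(r"[@:]mydomain\.com", req["ruri"]) is not None
    # search("(f|From).*mydomain\.com") in the script: our domain claimed in From
    from_my_domain = re.search(r"mydomain\.com", req["from"]) is not None
    if to_my_domain:
        if m == "REGISTER":
            if not authorize(req.get("Authorization"), m, nonce):
                return "401 www_challenge"
            return "save location"
        if m == "INVITE" and from_my_domain:
            if not authorize(req.get("Proxy-Authorization"), m, nonce):
                return "407 proxy_challenge"
        if req["ruri"] not in LOCATION:
            return "404 Not Found"
        return "t_relay"
    if m == "INVITE":
        if not from_my_domain:
            return "403 Forbidden"  # the anti-spam rule from Jiri's earlier reply
        if not authorize(req.get("Proxy-Authorization"), m, nonce):
            return "407 proxy_challenge"
    return "t_relay"  # non-INVITEs to other domains pass through unchallenged
```

Two things the model makes visible that the script hides: the method is bound into HA2, so credentials computed for an INVITE do not authorize a BYE, and an inbound INVITE from an outside domain to a local user is relayed without any challenge, which is exactly why the From-based challenge has to be paired with the 403 rule on the outbound side.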