[Serusers] Proxy_authorize, www_authorize
Lasse Jansson
lasse at solstiernan.nu
Mon Mar 31 21:04:26 CEST 2003
OK, thanks
I've learned something from this thread. I understand the delay in your
answer, and I am anyway impressed by your "mail answering throughput"!
Lasse
On Friday 28 March 2003 14.13, Jiri Kuthan wrote:
> Looks reasonable to me. My apologies it has taken so long to reply -- I've
> been traveling too much.
>
> -Jiri
>
> At 12:01 AM 3/16/2003, Lasse Jansson wrote:
> >Or perhaps I understand a little bit better now. I think the following
> > script passage will work better. /Lasse
> >P.S. To other beginners at SIP: Several clients can't handle the qop
> > parameter correctly so it is safer to change the "1" to "0" in the
> > challenges.
> >
> > # REQUESTS DIRECTED TO MY DOMAIN
> > if (uri=~"[@:]mydomain\.com") {
> >
> >     # Challenge registrations
> >     if (method=="REGISTER") {
> >         if (!www_authorize("mydomain.com", "subscriber")) {
> >             www_challenge("mydomain.com", "1");
> >             break;
> >         };
> >         save("location");
> >         break;
> >     };
> >
> >     # Challenge INVITE request where the sender has my domain in From
> >     if (method=="INVITE") {
> >         if (search("(f|From).*mydomain\.com")) {
> >             if (!proxy_authorize("mydomain.com", "subscriber")) {
> >                 proxy_challenge("mydomain.com", "1");
> >                 break;
> >             };
> >         };
> >     };
> >     # native SIP destinations are handled using our USRLOC DB
> >     if (!lookup("location")) {
> >         sl_send_reply("404", "Not Found");
> >         break;
> >     };
> >
> > # REQUESTS DIRECTED TO OTHER DOMAINS
> > } else {
> >
> >     # Challenge any INVITE request where the sender has my domain in From
> >     if (method=="INVITE") {
> >         if (search("(f|From).*mydomain\.com")) {
> >             if (!proxy_authorize("mydomain.com", "subscriber")) {
> >                 proxy_challenge("mydomain.com", "1");
> >                 break;
> >             };
> >
> >         # Drop INVITE requests where the sender does not have my domain in From
> >         } else {
> >             sl_send_reply("403", "Forbidden");
> >             break;
> >         };
> >     };
> > };
> > # forward to current uri now
> > if (!t_relay()) {
> >     sl_reply_error();
> > };
> >
> >On Friday 07 March 2003 00.49, Lasse Jansson wrote:
> >> OK, I see what you mean.
> >
> ><snip>
> >
> >> > I see two limitations:
> >> > - if you only challenge INVITEs to outside domain, people out of your
> >> > domain can call people in your domain and claim shamelessly your
> >> > domain name in From, which is then sort of rubberstamped by the proxy;
> >> > so I think you can combine challenging based on From along with
> >> > "anti-spam" policy "drop invites which have my domain neither in From
> >> > nor in r-uri" - if you apply such policies to other requests than BYE,
> >> > you will run into troubles, better be permissive about non-INVITEs.
> >> > See
> >> >
> >> > http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html
> >> >
> >> > -Jiri
> >> >
> >> > At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> >> > >Thanks,
> >> > >
> >> > >One last question: I guess that if I want my server to offer
> >> > > <forwarding of requests to other domains> only to authorized users
> >> > > in my domain I should restrict the last part more, as follows:
> >> > >
> >> > > # For requests to other domains
> >> > > if (!proxy_authorize("mydomain.com", "subscriber")) {
> >> > >     proxy_challenge("mydomain.com", "1");
> >> > >     break;
> >> > > };
> >> > >
> >> > >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> >> > > this case)
> >> > >
> >> > >Lasse
> >
> >_______________________________________________
> >Serusers mailing list
> >serusers at lists.iptel.org
> >http://lists.iptel.org/mailman/listinfo/serusers
>
> --
> Jiri Kuthan http://iptel.org/~jiri/
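What the "1"/"0" qop flag in the challenges above changes for the client, as an added example that is not part of the original thread and not SER's own code: the RFC 2617 digest computed with and without qop=auth, plus a server-side check. The user, password, nonce, the `verify` and `client_credentials` helpers and the "mislabeled" client are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request digest; qop=None is the older RFC 2069 form."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify(creds, method, password):
    """Hypothetical server-side check: the formula follows the fields sent."""
    qop = creds.get("qop")
    if qop not in (None, "auth"):
        return False
    if qop == "auth" and not (creds.get("nc") and creds.get("cnonce")):
        return False  # qop claimed without the counters it depends on
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"],
                               qop, creds.get("nc"), creds.get("cnonce"))
    return hmac.compare_digest(expected, creds["response"])

# Constructed sample values, not taken from the thread.
PASSWORD = "example-password"
BASE = {"username": "alice", "realm": "mydomain.com",
        "uri": "sip:mydomain.com", "nonce": "constructed-nonce-0001"}

def client_credentials(qop_offered, broken=False):
    """Build REGISTER credentials; broken=True labels a legacy digest as qop=auth."""
    creds = dict(BASE)
    if qop_offered:
        creds.update(qop="auth", nc="00000001", cnonce="constructed-cnonce")
    use_qop = creds.get("qop") if not broken else None
    creds["response"] = digest_response(
        creds["username"], creds["realm"], PASSWORD, "REGISTER",
        creds["uri"], creds["nonce"], use_qop, creds.get("nc"), creds.get("cnonce"))
    return creds

if __name__ == "__main__":
    for label, creds in [("qop offered", client_credentials(True)),
                         ("no qop", client_credentials(False)),
                         ("qop mislabeled", client_credentials(True, broken=True))]:
        print(label, "->", verify(creds, "REGISTER", PASSWORD))
```

A client that echoes qop=auth but hashes the legacy string fails the check even with the right password, which is the kind of failure that disappears when the challenge carries no qop.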