[Serusers] digest authentication without db
Francesco Fondelli
francesco.fondelli at gmail.com
Wed Jun 1 13:09:23 CEST 2005
Hello,
I'm new to SER and SIP as well so please forgive my
mistakes.
I'm trying to setup SER in order to forward calls to
a pool of pstn gateways. I want to use digest authentication
for UAs but I cannot store userid and passwords on a db.
Basically I would like to do:
if (!www_authorize("mydomain.com", "subscriber")) {
www_challenge("mydomain.com", "0");
break;
};
getting userid and password from a text configuration file
which contains this information. How can I do that?
I have written a ser cfg file and I would like someone to tell me
if it is ok. It is a mix of several different cfg files I have found
on the net. I'm sure it is far from ok :-)
Thanks for your help.
Ciao
-------------------------------------------------------------------
# ----------- global configuration parameters ------------------------
# NOTE(review): debug=4, fork=no and log_stderror=yes are foreground
# test settings (everything is logged to the terminal, no daemonizing);
# the commented-out values above each line are the usual daemon values.
#debug=3
debug=4
#fork=yes
fork=no
#log_stderror=no
log_stderror=yes
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
# NOTE(review): the management FIFO is created under /tmp, a directory
# every local user can write to. Whoever can write to this FIFO can issue
# management commands (with usrloc in memory-only mode that includes
# editing the location table), so prefer a directory writable only by
# the user SER runs as, and restrict the FIFO's mode/owner if your SER
# version offers those settings.
fifo="/tmp/ser_fifo"
#uid=
#gid=
listen=192.168.1.114
# The domain is matched by the uri regex in the route block rather than
# by an alias, so this stays commented out.
# alias="mydomain.com"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
# NOTE(review): mysql.so + auth_db.so is exactly the DB-backed credential
# lookup the message says is not wanted, and no db_url is configured for
# auth_db here. A flat-file alternative is the dbtext module (a text-file
# DB driver that auth_db can use through its db_url) -- confirm the exact
# URL syntax against the module documentation of your SER version.
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/uri.so"
# ----------------- setting module-specific parameters ---------------
# db_mode 0: registrations are kept in memory only and are lost on
# restart; that is consistent with not having a database at all.
modparam("usrloc", "db_mode", 0)
# ------------------------- routing logic ---------------------------
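route {
    # Sanity checks first: loop protection (Max-Forwards) and an upper
    # bound on the request size, before anything else looks at the message.
    if (!mf_process_maxfwd_header("10")) {
        log("Too many hops\n");
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if ( msg:len > max_len ) {
        log("Message too big\n");
        sl_send_reply("513", "Message too big");
        break;
    };

    # In-dialog requests (ACK, BYE, re-INVITE, ...) carry the Route header
    # added by record_route() below. They must be relayed along that route
    # and must not re-enter the authentication/rewrite logic: without this
    # the UA's ACK and the gateway's BYE would be challenged or rejected,
    # because their request-URI is the remote Contact, not our domain.
    if (loose_route()) {
        if (!t_relay()) {
            sl_reply_error();
        };
        break;
    };

    # Requests for our domain or for one of the PSTN gateways.
    # The patterns are anchored with '$' and the dots are escaped, so that
    # e.g. "user@mydomain.com.example" or "@192.168.1.1719" no longer match.
    if (uri=~"[@:]mydomain\.com([;:].*)*$" |
        uri=~"@192\.168\.1\.171([;:].*)*$" | #pstn gw1
        uri=~"@192\.168\.1\.172([;:].*)*$" | #pstn gw2
        uri=~"@192\.168\.1\.173([;:].*)*$" ) { #pstn gw3
        log("Request is for mydomain.com\n");

        # Registrations are always authenticated to avoid stealing
        # incoming calls. The registrar is the UAS for REGISTER, so a
        # 401 / WWW-Authenticate challenge is the right one here.
        if (method=="REGISTER") {
            log("Request is REGISTER\n");
            if (!www_authorize("mydomain.com", "subscriber")) {
                log("REGISTER has no credentials, sending challenge\n");
                www_challenge("mydomain.com", "0");
                break;
            };
            # Prohibit attempts to grab someone else's address
            # using someone else's valid credentials.
            if (!check_to()) {
                log("Cheating attempt\n");
                sl_send_reply("401", "Unauthorized");
                break;
            };
            # Update the user location database (in memory, db_mode 0).
            log("REGISTER is authorized, saving location\n");
            save("location");
            break;
        };

        # PSTN destinations: a purely numeric user part.
        if (uri=~"^sip:[0-9]+@") {
            # PSTN destinations are only for authenticated users. The GWs
            # have no digest support and are trusted by source address,
            # which is only as reliable as the network between them and
            # this host (keep them on a segment untrusted UAs cannot reach).
            # ACK and CANCEL cannot carry a challenge response and are not
            # challenged. This host is acting as a proxy for these
            # requests, so the challenge is a 407 (proxy_challenge /
            # Proxy-Authorization), not the 401 used for REGISTER.
            if (!(method=="ACK" | method=="CANCEL") &
                !(src_ip==192.168.1.171 | #pstn gw1
                  src_ip==192.168.1.172 | #pstn gw2
                  src_ip==192.168.1.173) & #pstn gw3
                !(proxy_authorize("mydomain.com", "subscriber"))) {
                proxy_challenge("mydomain.com", "0");
                break;
            };
            # INVITEs to the gateways are record-routed because the GWs
            # accept only requests coming from this proxy; the in-dialog
            # requests then come back through loose_route() above.
            if (method=="INVITE")
                record_route();
            # XXX: find the best gw using first part of telephone number and...
            rewritehostport("192.168.1.171:5060"); #172 or 173
        } else {
            # Native SIP destinations are resolved via our USRLOC table
            # and are accepted only from the gateways.
            if (src_ip==192.168.1.171 | #pstn gw1
                src_ip==192.168.1.172 | #pstn gw2
                src_ip==192.168.1.173) { #pstn gw3
                if (!lookup("location")) {
                    log("Unable to lookup contact, sending 404\n");
                    sl_send_reply("404", "Not Found");
                    break;
                };
            } else {
                log("No native SIP destination allowed\n");
                sl_send_reply("403", "Permission denied");
                break;
            };
        };
    } else {
        # Outbound requests (foreign domains) are not allowed.
        log("No outbound requests allowed\n");
        sl_send_reply("403", "Permission denied");
        break;
    };

    # Finally forward to the current uri; stateful forwarding works
    # reliably even when forwarding from TCP to UDP.
    if(!t_relay()) {
        sl_reply_error();
    };
}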