[Serusers] Ser 0.9.0 + Mediaproxy 1.3.1 - Problems with NATed Clients Authentication
Sönmez Güneş
sonmezgunes at gmail.com
Fri May 27 13:00:16 CEST 2005
I have the same problem. If you have found an improvement, please let me know...
Best Regards...
On 5/25/05, Greger V. Teigre <greger at teigre.com> wrote:
> Could they be caught by check_to() for some reason? Add some log entries
> to your config file to find out where it stops. And an ngrep trace always
> helps...
> g-)
>
> Felipe Martins wrote:
> > Hi everybody,
> >
> > I've configured SER to work with mediaproxy, and I also configured
> > mediaproxy.ini. My clients are authenticating normally, but only the
> > clients that have a public IP (ex. 200.201.145.146); all the clients
> > that are behind NAT can't REGISTER. What may be wrong? Does anyone
> > use SER 0.9.0 with mysql authentication and Mediaproxy who could
> > give me a hand?
> > My ser.cfg and mediaproxy.ini are as follows
> >
> >
> > ================== ser.cfg ======================
> > debug=3
> > fork=yes
> > log_stderror=no
> >
> > listen=192.0.2.13 # put your server IP address here
> > port=5060
> > children=4
> >
> > dns=no
> > rev_dns=no
> >
> > fifo="/tmp/ser_fifo"
> > fifo_db_url="mysql://ser:heslo@localhost/ser"
> >
> > loadmodule "/usr/local/lib/ser/modules/mysql.so"
> > loadmodule "/usr/local/lib/ser/modules/sl.so"
> > loadmodule "/usr/local/lib/ser/modules/tm.so"
> > loadmodule "/usr/local/lib/ser/modules/rr.so"
> > loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> > loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> > loadmodule "/usr/local/lib/ser/modules/registrar.so"
> > loadmodule "/usr/local/lib/ser/modules/auth.so"
> > loadmodule "/usr/local/lib/ser/modules/auth_db.so"
> > loadmodule "/usr/local/lib/ser/modules/uri.so"
> > loadmodule "/usr/local/lib/ser/modules/uri_db.so"
> > loadmodule "/usr/local/lib/ser/modules/domain.so"
> > loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"
> > loadmodule "/usr/local/lib/ser/modules/nathelper.so"
> > loadmodule "/usr/local/lib/ser/modules/textops.so"
> >
> > modparam("auth_db|uri_db|usrloc", "db_url",
> > "mysql://ser:heslo@localhost/ser")
> > modparam("auth_db", "calculate_ha1", 1)
> > modparam("auth_db", "password_column", "password")
> >
> > modparam("nathelper", "rtpproxy_disable", 1)
> > modparam("nathelper", "natping_interval", 0)
> >
> > modparam("mediaproxy","natping_interval", 30)
> > modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy.sock")
> > modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/ser/sip-clients")
> > modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/ser/rtp-clients")
> >
> > modparam("usrloc", "db_mode", 2)
> >
> > modparam("registrar", "nat_flag", 6)
> >
> > modparam("rr", "enable_full_lr", 1)
> >
> > route {
> >
> > # -----------------------------------------------------------------
> > # Sanity Check Section
> > # -----------------------------------------------------------------
> > if (!mf_process_maxfwd_header("10")) {
> > sl_send_reply("483", "Too Many Hops");
> > break;
> > };
> >
> > if (msg:len > max_len) {
> > sl_send_reply("513", "Message Overflow");
> > break;
> > };
> >
> > # -----------------------------------------------------------------
> > # Record Route Section
> > # -----------------------------------------------------------------
> > if (method=="INVITE" && client_nat_test("3")) {
> > # INSERT YOUR IP ADDRESS HERE
> > record_route_preset("192.0.2.13:5060;nat=yes");
> > } else if (method!="REGISTER") {
> > record_route();
> > };
> >
> > # -----------------------------------------------------------------
> > # Call Tear Down Section
> > # -----------------------------------------------------------------
> > if (method=="BYE" || method=="CANCEL") {
> > end_media_session();
> > };
> >
> > # -----------------------------------------------------------------
> > # Loose Route Section
> > # -----------------------------------------------------------------
> > if (loose_route()) {
> >
> > if (has_totag() && (method=="INVITE" ||
> > method=="ACK")) {
> >
> > if (client_nat_test("3") ||
> > search("^Route:.*;nat=yes")) {
> > setflag(6); use_media_proxy();
> > };
> > };
> >
> > route(1);
> > break;
> > };
> >
> > # -----------------------------------------------------------------
> > # Call Type Processing Section
> > # -----------------------------------------------------------------
> >
> > if (uri!=myself) {
> > route(1);
> > break;
> > };
> >
> > if (uri==myself) {
> >
> > if (method=="CANCEL") {
> > route(3);
> > break;
> > } else if (method=="INVITE") {
> > route(3);
> > break;
> > } else if (method=="REGISTER") {
> > route(2);
> > break;
> > };
> >
> > lookup("aliases");
> > if (uri!=myself) {
> > route(1);
> > break;
> > };
> >
> > if (!lookup("location")) {
> > sl_send_reply("404", "User Not Found");
> > break;
> > };
> > };
> >
> > route(1);
> > }
> >
> > route[1] {
> >
> > # -----------------------------------------------------------------
> > # Default Message Handler
> > # -----------------------------------------------------------------
> >
> > t_on_reply("1");
> >
> > if (!t_relay()) {
> >
> > if (method=="INVITE" || method=="ACK") {
> > end_media_session();
> > };
> >
> > sl_reply_error();
> > };
> > }
> >
> > route[2] {
> >
> > # -----------------------------------------------------------------
> > # REGISTER Message Handler
> > # -----------------------------------------------------------------
> >
> > sl_send_reply("100", "Trying");
> >
> > if (!search("^Contact:\ +\*") && client_nat_test("7")) {
> > setflag(6);
> > fix_nated_register();
> > force_rport();
> > };
> >
> > if (!www_authorize("","subscriber")) {
> > www_challenge("","0");
> > break;
> > };
> >
> > if (!check_to()) {
> > sl_send_reply("401", "Unauthorized");
> > break;
> > };
> >
> > consume_credentials();
> >
> > if (!save("location")) {
> > sl_reply_error();
> > };
> > }
> >
> > route[3] {
> >
> > # -----------------------------------------------------------------
> > # CANCEL and INVITE Message Handler
> > # -----------------------------------------------------------------
> >
> > if (client_nat_test("3")) {
> > setflag(7);
> > force_rport();
> > fix_nated_contact();
> > };
> >
> > lookup("aliases");
> > if (uri!=myself) {
> > route(1);
> > break;
> > };
> >
> > if (!lookup("location")) {
> > sl_send_reply("404", "User Not Found");
> > break;
> > };
> >
> > if (method=="CANCEL") {
> > route(1);
> > break;
> > };
> >
> > if (!proxy_authorize("","subscriber")) {
> > proxy_challenge("","0");
> > break;
> > } else if (!check_from()) {
> > sl_send_reply("403", "Use From=ID");
> > break;
> > };
> >
> > consume_credentials();
> >
> > if (isflagset(6) || isflagset(7)) {
> > use_media_proxy();
> > };
> >
> > route(1);
> > }
> >
> > onreply_route[1] {
> >
> > if ((isflagset(6) || isflagset(7)) &&
> > (status=~"(180)|(183)|2[0-9][0-9]")) {
> >
> > if (!search("^Content-Length:\ +0")) {
> > use_media_proxy();
> > };
> > };
> >
> > if (client_nat_test("1")) {
> > fix_nated_contact();
> > };
> > }
> >
> > ================== End of ser.cfg ======================
> >
> >
> > =================== mediaproxy.ini ======================
> > ;
> > ; Configuration file for MediaProxy
> > ;
> >
> > [Dispatcher]
> > ;
> > ; Section for configuring the proxy dispatcher
> > ;
> > ; The following options are available here:
> > ;
> > ; start Boolean value that specifies whether to start the dispatcher.
> > ; Default value: Yes
> > ;
> > ; socket Path to the UNIX socket where the dispatcher receives
> > ; commands from SER. This should match the value for
> > ; mediaproxy_socket in ser.cfg
> > ; Default value: /var/run/proxydispatcher.sock
> > ;
> > ; group Put the socket in this group and make it group writable.
> > ; Default value: ser
> > ;
> > ; defaultProxy Default mediaproxy to use in case the From/To domains
> > ; involved in the call don't define any.
> > ; Valid values for this are:
> > ;
> > ; - None
> > ; don't use any default proxies. domains without
> > ; mediaproxy SRV records won't work
> > ; - /path/to/unix/socket
> > ; use a single MediaProxy server identified by the given
> > ; UNIX socket path
> > ; - IP_or_hostname[:port]
> > ; use a single MediaProxy server identified by its network
> > ; address. The network address consists of an IP address
> > ; or a hostname and an optional port number separated by
> > ; a colon. If port is missing 25060 will be assumed.
> > ; Examples:
> > ; 10.0.0.1 (connect to 10.0.0.1 on port 25060)
> > ; 10.0.0.1:90 (connect to 10.0.0.1 on port 90)
> > ; mp1.mydomain.com
> > ; mp1.mydomain.com:7000
> > ; - domain://domain_name
> > ; Use all MediaProxies defined by domain_name, honoring
> > ; their priority and weight to create a cluster of proxies
> > ; with fallback and load balancing capabilities.
> > ;
> > ; Default value: /var/run/mediaproxy.sock
> > ;
> > start = yes
> > socket = /var/run/proxydispatcher.sock
> > group = ser
> > defaultProxy = /var/run/mediaproxy.sock
> >
> > [MediaProxy]
> > ;
> > ; Section for configuring the MediaProxy server
> > ;
> > ; The following options are available here:
> > ;
> > ; start Boolean value that specifies whether to start the RTP proxy server.
> > ; Default value: Yes
> > ;
> > ; socket Path to the UNIX socket where MediaProxy receives
> > ; commands from the dispatcher or SER.
> > ; Default value: /var/run/mediaproxy.sock
> > ;
> > ; group Put the socket in this group and make it group writable.
> > ; Default value: ser
> > ;
> > ; listen Network address where MediaProxy receives commands from
> > ; a remote dispatcher.
> > ; Valid values for this are:
> > ;
> > ; - None
> > ; don't listen for network connections at all
> > ; - address[:port]
> > ; listen on the specified address and port
> > ; address can be an IP, a hostname or the keyword Any
> > ; (in which case it will listen on 0.0.0.0). If address is
> > ; a hostname, it should map in DNS to an IP address
> > ; present on the machine through an A record.
> > ; If port is missing assume 25060.
> > ;
> > ; Default value: None
> > ;
> > ; allow List of addresses that are allowed to connect to this
> > ; MediaProxy server and send commands.
> > ; They are specified as a comma separated list of entries, with
> > ; each entry being specified in the CIDR network/mask notation
> > ; (ex. 10.0.0.0/8)
> > ;
> > ; In addition, simple IP addresses or hostnames are allowed, in
> > ; which case the mask is considered to be 32.
> > ;
> > ; In addition to network ranges/addresses, 2 keywords can be used
> > ; for this option:
> > ; None to specify that nobody is allowed to connect (not very
> > ; useful, but this is the default for security reasons)
> > ; Any to specify that anyone is allowed to connect (dangerous!)
> > ;
> > ; Example: allow = 10.0.0.0/24, home-pc.mydomain.com, 1.2.3.4
> > ;
> > ; Default value: None
> > ;
> > ; proxyIP IP address to use to talk to the phones. If not specified, the
> > ; first found will be used. However, first found usually means
> > ; first defined in /etc/hosts, which may not be what you want.
> > ; If you find that the address that's automatically selected is
> > ; not the one you want, you can specify the right one using this
> > ; option. The address must be one that's present on one of the
> > ; host's interfaces.
> > ;
> > ; portRange The range of ports to use for proxying the rtp streams.
> > ; This option is specified as minport:maxport, with minport and
> > ; maxport being even numbers in the range 1024-65536
> > ; Default value: 35000:65000
> > ;
> > ; TOS Unless you know what TOS means, leave this option alone.
> > ; The TOS value can be specified either as a decimal number or
> > ; as a hex number in the 0xnn format.
> > ; Default value: 0xb8
> > ;
> > ; idleTimeout Expire idle sessions after this much time.
> > ; Default 60 seconds
> > ;
> > ; holdTimeout Expire calls on hold after this much time.
> > ; Default value is 3600 seconds
> > ;
> > ; forceClose Forcibly close a RTP session after this many seconds, even if
> > ; it's still active. If forceClose is 0, then a session is never
> > ; closed no matter how long it lasts.
> > ; Default value: 0
> > ;
> > start = yes
> > socket = /var/run/mediaproxy.sock
> > group = ser
> > listen = 200.142.103.114
> > allow = any
> > ;proxyIP = 10.0.0.1
> > portRange = 35000:36000
> > ;TOS = 0xb8
> > idleTimeout = 60
> > holdTimeout = 3600
> > forceClose = 0
> > accounting = off
> >
> > [Accounting]
> > user = ser
> > password = heslo
> > host = any
> > database = ser
> > table = ser
> >
> > #[Accounting]
> > #user = dbuser
> > #password = dbpass
> > #host = dbhost
> > #database = radius
> > #table = radacct
> >
> > =================== End of mediaproxy.ini ======================
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>