[Users] Re: proxy authorization required sent to the wrong port
Benko
benkokakao at gmail.com
Wed Sep 27 19:22:40 CEST 2006
sorry for the attachments, here they are as txt-files...
-------------- next part --------------
# Uncomment these 3 lines to debug SER
debug = 5
fork = no
log_stderror = yes
check_via = yes
dns = yes
rev_dns = no
listen = 2XX.XXX.XXX.98
port = 5060
children = 4
fifo = "/tmp/openser_fifo"
alias = 2XX.XXX.XXX.98
alias = sipserver.xy.mydomain.org
#mhomed=1
# mhomed tells SER to check which network interface has the correct route, if there are multiple interf.
loadmodule "/lib/openser/modules/exec.so"
loadmodule "/lib/openser/modules/postgres.so"
loadmodule "/lib/openser/modules/sl.so"
loadmodule "/lib/openser/modules/tm.so"
loadmodule "/lib/openser/modules/rr.so"
loadmodule "/lib/openser/modules/maxfwd.so"
loadmodule "/lib/openser/modules/usrloc.so"
loadmodule "/lib/openser/modules/registrar.so"
loadmodule "/lib/openser/modules/textops.so"
loadmodule "/lib/openser/modules/auth.so"
loadmodule "/lib/openser/modules/auth_db.so"
loadmodule "/lib/openser/modules/uri_db.so"
loadmodule "/lib/openser/modules/uri.so"
loadmodule "/lib/openser/modules/nathelper.so"
loadmodule "/lib/openser/modules/xlog.so"
modparam( "auth_db", "db_url", "postgres://openser:topsecret@127.0.0.1/mydb" )
modparam( "auth_db", "calculate_ha1", yes )
modparam( "auth_db", "user_column", "username" )
#modparam( "auth_db", "domain_column", "domain" )
modparam( "auth_db", "password_column", "password" )
#modparam( "auth_db", "use_domain", 0 )
modparam( "nathelper", "natping_interval", 30 )
modparam( "nathelper", "ping_nated_only", 1 )
#modparam("nathelper", "rtpproxy_disable", 1)
modparam( "nathelper", "rtpproxy_sock", "udp:2XX.XXX.XXX.98:35000")
modparam( "registrar", "append_branches", 1 )
modparam( "registrar", "desc_time_order", 1 )
modparam( "registrar", "nat_flag", 6 )
modparam("registrar", "min_expires", 60)
modparam("registrar", "default_expires", 120)
modparam("registrar", "max_expires", 4000) #expire values set to 66 minutes due to phones not recognizing the max value but have a default value of 60min)
modparam( "rr", "enable_full_lr", 1 )
modparam( "uri_db", "db_url", "postgres://openser:topsecret@127.0.0.1/mydb" )
modparam( "usrloc", "db_url", "postgres://openser:topsecret@127.0.0.1/mydb" )
modparam( "usrloc", "db_mode", 2 )
route{
if ( ! mf_process_maxfwd_header( "10" ) ) {
sl_send_reply( "483", "Too Many Hops" );
return;
};
if ( msg:len >= 2048 ) {
sl_send_reply( "513", "Message too big" );
return;
};
if ( ! method == "REGISTER" ) {
record_route();
};
if (method=="BYE" || method=="CANCEL") {
unforce_rtp_proxy();
};
if ( loose_route()) {
if (( method=="INVITE" || method=="REFER") && !has_totag()) {
sl_send_reply("403", "Forbidden");
return;
};
if ( method == "INVITE" ) {
if ( ! proxy_authorize( "sipserver.xy.mydomain.org", "subscriber" ) ) {
proxy_challenge( "sipserver.xy.mydomain.org", "0" );
return;
} else if ( ! check_from() ) { #check_from checks the username against the db
sl_send_reply( "403", "Username must be same as login name" );
return;
};
consume_credentials();
if (nat_uac_test("19")) {
setflag(6);
force_rport(); #adds the rport we have received the packet from to be added to the first via-header
fix_nated_contact(); #Rewrites Contact HF to contain request's source address:port
if ( ! search( "^Content-Length:\ 0" ) ) {
fix_nated_sdp( "1" );
};
};
force_rtp_proxy("l"); #Rewrites SDP body to ensure that media is passed through an RTP proxy.
#(l-flag means lookup mode, only use this if a corresponding
#session already exists in the rtpproxy
}
xlog("L_ERR", "XXXXXXXXXXXXXLOG1 route1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
return;
};
if ( uri != myself) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG2 route1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
return;
};
if ( method == "ACK" ) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG3 route1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
return;
} else if ( method == "CANCEL" ) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG4 route1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
return;
} else if ( method == "INVITE" ) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG5 route3 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(3);
return;
} else if (method == "REGISTER" ) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG6 route2 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(2);
return;
};
lookup("aliases");
if (uri!=myself) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG7 route1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
return;
};
if (!lookup("location")) {
sl_send_reply("404","User Not Found");
return;
};
xlog("L_ERR", "XXXXXXXXXXXXXLOG8 route1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
}
route[1] {
t_on_reply("1");
if (!t_relay()) {
if (method =="INVITE" && isflagset (6)) {
unforce_rtp_proxy();
};
sl_reply_error();
};
}
route[2] {
if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
setflag(6);
fix_nated_register();
if ( ! search( "^Content-Length:\ 0" ) ) {
fix_nated_sdp( "1" );
};
force_rport();
};
sl_send_reply("100", "Trying");
if (!www_authorize("sipserver.xy.mydomain.org","subscriber")) {
www_challenge("sipserver.xy.mydomain.org","0");
return;
};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
route[3] {
if ( src_ip == 2XX.XXX.XXX.97 ) {
lookup("aliases");
if (!lookup("location")) {
sl_send_reply("404","User Not Found");
return;
};
route ( 4 );
route ( 1 );
return;
};
if (!proxy_authorize("sipserver.xy.mydomain.org","subscriber")) {
proxy_challenge("sipserver.xy.mydomain.org","0");
return;
} else if (!check_from()) {
sl_send_reply("403","Username does not match Login name");
return;
};
consume_credentials();
if (nat_uac_test("19")) {
setflag(6);
}
lookup("aliases");
if (uri != myself ) {
xlog("L_ERR", "XXXXXXXXXXXXXLOG9 inroute3 route4-1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(4);
xlog("L_ERR", "XXXXXXXXXXXXXLOG10-1 inroute3 route1-1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
rewritehostport("mgw.xy.mydomain.org");
xlog("L_ERR", "XXXXXXXXXXXXXLOG10-2 inroute3 route1-1 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
return;
};
xlog("L_ERR", "XXXXXXXXXXXXXLOG11 inroute3 route4-2 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(4);
xlog("L_ERR", "XXXXXXXXXXXXXLOG11-1 inroute3 route1-2 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
rewritehostport("mgw.xy.mydomain.org");
xlog("L_ERR", "XXXXXXXXXXXXXLOG11-2 inroute3 route1-2 time [$Tf] method <$rm> r-uri <$ru> 2nd via <$hdr(via[1])>\n");
route(1);
}
route[4] {
if (isflagset(6)) {
force_rport();
fix_nated_contact();
if ( ! search( "^Content-Length:\ 0" ) ) {
fix_nated_sdp( "1" );
};
force_rtp_proxy();
}
}
onreply_route[ 1 ] {
if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
if (!search("^Content-Lenth:[ ]*0")) {
force_rtp_proxy();
};
};
if( nat_uac_test( "1" ) ) {
fix_nated_contact();
if ( ! search( "^Content-Length:\ 0" ) ) {
fix_nated_sdp( "1" );
};
};
}
-------------- next part --------------
#
U 8XX.XXX.X96:1879 -> 2XX.XXX.XXX.X8:5060
INVITE sip:0123456789 at sipserver.xy.mydomain.org;user=phone SIP/2.0.
Via: SIP/2.0/UDP 10.1.99.161:5060;branch=z9hG4bKd1d8154c1C0FA1C7.
From: "Test2" <sip:666555804 at sipserver.xy.mydomain.org>;tag=D4463162-BBC51ECB.
To: <sip:0123456789 at sipserver.xy.mydomain.org;user=phone>.
CSeq: 1 INVITE.
Call-ID: 12f4a0ce-6b2a600-d177cb11 at 10.1.99.161.
Contact: <sip:666555804 at 10.1.99.161:5060>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER.
User-Agent: PolycomSoundPointIP-SPIP_501-UA/1.6.7.0098.
Supported: 100rel,replaces.
Allow-Events: talk,hold,conference.
Max-Forwards: 70.
Content-Type: application/sdp.
Content-Length: 247.
.
v=0.
o=- 1159352772 1159352772 IN IP4 10.1.99.161.
s=Polycom IP Phone.
c=IN IP4 10.1.99.161.
t=0 0.
a=sendrecv.
m=audio 2236 RTP/AVP 0 8 18 101.
a=rtpmap:0 PCMU/8000.
a=rtpmap:8 PCMA/8000.
a=rtpmap:18 G729/8000.
a=rtpmap:101 telephone-event/8000.
#
U 2XX.XXX.XXX.X8:5060 -> 8XX.XXX.X96:5060
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 10.1.99.161:5060;branch=z9hG4bKd1d8154c1C0FA1C7;received=8XX.XXX.X96.
From: "Test2" <sip:666555804 at sipserver.xy.mydomain.org>;tag=D4463162-BBC51ECB.
To: <sip:0123456789 at sipserver.xy.mydomain.org;user=phone>;tag=2f7d8fa65b1e4a32386804888f034ca8.b3bf.
CSeq: 1 INVITE.
Call-ID: 12f4a0ce-6b2a600-d177cb11 at 10.1.99.161.
Proxy-Authenticate: Digest realm="sipserver.xy.mydomain.org", nonce="451a9b18ed7ecc6616af7ad9d07a019e47075c4c".
Server: OpenSer (1.1.0-tls (i386/linux)).
Content-Length: 0.
Warning: 392 2XX.XXX.XXX.X8:5060 "Noisy feedback tells: pid=12123 req_src_ip=8XX.XXX.X96 req_src_port=1879 in_uri=sip:0123456789 at sipserver.xy.mydomain.org;user=phone out_uri=sip:0123456789 at sipserver.xy.mydomain.org;user=phone via_cnt==1".
.
-------------- next part --------------
# Uncomment these 3 lines to debug SER
#debug = 5
#fork = no
#log_stderror = yes
check_via = yes
dns = yes
rev_dns = no
listen = 2XX.XXX.XXX.X8
port = 5060
children = 4
fifo = "/tmp/openser_fifo"
alias = 2XX.XXX.XXX.X8
alias = sipserver.xy.mydomain.org
#mhomed=1
loadmodule "/lib/openser/modules/exec.so"
loadmodule "/lib/openser/modules/postgres.so"
loadmodule "/lib/openser/modules/sl.so"
loadmodule "/lib/openser/modules/tm.so"
loadmodule "/lib/openser/modules/rr.so"
loadmodule "/lib/openser/modules/maxfwd.so"
loadmodule "/lib/openser/modules/usrloc.so"
loadmodule "/lib/openser/modules/registrar.so"
loadmodule "/lib/openser/modules/textops.so"
loadmodule "/lib/openser/modules/auth.so"
loadmodule "/lib/openser/modules/auth_db.so"
loadmodule "/lib/openser/modules/uri_db.so"
loadmodule "/lib/openser/modules/nathelper.so"
modparam( "auth_db", "db_url", "postgres://openser:topsecret@127.0.0.1/mydb" )
modparam( "auth_db", "calculate_ha1", yes )
#this is the entry where ser asks the astcc-db for credentials?
modparam( "auth_db", "user_column", "username" )
#modparam( "auth_db", "domain_column", "domain" )
modparam( "auth_db", "password_column", "password" )
## Correct, and the table name is set in the www_auth command
#modparam( "auth_db", "use_domain", 0 )
modparam( "nathelper", "natping_interval", 30 )
modparam( "nathelper", "ping_nated_only", 1 )
modparam("nathelper", "rtpproxy_disable", 1)
modparam( "registrar", "append_branches", 1 )
modparam( "registrar", "desc_time_order", 1 )
modparam( "registrar", "nat_flag", 6 )
modparam( "registrar", "nat_flag", 6 )
modparam("registrar", "min_expires", 60)
modparam("registrar", "default_expires", 120)
modparam("registrar", "max_expires", 4000) #expire values set to 66 minutes due to phones not recognizing the max value but have a default value of 60min)
modparam( "rr", "enable_full_lr", 1 )
modparam( "uri_db", "db_url", "postgres://openser:topsecret@127.0.0.1/mydb" )
modparam( "usrloc", "db_url", "postgres://openser:topsecret@127.0.0.1/mydb" )
modparam( "usrloc", "db_mode", 2 )
route{
if ( ! mf_process_maxfwd_header( "10" ) ) {
sl_send_reply( "483", "Too Many Hops" );
return;
};
if ( msg:len >= 2048 ) {
sl_send_reply( "513", "Message too big" );
return;
};
if ( ! method == "REGISTER" ) record_route();
if( nat_uac_test( "19" ) ) {
fix_nated_contact();
if ( ! search( "^Content-Length:\ 0" ) ) {
fix_nated_sdp( "3" );
};
force_rport();
setflag( 6 );
};
if ( loose_route() ) {
route( 1 );
return;
};
if ( uri == myself ) {
if ( method == "REGISTER" ) {
if ( ! www_authorize( "sip.xy.mydomain.org", "subscriber" ) ) {
www_challenge( "sip.xy.mydomain.org", "0" );
return;
};
save( "location" );
return;
};
if ( src_ip == 2XX.XXX.XXX.X97 ) {
# This is the mgw calling a user
lookup( "aliases" );
if ( ! lookup( "location" ) ) {
sl_send_reply( "404", "Not Found" );
return;
};
route( 1 );
return;
};
# Any call that gets here is from a user. Make sure it's authorised.
if ( method == "INVITE" ) {
if ( ! proxy_authorize( "sip.xy.mydomain.org", "subscriber" ) ) {
proxy_challenge( "sip.xy.mydomain.org", "0" );
return;
};
if ( ! check_from() ) {
sl_send_reply( "403", "Username must be same as login name" );
return;
};
consume_credentials();
};
# Forward to mgw
rewritehostport( "mgw.xy.mydomain.org:5060" );
route( 1 );
return;
};
# Handle SIP message like BYE that are routed direct to the destination.
if ( method == "INVITE" || method == "REGISTER" ) {
sl_send_reply( "403", "Host part forbidden" );
return;
};
route( 1 );
return;
}
route[ 1 ] {
t_on_reply( "1" );
if ( ! t_relay() ) {
sl_reply_error();
};
}
onreply_route[ 1 ] {
if( nat_uac_test( "19" ) ) {
fix_nated_contact();
if ( ! search( "^Content-Length:\ 0" ) ) {
fix_nated_sdp( "3" );
};
force_rport();
};
}
-------------- next part --------------
#
U 8X.XXX.XXX.196:1879 -> 2XX.XXX.XXX.X8:5060
INVITE sip:0123456789 at sipserver.xy.mydomain.org;user=phone SIP/2.0.
Via: SIP/2.0/UDP 10.1.99.161:5060;branch=z9hG4bK10f2dfccF544647.
From: "Test2" <sip:666555804 at sipserver.xy.mydomain.org>;tag=1EEC6FE2-471D7B4B.
To: <sip:0123456789 at sipserver.xy.mydomain.org;user=phone>.
CSeq: 1 INVITE.
Call-ID: 8f2f474e-fd26c880-5ea03b91 at 10.1.99.161.
Contact: <sip:666555804 at 10.1.99.161:5060>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER.
User-Agent: PolycomSoundPointIP-SPIP_501-UA/1.6.7.0098.
Supported: 100rel,replaces.
Allow-Events: talk,hold,conference.
Max-Forwards: 70.
Content-Type: application/sdp.
Content-Length: 247.
.
v=0.
o=- 1159353416 1159353416 IN IP4 10.1.99.161.
s=Polycom IP Phone.
c=IN IP4 10.1.99.161.
t=0 0.
a=sendrecv.
m=audio 2248 RTP/AVP 0 8 18 101.
a=rtpmap:0 PCMU/8000.
a=rtpmap:8 PCMA/8000.
a=rtpmap:18 G729/8000.
a=rtpmap:101 telephone-event/8000.
#
U 2XX.XXX.XXX.X8:5060 -> 8X.XXX.XXX.196:1879
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP 10.1.99.161:5060;branch=z9hG4bK10f2dfccF544647;rport=1879;received=8X.XXX.XXX.196.
From: "Test2" <sip:666555804 at sipserver.xy.mydomain.org>;tag=1EEC6FE2-471D7B4B.
To: <sip:0123456789 at sipserver.xy.mydomain.org;user=phone>;tag=2f7d8fa65b1e4a32386804888f034ca8.53d8.
CSeq: 1 INVITE.
Call-ID: 8f2f474e-fd26c880-5ea03b91 at 10.1.99.161.
Proxy-Authenticate: Digest realm="sipserver.xy.mydomain.org", nonce="451a9d9b4e08564c79b123b751a72d6613281c16".
Server: OpenSer (1.1.0-tls (i386/linux)).
Content-Length: 0.
Warning: 392 2XX.XXX.XXX.X8:5060 "Noisy feedback tells: pid=31922 req_src_ip=8X.XXX.XXX.196 req_src_port=1879 in_uri=sip:0123456789 at sipserver.xy.mydomain.org;user=phone out_uri=sip:0123456789 at sipserver.xy.mydomain.org;user=phone via_cnt==1".
More information about the sr-users
mailing list