[OpenSIPS-Users] IP Based Authentication on Asterisk with OpenSIP (Bogdan-Andrei Iancu)
Brett Nemeroff
brett at nemeroff.com
Mon Dec 14 15:55:12 CET 2009
Honestly, this is outside of the scope of this mailing list. but this
may get you on track.
First you'll need an asterisk context in the [general] section of your sip.conf:
[general]
context=defalut
then in extensions.conf you'll need to use the SIP_HEADER function, to
check for the header and do your magic based on the result. For your
reference, here's the doc for the SIP_HEADER function
[Syntax]
SIP_HEADER(<name>[,<number>])
[Synopsis]
Gets the specified SIP header
[Description]
Since there are several headers (such as Via) which can occur multiple
times, SIP_HEADER takes an optional second argument to specify which header with
that name to retrieve. Headers start at offset 1.
======%<===========
Lastly, if you are going to add a header with opensips to include
something that is an authoritative reference to the customer, then you
MUST first remove the header from the incoming message or your
customer could spoof it. Let me give you an example, I'm a "bad
customer" and I see you are on the mailing list and are using
X-source-ip: header to authenticate calls. So before I send you calls,
I'll stick in a:
X-source-ip: 192.168.1.1
to mess you up. If you don't first remove the header, both headers (I
think?) will likely reach the asterisk and heaven only knows which one
asterisk will use. :)
Of course, alternatively, you can just do this IN opensips. I do this,
works great. And as a big plus, It doesn't use asterisk or funky
headers. :)
-Brett
On Sat, Dec 12, 2009 at 1:31 PM, Muhammad Zulqarnain
<mzulqarnain2002 at yahoo.com> wrote:
> Hello!
>
> Thanks Bodgan!
>
> I have added following to sip header which add source IP in sip packet
> before sending to asterisk.
> append_hf("X-customer-ip: $si\r\n");
> Sip trace got following packet which add X-customer-ip: x.x.x.x to sip
> header but I am wondering how to told/setup asterisk to read source IP from
> additional sip header instead of network level. Also I have another switch
> named Voipswitch on which I would not be able to customize any thing to
> honor incoming sip header for source ip validation so solution should work
> for all GW/Server other then asterisk only.
>
> U 2009/12/12 18:58:32.829652 y.y.y.y:5060 -> z.z.z.z:5060
> INVITE sip:123456789 at y.y.y.y SIP/2.0.
> Record-Route: <sip:y.y.y.y;lr;ftag=a16f2b41;did=882.11d0f5f>.
> To: <sip:123456789 at y.y.y.y>.
> From: hello<sip:hello at y.y.y.y>;tag=a16f2b41.
> Via: SIP/2.0/UDP y.y.y.y;branch=z9hG4bKfb2e.a79595a4.0.
> Via: SIP/2.0/UDP
> x.x.x.x:7266;received=x.x.x.x;branch=z9hG4bK-d87543-197592634-1--d87543-;rport=7266.
> Call-ID: 9867b13bdc3a4f30.
> CSeq: 1 INVITE.
> Contact: <sip:hello at x.x.x.x:7266>.
> Max-Forwards: 69.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE,
> INFO.
> Content-Type: application/sdp.
> User-Agent: eyeBeam release 3007n stamp 17816.
> Content-Length: 237.
> X-customer-ip: x.x.x.x.
>
> Please suggest solution with sample configs.
>
> Thanks
> Regards
> Muhammad Zulqarnain
>
>
>>Hi Muhammad,
>>
>>What you can do (and I know for sure it works with Asterisk), is to
>> configure opensips (LB) to add the real src IP (IP of the client) >into a
>> SIP header (in the request) and send it to Asterisk - asterisk will do IP
>> based auth but will take IP from that header (custom >name) instead of
>> taking it from network level.
>
>>Regards,
>>Bogdan
>
> Muhammad Zulqarnain wrote:
>> Hello!
>>
>> This is Zulqarnain and my first post to this mailing list. I just start
>> using OpenSIP and trying to get myself familiar with OpenSIP and it's config
>> files, method etc.
>>
>> Well, I am trying to achieve following:
>> Client IP: x.x.x.x
>> OpenSIP: y.y.y.y
>> Asterisk: z.z.z.z
>>
>> 1) Client -> OpenSIP (Load_balancer) -> Asterisk1, Asterisk2....
>> a) If Client Request is Register -> Relay to Asterisk (It is working
>> fine as peer is defined with user/passwd auth, host=dynamic)
>> b) If Client Request is INVITE -> Relay to Asterisk (Asterisk Reject as
>> peer is defined as IP Auth, type=peer, host=x.x.x.x)
>>
>> "b" scenario failed as Asterisk read OpenSIP IP y.y.y.y and reject the
>> call as Asterisk is expecting Source IP x.x.x.x instead of y.y.y.y
>>
>> I tried following to fix but no success:
>>
>> 1) 302 Redirect for GW Clients, who can only authenticate by IP and don't
>> support registration with user/passwd. But my DID Provider don't support 302
>> redirect although i have tested with Eyebeam Client in peer to peer mode and
>> it works. But as it didn't work with my provider so I tried another way:
>>
>> 2) uac_replace_from & uac_replace_to function of uac.so module, I tried to
>> replace from/to field with client IP but still Invite is from OpenSIP IP
>> y.y.y.y and again Asterisk/Voipswitch (another switch) reject call.
>>
>> If required I can post my config file as well here or pastebin for your
>> expert reviews. I would like to know if it is possible to achive above
>> scenario with OpenSIP, if Yes then how, any example would appreciated.
>>
>> Another small problem is that while setting up 302 redirect I wanted to
>> pass $du value to rewritehost("") as $du have the address return by
>> load_balancer of destination IP and rewritehost() only accept string.
>> Looking for suggestion on this as well.
>>
>> Hopefully to receive positive reply by community.
>>
>> Thanks
>> Regards,
>> Muhammad Zulqarnain
>> MSN: zulqarnain at globalitvision.com
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>
> -- Bogdan-Andrei Iancu
> www.voice-system.ro
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
More information about the Users
mailing list