[OpenSIPS-Users] PBX sending calls to Opensips
Ali Pey
alipey at gmail.com
Tue Jul 31 04:06:09 CEST 2012
Schneur,
Not disagreeing with the way you are doing it, but you can use the
permissions module for the pbxs only. This way you can add the ips in the
address table and keep track of who is allowed and block any other
requests. There won't be any script change or reload required. A new pbx
would require a new ip address in the table and a reload command.
Regards,
Ali Pey
On Mon, Jul 30, 2012 at 7:39 PM, Schneur Rosenberg <rosenberg11219 at gmail.com
> wrote:
> Ali I can't compare PBX addresses, we are a voip company and I can't
> manually edit my script for every PBX our customer installs, I ended
> up doing the avp_db_query() and then rewriting the from header with
> uac_replace_from("","sip:$au@$si") which will retrieve the username
> from the Proxy-Authorization: field, I had to use uac_replace_from
> because $fu is read only.
>
> On Wed, Jul 25, 2012 at 11:58 PM, Ali Pey <alipey at gmail.com> wrote:
> > This would work too. Here though you do a db query for each call and can
> > slow down the performance if that's important to you. Examining
> usernames'
> > patterns can be faster.
> >
> > You can also use the registered function instead of a db query:
> >
> > if (registered("location","$fu")) {
> > xlog("caller is registered\n");
> > }
> >
> > http://www.opensips.org/html/docs/modules/1.8.x/registrar.html#id293162
> >
> > Regards,
> > Ali Pey
> >
> >
> > On Wed, Jul 25, 2012 at 4:23 PM, Schneur Rosenberg
> > <rosenberg11219 at gmail.com> wrote:
> >>
> >> I already did something similar look at snippet bellow so any call
> >> coming from a IP thats registered to our server will always do
> >> proxy_authorize(), other calls will assume that its a unauthenticated
> >> DID call or a call going to a local call
> >>
> >> if (!(method=="REGISTER"))
> >> {
> >> avp_db_query("select username from location where
> >> contact regexp '$si' or received like
> >> 'sip:$si%'","$avp(is_registered)");
> >> }
> >> if (!(method=="REGISTER") && avp_check("$avp(is_registered)",
> >> "gt/1/g"))
> >> {
> >> if(!is_from_gw())
> >> {
> >> if (!proxy_authorize("sosglobal", "subscriber"))
> >> {
> >> append_hf("P-hint: Proxy auth
> >> failed\r\n");
> >> proxy_challenge("sosglobal", "0");
> >> exit;
> >> }
> >>
> >>
> >> }
> >>
> >>
> >> On Wed, Jul 25, 2012 at 8:48 PM, Ali Pey <alipey at gmail.com> wrote:
> >> > Schneur,
> >> >
> >> > You can examine the src_ip first to see if the call if from your pbx
> or
> >> > not.
> >> > Then you can also examine to request-uri to distinguish the call
> between
> >> > a
> >> > pstn call or a sip client - assuming your sip clients have a different
> >> > sip
> >> > address/pattern than pstn numbers. Things like this:
> >> >
> >> > if ( src_ip == pbx1_ip || src_ip == pbx2_ip ){
> >> > # From PBXs
> >> > }
> >> >
> >> > if ($rU=~"^\+?[0-9]{3,18}") {
> >> > # request-uri is for a PSTN number, send the message to whatever
> >> > route(1)
> >> > }
> >> >
> >> > Basically you need to find a difference between the call attributes
> and
> >> > examine that, it can be the src_ip, ruri pattern, etc.
> >> >
> >> > Regards,
> >> > Ali Pey
> >> >
> >> > On Wed, Jul 25, 2012 at 9:41 AM, Schneur Rosenberg
> >> > <rosenberg11219 at gmail.com> wrote:
> >> >>
> >> >> check_source_address won't work for me, my clients are behind Dynamic
> >> >> ip's, there is no way for me to know in advance their ip address
> >> >>
> >> >> On Mon, Jul 23, 2012 at 8:55 PM, Brett Nemeroff <brett at nemeroff.com>
> >> >> wrote:
> >> >> > Scot,
> >> >> > the function "is_from_local" uses the From URI and as such, will
> not
> >> >> > work if
> >> >> > the originator mangles the from uri (as in the case of your example
> >> >> > below).
> >> >> >
> >> >> > A more secure way to do this that may suit your needs is to use the
> >> >> > permissions module and actually check the source IP of the request:
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> http://www.opensips.org/html/docs/modules/1.8.x/permissions.html#id293503
> >> >> >
> >> >> > Look at the "check_source_address" and or "get_source_group".
> Either
> >> >> > of
> >> >> > these can compare the source IP of the originator to a known list.
> >> >> > From
> >> >> > there, you can perform script logic based on where the request came
> >> >> > from.
> >> >> >
> >> >> > Hope that helps!
> >> >> > -Brett
> >> >> >
> >> >> >
> >> >> > On Mon, Jul 23, 2012 at 11:38 AM, Schneur Rosenberg
> >> >> > <rosenberg11219 at gmail.com> wrote:
> >> >> >>
> >> >> >> I'm using opensips as a registrar server and as a loadbalancer,
> all
> >> >> >> phones are registered to opensips and all incoming and outgoing
> >> >> >> calls
> >> >> >> go to Asterisk boxes via load balancing, therefore I have 3 kinds
> of
> >> >> >> calls going to opensips,
> >> >> >> 1) outgoing calls coming from one of the phones Registered to
> >> >> >> opensips,
> >> >> >> 2) incoming calls (we allow all incoming calls no matter from
> where
> >> >> >> they come, I call them unauthenticated DID)
> >> >> >> 3) Calls ringing to a phone registered to opensips, the Asterisk
> >> >> >> boxes
> >> >> >> will send the calls to the phone either after getting a call from
> a
> >> >> >> DID, or when a internal user wants to call another internal user
> >> >> >>
> >> >> >> The way I differentiate between the calls is I do a if
> >> >> >> (!(method=="REGISTER") && is_from_local()) this will check
> >> >> >> credentials
> >> >> >> and send call to asterisk to process outgoing call, then I do a
> >> >> >> else
> >> >> >> if ((method=="INVITE")) which will check if the call is going to
> a
> >> >> >> local phone by doing if (!lookup("location", "m")) if that fails
> >> >> >> that
> >> >> >> it assumes its a incoming did call, and it will send it to
> asterisk
> >> >> >> with a prefix so asterisk knows its a unauthenticated incoming
> call,
> >> >> >> bellow I pasted a skeleton of the code I'm using.
> >> >> >>
> >> >> >> Everything worked fine, until I connected a PBX to my opensips,
> then
> >> >> >> the from came in with the address of the PBX and the
> >> >> >> is_from_local()
> >> >> >> test was not true, so it did not work, I had the same problem when
> >> >> >> sending a call from a SPA3000 and blocking caller id, in that case
> >> >> >> it
> >> >> >> also obscured the from address, as follows "From: Anonymous
> >> >> >> <sip:anonymous at localhost>;tag=ea3ee097cd947aeeo0." , the only
> >> >> >> reference of the user or domain was in the RPID field and calls
> did
> >> >> >> not go through.
> >> >> >>
> >> >> >> Is there anyway to check if a source IP is registered to our
> system
> >> >> >> and only then it should send a 407? this way if I have a BPX
> >> >> >> registered it will then ask for credentials, all others it will
> >> >> >> assume
> >> >> >> that either a call to the local phone or unauthenticated DID, I
> >> >> >> understand that I wont be able to send calls to the system only if
> >> >> >> registration was done before, but I have no problem with that, I
> >> >> >> could do it with avp_db_query() on the subscriber table, but I
> want
> >> >> >> to
> >> >> >> know if there is a better way.
> >> >> >>
> >> >> >> If there is there a better solution then the above solution please
> >> >> >> let
> >> >> >> me
> >> >> >> know
> >> >> >>
> >> >> >> if (!(method=="REGISTER") && is_from_local())
> >> >> >> {
> >> >> >> #check credentials
> >> >> >> }
> >> >> >> else if ((method=="INVITE")) #unathenticated did or
> call
> >> >> >> going to phone registered to opensips
> >> >> >> {
> >> >> >>
> >> >> >> if (!lookup("location", "m")) #calling local
> phone
> >> >> >> {
> >> >> >> #send to phone registered to opensips
> >> >> >> }
> >> >> >> else
> >> >> >> {
> >> >> >> #incoming did send call to asterisk to
> >> >> >> process
> >> >> >> }
> >> >> >> }
> >> >> >> else
> >> >> >> {
> >> >> >> #outgoing calls route continues here
> >> >> >> }
> >> >> >> ...................................
> >> >> >>
> >> >> >> _______________________________________________
> >> >> >> Users mailing list
> >> >> >> Users at lists.opensips.org
> >> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >> >> >
> >> >> >
> >> >> >
> >> >> > _______________________________________________
> >> >> > Users mailing list
> >> >> > Users at lists.opensips.org
> >> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >> >> >
> >> >>
> >> >> _______________________________________________
> >> >> Users mailing list
> >> >> Users at lists.opensips.org
> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Users mailing list
> >> > Users at lists.opensips.org
> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >> >
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.opensips.org
> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20120730/67cfb0d2/attachment-0001.htm>
More information about the Users
mailing list