[OpenSIPS-Users] I never see 404 not found
Binan AL Halabi
binanalhalabi at yahoo.com
Thu Sep 13 12:00:09 CEST 2012
hej Sajjad,
If you mean the "username" in Authorization header is invalid in step-3 you can do:
adjust your script to send "404 Not Found" since the proxy_authorize and www_ authorize return value is number and if this number is equal to -1 (invalid user) - authentication user does
not exist.
http://www.opensips.org/html/docs/modules/devel/auth_db.html#id250235
//Binan
--- On Fri, 9/7/12, sajjad purmohseni <spurmohseni at yahoo.com> wrote:
From: sajjad purmohseni <spurmohseni at yahoo.com>
Subject: Re: [OpenSIPS-Users] I never see 404 not found
To: "Muhammad Shahzad" <shaheryarkh at googlemail.com>, "users at lists.opensips.org" <users at lists.opensips.org>
Date: Friday, September 7, 2012, 7:45 AM
Hello Muhammad; thanks for your pursuing;
Yes, second Invite or Register contains authentication header; this is the scenario I mean
1 client -------------------------------Invite-------------------------------> proxy2 client <-------------------407 with nonce---------------------------- Proxy3 client ------------Invite with calculated nonce-------------------> Proxy4 client <----------------100 giving a try--------------------------------- Proxy5 client <----------------180 ringing--------------------------------------- Proxy
I mean when client uses invalid "From URI" in authentication header in the third step; proxy should send an "404 not found"; but as I see; server just sends 407 message. As you know, if URI is valid, and calculated
response in authentication header is invalid server sends 407 message too. This causes I cannot understand the URI binding is valid or not. I except if "from URI" binding is invalid in authentication process; server send me an 404 not found message. Is it possible and typical option in SIP proxy servers?
Thank you
-------------------------------------------------- kind regards; Sajad Pourmohseni
From: Muhammad Shahzad <shaheryarkh at googlemail.com>
To: sajjad purmohseni
<spurmohseni at yahoo.com>
Cc: "users at lists.opensips.org" <users at lists.opensips.org>
Sent: Friday, September 7, 2012 6:07 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found
Does second INVITE contains Proxy-Authorization header? Can you please paste SIP trace here?
Thank you.
On Fri, Sep 7, 2012 at 2:22 PM, sajjad purmohseni <spurmohseni at yahoo.com> wrote:
Hello Muhammad thanks for reply.
I think you mean invalidity of the "To URI"; But I am telling about invalidity of the "From URI" or the caller contact. In authentication process I expect to receive "404 not found" after sending second Invite or Register messages; but I receive 401 or 407. Is int normal action by server or it can send "404 not found" about invalid "From URI" to tell client that the contact URI is invalid?
--------------------------------------------------
kind regards; Sajad Pourmohseni
From: Muhammad Shahzad <shaheryarkh at googlemail.com>
To: sajjad purmohseni <spurmohseni at yahoo.com>; OpenSIPS users mailling list <users at lists.opensips.org>
Sent: Friday, September 7, 2012 1:45 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found
Yes because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.
# authenticate if from local subscriber (uncomment to enable auth)
# authenticate all initial non-REGISTER request that pretend to be
# generated by local subscriber (domain from FROM URI is local)
if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
{
if (!proxy_authorize("", "subscriber")) {
proxy_challenge("", "0");
exit;
}
This gets called BEFORE you check for destination, which is right way to do it. The caller should authenticate itself before callee is checked.
Thank you.
On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <spurmohseni at yahoo.com> wrote:
Hi all
I use sipp tool accompanying opensips server to generate normal SIP traffic. I successfuly enable authentication in opensips; added some users in database and performed authentication proccess in register and invite requests. I see valid authentication as username and passwords are valid and failure in authentication as password is invalid. After sending first invite and receiving 407 (proxy auth req) message; In my scenario an Invite message is sent with authentication header containing valid nonce. My problem is that when URI of re-Invite request is invalid I receive 407 instead of 404 (not found).
I'm so grateful about any help.
This is my opensips config file (opensips.cfg):
#
# $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
#
# OpenSIPS basic configuration script
# by Anca Vamanu <anca at voice-system.ro>
#
# Please refer to the Core CookBook at:
# http://www.opensips.org/index.php?n=Resources.DocsCookbooks
# for a explanation of possible statements, functions and parameters.
#
####### Global Parameters #########
#debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=4
/* uncomment the following lines to enable debugging */
debug=6
#fork=no
#log_stderror=yes
/* uncomment the next line to disable TCP (default on) */
#disable_tcp=yes
/* uncomment the next line to enable the auto temporary blacklisting of
not available destinations (default disabled) */
#disable_dns_blacklist=no
/* uncomment the next line to enable IPv6 lookup after IPv4 dns
lookup failures (default disabled) */
#dns_try_ipv6=yes
/* uncomment the next line to disable the auto discovery of local aliases
based on revers DNS on IPs (default on) */
#auto_aliases=no
/* uncomment the following lines to enable TLS support (default off) */
#disable_tls = no
#listen = tls:your_IP:5061
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 0
#tls_method = TLSv1
#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
port=5060
/* uncomment and configure the following line if you want opensips to
bind on a specific interface/port/proto (default bind on all available) */
listen=udp:194.225.238.244:5060
####### Modules Section ########
#set module path
mpath="/usr/local/lib64/opensips/modules/"
/* uncomment next line for MySQL DB support */
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri_db.so"
loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
/* uncomment next lines for MySQL based authentication support
NOTE: a DB (like db_mysql) module must be also loaded */
loadmodule "auth.so"
loadmodule "auth_db.so"
/* uncomment next line for aliases support
NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "alias_db.so"
/* uncomment next line for multi-domain support
NOTE: a DB (like db_mysql) module must be also loaded
NOTE: be sure and enable multi-domain support in all used
modules
(see "multi-module params" section ) */
#loadmodule "domain.so"
/* uncomment the next two lines for presence server support
NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "presence.so"
#loadmodule "presence_xml.so"
# ----------------- setting module-specific parameters ---------------
# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)
# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)
# ----- usrloc params -----
modparam("usrloc", "db_mode", 0)
/* uncomment the following lines if you want to enable DB persistency
for location entries */
#modparam("usrloc", "db_mode", 2)
#modparam("usrloc", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")
# ----- acc params -----
/* what sepcial events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
/* by default ww do not adjust the direct of the sequential requests.
if you enable this parameter, be sure the enable "append_fromtag"
in "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
/* uncomment the following lines to enable DB accounting also */
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)
# ----- auth_db params -----
/* uncomment the following lines if you want to enable the DB based
authentication */
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
"mysql://opensips:opensipsrw@localhost/opensips")
modparam("auth_db", "load_credentials", "")
# ----- alias_db params -----
/* uncomment the following lines if you want to enable the DB based
aliases */
#modparam("alias_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
# ----- domain params -----
/* uncomment the following lines to enable multi-domain detection
support */
#modparam("domain", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("domain", "db_mode", 1) # Use caching
# ----- multi-module params -----
/* uncomment the following line if you want to enable multi-domain support
in the modules (dafault off) */
#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
# ----- presence params -----
/* uncomment the following lines if you want to enable presence */
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.1.2:5060")
####### Routing Logic ########
# main request routing logic
route{
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
}
if (has_totag()) {
# sequential request withing a dialog should
# take the path determined by record-routing
if (loose_route()) {
if (is_method("BYE")) {
setflag(1); # do accounting ...
setflag(3); # ... even if the transaction fails
} else if (is_method("INVITE")) {
# even if in most of the cases is useless, do RR for
# re-INVITEs alos, as some buggy clients do change route set
# during the dialog.
record_route();
}
# route it out to whatever destination was set by loose_route()
# in $du (destination URI).
route(1);
} else {
/* uncomment the following lines if
you want to enable presence */
##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
## # in-dialog subscribe requests
## route(2);
## exit;
##}
if ( is_method("ACK") ) {
if ( t_check_trans() ) {
# non loose-route, but stateful ACK; must be an ACK after
# a 487 or e.g. 404 from upstream server
t_relay();
exit;
} else {
# ACK without matching transaction ->
# ignore and discard
exit;
}
}
sl_send_reply("404","Not
here");
}
exit;
}
#initial requests
# CANCEL processing
if (is_method("CANCEL"))
{
if (t_check_trans())
t_relay();
exit;
}
t_check_trans();
# authenticate if from local subscriber (uncomment to enable auth)
# authenticate all initial non-REGISTER request that pretend to be
# generated by local subscriber (domain from FROM URI is local)
if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
{
if (!proxy_authorize("", "subscriber")) {
proxy_challenge("", "0");
exit;
}
if (!check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
# preloaded route checking
if (loose_route()) {
xlog("L_ERR",
"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
if (!is_method("ACK"))
sl_send_reply("403","Preload Route denied");
exit;
}
# record routing
if (!is_method("REGISTER|MESSAGE"))
record_route();
# account only INVITEs
if (is_method("INVITE")) {
setflag(1); # do accounting
}
if (!uri==myself)
## replace with following line if multi-domain support is used
##if (!is_uri_host_local())
{
append_hf("P-hint: outbound\r\n");
# if you have some interdomain connections via TLS
##if($rd=="tls_domain1.net") {
## t_relay("tls:domain1.net");
## exit;
##} else if($rd=="tls_domain2.net") {
## t_relay("tls:domain2.net");
## exit;
##}
route(1);
}
# requests for my domain
## uncomment this if you want to enable presence server
## and comment the next 'if' block
## NOTE: uncomment also the definition of route[2] from below
##if( is_method("PUBLISH|SUBSCRIBE"))
## route(2);
if (is_method("PUBLISH"))
{
sl_send_reply("503", "Service Unavailable");
exit;
}
if (is_method("REGISTER"))
{
# authenticate the REGISTER requests (uncomment to enable auth)
if (!www_authorize("", "subscriber"))
{
www_challenge("", "0");
exit;
}
if (!check_to())
{
sl_send_reply("403","Forbidden auth ID");
exit;
}
if (!save("location"))
sl_reply_error();
exit;
}
if ($rU==NULL) {
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}
# apply DB based aliases (uncomment to enable)
##alias_db_lookup("dbaliases");
if (!lookup("location")) {
switch ($retcode) {
case -1:
case -3:
t_newtran();
t_reply("404", "Not Found");
exit;
case -2:
sl_send_reply("405", "Method Not Allowed");
exit;
}
}
# when routing via usrloc, log the missed calls also
setflag(2);
route(1);
}
route[1] {
# for INVITEs enable some additional helper routes
if (is_method("INVITE")) {
t_on_branch("2");
t_on_reply("2");
t_on_failure("1");
}
if (!t_relay()) {
sl_reply_error();
};
exit;
}
# Presence route
/* uncomment the whole following route for enabling presence
NOTE: do not forget to enable the call of this route from the main
route */
##route[2]
##{
## if (!t_newtran())
## {
## sl_reply_error();
## exit;
## };
##
## if(is_method("PUBLISH"))
## {
## handle_publish();
## t_release();
## }
## else
## if( is_method("SUBSCRIBE"))
## {
## handle_subscribe();
## t_release();
## }
##
## exit;
##}
branch_route[2] {
xlog("new branch at $ru\n");
}
onreply_route[2] {
xlog("incoming reply\n");
}
failure_route[1] {
if (t_was_cancelled()) {
exit;
}
# uncomment the following lines if you want to block client
# redirect based on 3xx replies.
##if (t_check_status("3[0-9][0-9]")) {
##t_reply("404","Not found");
## exit;
##}
# uncomment the following lines if you want to redirect the failed
# calls to a different new destination
##if (t_check_status("486|408")) {
## sethostport("192.168.2.100:5060");
## # do not set the missed call flag again
## t_relay();
##}
}
_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
-----Inline Attachment Follows-----
_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20120913/7c05cef6/attachment-0001.htm>
More information about the Users
mailing list