Yes, because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.<div><br></div><div># authenticate if from local subscriber (uncomment to enable auth)<br>
 # authenticate all initial non-REGISTER request that pretend to be<br>
 # generated by local subscriber (domain from FROM URI is local)<br>
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/<br>
 ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/<br>
 {<br>
 if (!proxy_authorize("", "subscriber")) {<br>
 proxy_challenge("", "0");<br>
 exit;<br>
 }</div><div><br></div><div>This gets called BEFORE you check for destination, which is the right way to do it. The caller should authenticate itself before the callee is checked.</div>
<div><br></div><div>Thank you.</div><div><br><br><div class="gmail_quote">On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <span dir="ltr"><<a href="mailto:spurmohseni@yahoo.com" target="_blank">spurmohseni@yahoo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:tahoma,new york,times,serif"><div><span></span></div>
<div></div>
<div>Hi all</div>
<div> </div>
<div>I use sipp tool accompanying opensips server to generate normal SIP traffic. I successfully enabled authentication in opensips, added some users to the database, and performed the authentication process in REGISTER and INVITE requests. I see valid authentication when the username and password are valid, and authentication failure when the password is invalid. After sending the first INVITE and receiving a 407 (proxy auth req) message, in my scenario an INVITE message is sent with an authentication header containing a valid nonce. My problem is that when the URI of the re-INVITE request is invalid I receive 407 instead of 404 (not found). </div>
<div>I'm so <span>grateful for any help.</span></div>
<div> </div>
<div> </div>
<div>This is my opensips config file (opensips.cfg):</div>
<div> </div>
<div>#<br># $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $<br>#<br># OpenSIPS basic configuration script<br># by Anca Vamanu <<a href="mailto:anca@voice-system.ro" target="_blank">anca@voice-system.ro</a>><br>
#<br># Please refer to the Core CookBook at:<br># <a href="http://www.opensips.org/index.php?n=Resources.DocsCookbooks" target="_blank">http://www.opensips.org/index.php?n=Resources.DocsCookbooks</a><br># for an explanation of possible statements, functions and parameters.<br>
#</div>
<div><br>####### Global Parameters #########</div>
<div>#debug=3<br>log_stderror=no<br>log_facility=LOG_LOCAL0</div>
<div>fork=yes<br>children=4</div>
<div>/* uncomment the following lines to enable debugging */<br>debug=6<br>#fork=no<br>#log_stderror=yes</div>
<div>/* uncomment the next line to disable TCP (default on) */<br>#disable_tcp=yes</div>
<div>/* uncomment the next line to enable the auto temporary blacklisting of <br> not available destinations (default disabled) */<br>#disable_dns_blacklist=no</div>
<div>/* uncomment the next line to enable IPv6 lookup after IPv4 dns <br> lookup failures (default disabled) */<br>#dns_try_ipv6=yes</div>
<div>/* uncomment the next line to disable the auto discovery of local aliases<br> based on reverse DNS on IPs (default on) */<br>#auto_aliases=no</div>
<div>/* uncomment the following lines to enable TLS support (default off) */<br>#disable_tls = no<br>#listen = tls:your_IP:5061<br>#tls_verify_server = 1<br>#tls_verify_client = 1<br>#tls_require_client_certificate = 0<br>
#tls_method = TLSv1<br>#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"<br>#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"<br>#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"</div>
<div>port=5060</div>
<div>/* uncomment and configure the following line if you want opensips to <br> bind on a specific interface/port/proto (default bind on all available) */<br>listen=udp:194.225.238.244:5060</div>
<div><br>####### Modules Section ########</div>
<div>#set module path<br>mpath="/usr/local/lib64/opensips/modules/"</div>
<div>/* uncomment next line for MySQL DB support */<br>loadmodule "db_mysql.so"<br>loadmodule "signaling.so"<br>loadmodule "sl.so"<br>loadmodule "tm.so"<br>loadmodule "rr.so"<br>
loadmodule "maxfwd.so"<br>loadmodule "usrloc.so"<br>loadmodule "registrar.so"<br>loadmodule "textops.so"<br>loadmodule "mi_fifo.so"<br>loadmodule "uri_db.so"<br>
loadmodule "uri.so"<br>loadmodule "xlog.so"<br>loadmodule "acc.so"<br>/* uncomment next lines for MySQL based authentication support <br> NOTE: a DB (like db_mysql) module must be also loaded */<br>
loadmodule "auth.so"<br>loadmodule "auth_db.so"<br>/* uncomment next line for aliases support<br> NOTE: a DB (like db_mysql) module must be also loaded */<br>#loadmodule "alias_db.so"<br>/* uncomment next line for multi-domain support<br>
NOTE: a DB (like db_mysql) module must be also loaded<br> NOTE: be sure and enable multi-domain support in all used
modules<br> (see "multi-module params" section ) */<br>#loadmodule "domain.so"<br>/* uncomment the next two lines for presence server support<br> NOTE: a DB (like db_mysql) module must be also loaded */<br>
#loadmodule "presence.so"<br>#loadmodule "presence_xml.so"</div>
<div><br># ----------------- setting module-specific parameters ---------------</div>
<div><br># ----- mi_fifo params -----<br>modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")</div>
<div><br># ----- rr params -----<br># add value to ;lr param to cope with most of the UAs<br>modparam("rr", "enable_full_lr", 1)<br># do not append from tag to the RR (no need for this script)<br>modparam("rr", "append_fromtag", 0)</div>
<div><br># ----- registrar params -----<br>modparam("registrar", "method_filtering", 1)<br>/* uncomment the next line to disable parallel forking via location */<br># modparam("registrar", "append_branches", 0)<br>
/* uncomment the next line not to allow more than 10 contacts per AOR */<br>#modparam("registrar", "max_contacts", 10)</div>
<div><br># ----- usrloc params -----<br>modparam("usrloc", "db_mode", 0)<br>/* uncomment the following lines if you want to enable DB persistency<br> for location entries */<br>#modparam("usrloc", "db_mode", 2)<br>
#modparam("usrloc", "db_url",<br># "mysql://opensips:opensipsrw@localhost/opensips")</div>
<div><br># ----- uri_db params -----<br>/* by default we disable the DB support in the module as we do not need it<br> in this configuration */<br>modparam("uri_db", "use_uri_table", 0)<br>modparam("uri_db", "db_url", "")</div>
<div><br># ----- acc params -----<br>/* what special events should be accounted ? */<br>modparam("acc", "early_media", 1)<br>modparam("acc", "report_ack", 1)<br>modparam("acc", "report_cancels", 1)<br>
/* by default we do not adjust the direction of the sequential requests.<br> if you enable this parameter, be sure to enable "append_fromtag"<br> in "rr" module */<br>modparam("acc", "detect_direction", 0)<br>
/* account triggers (flags) */<br>modparam("acc", "failed_transaction_flag", 3)<br>modparam("acc", "log_flag", 1)<br>modparam("acc", "log_missed_flag", 2)<br>/* uncomment the following lines to enable DB accounting also */<br>
modparam("acc", "db_flag", 1)<br>modparam("acc", "db_missed_flag", 2)</div>
<div><br># ----- auth_db params -----<br>/* uncomment the following lines if you want to enable the DB based<br> authentication */<br>modparam("auth_db", "calculate_ha1", yes)<br>modparam("auth_db", "password_column", "password")<br>
modparam("auth_db", "db_url",<br> "mysql://opensips:opensipsrw@localhost/opensips")<br>modparam("auth_db", "load_credentials", "")</div>
<div><br># ----- alias_db params -----<br>/* uncomment the following lines if you want to enable the DB based<br> aliases */<br>#modparam("alias_db", "db_url",<br># "mysql://opensips:opensipsrw@localhost/opensips")</div>
<div><br># ----- domain params -----<br>/* uncomment the following lines to enable multi-domain detection<br> support */<br>#modparam("domain", "db_url",<br># "mysql://opensips:opensipsrw@localhost/opensips")<br>
#modparam("domain", "db_mode", 1) # Use caching</div>
<div><br># ----- multi-module params -----<br>/* uncomment the following line if you want to enable multi-domain support<br> in the modules (default off) */<br>#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)</div>
<div><br># ----- presence params -----<br>/* uncomment the following lines if you want to enable presence */<br>#modparam("presence|presence_xml", "db_url",<br># "mysql://opensips:opensipsrw@localhost/opensips")<br>
#modparam("presence_xml", "force_active", 1)<br>#modparam("presence", "server_address", "sip:192.168.1.2:5060")</div>
<div><br>####### Routing Logic ########</div>
<div><br># main request routing logic</div>
<div>route{</div>
<div> if (!mf_process_maxfwd_header("10")) {<br> sl_send_reply("483","Too Many Hops");<br> exit;<br> }</div>
<div> if (has_totag()) {<br> # sequential request within a dialog should<br> # take the path determined by record-routing<br> if (loose_route()) {<br> if (is_method("BYE")) {<br> setflag(1); # do accounting ...<br>
setflag(3); # ... even if the transaction fails<br> } else if (is_method("INVITE")) {<br> # even if in most of the cases is useless, do RR for<br> # re-INVITEs also, as some buggy clients do change route set<br>
# during the dialog.<br> record_route();<br> }<br> # route it out to whatever destination was set by loose_route()<br> # in $du (destination URI).<br> route(1);<br> } else {<br> /* uncomment the following lines if
you want to enable presence */<br> ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {<br> ## # in-dialog subscribe requests<br> ## route(2);<br> ## exit;<br> ##}<br>
if ( is_method("ACK") ) {<br> if ( t_check_trans() ) {<br> # non loose-route, but stateful ACK; must be an ACK after <br> # a 487 or e.g. 404 from upstream server<br> t_relay();<br> exit;<br>
} else {<br> # ACK without matching transaction -><br> # ignore and discard<br> exit;<br> }<br> } <br> sl_send_reply("404","Not
here");<br> }<br> exit;<br> }</div>
<div> #initial requests</div>
<div> # CANCEL processing<br> if (is_method("CANCEL"))<br> {<br> if (t_check_trans())<br> t_relay();<br> exit;<br> }</div>
<div> t_check_trans();</div>
<div> # authenticate if from local subscriber (uncomment to enable auth)<br> # authenticate all initial non-REGISTER request that pretend to be<br> # generated by local subscriber (domain from FROM URI is local)<br> if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/<br>
##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/<br> {<br> if (!proxy_authorize("", "subscriber")) {<br> proxy_challenge("", "0");<br> exit;<br>
}<br> if (!check_from()) {<br> sl_send_reply("403","Forbidden auth ID");<br> exit;<br> }<br> <br> consume_credentials();<br> # caller authenticated<br> }</div>
<div> # preloaded route checking<br> if (loose_route()) {<br> xlog("L_ERR",<br> "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");<br> if (!is_method("ACK"))<br> sl_send_reply("403","Preload Route denied");<br>
exit;<br> }</div>
<div> # record routing<br> if (!is_method("REGISTER|MESSAGE"))<br> record_route();</div>
<div> # account only INVITEs<br> if (is_method("INVITE")) {<br> setflag(1); # do accounting<br> }<br> if (!uri==myself)<br> ## replace with following line if multi-domain support is used<br> ##if (!is_uri_host_local())<br>
{<br> append_hf("P-hint: outbound\r\n"); <br> # if you have some interdomain connections via TLS<br> ##if($rd=="tls_domain1.net") {<br> ## t_relay("tls:domain1.net");<br>
## exit;<br> ##} else if($rd=="tls_domain2.net") {<br> ## t_relay("tls:domain2.net");<br> ## exit;<br>
##}<br> route(1);<br> }</div>
<div> # requests for my domain</div>
<div> ## uncomment this if you want to enable presence server <br> ## and comment the next 'if' block<br> ## NOTE: uncomment also the definition of route[2] from below<br> ##if( is_method("PUBLISH|SUBSCRIBE"))<br>
## route(2);</div>
<div> if (is_method("PUBLISH"))<br> {<br> sl_send_reply("503", "Service Unavailable");<br> exit;<br> }<br> </div>
<div> if (is_method("REGISTER"))<br> {<br> # authenticate the REGISTER requests (uncomment to enable auth)<br> if (!www_authorize("", "subscriber"))<br> {<br> www_challenge("", "0");<br>
exit;<br> }</div>
<div> if (!check_to()) <br> {<br> sl_send_reply("403","Forbidden auth ID");<br> exit;<br> }</div>
<div> if (!save("location"))<br> sl_reply_error();</div>
<div> exit;<br> }</div>
<div> if ($rU==NULL) {<br> # request with no Username in RURI<br> sl_send_reply("484","Address Incomplete");<br> exit;<br> }</div>
<div> # apply DB based aliases (uncomment to enable)<br> ##alias_db_lookup("dbaliases");</div>
<div> if (!lookup("location")) {<br> switch ($retcode) {<br> case -1:<br> case -3:<br> t_newtran();<br> t_reply("404", "Not Found");<br> exit;<br> case -2:<br> sl_send_reply("405", "Method Not Allowed");<br>
exit;<br> }<br> }</div>
<div> # when routing via usrloc, log the missed calls also<br> setflag(2);</div>
<div> route(1);<br>}</div>
<div><br>route[1] {<br> # for INVITEs enable some additional helper routes<br> if (is_method("INVITE")) {<br> t_on_branch("2");<br> t_on_reply("2");<br> t_on_failure("1");<br> }</div>
<div> if (!t_relay()) {<br> sl_reply_error();<br> };<br> exit;<br>}</div>
<div><br># Presence route<br>/* uncomment the whole following route for enabling presence<br> NOTE: do not forget to enable the call of this route from the main<br> route */<br>##route[2]<br>##{<br>## if (!t_newtran())<br>
## {<br>## sl_reply_error();<br>## exit;<br>## };<br>##<br>## if(is_method("PUBLISH"))<br>## {<br>## handle_publish();<br>## t_release();<br>## }<br>## else<br>## if( is_method("SUBSCRIBE"))<br>## {<br>
## handle_subscribe();<br>## t_release();<br>## }<br>##<br>## exit;<br>##}</div>
<div><br>branch_route[2] {<br> xlog("new branch at $ru\n");<br>}</div>
<div><br>onreply_route[2] {<br> xlog("incoming reply\n");<br>}</div>
<div><br>failure_route[1] {<br> if (t_was_cancelled()) {<br> exit;<br> }</div>
<div> # uncomment the following lines if you want to block client <br> # redirect based on 3xx replies.<br> ##if (t_check_status("3[0-9][0-9]")) {<br> ##t_reply("404","Not found");<br> ## exit;<br>
##}</div>
<div> # uncomment the following lines if you want to redirect the failed <br> # calls to a different new destination<br> ##if (t_check_status("486|408")) {<br> ## sethostport("192.168.2.100:5060");<br>
## # do not set the missed call flag again<br> ## t_relay();<br> ##}<br>}</div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Muhammad Shahzad<br>-----------------------------------<br>CISCO Rich Media Communication Specialist (CRMCS)<br>CISCO Certified Network Associate (CCNA)<br>
Cell: +92 334 422 40 88<br>MSN: <a href="mailto:shari_786pk@hotmail.com">shari_786pk@hotmail.com</a><br>Email: <a href="mailto:shaheryarkh@googlemail.com">shaheryarkh@googlemail.com</a><br>
</div>
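The ordering discussed in this thread, as an added example that is not part of either message or of OpenSIPS itself: a small Python model of the initial-request path in the posted `route{}` block, returning the reply each request would get. The `Request` fields, `route_initial` and the `REGISTERED` set are hypothetical names for this sketch; in-dialog handling, CANCEL, preloaded-route checks and the 405 lookup case are left out.

```python
from dataclasses import dataclass

# Constructed sample data: usernames that have a contact saved in "location".
REGISTERED = {"alice", "bob"}


@dataclass
class Request:
    method: str
    from_local: bool = True         # models from_uri==myself
    creds_valid: bool = False       # digest credentials verify against "subscriber"
    auth_user_matches: bool = True  # models check_from() / check_to()
    ruri_local: bool = True         # models uri==myself
    ruri_user: str = ""             # models $rU


def route_initial(req: Request) -> str:
    """Outcome of the posted main route for an initial (no To-tag) request."""
    # Step 1: the caller is authenticated before the destination is examined.
    if req.method != "REGISTER" and req.from_local:
        if not req.creds_valid:
            return "407 Proxy Authentication Required"  # proxy_challenge()
        if not req.auth_user_matches:
            return "403 Forbidden auth ID"
    # Step 2: a Request-URI outside the local domain is relayed outbound.
    if not req.ruri_local:
        return "relay"
    if req.method == "PUBLISH":
        return "503 Service Unavailable"
    if req.method == "REGISTER":
        if not req.creds_valid:
            return "401 Unauthorized"                   # www_challenge()
        if not req.auth_user_matches:
            return "403 Forbidden auth ID"
        return "200 OK"                                 # save("location")
    if not req.ruri_user:
        return "484 Address Incomplete"
    # Step 3: only an authenticated caller reaches the callee lookup.
    if req.ruri_user not in REGISTERED:
        return "404 Not Found"
    return "relay"


if __name__ == "__main__":
    for creds in (False, True):
        req = Request("INVITE", creds_valid=creds, ruri_user="nosuchuser")
        print(f"creds_valid={creds}: {route_initial(req)}")
```

With this order, a request whose credentials do not verify gets the same 407 whether or not the callee exists, so the 404 is only ever shown to an authenticated subscriber.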