Hello Brett Nemeroff!

Thanks for your valuable suggestion and for the security measure to avoid spoofing by bad customers. I will try it.

Thanks
Regards,
Zulqarnain

>Honestly, this is outside of the scope of this mailing list, but this
>may get you on track.
>
>First you'll need an asterisk context in the [general] section of your
>sip.conf:
>
>[general]
>context=default
>
>then in extensions.conf you'll need to use the SIP_HEADER function, to
>check for the header and do your magic based on the result. For your
>reference, here's the doc for the SIP_HEADER function
>
>[Syntax]
>SIP_HEADER(<name>[,<number>])
>
>[Synopsis]
>Gets the specified SIP header
>
>[Description]
>Since there are several headers (such as Via) which can occur multiple
>times, SIP_HEADER takes an optional second argument to specify which header
>with that name to retrieve. Headers start at offset 1.
>
>======%<===========
>
>Lastly, if you are going to add a header with opensips to include
>something that is an authoritative reference to the customer, then you
>MUST first remove the header from the incoming message or your
>customer could spoof it. Let me give you an example, I'm a "bad
>customer" and I see you are on the mailing list and are using
>X-source-ip: header to authenticate calls. So before I send you calls,
>I'll stick in a:
>
>X-source-ip: 192.168.1.1
>
>to mess you up. If you don't first remove the header, both headers (I
>think?) will likely reach the asterisk and heaven only knows which one
>asterisk will use. :)
>
>Of course, alternatively, you can just do this IN opensips. I do this,
>works great. And as a big plus, it doesn't use asterisk or funky
>headers. :)
>
>-Brett

On Sat, Dec 12, 2009 at 1:31 PM, Muhammad Zulqarnain <[email protected]> wrote:
> Hello!
>
> Thanks Bogdan!
>
> I have added following to sip header which add source IP in sip packet
> before sending to asterisk.
>
> append_hf("X-customer-ip: $si\r\n");
>
> Sip trace got following packet which add X-customer-ip: x.x.x.x to sip
> header but I am wondering how to tell/set up asterisk to read source IP from
> additional sip header instead of network level. Also I have another switch
> named Voipswitch on which I would not be able to customize anything to
> honor incoming sip header for source ip validation so solution should work
> for all GW/Server other than asterisk only.
>
> U 2009/12/12 18:58:32.829652 y.y.y.y:5060 -> z.z.z.z:5060
> INVITE sip:[email protected] SIP/2.0.
> Record-Route: <sip:y.y.y.y;lr;ftag=a16f2b41;did=882.11d0f5f>.
> To: <sip:[email protected]>.
> From: hello<sip:[email protected]>;tag=a16f2b41.
> Via: SIP/2.0/UDP y.y.y.y;branch=z9hG4bKfb2e.a79595a4.0.
> Via: SIP/2.0/UDP x.x.x.x:7266;received=x.x.x.x;branch=z9hG4bK-d87543-197592634-1--d87543-;rport=7266.
> Call-ID: 9867b13bdc3a4f30.
> CSeq: 1 INVITE.
> Contact: <sip:[email protected]:7266>.
> Max-Forwards: 69.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.
> Content-Type: application/sdp.
> User-Agent: eyeBeam release 3007n stamp 17816.
> Content-Length: 237.
> X-customer-ip: x.x.x.x.
>
> Please suggest solution with sample configs.
>
> Thanks
> Regards
> Muhammad Zulqarnain
>
>>Hi Muhammad,
>>
>>What you can do (and I know for sure it works with Asterisk), is to
>>configure opensips (LB) to add the real src IP (IP of the client) into a
>>SIP header (in the request) and send it to Asterisk - asterisk will do IP
>>based auth but will take IP from that header (custom name) instead of
>>taking it from network level.
>>
>>Regards,
>>Bogdan
>
> Muhammad Zulqarnain wrote:
>> Hello!
>>
>> This is Zulqarnain and my first post to this mailing list. I just start
>> using OpenSIPS and trying to get myself familiar with OpenSIPS and its config
>> files, method etc.
>>
>> Well, I am trying to achieve following:
>> Client IP: x.x.x.x
>> OpenSIPS: y.y.y.y
>> Asterisk: z.z.z.z
>>
>> 1) Client -> OpenSIPS (Load_balancer) -> Asterisk1, Asterisk2....
>> a) If Client Request is Register -> Relay to Asterisk (It is working
>> fine as peer is defined with user/passwd auth, host=dynamic)
>> b) If Client Request is INVITE -> Relay to Asterisk (Asterisk Reject as
>> peer is defined as IP Auth, type=peer, host=x.x.x.x)
>>
>> "b" scenario failed as Asterisk read OpenSIPS IP y.y.y.y and reject the
>> call as Asterisk is expecting Source IP x.x.x.x instead of y.y.y.y
>>
>> I tried following to fix but no success:
>>
>> 1) 302 Redirect for GW Clients, who can only authenticate by IP and don't
>> support registration with user/passwd. But my DID Provider doesn't support 302
>> redirect although I have tested with Eyebeam Client in peer to peer mode and
>> it works. But as it didn't work with my provider so I tried another way:
>>
>> 2) uac_replace_from & uac_replace_to function of uac.so module, I tried to
>> replace from/to field with client IP but still Invite is from OpenSIPS IP
>> y.y.y.y and again Asterisk/Voipswitch (another switch) reject call.
>>
>> If required I can post my config file as well here or pastebin for your
>> expert reviews. I would like to know if it is possible to achieve above
>> scenario with OpenSIPS, if Yes then how, any example would appreciated.
>>
>> Another small problem is that while setting up 302 redirect I wanted to
>> pass $du value to rewritehost("") as $du have the address return by
>> load_balancer of destination IP and rewritehost() only accept string.
>> Looking for suggestion on this as well.
>>
>> Hopefully to receive positive reply by community.
>>
>> Thanks
>> Regards,
>> Muhammad Zulqarnain
>> MSN: [email protected]
>
> --
> Bogdan-Andrei Iancu
> www.voice-system.ro

_______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
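
The strip-before-append point from the quoted reply, as an added Python example (not code from the thread, OpenSIPS or Asterisk). The INVITE and addresses are constructed, and `get_header` is a hypothetical stand-in for `SIP_HEADER(<name>[,<number>])` that assumes headers are returned in message order.

```python
HDR = "X-customer-ip"  # header name used in the thread

# Constructed INVITE from a client at 203.0.113.7 that pre-loads its own copy
# of the header (different case, space before the colon) to claim 192.168.1.1.
INBOUND = (
    "INVITE sip:100@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:7266;branch=z9hG4bK-constructed\r\n"
    "x-CUSTOMER-ip : 192.168.1.1\r\n"
    "Call-ID: constructed-example\r\n"
    "Content-Length: 0\r\n\r\n"
)

def split_headers(raw):
    """Parse the header section into [(name, value)], unfolding continuation lines."""
    headers = []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def get_header(headers, name, number=1):
    """Hypothetical stand-in for SIP_HEADER(<name>[,<number>]); offsets start at 1."""
    hits = [v for n, v in headers if n.lower() == name.lower()]
    return hits[number - 1] if 0 < number <= len(hits) else ""

def proxy_stamp(headers, src_ip, strip_inbound):
    """Append the proxy's header; with strip_inbound, drop every inbound copy first."""
    if strip_inbound:
        headers = [(n, v) for n, v in headers if n.lower() != HDR.lower()]
    return headers + [(HDR, src_ip)]

def what_backend_sees(strip_inbound, src_ip="203.0.113.7"):
    """Return every value of HDR, in order, that reaches the server behind the proxy."""
    out = proxy_stamp(split_headers(INBOUND), src_ip, strip_inbound)
    return [v for n, v in out if n.lower() == HDR.lower()]

if __name__ == "__main__":
    for strip in (False, True):
        hdrs = proxy_stamp(split_headers(INBOUND), "203.0.113.7", strip)
        print("strip_inbound =", strip, "| all copies:", what_backend_sees(strip),
              "| offset 1:", get_header(hdrs, HDR))
```

With append only, two copies arrive and the first one is the client's claim; with strip-then-append, the only copy is the address the proxy observed.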
