Does second INVITE contain Proxy-Authorization header? Can you please paste SIP trace here?
Thank you.

On Fri, Sep 7, 2012 at 2:22 PM, sajjad purmohseni <[email protected]> wrote:

> Hello Muhammad thanks for reply.
>
> I think you mean invalidity of the "To URI"; But I am telling about
> invalidity of the "From URI" or the caller contact. In authentication
> process I expect to receive "404 not found" after sending second Invite or
> Register messages; but I receive 401 or 407. Is it normal action by server
> or it can send "404 not found" about invalid "From URI" to tell client that
> the contact URI is invalid?
>
> --------------------------------------------------
> kind regards;
> Sajad Pourmohseni
>
> ------------------------------
> *From:* Muhammad Shahzad <[email protected]>
> *To:* sajjad purmohseni <[email protected]>; OpenSIPS users mailing
> list <[email protected]>
> *Sent:* Friday, September 7, 2012 1:45 PM
> *Subject:* Re: [OpenSIPS-Users] I never see 404 not found
>
> Yes because you have enabled proxy authentication of every method except
> REGISTER. Here is where you are doing this.
>
> # authenticate if from local subscriber (uncomment to enable auth)
> # authenticate all initial non-REGISTER request that pretend to be
> # generated by local subscriber (domain from FROM URI is local)
> if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
> {
>     if (!proxy_authorize("", "subscriber")) {
>         proxy_challenge("", "0");
>         exit;
>     }
>
> This gets called BEFORE you check for destination, which is right way to
> do it. The caller should authenticate itself before callee is checked.
>
> Thank you.
>
> On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni
> <[email protected]> wrote:
>
> Hi all
>
> I use sipp tool accompanying opensips server to generate normal SIP
> traffic. I successfully enable authentication in opensips; added some users
> in database and performed authentication process in register and invite
> requests. I see valid authentication as username and passwords are valid
> and failure in authentication as password is invalid. After sending first
> invite and receiving 407 (proxy auth req) message; In my scenario an Invite
> message is sent with authentication header containing valid nonce. My
> problem is that when URI of re-Invite request is invalid I receive 407
> instead of 404 (not found).
> I'm so grateful about any help.
>
> This is my opensips config file (opensips.cfg):
>
> #
> # $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
> #
> # OpenSIPS basic configuration script
> # by Anca Vamanu <[email protected]>
> #
> # Please refer to the Core CookBook at:
> # http://www.opensips.org/index.php?n=Resources.DocsCookbooks
> # for an explanation of possible statements, functions and parameters.
> #
>
> ####### Global Parameters #########
> #debug=3
> log_stderror=no
> log_facility=LOG_LOCAL0
> fork=yes
> children=4
> /* uncomment the following lines to enable debugging */
> debug=6
> #fork=no
> #log_stderror=yes
> /* uncomment the next line to disable TCP (default on) */
> #disable_tcp=yes
> /* uncomment the next line to enable the auto temporary blacklisting of
> not available destinations (default disabled) */
> #disable_dns_blacklist=no
> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
> lookup failures (default disabled) */
> #dns_try_ipv6=yes
> /* uncomment the next line to disable the auto discovery of local aliases
> based on reverse DNS on IPs (default on) */
> #auto_aliases=no
> /* uncomment the following lines to enable TLS support (default off) */
> #disable_tls = no
> #listen = tls:your_IP:5061
> #tls_verify_server = 1
> #tls_verify_client = 1
> #tls_require_client_certificate = 0
> #tls_method = TLSv1
> #tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> #tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> #tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
> port=5060
> /* uncomment and configure the following line if you want opensips to
> bind on a specific interface/port/proto (default bind on all available)
> */
> listen=udp:194.225.238.244:5060
>
> ####### Modules Section ########
> #set module path
> mpath="/usr/local/lib64/opensips/modules/"
> /* uncomment next line for MySQL DB support */
> loadmodule "db_mysql.so"
> loadmodule "signaling.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri_db.so"
> loadmodule "uri.so"
> loadmodule "xlog.so"
> loadmodule "acc.so"
> /* uncomment next lines for MySQL based authentication support
> NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "auth.so"
> loadmodule "auth_db.so"
> /* uncomment next line for aliases support
> NOTE: a DB (like db_mysql) module must be also loaded */
> #loadmodule "alias_db.so"
> /* uncomment next line for multi-domain support
> NOTE: a DB (like db_mysql) module must be also loaded
> NOTE: be sure and enable multi-domain support in all used modules
> (see "multi-module params" section ) */
> #loadmodule "domain.so"
> /* uncomment the next two lines for presence server support
> NOTE: a DB (like db_mysql) module must be also loaded */
> #loadmodule "presence.so"
> #loadmodule "presence_xml.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # ----- mi_fifo params -----
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>
> # ----- rr params -----
> # add value to ;lr param to cope with most of the UAs
> modparam("rr", "enable_full_lr", 1)
> # do not append from tag to the RR (no need for this script)
> modparam("rr", "append_fromtag", 0)
>
> # ----- registrar params -----
> modparam("registrar", "method_filtering", 1)
> /* uncomment the next line to disable parallel forking via location */
> # modparam("registrar", "append_branches", 0)
> /* uncomment the next line not to allow more than 10 contacts per AOR */
> #modparam("registrar", "max_contacts", 10)
>
> # ----- usrloc params -----
> modparam("usrloc", "db_mode", 0)
> /* uncomment the following lines if you want to enable DB persistency
> for location entries */
> #modparam("usrloc", "db_mode", 2)
> #modparam("usrloc", "db_url",
> #     "mysql://opensips:opensipsrw@localhost/opensips")
>
> # ----- uri_db params -----
> /* by default we disable the DB support in the module as we do not need it
> in this configuration */
> modparam("uri_db", "use_uri_table", 0)
> modparam("uri_db", "db_url", "")
>
> # ----- acc params -----
> /* what special events should be accounted ? */
> modparam("acc", "early_media", 1)
> modparam("acc", "report_ack", 1)
> modparam("acc", "report_cancels", 1)
> /* by default we do not adjust the direction of the sequential requests.
> if you enable this parameter, be sure to enable "append_fromtag"
> in "rr" module */
> modparam("acc", "detect_direction", 0)
> /* account triggers (flags) */
> modparam("acc", "failed_transaction_flag", 3)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> /* uncomment the following lines to enable DB accounting also */
> modparam("acc", "db_flag", 1)
> modparam("acc", "db_missed_flag", 2)
>
> # ----- auth_db params -----
> /* uncomment the following lines if you want to enable the DB based
> authentication */
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "password_column", "password")
> modparam("auth_db", "db_url",
>     "mysql://opensips:opensipsrw@localhost/opensips")
> modparam("auth_db", "load_credentials", "")
>
> # ----- alias_db params -----
> /* uncomment the following lines if you want to enable the DB based
> aliases */
> #modparam("alias_db", "db_url",
> #     "mysql://opensips:opensipsrw@localhost/opensips")
>
> # ----- domain params -----
> /* uncomment the following lines to enable multi-domain detection
> support */
> #modparam("domain", "db_url",
> #     "mysql://opensips:opensipsrw@localhost/opensips")
> #modparam("domain", "db_mode", 1) # Use caching
>
> # ----- multi-module params -----
> /* uncomment the following line if you want to enable multi-domain support
> in the modules (default off) */
> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>
> # ----- presence params -----
> /* uncomment the following lines if you want to enable presence */
> #modparam("presence|presence_xml", "db_url",
> #     "mysql://opensips:opensipsrw@localhost/opensips")
> #modparam("presence_xml", "force_active", 1)
> #modparam("presence", "server_address", "sip:192.168.1.2:5060")
>
> ####### Routing Logic ########
>
> # main request routing logic
> route{
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     }
>     if (has_totag()) {
>         # sequential request within a dialog should
>         # take the path determined by record-routing
>         if (loose_route()) {
>             if (is_method("BYE")) {
>                 setflag(1); # do accounting ...
>                 setflag(3); # ... even if the transaction fails
>             } else if (is_method("INVITE")) {
>                 # even if in most of the cases is useless, do RR for
>                 # re-INVITEs also, as some buggy clients do change route set
>                 # during the dialog.
>                 record_route();
>             }
>             # route it out to whatever destination was set by loose_route()
>             # in $du (destination URI).
>             route(1);
>         } else {
>             /* uncomment the following lines if you want to enable presence */
>             ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>             ## # in-dialog subscribe requests
>             ## route(2);
>             ## exit;
>             ##}
>             if ( is_method("ACK") ) {
>                 if ( t_check_trans() ) {
>                     # non loose-route, but stateful ACK; must be an ACK after
>                     # a 487 or e.g. 404 from upstream server
>                     t_relay();
>                     exit;
>                 } else {
>                     # ACK without matching transaction ->
>                     # ignore and discard
>                     exit;
>                 }
>             }
>             sl_send_reply("404","Not here");
>         }
>         exit;
>     }
>     #initial requests
>     # CANCEL processing
>     if (is_method("CANCEL"))
>     {
>         if (t_check_trans())
>             t_relay();
>         exit;
>     }
>     t_check_trans();
>     # authenticate if from local subscriber (uncomment to enable auth)
>     # authenticate all initial non-REGISTER request that pretend to be
>     # generated by local subscriber (domain from FROM URI is local)
>     if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
>     ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
>     {
>         if (!proxy_authorize("", "subscriber")) {
>             proxy_challenge("", "0");
>             exit;
>         }
>         if (!check_from()) {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>
>         consume_credentials();
>         # caller authenticated
>     }
>     # preloaded route checking
>     if (loose_route()) {
>         xlog("L_ERR",
>             "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
>         if (!is_method("ACK"))
>             sl_send_reply("403","Preload Route denied");
>         exit;
>     }
>     # record routing
>     if (!is_method("REGISTER|MESSAGE"))
>         record_route();
>     # account only INVITEs
>     if (is_method("INVITE")) {
>         setflag(1); # do accounting
>     }
>     if (!uri==myself)
>     ## replace with following line if multi-domain support is used
>     ##if (!is_uri_host_local())
>     {
>         append_hf("P-hint: outbound\r\n");
>         # if you have some interdomain connections via TLS
>         ##if($rd=="tls_domain1.net") {
>         ## t_relay("tls:domain1.net");
>         ## exit;
>         ##} else if($rd=="tls_domain2.net") {
>         ## t_relay("tls:domain2.net");
>         ## exit;
>         ##}
>         route(1);
>     }
>     # requests for my domain
>     ## uncomment this if you want to enable presence server
>     ## and comment the next 'if' block
>     ## NOTE: uncomment also the definition of route[2] from below
>     ##if( is_method("PUBLISH|SUBSCRIBE"))
>     ## route(2);
>     if (is_method("PUBLISH"))
>     {
>         sl_send_reply("503", "Service Unavailable");
>         exit;
>     }
>
>     if (is_method("REGISTER"))
>     {
>         # authenticate the REGISTER requests (uncomment to enable auth)
>         if (!www_authorize("", "subscriber"))
>         {
>             www_challenge("", "0");
>             exit;
>         }
>         if (!check_to())
>         {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>         if (!save("location"))
>             sl_reply_error();
>         exit;
>     }
>     if ($rU==NULL) {
>         # request with no Username in RURI
>         sl_send_reply("484","Address Incomplete");
>         exit;
>     }
>     # apply DB based aliases (uncomment to enable)
>     ##alias_db_lookup("dbaliases");
>     if (!lookup("location")) {
>         switch ($retcode) {
>             case -1:
>             case -3:
>                 t_newtran();
>                 t_reply("404", "Not Found");
>                 exit;
>             case -2:
>                 sl_send_reply("405", "Method Not Allowed");
>                 exit;
>         }
>     }
>     # when routing via usrloc, log the missed calls also
>     setflag(2);
>     route(1);
> }
>
> route[1] {
>     # for INVITEs enable some additional helper routes
>     if (is_method("INVITE")) {
>         t_on_branch("2");
>         t_on_reply("2");
>         t_on_failure("1");
>     }
>     if (!t_relay()) {
>         sl_reply_error();
>     };
>     exit;
> }
>
> # Presence route
> /* uncomment the whole following route for enabling presence
> NOTE: do not forget to enable the call of this route from the main
> route */
> ##route[2]
> ##{
> ## if (!t_newtran())
> ## {
> ## sl_reply_error();
> ## exit;
> ## };
> ##
> ## if(is_method("PUBLISH"))
> ## {
> ## handle_publish();
> ## t_release();
> ## }
> ## else
> ## if( is_method("SUBSCRIBE"))
> ## {
> ## handle_subscribe();
> ## t_release();
> ## }
> ##
> ## exit;
> ##}
>
> branch_route[2] {
>     xlog("new branch at $ru\n");
> }
>
> onreply_route[2] {
>     xlog("incoming reply\n");
> }
>
> failure_route[1] {
>     if (t_was_cancelled()) {
>         exit;
>     }
>     # uncomment the following lines if you want to block client
>     # redirect based on 3xx replies.
>     ##if (t_check_status("3[0-9][0-9]")) {
>     ##t_reply("404","Not found");
>     ## exit;
>     ##}
>     # uncomment the following lines if you want to redirect the failed
>     # calls to a different new destination
>     ##if (t_check_status("486|408")) {
>     ## sethostport("192.168.2.100:5060");
>     ## # do not set the missed call flag again
>     ## t_relay();
>     ##}
> }
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> --
> Muhammad Shahzad
> -----------------------------------
> CISCO Rich Media Communication Specialist (CRMCS)
> CISCO Certified Network Associate (CCNA)
> Cell: +92 334 422 40 88
> MSN: [email protected]
> Email: [email protected]

--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: [email protected]
Email: [email protected]
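
The order of checks discussed in this thread, modelled as an added Python example (not code from the thread or from OpenSIPS): caller authentication runs before the callee lookup, so any request whose digest is missing, wrong, or carried in the wrong header is answered with 407 before a 404 can be produced. The realm, users, nonce and the `route`/`invite` helpers are constructed for illustration, the digest is computed without qop, and only the initial-INVITE path of the posted script is modelled.

```python
import hashlib

# Constructed sample data standing in for the subscriber and location tables.
REALM = "example.test"
SUBSCRIBERS = {"alice": "secret"}
LOCATION = {"bob"}
NONCE = "constructed-nonce"

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce=NONCE):
    """RFC 2617 digest response without qop (SIP digest is MD5-based)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def credentials_ok(cred, method):
    """Stand-in for proxy_authorize(): unknown user, other nonce or bad hash all fail."""
    if cred is None or cred["username"] not in SUBSCRIBERS or cred["nonce"] != NONCE:
        return False
    expected = digest_response(cred["username"], SUBSCRIBERS[cred["username"]],
                               method, cred["uri"])
    return cred["response"] == expected

def route(req):
    """Reply to an initial non-REGISTER request, in the order the script runs."""
    if req["from_domain"] == REALM:                        # from_uri==myself
        cred = req["headers"].get("Proxy-Authorization")   # Authorization is not read here
        if not credentials_ok(cred, req["method"]):
            return "407"                                   # proxy_challenge(); exit
        if cred["username"] != req["from_user"]:
            return "403"                                   # check_from() failed
    if req["ruri_user"] not in LOCATION:
        return "404"                                       # lookup("location") failed
    return "relay"

def invite(from_user, to_user, header=None, auth_user=None, password=None):
    """Build a constructed INVITE; header names the field that carries the digest."""
    uri = f"sip:{to_user}@{REALM}"
    req = {"method": "INVITE", "from_user": from_user, "from_domain": REALM,
           "ruri_user": to_user, "headers": {}}
    if header:
        req["headers"][header] = {
            "username": auth_user, "nonce": NONCE, "uri": uri,
            "response": digest_response(auth_user, password, "INVITE", uri)}
    return req
```

In this model a 404 is only reachable once the second INVITE carries a valid `Proxy-Authorization` header for a user present in the subscriber table.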
