Hello all,

I'm trying to set up an SBC of sorts so that I can have users authenticate to opensips using a public interface, then have opensips relay and rtpproxy that request to a private sip host.

Something like this:

public sip client ---(proxy authentication)--> aa.aa.aa.aa bb.bb.bb.bb  ----(sip trunk auth by ip) --->  cc.cc.cc.cc (inside sip gateway)

Where aa.aa.aa.aa and bb.bb.bb.bb live on the same host.

I used osipsconfig with use_auth, use_dbacc, use_dbusrloc, use_dialog, use_multidomain, use_dialplan, have_inbound_pstn, have_outbound_pstn

I then took the config it created and added the rtpproxy module and its config, as well as force_send_socket(), because when it sent SIP to cc.cc.cc.cc it was sourcing from aa.aa.aa.aa instead of bb.bb.bb.bb.

It almost works: there is actually one-way audio from cc.cc.cc.cc through the proxy to the client, but opensips tells the client that the audio is at cc.cc.cc.cc, which doesn't route.

What's the best way to do multihoming? opensips seems fairly straightforward with a single IP address, but things got complicated fast when I added a second IP.

I would just use b2b_init_request("top hiding"); but I get lots of loops when I do that.

Thanks,
Matt


####### Global Parameters #########

# 4 is the debug level (the most verbose one); fine while bringing the
# setup up, but chatty and costly in production
log_level=4
log_stderror=yes
log_facility=LOG_LOCAL0

children=4

/* uncomment the following lines to enable debugging */
#debug_mode=yes

/* uncomment the next line to enable the auto temporary blacklisting of
   not available destinations (default disabled) */
#disable_dns_blacklist=no

/* uncomment the next line to enable IPv6 lookup after IPv4 dns
   lookup failures (default disabled) */
#dns_try_ipv6=yes

/* comment the next line to enable the auto discovery of local aliases
   based on reverse DNS on IPs */
auto_aliases=no

# Two UDP sockets on the same host: aa.aa.aa.aa faces the public clients,
# bb.bb.bb.bb faces the inside gateway. Outgoing requests leave through the
# socket OpenSIPS selects unless the script pins one with
# force_send_socket(), as the PSTN branch of the main route does.
# NOTE(review): is_myself() matches these two addresses; with
# auto_aliases=no nothing else is added automatically, so any hostname or
# domain the clients use must be known some other way (presumably the
# domain table) — confirm.
listen=udp:bb.bb.bb.bb:5060   # CUSTOMIZE ME
listen=udp:aa.aa.aa.aa:5060   # CUSTOMIZE ME


####### Modules Section ########

#set module path
mpath="/usr/lib64/opensips/modules/"

#### SIGNALING module
loadmodule "signaling.so"

#### StateLess module
loadmodule "sl.so"

#### Transaction Module
loadmodule "tm.so"
modparam("tm", "fr_timeout", 5)
modparam("tm", "fr_inv_timeout", 30)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)

#### Record Route Module
loadmodule "rr.so"
/* do not append from tag to the RR (no need for this script) */
modparam("rr", "append_fromtag", 0)

#### MAX ForWarD module
loadmodule "maxfwd.so"

#### SIP MSG OPerationS module
loadmodule "sipmsgops.so"

#### FIFO Management Interface
loadmodule "mi_fifo.so"
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
# 0666 makes the management FIFO writable by every local account, i.e. any
# local user can drive the MI interface.
# NOTE(review): the usual hardening is 0660 with a dedicated group and a
# path outside /tmp — confirm who needs MI access.
modparam("mi_fifo", "fifo_mode", 0666)

#### PGSQL module
loadmodule "db_postgres.so"

#### HTTPD module
loadmodule "httpd.so"
# Only the port is set, so the HTTP server binds all addresses, including
# the public aa.aa.aa.aa; mi_http below exposes the management interface
# over it without any authentication.
# NOTE(review): restrict it, e.g. modparam("httpd", "ip", "127.0.0.1"),
# or filter port 8888 on the public side — confirm.
modparam("httpd", "port", 8888)

#### USeR LOCation module
loadmodule "usrloc.so"
# branch flag name for NATed contacts; nothing in this script sets it
# (no nathelper/nat_traversal module is loaded)
modparam("usrloc", "nat_bflag", "NAT")
modparam("usrloc", "db_mode",   2)
# the same DB credentials are repeated for usrloc, acc, auth_db, domain,
# dialog and dialplan; the password is in cleartext in this file, so keep
# the config file's permissions tight
modparam("usrloc", "db_url",
    "postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME


#### REGISTRAR module
loadmodule "registrar.so"
# flag set in the REGISTER branch of the main route for TCP registrations
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

#### ACCounting module
loadmodule "acc.so"
/* what special events should be accounted ? */
modparam("acc", "early_media", 0)
modparam("acc", "report_cancels", 0)
/* by default we do not adjust the direction of the sequential requests.
   if you enable this parameter, be sure to enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)
modparam("acc", "db_url",
    "postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME

#### AUTHentication modules
loadmodule "auth.so"
loadmodule "auth_db.so"
# calculate_ha1=yes means the "password" column holds cleartext passwords
# and the digest is computed per request; storing HA1 values instead
# (calculate_ha1 off) keeps cleartext passwords out of the database
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
    "postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME
modparam("auth_db", "load_credentials", "")

#### DOMAIN module
loadmodule "domain.so"
modparam("domain", "db_url",
        "postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME
modparam("domain", "db_mode", 1)   # Use caching
# multi-domain: usernames are looked up together with their domain
modparam("auth_db|usrloc", "use_domain", 1)

#### DIALOG module
loadmodule "dialog.so"
modparam("dialog", "dlg_match_mode", 1)
# after this the dialog module tears the call down itself (see
# create_dialog("B") in the main route and the BYE handling in local_route)
modparam("dialog", "default_timeout", 21600)  # 6 hours timeout
modparam("dialog", "db_mode", 2)
modparam("dialog", "db_url",
    "postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME

####  DIALPLAN module
loadmodule "dialplan.so"
modparam("dialplan", "db_url",
    "postgres://opensips:longpassword@localhost/opensips") # CUSTOMIZE ME

####  MI_HTTP module
# same MI command set as mi_fifo, reachable over the httpd module above
loadmodule "mi_http.so"
modparam("mi_http", "root", "json")

loadmodule "proto_udp.so"
# proto_tcp is loaded but only udp: listen sockets are defined above, so
# no TCP traffic is accepted unless a tcp: socket is added
loadmodule "proto_tcp.so"

# media relay; engaged per dialog from the PSTN branch of the main route
loadmodule "rtpproxy.so"
modparam("rtpproxy", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # CUSTOMIZE ME

# loaded but not referenced anywhere in this script
loadmodule "json.so"
loadmodule "jsonrpc.so"
loadmodule "event_jsonrpc.so"

####### Routing Logic ########

# main request routing logic

route{

    # Every received request enters here. Order matters: hop-count check,
    # in-dialog requests, CANCEL, then the authentication/relay policy for
    # initial requests, and finally registration, PSTN routing and user
    # location lookup.

    if (!mf_process_maxfwd_header(10)) {
        send_reply(483,"Too Many Hops");
        exit;
    }

    if (has_totag()) {
        # A To-tag means a sequential (in-dialog) request. No authentication
        # happens in this branch: the dialog was authenticated on its INVITE
        # and the Route set built by record_route() decides where it goes.

        # handle hop-by-hop ACK (no routing required)
        if ( is_method("ACK") && t_check_trans() ) {
            t_relay();
            exit;
        }

        # sequential request within a dialog should
        # take the path determined by record-routing
        if ( !loose_route() ) {
            # we do record-routing for all our traffic, so we should not
            # receive any sequential requests without Route hdr.
            send_reply(404,"Not here");
            exit;
        }

        # validate the sequential request against dialog
        # NOTE(review): a failed validation is only logged; with the exit
        # commented out the request is still relayed below.
        if ( $DLG_status!=NULL && !validate_dialog() ) {
            xlog("In-Dialog $rm from $si (callid=$ci) is not valid according to dialog\n");
            ## exit;
        }

        if (is_method("BYE")) {
            # do accounting even if the transaction fails
            do_accounting("db","failed");

        }

        # route it out to whatever destination was set by loose_route()
        # in $du (destination URI).
        route(relay);
        exit;
    }

    # CANCEL processing
    # only a CANCEL matching a pending transaction is relayed;
    # anything else is dropped
    if (is_method("CANCEL")) {
        if (t_check_trans())
            t_relay();
        exit;
    }

    # absorb retransmissions, but do not create transaction
    t_check_trans();

    # Authentication policy for initial requests. Exempt are REGISTER (it is
    # authenticated with www_authorize() further down) and anything arriving
    # from the inside gateway, which is trusted purely by source IP:port.
    # On UDP a source address is weak evidence of identity, so the private
    # interface should also be protected at the network level.
    if ( !(is_method("REGISTER")  || ($si==cc.cc.cc.cc && $sp==5060 /* CUSTOMIZE ME */) ) ) {

        if (is_myself("$fd")) {

            # authenticate if from local subscriber
            # authenticate all initial non-REGISTER request that pretend to be
            # generated by local subscriber (domain from FROM URI is local)
            if (!proxy_authorize("", "subscriber")) {
                proxy_challenge("", 0);
                exit;
            }
            # the authenticated username must be the one presented in From,
            # so one account cannot place calls under another identity
            if ($au!=$fU) {
                send_reply(403,"Forbidden auth ID");
                exit;
            }

            # drop the credentials header so it is not relayed downstream
            consume_credentials();
            # caller authenticated

        } else {
            # if caller is not local, then called number must be local
            # (otherwise this would be an open relay for foreign From
            # domains). Inbound calls that pass this check reach local
            # subscribers without any authentication.

            if (!is_myself("$rd")) {
                send_reply(403,"Relay Forbidden");
                exit;
            }
        }

    }

    # preloaded route checking
    # an initial request must not carry a Route header that steers it
    if (loose_route()) {
        xlog("L_ERR",
            "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
        if (!is_method("ACK"))
            send_reply(403,"Preload Route denied");
        exit;
    }

    # record routing
    # keeps this proxy in the path for sequential requests (handled in the
    # has_totag() branch above)
    if (!is_method("REGISTER|MESSAGE"))
        record_route();

    # account only INVITEs
    if (is_method("INVITE")) {

        # create dialog with timeout
        # "B": the dialog module sends its own BYE when default_timeout
        # expires; that BYE is accounted in local_route
        if ( !create_dialog("B") ) {
            send_reply(500,"Internal Server Error");
            exit;
        }

        do_accounting("db");

    }


    # Request-URI domain is not ours: relay it out as is. By the policy
    # above only an authenticated local caller or the trusted gateway gets
    # here. route(relay) exits, so nothing below runs for this case.
    if (!is_myself("$rd")) {
        append_hf("P-hint: outbound\r\n");

        route(relay);
    }

    # requests for my domain

    if (is_method("PUBLISH|SUBSCRIBE")) {
        send_reply(503, "Service Unavailable");
        exit;
    }

    if (is_method("REGISTER")) {
        # authenticate the REGISTER requests
        if (!www_authorize("", "subscriber")) {
            www_challenge("", 0);
            exit;
        }

        # the credentials must belong to the AOR being registered (To user)
        if ($au!=$tU) {
            send_reply(403,"Forbidden auth ID");
            exit;
        }
        # NOTE(review): only udp: listen sockets are defined, so this flag
        # is never set unless a tcp: socket is added
        if ($proto == "tcp")
            setflag(TCP_PERSISTENT);

        if (!save("location"))
            sl_reply_error();

        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        send_reply(484,"Address Incomplete");
        exit;
    }




    # apply transformations from dialplan table
    # (dialplan id 0, input $rU, result written back to $rU)
    dp_translate( 0, "$rU", $rU);

    # E.164-looking number after the dialplan rewrite: a PSTN call for the
    # inside gateway. Every authenticated subscriber reaches this branch;
    # there is no per-user PSTN authorisation here beyond the accounting.
    if ($rU=~"^\+[1-9][0-9]+$") {


        $rd="cc.cc.cc.cc"; # CUSTOMIZE ME
        $rp=5060;
        # Send the signalling from the private-side socket so the gateway
        # sees the trunk IP it authorises by. force_send_socket() only
        # selects the SIP socket; the media address the client ends up with
        # comes from the SDP in the gateway's reply.
        # NOTE(review): rtpproxy_engage() is expected to rewrite the SDP in
        # both directions via the dialog. If the client is still told
        # c=cc.cc.cc.cc, confirm that rtpproxy listens on an address the
        # client can reach (on a multihomed host usually one address per
        # side) and that the gateway's reply actually gets the rewrite.
        force_send_socket(udp:bb.bb.bb.bb:5060);
        rtpproxy_engage();

        route(relay);
        exit;
    }

    # do lookup with method filtering
    # "m": only contacts that advertise support for this request method
    if (!lookup("location","m")) {
        # distinguish an unknown user (420) from a known subscriber with no
        # registered contact (404)
        if (!db_does_uri_exist("$ru","subscriber")) {
            send_reply(420,"Bad Extension");
            exit;
        }

        t_reply(404, "Not Found");
        exit;
    }



    # when routing via usrloc, log the missed calls also
    do_accounting("db","missed");

    route(relay);
}


route[relay] {
    # Common forwarding point. Callers rely on it exiting: nothing after a
    # route(relay) call in the main route is ever reached.

    # for INVITEs enable some additional helper routes
    if (is_method("INVITE")) {



        t_on_branch("per_branch_ops");
        # NOTE(review): despite its name, handle_nat only logs; nothing in
        # this script touches reply SDP here, so any media fix-up is left to
        # the rtpproxy_engage() call in the PSTN branch of the main route.
        t_on_reply("handle_nat");
        t_on_failure("missed_call");
    }



    if (!t_relay()) {
        send_reply(500,"Internal Error");
    }
    exit;
}




branch_route[per_branch_ops] {
    # runs once per outgoing branch of a relayed INVITE; logging only
    xlog("new branch at $ru\n");
}


onreply_route[handle_nat] {
    # runs for every reply to a relayed INVITE; currently logging only,
    # no NAT or SDP handling despite the route name

    xlog("incoming reply\n");
}


failure_route[missed_call] {
    # runs when a relayed INVITE ends with a negative final reply
    # a cancelled call is not a missed call: nothing to do
    if (t_was_cancelled()) {
        exit;
    }

    # uncomment the following lines if you want to block client
    # redirect based on 3xx replies.
    ##if (t_check_status("3[0-9][0-9]")) {
    ##t_reply(404,"Not found");
    ##    exit;
    ##}

    # otherwise nothing is done here; the "missed" accounting armed in the
    # main route records the failure

}



local_route {
    # Runs for requests OpenSIPS generates itself rather than receives,
    # e.g. the BYE the dialog module sends when a dialog created with
    # create_dialog("B") reaches default_timeout.
    if (is_method("BYE") && $DLG_dir=="UPSTREAM") {

        # account the timed-out dialog as an explicit event
        # NOTE(review): the direction check presumably limits this to one
        # record per dialog rather than one per leg — confirm
        acc_db_request("200 Dialog Timeout", "acc");

    }
}
