OpenPKG Specs: opensips/opensips.cfg@b972dc20871f (annotated)

opensips/opensips.cfg@b972dc20871f (annotated)

opensips/opensips.cfg

Wed, 21 Sep 2011 16:06:14 +0200

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 21 Sep 2011 16:06:14 +0200
changeset 382: b972dc20871f
parent 377: 67e813202d53
child 397: c98ae03f4266
permissions: -rw-r--r--

Warning, downgrading software version due to TLS or TCP blocking defects in newest vendor version.

 ##
 ##  opensips.cfg -- OpenSIPS server configuration
 ##
 # General configuration help available at:
 # http://siprouter.teigre.com/doc/gettingstarted/
 # Specific routing help available at:
 # http://www.opensips.org/index.php?n=Resources.DocsCoreRoutes
 # Information on debug and log levels
 # http://www.voice-system.ro/docs/ser-syslog/
 # Die Konfigbloecke sind:
 #   Global Configuration Parameters
 #   Extension Module Loading
 #   Extension Module Configuration
 #   Main Request Routing Logic
 #   Secondary Request Routing Logic
 #   Branch Request Routing Logic
 #   Reply Request Routing Logic
 #   Failure Request Routing Logic
 #   Local Request Routing Logic
 #   Error Request Routing Logic
 #
 # Logging:
 #   L_ALERT (-3) - used if the error requires immediate action.
 #   L_CRIT (-2)  - used if the error is a critical situation.
 #   L_ERR (-1)   - used if the error doesn't cause system malfunctioning.
 #   L_WARN (1)   - used to write warning messages.
 #   L_NOTICE (2) - used to report unusual situations.
 #   L_INFO (3)   - used to write informational messages.
 #   L_DBG (4)    - used to write messages for debugging.
 #
 #   Global Configuration Parameters
 #
 #   process configuration
 debug=4
 log_stderror=no
 fork=yes
 children=2
 tcp_children=2
 user="@l_rusr@"
 group="@l_rgrp@"
 wdir="@l_prefix@/var/opensips"
 #   network configuration
 listen=udp:voip.realhost.tld:5060
 #listen = tls:voip.realhost.tld:5061
 #   network aliases
 alias=voip.firsthost.tld:5060
 #alias=voip.firsthost.tld:5061
 alias=voip.secondhost.tld:5060
 #alias=voip.secondhost.tld:5061
 #   enable TLS
 #https://confluence.terena.org/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy)
 #http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
 #
 #Run 'openserctl tls rootCA' to create @l_prefix@/etc/openser/tls/rootCA/cacert.pem.
 #Run 'openserctl tls userCERT' to create user-calist.pem, user-cert.pem, user-cert_req.pem, and user-privkey.pem in @l_prefix@/etc/openser/tls/user/.
 #Copy @l_prefix@/etc/openser/tls/rootCA/cacert.pem to the client host.
 #On Windows XP client hosts, run 'certmrg.msc' to import the certificate into the root certificate store.
 #
 #disable_tls       = 0
 #tls_method        = TLSv1
 #tls_verify_server = 1
 #tls_verify_client = 1
 #tls_require_client_certificate = 1
 #tls_ciphers_list  = "HIGH:MEDIUM:!ADH"  # openssl ciphers -v HIGH:MEDIUM
 #tls_certificate = "@l_prefix@/etc/opensips/tls/user/user-cert.pem"
 #tls_private_key = "@l_prefix@/etc/opensips/tls/user/user-privkey.pem"
 #tls_ca_list = "@l_prefix@/etc/opensips/tls/user/user-calist.pem"
 #
 #   Extension Module Loading
 #   http://www.opensips.org/index.php?n=Resources.DocsModules
 #
 # set module path
 mpath="@l_prefix@/lib/opensips/modules/"
 loadmodule "sl.so"          # Stateless replier
 loadmodule "tm.so"          # Transaction stateful
 loadmodule "signaling.so"   # Signaling wrapper of sl/tm
 loadmodule "rr.so"          # Record Route and Route
 loadmodule "maxfwd.so"      # Maximum Forward processor
 loadmodule "db_text.so"     # Text backend for database API
 loadmodule "usrloc.so"      # User location implementation
 loadmodule "registrar.so"   # SIP Registrar implementation
 loadmodule "uri.so"         # Generic URI operation
 loadmodule "auth.so"        # Authentication Interface
 loadmodule "textops.so"     # Text based manipulations
 loadmodule "acc.so"         # Accounting
 loadmodule "auth_db.so"     # Database backend authentication
 loadmodule "mi_fifo.so"     # FIFO support for Management Interface
 #loadmodule "flatstore.so"   # Fast writing only text database
 #loadmodule "alias_db.so"    # Database aliases
 #loadmodule "domain.so"      # Multidomain support
 #loadmodule "nathelper.so"   # NAT traversal helper
 #loadmodule "enum.so"        # ENUM lookup
 #
 #   Extension Module Configuration
 #
 # ----- dbtext params -----
 modparam("db_text", "db_mode", 0)  # caching for persistence
 # ----- multimodule params -----
 modparam("usrloc|uri|auth_db", "db_url", "text://@l_prefix@/var/opensips/db")
 # ----- rr params -----
 modparam("rr", "enable_full_lr", 1)  # add value to ;lr param for broken UAs
 modparam("rr", "append_fromtag", 1)  # important when using detect_direction
 # ----- usrloc params -----
 /* see 'multimodule params' as well */
 modparam("usrloc", "db_mode", 2)  # Write back database persistence scheme
 # ----- registrar params -----
 modparam("registrar", "max_contacts", 10)  # contacts per AOR allowed
 # ----- acc params -----
 /* see 'multimodule params' as well */
 modparam("acc", "db_url", "dbtext://@l_prefix@/var/opensips/db")
 #modparam("acc", "db_url", "flatstore:@l_prefix@/var/opensips/acc")
 modparam("acc", "early_media", 1)
 modparam("acc", "report_ack", 1)
 modparam("acc", "report_cancels", 1)
 modparam("acc", "detect_direction", 1)
 modparam("acc", "log_level", 2)
 modparam("acc", "log_flag", 1)
 modparam("acc", "log_missed_flag", 2)
 modparam("acc", "db_flag", 1)
 modparam("acc", "db_missed_flag", 2)
 modparam("acc", "failed_transaction_flag", 4)
 # ----- mi_fifo params -----
 modparam("mi_fifo", "fifo_name", "@l_prefix@/var/opensips/opensips.fifo")
 modparam("mi_fifo", "reply_dir", "@l_prefix@/var/opensips/tmp/")
 #
 #   Main Request Routing Logic
 #
 route {
     # message diagnostics
     #log(3, "new branch at $ru\n");
     xlog("L_INFO", "$rm: Orig - $ou\n");
     xlog("L_INFO", "$rm: Req  - $ru\n");
     xlog("L_INFO", "$rm: To   - $tu\n");
     xlog("L_INFO", "$rm: Dest - $du\n");
     xlog("L_INFO", "$rm: From - $fu\n");
     # sanity checks
     if (!mf_process_maxfwd_header("10")) {  # avoid loops in forward logic
         sl_send_reply("483","Too Many Hops");
         exit;
     }
     if (msg:len > max_len) {  # repel DoS attacks
         sl_send_reply("513", "Message Too Large");
         exit;
     };
     # sequential request within a dialog should
     # take the path determined by record routing
     if (has_totag()) {
         if (loose_route()) {
             if (is_method("BYE")) {
                 setflag(1); # do accouting...
                 setflag(4); # ...even if the transaction fails
             }
             # mark routing logic in request
             append_hf("P-hint: rr-enforced\r\n");
             route(1);
         } else {
             sl_send_reply("404", "Not Found");
         }
         exit;
     }
     #
     # initial requests
     #
     if (is_method("CANCEL")) {  # CANCEL processing
         if (t_check_trans())
             t_relay();
         exit;
     }
     t_check_trans();
     # authenticate if from local subscriber (uncomment to enable auth)
     #if (!is_method("REGISTER") && from_uri == myself) {
     #    if (!proxy_authorize("", "subscriber")) {
     #        proxy_challenge("", "0");
     #        exit;
     #    }
     #    if (!check_from()) {
     #        sl_send_reply("403","Forbidden");
     #        exit;
     #    }
     #
     #    consume_credentials();
     #    # caller authenticated
     #}
     #   record route all messages to ensure that subsequent messages
     #   will go through our proxy, particularly good if upstream
     #   and downstream entities use different transport protocol
     if (!is_method("REGISTER|MESSAGE")) {
         record_route();
     }
     # account only INVITEs
     if (is_method("INVITE")) {
         setflag(1);
     }
     if (!uri == myself) {
     /* replace with following line if multidomain support is used */
     #if (!is_uri_host_local()) {
         append_hf("P-hint: outbound\r\n");
         # if you have some interdomain connections via TLS
         #if ($rd == "tls_domain1.net") {
         #    t_relay("tls:domain1.net");
         #    exit;
         #} else if ($rd == "tls_domain2.net") {
         #    t_relay("tls:domain2.net");
         #    exit;
         #}
         route(1);
     }
     #
     # requests for my domain
     #
     if (is_method("PUBLISH")) {
         sl_send_reply("503", "Service Unavailable");
         exit;
     }
     if (is_method("REGISTER")) {
         # authenticate the REGISTER requests (uncomment to enable auth)
         #if (!www_authorize("", "subscriber")) {
         #    www_challenge("", "0");
         #    exit;
         #}
         #
         #if (!check_to()) {
         #    sl_send_reply("403","Forbidden");
         #    exit;
         #}
         if (!save("location"))
             sl_reply_error();
         exit;
     }
     if ($rU == NULL) {
         # request with no Username in RURI
         sl_send_reply("484","Address Incomplete");
         exit;
     }
     lookup("location");
     switch ($retcode) {
         case 1:
             append_hf("P-hint: usrloc applied\r\n");
             break;
         case -1:
             t_newtran();
             t_reply("404", "Not Found");
             exit;
         case -2:
             sl_send_reply("405", "Method Not Allowed");
             exit;
         case -3:
             t_newtran();
             t_reply("500", "Server Internal Error");
             exit;
     }
     setflag(2);  # when routing via usrloc then
     route(1);    # log the missed calls as well
 }
 #
 #   Secondary Request Routing Logic
 #
 route[1] {
     # for INVITEs enable some additional helper routes
     if (is_method("INVITE")) {
         t_on_branch("1");
         t_on_reply("1");
         t_on_failure("1");
     }
     # send with stateful forwarding which works reliably even for UDP2TCP
     if (!t_relay())
         sl_reply_error();
     exit;  # safeguard
 }
 #
 #   Branch Request Routing Logic
 #
 branch_route[1] {
     xlog("L_INFO", "new branch at $ru\n");
 }
 #
 #   Reply Request Routing Logic
 #
 onreply_route[1] {
     xlog("L_INFO", "incoming reply at $ru\n");
 #    if ($ua =~ fritz.box)
 #        xlog("L_ERR", "$rm: The Fritzbox replied!\n");
 #    if ($ua =~ fritz.box && has_body("application/sdp"))
 #        search_append_body("a=sendrecv.*", "\na=ptime:30");
 }
 #
 #   Failure Request Routing Logic
 #
 failure_route[1] {
     xlog("L_INFO", "failed route at $ru\n");
     if (t_was_cancelled())
         exit;
     # uncomment the following lines to block
     # client redirect based on 3xx replies
     #if (t_check_status("3[0-9][0-9]")) {
     #t_reply("404","Not Found");
     #    exit;
     #}
     # uncomment the following lines to redirect
     # failed calls to a different new destination
     #if (t_check_status("486|408")) {
     #    sethostport("192.168.2.100:5060");
     #    append_branch();
     #    # do not set the missed call flag again
     #    t_relay();
     #}
 }
 #
 #   Local Request Routing Logic
 #
 local_route {
     if (is_method("INVITE") && $ru=~"@foreign.tld") {
         append_hf("P-hint: foreign request\r\n");
         exit;
     }
     if (is_method("BYE"))
         xlog("L_INFO", "internally generated BYE\n");
 }
 #
 #   Error Request Routing Logic
 #
 error_route {
     xlog("L_ERR", "error route class=$(err.class) level=$(err.level) info=$(err.info) rcode=$(err.rcode) rreason=$(err.rreason)\n");
     xlog("L_ERR", "error from [$si:$sp]\n");
     xlog("L_ERR", "++++\n$mb\n++++\n");
     sl_send_reply("$err.rcode", "$err.rreason");
     exit;
 }

OpenPKG Specs / annotate

opensips/opensips.cfg@b972dc20871f (annotated)

opensips/opensips.cfg