OpenPKG Specs: comparison opensips/opensips.cfg

-:b8f87346fde6
+:14b31eac7d5c
 ##
 ##  opensips.cfg -- OpenSIPS server configuration
 ##
-#
-#   GLOBAL CONFIGURATION PARAMETERS
+# General configuration help available at:
-#
+# http://siprouter.teigre.com/doc/gettingstarted/
+# Specific routing help available at:
+# http://www.opensips.org/index.php?n=Resources.DocsCoreRoutes
+# Information on debug and log levels
+# http://www.voice-system.ro/docs/ser-syslog/
+# Die Konfigbloecke sind:
+#   Global Configuration Parameters
+#   Extension Module Loading
+#   Extension Module Configuration
+#   Main Request Routing Logic
+#   Secondary Request Routing Logic
+#   Branch Request Routing Logic
+#   Reply Request Routing Logic
+#   Failure Request Routing Logic
+#   Local Request Routing Logic
+#   Error Request Routing Logic
+#
+# Logging:
+#   L_ALERT (-3) - used if the error requires immediate action.
+#   L_CRIT (-2)  - used if the error is a critical situation.
+#   L_ERR (-1)   - used if the error doesn't cause system malfunctioning.
+#   L_WARN (1)   - used to write warning messages.
+#   L_NOTICE (2) - used to report unusual situations.
+#   L_INFO (3)   - used to write informational messages.
+#   L_DBG (4)    - used to write messages for debugging.
+#
+#   Global Configuration Parameters
+#
 #   process configuration
-debug=1
+debug=4
 log_stderror=no
 fork=yes
-check_via=no
+children=2
-dns=no
+tcp_children=2
-rev_dns=no
-children=4
 user="@l_rusr@"
 group="@l_rgrp@"
-fifo="@l_prefix@/var/opensips/opensips.fifo"
+wdir="@l_prefix@/var/opensips"
-workdir="@l_prefix@/var/opensips"
 #   network configuration
-alias="sip.example.com"
+listen=udp:voip.realhost.tld:5060
-listen="127.0.0.1"
+#listen = tls:voip.realhost.tld:5061
-port=5060
+#   network aliases
-#
+alias=voip.firsthost.tld:5060
-#   EXTENSION MODULE LOADING
+#alias=voip.firsthost.tld:5061
-#
+alias=voip.secondhost.tld:5060
+#alias=voip.secondhost.tld:5061
-#loadmodule "@l_prefix@/lib/opensips/modules/dbtext.so"
+#   enable TLS
-loadmodule "@l_prefix@/lib/opensips/modules/sl.so"
+#https://confluence.terena.org/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy)
-loadmodule "@l_prefix@/lib/opensips/modules/tm.so"
+#http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
-loadmodule "@l_prefix@/lib/opensips/modules/rr.so"
+#
-loadmodule "@l_prefix@/lib/opensips/modules/maxfwd.so"
+#Run 'openserctl tls rootCA' to create @l_prefix@/etc/openser/tls/rootCA/cacert.pem.
-loadmodule "@l_prefix@/lib/opensips/modules/usrloc.so"
+#Run 'openserctl tls userCERT' to create user-calist.pem, user-cert.pem, user-cert_req.pem, and user-privkey.pem in @l_prefix@/etc/openser/tls/user/.
-loadmodule "@l_prefix@/lib/opensips/modules/registrar.so"
+#Copy @l_prefix@/etc/openser/tls/rootCA/cacert.pem to the client host.
-loadmodule "@l_prefix@/lib/opensips/modules/textops.so"
+#On Windows XP client hosts, run 'certmrg.msc' to import the certificate into the root certificate store.
+#
-#loadmodule "@l_prefix@/lib/opensips/modules/auth.so"
+#disable_tls       = 0
-#loadmodule "@l_prefix@/lib/opensips/modules/auth_db.so"
+#tls_method        = TLSv1
+#tls_verify_server = 1
-#loadmodule "@l_prefix@/lib/opensips/modules/nathelper.so"
+#tls_verify_client = 1
+#tls_require_client_certificate = 1
-#
+#tls_ciphers_list  = "HIGH:MEDIUM:!ADH"  # openssl ciphers -v HIGH:MEDIUM
-#   EXTENSION MODULE CONFIGURATION
+#tls_certificate = "@l_prefix@/etc/opensips/tls/user/user-cert.pem"
-#
+#tls_private_key = "@l_prefix@/etc/opensips/tls/user/user-privkey.pem"
+#tls_ca_list = "@l_prefix@/etc/opensips/tls/user/user-calist.pem"
-#   module rr:
-modparam("rr", "enable_full_lr", 1)
+#
-#   module usrloc:
+#   Extension Module Loading
-modparam("usrloc", "db_mode", 0)
+#   http://www.opensips.org/index.php?n=Resources.DocsModules
-#modparam("usrloc", "db_mode", 2)
+#
-#modparam("usrloc|auth_db", "db_url", "dbtext://@l_prefix@/var/opensips/db")
+# set module path
+mpath="@l_prefix@/lib/opensips/modules/"
-#   module auth:
-#modparam("auth_db", "calculate_ha1", 1)
+loadmodule "sl.so"          # Stateless replier
-#modparam("auth_db", "password_column", "password")
+loadmodule "tm.so"          # Transaction stateful
-#modparam("auth_db", "user_column", "username")
+loadmodule "signaling.so"   # Signaling wrapper of sl/tm
-#modparam("auth_db", "domain_column", "domain")
+loadmodule "rr.so"          # Record Route and Route
+loadmodule "maxfwd.so"      # Maximum Forward processor
-#   module nathelper:
+loadmodule "db_text.so"     # Text backend for database API
-#modparam("registrar", "nat_flag", 6)
+loadmodule "usrloc.so"      # User location implementation
-#modparam("nathelper", "natping_interval", 30)
+loadmodule "registrar.so"   # SIP Registrar implementation
-#modparam("nathelper", "ping_nated_only", 1)
+loadmodule "uri.so"         # Generic URI operation
-#modparam("nathelper", "rtpproxy_sock", "unix:@l_prefix@/var/opensips/opensips_rtpproxy.sock")
+loadmodule "auth.so"        # Authentication Interface
-#modparam("nathelper", "rtpproxy_disable", 0)
+loadmodule "textops.so"     # Text based manipulations
-#modparam("nathelper", "rtpproxy_disable_tout", 20)
+loadmodule "acc.so"         # Accounting
-#modparam("nathelper", "sipping_from", "sip:pinger@sip.example.com")
+loadmodule "auth_db.so"     # Database backend authentication
+loadmodule "mi_fifo.so"     # FIFO support for Management Interface
-#
+#loadmodule "flatstore.so"   # Fast writing only text database
-#   MAIN ROUTING LOGIC
+#loadmodule "alias_db.so"    # Database aliases
-#
+#loadmodule "domain.so"      # Multidomain support
+#loadmodule "nathelper.so"   # NAT traversal helper
-route{
+#loadmodule "enum.so"        # ENUM lookup
-#   initial sanity checks -- messages with
-#   max_forwards==0, or excessively long requests
-if (!mf_process_maxfwd_header("10")) {
+#
-sl_send_reply("483", "Too Many Hops");
+#   Extension Module Configuration
+#
+# ----- dbtext params -----
+modparam("db_text", "db_mode", 0)  # caching for persistence
+# ----- multimodule params -----
+modparam("usrloc|uri|auth_db", "db_url", "text://@l_prefix@/var/opensips/db")
+# ----- rr params -----
+modparam("rr", "append_fromtag", 1)  # important when using detect_direction
+# ----- usrloc params -----
+/* see 'multimodule params' as well */
+modparam("usrloc", "db_mode", 2)  # Write back database persistence scheme
+# ----- registrar params -----
+modparam("registrar", "max_contacts", 10)  # contacts per AOR allowed
+# ----- acc params -----
+/* see 'multimodule params' as well */
+modparam("acc", "db_url", "dbtext://@l_prefix@/var/opensips/db")
+#modparam("acc", "db_url", "flatstore:@l_prefix@/var/opensips/acc")
+modparam("acc", "early_media", 1)
+modparam("acc", "report_cancels", 1)
+modparam("acc", "detect_direction", 1)
+modparam("acc", "log_level", 2)
+modparam("acc", "log_flag", 1)
+modparam("acc", "log_missed_flag", 2)
+modparam("acc", "db_flag", 1)
+modparam("acc", "db_missed_flag", 2)
+modparam("acc", "failed_transaction_flag", 4)
+# ----- mi_fifo params -----
+modparam("mi_fifo", "fifo_name", "@l_prefix@/var/opensips/opensips.fifo")
+modparam("mi_fifo", "reply_dir", "@l_prefix@/var/opensips/tmp/")
+#
+#   Main Request Routing Logic
+#
+route {
+# message diagnostics
+#log(3, "new branch at $ru\n");
+xlog("L_INFO", "$rm: Orig - $ou\n");
+xlog("L_INFO", "$rm: Req  - $ru\n");
+xlog("L_INFO", "$rm: To   - $tu\n");
+xlog("L_INFO", "$rm: Dest - $du\n");
+xlog("L_INFO", "$rm: From - $fu\n");
+# sanity checks
+if (!mf_process_maxfwd_header("10")) {  # avoid loops in forward logic
+sl_send_reply("483","Too Many Hops");
+exit;
+}
+if (msg:len > max_len) {  # repel DoS attacks
+sl_send_reply("513", "Message Too Large");
 exit;
 };
-if (msg:len >= max_len) {
-sl_send_reply("513", "Message too big");
+# sequential request within a dialog should
-exit;
+# take the path determined by record routing
-};
+if (has_totag()) {
+if (loose_route()) {
-#if (method == "INVITE" && uri != myself) {
+if (is_method("BYE")) {
-#    sl_send_reply("403", "No relaying");
+setflag(1); # do accouting...
+setflag(4); # ...even if the transaction fails
+}
+# mark routing logic in request
+append_hf("P-hint: rr-enforced\r\n");
+route(1);
+} else {
+sl_send_reply("404", "Not Found");
+}
+exit;
+}
+#
+# initial requests
+#
+if (is_method("CANCEL")) {  # CANCEL processing
+if (t_check_trans())
+t_relay();
+exit;
+}
+t_check_trans();
+# authenticate if from local subscriber (uncomment to enable auth)
+#if (!is_method("REGISTER") && from_uri == myself) {
+#    if (!proxy_authorize("", "subscriber")) {
+#        proxy_challenge("", "0");
+#        exit;
+#    }
+#    if (!check_from()) {
+#        sl_send_reply("403","Forbidden");
+#        exit;
+#    }
+#
+#    consume_credentials();
+#    # caller authenticated
+#}
+#   record route all messages to ensure that subsequent messages
+#   will go through our proxy, particularly good if upstream
+#   and downstream entities use different transport protocol
+if (!is_method("REGISTER|MESSAGE")) {
+record_route();
+}
+# account only INVITEs
+if (is_method("INVITE")) {
+setflag(1);
+}
+if (!uri == myself) {
+/* replace with following line if multidomain support is used */
+#if (!is_uri_host_local()) {
+append_hf("P-hint: outbound\r\n");
+# if you have some interdomain connections via TLS
+#if ($rd == "tls_domain1.net") {
+#    t_relay("tls:domain1.net");
+#    exit;
+#} else if ($rd == "tls_domain2.net") {
+#    t_relay("tls:domain2.net");
+#    exit;
+#}
+route(1);
+}
+#
+# requests for my domain
+#
+if (is_method("PUBLISH")) {
+sl_send_reply("503", "Service Unavailable");
+exit;
+}
+if (is_method("REGISTER")) {
+# authenticate the REGISTER requests (uncomment to enable auth)
+#if (!www_authorize("", "subscriber")) {
+#    www_challenge("", "0");
+#    exit;
+#}
+#
+#if (!check_to()) {
+#    sl_send_reply("403","Forbidden");
+#    exit;
+#}
+if (!save("location"))
+sl_reply_error();
+exit;
+}
+if ($rU == NULL) {
+# request with no Username in RURI
+sl_send_reply("484","Address Incomplete");
+exit;
+}
+lookup("location");
+switch ($retcode) {
+case 1:
+append_hf("P-hint: usrloc applied\r\n");
+break;
+case -1:
+t_newtran();
+t_reply("404", "Not Found");
+exit;
+case -2:
+sl_send_reply("405", "Method Not Allowed");
+exit;
+case -3:
+t_newtran();
+t_reply("500", "Server Internal Error");
+exit;
+}
+setflag(2);  # when routing via usrloc then
+route(1);    # log the missed calls as well
+}
+#
+#   Secondary Request Routing Logic
+#
+route[1] {
+# for INVITEs enable some additional helper routes
+if (is_method("INVITE")) {
+t_on_branch("1");
+t_on_reply("1");
+t_on_failure("1");
+}
+# send with stateful forwarding which works reliably even for UDP2TCP
+if (!t_relay())
+sl_reply_error();
+exit;  # safeguard
+}
+#
+#   Branch Request Routing Logic
+#
+branch_route[1] {
+xlog("L_INFO", "new branch at $ru\n");
+}
+#
+#   Reply Request Routing Logic
+#
+onreply_route[1] {
+xlog("L_INFO", "incoming reply at $ru\n");
+#    if ($ua =~ fritz.box)
+#        xlog("L_ERR", "$rm: The Fritzbox replied!\n");
+#    if ($ua =~ fritz.box && has_body("application/sdp"))
+#        search_append_body("a=sendrecv.*", "\na=ptime:30");
+}
+#
+#   Failure Request Routing Logic
+#
+failure_route[1] {
+xlog("L_INFO", "failed route at $ru\n");
+if (t_was_cancelled())
+exit;
+# uncomment the following lines to block
+# client redirect based on 3xx replies
+#if (t_check_status("3[0-9][0-9]")) {
+#t_reply("404","Not Found");
 #    exit;
-#};
+#}
-#   NAT: special handling for NAT'ed clients; first, NAT test is
+# uncomment the following lines to redirect
-#   executed: it looks for via!=received and RFC1918 addresses in
+# failed calls to a different new destination
-#   Contact (may fail if line-folding is used); also, the received
+#if (t_check_status("486|408")) {
-#   test should, if completed, should check all vias for presence of
+#    sethostport("192.168.2.100:5060");
-#   received.
+#    append_branch();
-#if (nat_uac_test("3")) {
+#    # do not set the missed call flag again
-#    #   allow RR-ed requests, as these may indicate that NAT-enabled
+#    t_relay();
-#    #   aproxy takes care of it; unless it is REGISTER
+#}
-#    if (method == "REGISTER" || ! search("^Record-Route:")) {
+}
-#        log("LOG: Someone trying to register from private IP, rewriting\n");
-#        fix_nated_contact(); # rewrite contact with source IP of signalling
-#        if (method == "INVITE") {
+#
-#            fix_nated_sdp("1"); # add direction=active to SDP
+#   Local Request Routing Logic
-#        };
+#
-#        force_rport(); # add rport parameter to topmost Via
+local_route {
-#        setflag(6);    # mark as NAT'ed
+if (is_method("INVITE") && $ru=~"@foreign.tld") {
-#    };
+append_hf("P-hint: foreign request\r\n");
-#};
+exit;
+}
-#   we record-route all messages -- to make sure that
+if (is_method("BYE"))
-#   subsequent messages will go through our proxy; that's
+xlog("L_INFO", "internally generated BYE\n");
-#   particularly good if upstream and downstream entities
+}
-#   use different transport protocol
-if (method != "REGISTER") {
-record_route();
+#
-};
+#   Error Request Routing Logic
+#
-#   subsequent messages withing a dialog should take the
+error_route {
-#   path determined by record-routing
+xlog("L_ERR", "error route class=$(err.class) level=$(err.level) info=$(err.info) rcode=$(err.rcode) rreason=$(err.rreason)\n");
-if (loose_route()) {
+xlog("L_ERR", "error from [$si:$sp]\n");
-#   mark routing logic in request
+xlog("L_ERR", "++++\n$mb\n++++\n");
-append_hf("P-hint: rr-enforced\r\n");
+sl_send_reply("$err.rcode", "$err.rreason");
-route(1);
+exit;
-};
+}
-if (uri != myself) {
-#   mark routing logic in request
-append_hf("P-hint: outbound\r\n");
-route(1);
-};
-#   if the request is for other domain use USRLOC
-#   (in case, it does not work, use the following command
-#   with proper names and addresses in it)
-if (uri == myself) {
-if (method == "REGISTER") {
-#   uncomment this if you want to use digest authentication
-#if (!www_authorize("sip.example.com", "subscriber")) {
-#    www_challenge("sip.example.com", "0");
-#    exit;
-#};
-save("location");
-exit;
-};
-lookup("aliases");
-if (uri != myself) {
-append_hf("P-hint: outbound alias\r\n");
-route(1);
-};
-#   native SIP destinations are handled using our USRLOC DB
-if (!lookup("location")) {
-sl_send_reply("404", "Not Found");
-exit;
-};
-append_hf("P-hint: usrloc applied\r\n");
-};
-route(1);
-}
-route[1] {
-#   disable RFC1918 peers
-if (uri =~ "[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")) {
-sl_send_reply("479", "We don't forward to RFC 1918 IPv4 addresses");
-exit;
-};
-#   NAT: if client or server know to be behind a NAT, enable relay
-#if (isflagset(6)) {
-#    force_rtp_proxy();
-#};
-#   NAT: processing of replies; apply to all transactions
-#t_on_reply("1");
-#   send it out now; use stateful forwarding as it works reliably even for UDP2TCP
-if (!t_relay()) {
-sl_reply_error();
-};
-}
-#onreply_route[1] {
-#   NAT: is it a NAT'ed transaction ?
-#   otherwise, is it a transaction behind a NAT and we did not
-#   know at time of request processing ? (RFC1918 contacts)
-#if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
-#    fix_nated_contact();
-#    force_rtp_proxy();
-#} else if (nat_uac_test("1")) {
-#    fix_nated_contact();
-#};
-#}

OpenPKG Specs / file comparison

comparison: opensips/opensips.cfg

opensips/opensips.cfg