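--- a/opensips/opensips.cfg	Wed Sep 21 14:02:13 2011 +0200
+++ b/opensips/opensips.cfg	Wed Sep 21 14:04:16 2011 +0200
@@ -2,197 +2,380 @@
 ## opensips.cfg -- OpenSIPS server configuration
 ##
 
+
+# General configuration help available at:
+# http://siprouter.teigre.com/doc/gettingstarted/
+
+# Specific routing help available at:
+# http://www.opensips.org/index.php?n=Resources.DocsCoreRoutes
+
+# Information on debug and log levels
+# http://www.voice-system.ro/docs/ser-syslog/
+
+# Die Konfigbloecke sind:
+# Global Configuration Parameters
+# Extension Module Loading
+# Extension Module Configuration
+# Main Request Routing Logic
+# Secondary Request Routing Logic
+# Branch Request Routing Logic
+# Reply Request Routing Logic
+# Failure Request Routing Logic
+# Local Request Routing Logic
+# Error Request Routing Logic
 #
-# GLOBAL CONFIGURATION PARAMETERS
+# Logging:
+# L_ALERT (-3) - used if the error requires immediate action.
+# L_CRIT (-2) - used if the error is a critical situation.
+# L_ERR (-1) - used if the error doesn't cause system malfunctioning.
+# L_WARN (1) - used to write warning messages.
+# L_NOTICE (2) - used to report unusual situations.
+# L_INFO (3) - used to write informational messages.
+# L_DBG (4) - used to write messages for debugging.
+
+
 #
-
+# Global Configuration Parameters
+#
 # process configuration
-debug=1
+debug=4
 log_stderror=no
 fork=yes
-check_via=no
-dns=no
-rev_dns=no
-children=4
+children=2
+tcp_children=2
 user="@l_rusr@"
 group="@l_rgrp@"
-fifo="@l_prefix@/var/opensips/opensips.fifo"
-workdir="@l_prefix@/var/opensips"
+wdir="@l_prefix@/var/opensips"
 
 # network configuration
-alias="sip.example.com"
-listen="127.0.0.1"
-port=5060
+listen=udp:voip.realhost.tld:5060
+#listen = tls:voip.realhost.tld:5061
+
+# network aliases
+alias=voip.firsthost.tld:5060
+#alias=voip.firsthost.tld:5061
+alias=voip.secondhost.tld:5060
+#alias=voip.secondhost.tld:5061
+
+# enable TLS
+#https://confluence.terena.org/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy)
+#http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
+#
+#Run 'openserctl tls rootCA' to create @l_prefix@/etc/openser/tls/rootCA/cacert.pem.
+#Run 'openserctl tls userCERT' to create user-calist.pem, user-cert.pem, user-cert_req.pem, and user-privkey.pem in @l_prefix@/etc/openser/tls/user/.
+#Copy @l_prefix@/etc/openser/tls/rootCA/cacert.pem to the client host.
+#On Windows XP client hosts, run 'certmrg.msc' to import the certificate into the root certificate store.
+#
+#disable_tls = 0
+#tls_method = TLSv1
+#tls_verify_server = 1
+#tls_verify_client = 1
+#tls_require_client_certificate = 1
+#tls_ciphers_list = "HIGH:MEDIUM:!ADH" # openssl ciphers -v HIGH:MEDIUM
+#tls_certificate = "@l_prefix@/etc/opensips/tls/user/user-cert.pem"
+#tls_private_key = "@l_prefix@/etc/opensips/tls/user/user-privkey.pem"
+#tls_ca_list = "@l_prefix@/etc/opensips/tls/user/user-calist.pem"
+
 
 #
-# EXTENSION MODULE LOADING
+# Extension Module Loading
+# http://www.opensips.org/index.php?n=Resources.DocsModules
 #
+# set module path
+mpath="@l_prefix@/lib/opensips/modules/"
 
-#loadmodule "@l_prefix@/lib/opensips/modules/dbtext.so"
+loadmodule "sl.so" # Stateless replier
+loadmodule "tm.so" # Transaction stateful
+loadmodule "signaling.so" # Signaling wrapper of sl/tm
+loadmodule "rr.so" # Record Route and Route
+loadmodule "maxfwd.so" # Maximum Forward processor
+loadmodule "db_text.so" # Text backend for database API
+loadmodule "usrloc.so" # User location implementation
+loadmodule "registrar.so" # SIP Registrar implementation
+loadmodule "uri.so" # Generic URI operation
+loadmodule "auth.so" # Authentication Interface
+loadmodule "textops.so" # Text based manipulations
+loadmodule "acc.so" # Accounting
+loadmodule "auth_db.so" # Database backend authentication
+loadmodule "mi_fifo.so" # FIFO support for Management Interface
+#loadmodule "flatstore.so" # Fast writing only text database
+#loadmodule "alias_db.so" # Database aliases
+#loadmodule "domain.so" # Multidomain support
+#loadmodule "nathelper.so" # NAT traversal helper
+#loadmodule "enum.so" # ENUM lookup
 
-loadmodule "@l_prefix@/lib/opensips/modules/sl.so"
-loadmodule "@l_prefix@/lib/opensips/modules/tm.so"
-loadmodule "@l_prefix@/lib/opensips/modules/rr.so"
-loadmodule "@l_prefix@/lib/opensips/modules/maxfwd.so"
-loadmodule "@l_prefix@/lib/opensips/modules/usrloc.so"
-loadmodule "@l_prefix@/lib/opensips/modules/registrar.so"
-loadmodule "@l_prefix@/lib/opensips/modules/textops.so"
-
-#loadmodule "@l_prefix@/lib/opensips/modules/auth.so"
-#loadmodule "@l_prefix@/lib/opensips/modules/auth_db.so"
-
-#loadmodule "@l_prefix@/lib/opensips/modules/nathelper.so"
 
 #
-# EXTENSION MODULE CONFIGURATION
+# Extension Module Configuration
 #
+# ----- dbtext params -----
+modparam("db_text", "db_mode", 0) # caching for persistence
 
-# module rr:
-modparam("rr", "enable_full_lr", 1)
+# ----- multimodule params -----
+modparam("usrloc|uri|auth_db", "db_url", "text://@l_prefix@/var/opensips/db")
 
-# module usrloc:
-modparam("usrloc", "db_mode", 0)
-#modparam("usrloc", "db_mode", 2)
-#modparam("usrloc|auth_db", "db_url", "dbtext://@l_prefix@/var/opensips/db")
+# ----- rr params -----
+modparam("rr", "append_fromtag", 1) # important when using detect_direction
 
-# module auth:
-#modparam("auth_db", "calculate_ha1", 1)
-#modparam("auth_db", "password_column", "password")
-#modparam("auth_db", "user_column", "username")
-#modparam("auth_db", "domain_column", "domain")
+# ----- usrloc params -----
+/* see 'multimodule params' as well */
+modparam("usrloc", "db_mode", 2) # Write back database persistence scheme
 
-# module nathelper:
-#modparam("registrar", "nat_flag", 6)
-#modparam("nathelper", "natping_interval", 30)
-#modparam("nathelper", "ping_nated_only", 1)
-#modparam("nathelper", "rtpproxy_sock", "unix:@l_prefix@/var/opensips/opensips_rtpproxy.sock")
-#modparam("nathelper", "rtpproxy_disable", 0)
-#modparam("nathelper", "rtpproxy_disable_tout", 20)
-#modparam("nathelper", "sipping_from", "sip:pinger@sip.example.com")
+# ----- registrar params -----
+modparam("registrar", "max_contacts", 10) # contacts per AOR allowed
+
+# ----- acc params -----
+/* see 'multimodule params' as well */
+modparam("acc", "db_url", "dbtext://@l_prefix@/var/opensips/db")
+#modparam("acc", "db_url", "flatstore:@l_prefix@/var/opensips/acc")
+modparam("acc", "early_media", 1)
+modparam("acc", "report_cancels", 1)
+modparam("acc", "detect_direction", 1)
+modparam("acc", "log_level", 2)
+modparam("acc", "log_flag", 1)
+modparam("acc", "log_missed_flag", 2)
+modparam("acc", "db_flag", 1)
+modparam("acc", "db_missed_flag", 2)
+modparam("acc", "failed_transaction_flag", 4)
+
+# ----- mi_fifo params -----
+modparam("mi_fifo", "fifo_name", "@l_prefix@/var/opensips/opensips.fifo")
+modparam("mi_fifo", "reply_dir", "@l_prefix@/var/opensips/tmp/")
+
 
 #
-# MAIN ROUTING LOGIC
+# Main Request Routing Logic
 #
+route {
+ # message diagnostics
+ #log(3, "new branch at $ru\n");
+ xlog("L_INFO", "$rm: Orig - $ou\n");
+ xlog("L_INFO", "$rm: Req - $ru\n");
+ xlog("L_INFO", "$rm: To - $tu\n");
+ xlog("L_INFO", "$rm: Dest - $du\n");
+ xlog("L_INFO", "$rm: From - $fu\n");
 
-route{
- # initial sanity checks -- messages with
- # max_forwards==0, or excessively long requests
- if (!mf_process_maxfwd_header("10")) {
- sl_send_reply("483", "Too Many Hops");
+ # sanity checks
+ if (!mf_process_maxfwd_header("10")) { # avoid loops in forward logic
+ sl_send_reply("483","Too Many Hops");
 exit;
- };
- if (msg:len >= max_len) {
- sl_send_reply("513", "Message too big");
+ }
+ if (msg:len > max_len) { # repel DoS attacks
+ sl_send_reply("513", "Message Too Large");
 exit;
 };
 
- #if (method == "INVITE" && uri != myself) {
- # sl_send_reply("403", "No relaying");
- # exit;
- #};
+ # sequential request within a dialog should
+ # take the path determined by record routing
+ if (has_totag()) {
+ if (loose_route()) {
+ if (is_method("BYE")) {
+ setflag(1); # do accouting...
+ setflag(4); # ...even if the transaction fails
+ }
+ # mark routing logic in request
+ append_hf("P-hint: rr-enforced\r\n");
+ route(1);
+ } else {
+ sl_send_reply("404", "Not Found");
+ }
+ exit;
+ }
 
- # NAT: special handling for NAT'ed clients; first, NAT test is
- # executed: it looks for via!=received and RFC1918 addresses in
- # Contact (may fail if line-folding is used); also, the received
- # test should, if completed, should check all vias for presence of
- # received.
- #if (nat_uac_test("3")) {
- # # allow RR-ed requests, as these may indicate that NAT-enabled
- # # aproxy takes care of it; unless it is REGISTER
- # if (method == "REGISTER" || ! search("^Record-Route:")) {
- # log("LOG: Someone trying to register from private IP, rewriting\n");
- # fix_nated_contact(); # rewrite contact with source IP of signalling
- # if (method == "INVITE") {
- # fix_nated_sdp("1"); # add direction=active to SDP
- # };
- # force_rport(); # add rport parameter to topmost Via
- # setflag(6); # mark as NAT'ed
- # };
- #};
+ #
+ # initial requests
+ #
+ if (is_method("CANCEL")) { # CANCEL processing
+ if (t_check_trans())
+ t_relay();
+ exit;
+ }
 
- # we record-route all messages -- to make sure that
- # subsequent messages will go through our proxy; that's
- # particularly good if upstream and downstream entities
- # use different transport protocol
- if (method != "REGISTER") {
+ t_check_trans();
+
+ # authenticate if from local subscriber (uncomment to enable auth)
+ #if (!is_method("REGISTER") && from_uri == myself) {
+ # if (!proxy_authorize("", "subscriber")) {
+ # proxy_challenge("", "0");
+ # exit;
+ # }
+ # if (!check_from()) {
+ # sl_send_reply("403","Forbidden");
+ # exit;
+ # }
+ #
+ # consume_credentials();
+ # # caller authenticated
+ #}
+
+ # record route all messages to ensure that subsequent messages
+ # will go through our proxy, particularly good if upstream
+ # and downstream entities use different transport protocol
+ if (!is_method("REGISTER|MESSAGE")) {
 record_route();
- };
+ }
 
- # subsequent messages withing a dialog should take the
- # path determined by record-routing
- if (loose_route()) {
- # mark routing logic in request
- append_hf("P-hint: rr-enforced\r\n");
+ # account only INVITEs
+ if (is_method("INVITE")) {
+ setflag(1);
+ }
+
+ if (!uri == myself) {
+ /* replace with following line if multidomain support is used */
+ #if (!is_uri_host_local()) {
+ append_hf("P-hint: outbound\r\n");
+ # if you have some interdomain connections via TLS
+ #if ($rd == "tls_domain1.net") {
+ # t_relay("tls:domain1.net");
+ # exit;
+ #} else if ($rd == "tls_domain2.net") {
+ # t_relay("tls:domain2.net");
+ # exit;
+ #}
 route(1);
- };
+ }
 
- if (uri != myself) {
- # mark routing logic in request
- append_hf("P-hint: outbound\r\n");
- route(1);
- };
+ #
+ # requests for my domain
+ #
+ if (is_method("PUBLISH")) {
+ sl_send_reply("503", "Service Unavailable");
+ exit;
+ }
 
- # if the request is for other domain use USRLOC
- # (in case, it does not work, use the following command
- # with proper names and addresses in it)
- if (uri == myself) {
- if (method == "REGISTER") {
- # uncomment this if you want to use digest authentication
- #if (!www_authorize("sip.example.com", "subscriber")) {
- # www_challenge("sip.example.com", "0");
- # exit;
- #};
- save("location");
+ if (is_method("REGISTER")) {
+ # authenticate the REGISTER requests (uncomment to enable auth)
+ #if (!www_authorize("", "subscriber")) {
+ # www_challenge("", "0");
+ # exit;
+ #}
+ #
+ #if (!check_to()) {
+ # sl_send_reply("403","Forbidden");
+ # exit;
+ #}
+
+ if (!save("location"))
+ sl_reply_error();
+
+ exit;
+ }
+
+ if ($rU == NULL) {
+ # request with no Username in RURI
+ sl_send_reply("484","Address Incomplete");
+ exit;
+ }
+
+ lookup("location");
+ switch ($retcode) {
+ case 1:
+ append_hf("P-hint: usrloc applied\r\n");
+ break;
+ case -1:
+ t_newtran();
+ t_reply("404", "Not Found");
 exit;
- };
+ case -2:
+ sl_send_reply("405", "Method Not Allowed");
+ exit;
+ case -3:
+ t_newtran();
+ t_reply("500", "Server Internal Error");
+ exit;
+ }
 
- lookup("aliases");
- if (uri != myself) {
- append_hf("P-hint: outbound alias\r\n");
- route(1);
- };
-
- # native SIP destinations are handled using our USRLOC DB
- if (!lookup("location")) {
- sl_send_reply("404", "Not Found");
- exit;
- };
- append_hf("P-hint: usrloc applied\r\n");
- };
-
- route(1);
+ setflag(2); # when routing via usrloc then
+ route(1); # log the missed calls as well
 }
 
+
+#
+# Secondary Request Routing Logic
+#
 route[1] {
- # disable RFC1918 peers
- if (uri =~ "[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")) {
- sl_send_reply("479", "We don't forward to RFC 1918 IPv4 addresses");
- exit;
- };
-
- # NAT: if client or server know to be behind a NAT, enable relay
- #if (isflagset(6)) {
- # force_rtp_proxy();
- #};
-
- # NAT: processing of replies; apply to all transactions
- #t_on_reply("1");
-
- # send it out now; use stateful forwarding as it works reliably even for UDP2TCP
- if (!t_relay()) {
+ # for INVITEs enable some additional helper routes
+ if (is_method("INVITE")) {
+ t_on_branch("1");
+ t_on_reply("1");
+ t_on_failure("1");
+ }
+
+ # send with stateful forwarding which works reliably even for UDP2TCP
+ if (!t_relay())
 sl_reply_error();
- };
+
+ exit; # safeguard
 }
 
-#onreply_route[1] {
- # NAT: is it a NAT'ed transaction ?
- # otherwise, is it a transaction behind a NAT and we did not
- # know at time of request processing ? (RFC1918 contacts)
- #if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
- # fix_nated_contact();
- # force_rtp_proxy();
- #} else if (nat_uac_test("1")) {
- # fix_nated_contact();
- #};
-#}
 
+#
+# Branch Request Routing Logic
+#
+branch_route[1] {
+ xlog("L_INFO", "new branch at $ru\n");
+}
+
+
+#
+# Reply Request Routing Logic
+#
+onreply_route[1] {
+ xlog("L_INFO", "incoming reply at $ru\n");
+# if ($ua =~ fritz.box)
+# xlog("L_ERR", "$rm: The Fritzbox replied!\n");
+# if ($ua =~ fritz.box && has_body("application/sdp"))
+# search_append_body("a=sendrecv.*", "\na=ptime:30");
+}
+
+
+#
+# Failure Request Routing Logic
+#
+failure_route[1] {
+ xlog("L_INFO", "failed route at $ru\n");
+ if (t_was_cancelled())
+ exit;
+
+ # uncomment the following lines to block
+ # client redirect based on 3xx replies
+ #if (t_check_status("3[0-9][0-9]")) {
+ #t_reply("404","Not Found");
+ # exit;
+ #}
+
+ # uncomment the following lines to redirect
+ # failed calls to a different new destination
+ #if (t_check_status("486|408")) {
+ # sethostport("192.168.2.100:5060");
+ # append_branch();
+ # # do not set the missed call flag again
+ # t_relay();
+ #}
+}
+
+
+#
+# Local Request Routing Logic
+#
+local_route {
+ if (is_method("INVITE") && $ru=~"@foreign.tld") {
+ append_hf("P-hint: foreign request\r\n");
+ exit;
+ }
+ if (is_method("BYE"))
+ xlog("L_INFO", "internally generated BYE\n");
+}
+
+
+#
+# Error Request Routing Logic
+#
+error_route {
+ xlog("L_ERR", "error route class=$(err.class) level=$(err.level) info=$(err.info) rcode=$(err.rcode) rreason=$(err.rreason)\n");
+ xlog("L_ERR", "error from [$si:$sp]\n");
+ xlog("L_ERR", "++++\n$mb\n++++\n");
+ sl_send_reply("$err.rcode", "$err.rreason");
+ exit;
+}
+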
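Review bot: The packaged default now binds to a routable address (`listen=udp:voip.realhost.tld:5060` replaces `listen="127.0.0.1"`) while both authentication blocks in `route` stay commented out, so `save("location")` accepts a binding from any REGISTER and `route(1)` relays for any sender. The hunk also removes the RFC 1918 destination check from `route[1]`, so nothing visible here restricts where such a request is forwarded. Since `auth.so` and `auth_db.so` are now loaded, I would ship the `www_authorize("", "subscriber")` / `www_challenge("", "0")` and `proxy_authorize("", "subscriber")` blocks enabled, or keep the loopback `listen` until they are. Separately, `modparam("acc", "db_url", "dbtext://…")` uses a different scheme from the `text://` URL given to `usrloc|uri|auth_db`; that looks like a leftover from the old `dbtext.so` name and should probably read `"text://@l_prefix@/var/opensips/db"`. `debug=4` is also the L_DBG level per the table added at the top of the file, which is verbose for a shipped default.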