##
## opensips.cfg -- OpenSIPS server configuration
##

# General configuration help available at:
# http://siprouter.teigre.com/doc/gettingstarted/

# Specific routing help available at:
# http://www.opensips.org/index.php?n=Resources.DocsCoreRoutes

# Information on debug and log levels
# http://www.voice-system.ro/docs/ser-syslog/

# The configuration blocks are:
#   Global Configuration Parameters
#   Extension Module Loading
#   Extension Module Configuration
#   Main Request Routing Logic
#   Secondary Request Routing Logic
#   Branch Request Routing Logic
#   Reply Request Routing Logic
#   Failure Request Routing Logic
#   Local Request Routing Logic
#   Error Request Routing Logic
#
# Logging:
#   L_ALERT  (-3) - used if the error requires immediate action.
#   L_CRIT   (-2) - used if the error is a critical situation.
#   L_ERR    (-1) - used if the error doesn't cause system malfunctioning.
#   L_WARN    (1) - used to write warning messages.
#   L_NOTICE  (2) - used to report unusual situations.
#   L_INFO    (3) - used to write informational messages.
#   L_DBG     (4) - used to write messages for debugging.


#
# Global Configuration Parameters
#
# process configuration
# NOTE(review): 4 is L_DBG in the table above, the most verbose level listed.
# Presumably intended for bring-up; lower it before production, since debug
# output is voluminous and may echo SIP message content into the log.
debug=4
log_stderror=no
fork=yes
children=2
tcp_children=2
# The @l_...@ tokens are placeholders, presumably substituted at install time.
# Confirm the substituted user/group is an unprivileged service account.
user="@l_rusr@"
group="@l_rgrp@"
wdir="@l_prefix@/var/opensips"

# network configuration
# Only the UDP listener is active; the TLS listener below is commented out,
# so all signalling on this socket travels unencrypted.
listen=udp:voip.realhost.tld:5060
#listen = tls:voip.realhost.tld:5061

# network aliases
alias=voip.firsthost.tld:5060
#alias=voip.firsthost.tld:5061
alias=voip.secondhost.tld:5060
#alias=voip.secondhost.tld:5061

# enable TLS
#https://confluence.terena.org/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy)
#http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html
#
#Run 'openserctl tls rootCA' to create @l_prefix@/etc/openser/tls/rootCA/cacert.pem.
#Run 'openserctl tls userCERT' to create user-calist.pem, user-cert.pem, user-cert_req.pem, and user-privkey.pem in @l_prefix@/etc/openser/tls/user/.
#Copy @l_prefix@/etc/openser/tls/rootCA/cacert.pem to the client host.
#On Windows XP client hosts, run 'certmgr.msc' to import the certificate into the root certificate store.
#
# NOTE(review): the instructions above use etc/openser paths while the
# parameters below point at etc/opensips -- confirm which directory the
# generated files actually land in before enabling TLS.
# NOTE(review): TLSv1 is TLS 1.0, which RFC 8996 deprecates; when enabling TLS
# choose the newest method this build supports and consider dropping MEDIUM
# from the cipher list. The private key file should be readable only by the
# service user configured above.
#disable_tls = 0
#tls_method = TLSv1
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 1
#tls_ciphers_list = "HIGH:MEDIUM:!ADH" # openssl ciphers -v HIGH:MEDIUM
#tls_certificate = "@l_prefix@/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "@l_prefix@/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "@l_prefix@/etc/opensips/tls/user/user-calist.pem"


#
# Extension Module Loading
# http://www.opensips.org/index.php?n=Resources.DocsModules
#
# set module path
mpath="@l_prefix@/lib/opensips/modules/"

# auth.so and auth_db.so are loaded here, but the authentication calls in the
# routing logic of this file are commented out; loading the modules alone
# does not challenge any request.
loadmodule "sl.so" # Stateless replier
loadmodule "tm.so" # Transaction stateful
loadmodule "signaling.so" # Signaling wrapper of sl/tm
loadmodule "rr.so" # Record Route and Route
loadmodule "maxfwd.so" # Maximum Forward processor
loadmodule "db_text.so" # Text backend for database API
loadmodule "usrloc.so" # User location implementation
loadmodule "registrar.so" # SIP Registrar implementation
loadmodule "uri.so" # Generic URI operation
loadmodule "auth.so" # Authentication Interface
loadmodule "textops.so" # Text based manipulations
loadmodule "acc.so" # Accounting
loadmodule "auth_db.so" # Database backend authentication
loadmodule "mi_fifo.so" # FIFO support for Management Interface
#loadmodule "flatstore.so" # Fast writing only text database
#loadmodule "alias_db.so" # Database aliases
#loadmodule "domain.so" # Multidomain support
#loadmodule "nathelper.so" # NAT traversal helper
#loadmodule "enum.so" # ENUM lookup


#
# Extension Module Configuration
#
# ----- dbtext params -----
modparam("db_text", "db_mode", 0) # caching for persistence

# ----- multimodule params -----
# usrloc, uri and auth_db share one text database directory.
# NOTE(review): auth_db reads subscriber credentials from this backend, so the
# directory presumably holds them in plain text files -- keep it readable
# only by the service user.
modparam("usrloc|uri|auth_db", "db_url", "text://@l_prefix@/var/opensips/db")

# ----- rr params -----
modparam("rr", "append_fromtag", 1) # important when using detect_direction

# ----- usrloc params -----
/* see 'multimodule params' as well */
modparam("usrloc", "db_mode", 2) # Write back database persistence scheme

# ----- registrar params -----
modparam("registrar", "max_contacts", 10) # contacts per AOR allowed

# ----- acc params -----
/* see 'multimodule params' as well */
# NOTE(review): acc is not in the 'multimodule params' module list, and this
# URL uses the scheme dbtext:// where that line uses text:// for the same
# directory -- confirm which scheme the loaded db_text module answers to.
modparam("acc", "db_url", "dbtext://@l_prefix@/var/opensips/db")
#modparam("acc", "db_url", "flatstore:@l_prefix@/var/opensips/acc")
modparam("acc", "early_media", 1)
modparam("acc", "report_cancels", 1)
modparam("acc", "detect_direction", 1)
modparam("acc", "log_level", 2)
# Flag numbers used by the routing logic below: 1 = account the transaction,
# 2 = account missed calls, 4 = account even when the transaction fails.
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "failed_transaction_flag", 4)

# ----- mi_fifo params -----
# The FIFO is the management interface of the running server: any local
# account able to write to it can issue management commands. Keep the
# directory restricted to the service user and set the module's fifo_mode
# parameter explicitly rather than relying on the default.
modparam("mi_fifo", "fifo_name", "@l_prefix@/var/opensips/opensips.fifo")
modparam("mi_fifo", "reply_dir", "@l_prefix@/var/opensips/tmp/")


#
# Main Request Routing Logic
#
# Entry point for every incoming request: logs it, applies sanity checks,
# handles in-dialog requests and CANCEL, relays requests for foreign domains,
# stores REGISTER bindings, and finally looks up the callee in usrloc.
route {
    # message diagnostics
    # These five lines write sender-controlled URIs to the log for every
    # request received, at L_INFO.
    #log(3, "new branch at $ru\n");
    xlog("L_INFO", "$rm: Orig - $ou\n");
    xlog("L_INFO", "$rm: Req - $ru\n");
    xlog("L_INFO", "$rm: To - $tu\n");
    xlog("L_INFO", "$rm: Dest - $du\n");
    xlog("L_INFO", "$rm: From - $fu\n");

    # sanity checks
    if (!mf_process_maxfwd_header("10")) { # avoid loops in forward logic
        sl_send_reply("483","Too Many Hops");
        exit;
    }
    if (msg:len > max_len) { # repel DoS attacks
        sl_send_reply("513", "Message Too Large");
        exit;
    };

    # sequential request within a dialog should
    # take the path determined by record routing
    if (has_totag()) {
        if (loose_route()) {
            if (is_method("BYE")) {
                setflag(1); # do accounting...
                setflag(4); # ...even if the transaction fails
            }
            # mark routing logic in request
            append_hf("P-hint: rr-enforced\r\n");
            route(1);
        } else {
            # a To-tag without a usable Route set is rejected, not relayed
            sl_send_reply("404", "Not Found");
        }
        exit;
    }

    #
    # initial requests
    #
    if (is_method("CANCEL")) { # CANCEL processing
        # relay a CANCEL only when it matches a transaction we already hold
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();

    # authenticate if from local subscriber (uncomment to enable auth)
    # NOTE(review): while this block stays commented out, no request is
    # challenged, and the '!uri == myself' branch further down relays to
    # foreign domains for any sender -- the proxy then behaves as an open
    # relay. Enable it before exposing the listener; check_from() is what ties
    # the From URI to the authenticated user.
    #if (!is_method("REGISTER") && from_uri == myself) {
    #    if (!proxy_authorize("", "subscriber")) {
    #        proxy_challenge("", "0");
    #        exit;
    #    }
    #    if (!check_from()) {
    #        sl_send_reply("403","Forbidden");
    #        exit;
    #    }
    #
    #    consume_credentials();
    #    # caller authenticated
    #}

    # record route all messages to ensure that subsequent messages
    # will go through our proxy, particularly good if upstream
    # and downstream entities use different transport protocol
    if (!is_method("REGISTER|MESSAGE")) {
        record_route();
    }

    # account only INVITEs
    if (is_method("INVITE")) {
        setflag(1);
    }

    # Request URI is not one of our listen addresses or aliases: relay it
    # outbound. No sender check is applied on this path.
    if (!uri == myself) {
        /* replace with following line if multidomain support is used */
        #if (!is_uri_host_local()) {
        append_hf("P-hint: outbound\r\n");
        # if you have some interdomain connections via TLS
        #if ($rd == "tls_domain1.net") {
        #    t_relay("tls:domain1.net");
        #    exit;
        #} else if ($rd == "tls_domain2.net") {
        #    t_relay("tls:domain2.net");
        #    exit;
        #}
        route(1); # route[1] always exits, so nothing below runs for outbound
    }

    #
    # requests for my domain
    #
    if (is_method("PUBLISH")) {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }

    if (is_method("REGISTER")) {
        # authenticate the REGISTER requests (uncomment to enable auth)
        # NOTE(review): while www_authorize() stays commented out, save()
        # below stores the Contact of any REGISTER for any address-of-record,
        # so whoever can reach the listener can take over a user's incoming
        # calls. check_to() is what ties the To URI to the authenticated user.
        #if (!www_authorize("", "subscriber")) {
        #    www_challenge("", "0");
        #    exit;
        #}
        #
        #if (!check_to()) {
        #    sl_send_reply("403","Forbidden");
        #    exit;
        #}

        if (!save("location"))
            sl_reply_error();

        exit;
    }

    if ($rU == NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }

    # Resolve the callee against the registrations held in "location";
    # only return code 1 continues to the relay, every other arm replies
    # with an error and stops.
    lookup("location");
    switch ($retcode) {
        case 1:
            append_hf("P-hint: usrloc applied\r\n");
            break;
        case -1:
            t_newtran();
            t_reply("404", "Not Found");
            exit;
        case -2:
            sl_send_reply("405", "Method Not Allowed");
            exit;
        case -3:
            t_newtran();
            t_reply("500", "Server Internal Error");
            exit;
    }

    setflag(2); # when routing via usrloc then
    route(1); # log the missed calls as well
}


#
# Secondary Request Routing Logic
#
# Common relay step: arms the branch/reply/failure routes for INVITEs, then
# forwards statefully. Always terminates script processing.
route[1] {
    # for INVITEs enable some additional helper routes
    if (is_method("INVITE")) {
        t_on_branch("1");
        t_on_reply("1");
        t_on_failure("1");
    }

    # send with stateful forwarding which works reliably even for UDP2TCP
    if (!t_relay())
        sl_reply_error();

    exit; # safeguard
}


#
# Branch Request Routing Logic
#
# Logs the request URI of each branch created for an INVITE.
branch_route[1] {
    xlog("L_INFO", "new branch at $ru\n");
}


#
# Reply Request Routing Logic
#
# Logs each reply received for an INVITE relayed through route[1].
onreply_route[1] {
    xlog("L_INFO", "incoming reply at $ru\n");
    # if ($ua =~ fritz.box)
    #     xlog("L_ERR", "$rm: The Fritzbox replied!\n");
    # if ($ua =~ fritz.box && has_body("application/sdp"))
    #     search_append_body("a=sendrecv.*", "\na=ptime:30");
}


#
# Failure Request Routing Logic
#
# Runs when an INVITE relayed through route[1] fails; as shipped it only
# logs and stops on cancelled transactions.
failure_route[1] {
    xlog("L_INFO", "failed route at $ru\n");
    if (t_was_cancelled())
        exit;

    # uncomment the following lines to block
    # client redirect based on 3xx replies
    # (leaving it commented means a callee's 3xx reply is passed back to the
    # caller, who may then be redirected to a destination the callee chose)
    #if (t_check_status("3[0-9][0-9]")) {
    #t_reply("404","Not Found");
    #    exit;
    #}

    # uncomment the following lines to redirect
    # failed calls to a different new destination
    #if (t_check_status("486|408")) {
    #    sethostport("192.168.2.100:5060");
    #    append_branch();
    #    # do not set the missed call flag again
    #    t_relay();
    #}
}


#
# Local Request Routing Logic
#
# Applied to requests the server generates itself.
# NOTE(review): the pattern "@foreign.tld" is an unanchored regular
# expression and '.' matches any character, so it matches more than the
# literal host -- confirm that is acceptable.
local_route {
    if (is_method("INVITE") && $ru=~"@foreign.tld") {
        append_hf("P-hint: foreign request\r\n");
        exit;
    }
    if (is_method("BYE"))
        xlog("L_INFO", "internally generated BYE\n");
}


#
# Error Request Routing Logic
#
# Logs the error details and the source address, then answers with the
# reply code and reason taken from the $err variables.
error_route {
    xlog("L_ERR", "error route class=$(err.class) level=$(err.level) info=$(err.info) rcode=$(err.rcode) rreason=$(err.rreason)\n");
    xlog("L_ERR", "error from [$si:$sp]\n");
    # $mb writes the whole received message to the log, including any
    # credential headers it carries; restrict access to this log accordingly.
    xlog("L_ERR", "++++\n$mb\n++++\n");
    sl_send_reply("$err.rcode", "$err.rreason");
    exit;
}