diff -r 8f552d1cd671 -r 67e813202d53 opensips/opensips.cfg
--- a/opensips/opensips.cfg Wed Sep 21 14:02:13 2011 +0200
+++ b/opensips/opensips.cfg Wed Sep 21 14:04:16 2011 +0200
@@ -2,197 +2,380 @@ ## opensips.cfg -- OpenSIPS server configuration ## + +# General configuration help available at: +# http://siprouter.teigre.com/doc/gettingstarted/ + +# Specific routing help available at: +# http://www.opensips.org/index.php?n=Resources.DocsCoreRoutes + +# Information on debug and log levels +# http://www.voice-system.ro/docs/ser-syslog/ + +# Die Konfigbloecke sind: +# Global Configuration Parameters +# Extension Module Loading +# Extension Module Configuration +# Main Request Routing Logic +# Secondary Request Routing Logic +# Branch Request Routing Logic +# Reply Request Routing Logic +# Failure Request Routing Logic +# Local Request Routing Logic +# Error Request Routing Logic # -# GLOBAL CONFIGURATION PARAMETERS +# Logging: +# L_ALERT (-3) - used if the error requires immediate action. +# L_CRIT (-2) - used if the error is a critical situation. +# L_ERR (-1) - used if the error doesn't cause system malfunctioning. +# L_WARN (1) - used to write warning messages. +# L_NOTICE (2) - used to report unusual situations. +# L_INFO (3) - used to write informational messages. +# L_DBG (4) - used to write messages for debugging. 
+ + # - +# Global Configuration Parameters +# # process configuration -debug=1 +debug=4 log_stderror=no fork=yes -check_via=no -dns=no -rev_dns=no -children=4 +children=2 +tcp_children=2 user="@l_rusr@" group="@l_rgrp@" -fifo="@l_prefix@/var/opensips/opensips.fifo" -workdir="@l_prefix@/var/opensips" +wdir="@l_prefix@/var/opensips" # network configuration -alias="sip.example.com" -listen="127.0.0.1" -port=5060 +listen=udp:voip.realhost.tld:5060 +#listen = tls:voip.realhost.tld:5061 + +# network aliases +alias=voip.firsthost.tld:5060 +#alias=voip.firsthost.tld:5061 +alias=voip.secondhost.tld:5060 +#alias=voip.secondhost.tld:5061 + +# enable TLS +#https://confluence.terena.org/display/IPTelCB/3.5.2.+TLS+for+OpenSER+(UA-Proxy) +#http://www.opensips.org/html/docs/tutorials/tls-1.4.x.html +# +#Run 'openserctl tls rootCA' to create @l_prefix@/etc/openser/tls/rootCA/cacert.pem. +#Run 'openserctl tls userCERT' to create user-calist.pem, user-cert.pem, user-cert_req.pem, and user-privkey.pem in @l_prefix@/etc/openser/tls/user/. +#Copy @l_prefix@/etc/openser/tls/rootCA/cacert.pem to the client host. +#On Windows XP client hosts, run 'certmrg.msc' to import the certificate into the root certificate store. 
+# +#disable_tls = 0 +#tls_method = TLSv1 +#tls_verify_server = 1 +#tls_verify_client = 1 +#tls_require_client_certificate = 1 +#tls_ciphers_list = "HIGH:MEDIUM:!ADH" # openssl ciphers -v HIGH:MEDIUM +#tls_certificate = "@l_prefix@/etc/opensips/tls/user/user-cert.pem" +#tls_private_key = "@l_prefix@/etc/opensips/tls/user/user-privkey.pem" +#tls_ca_list = "@l_prefix@/etc/opensips/tls/user/user-calist.pem" + # -# EXTENSION MODULE LOADING +# Extension Module Loading +# http://www.opensips.org/index.php?n=Resources.DocsModules # +# set module path +mpath="@l_prefix@/lib/opensips/modules/" -#loadmodule "@l_prefix@/lib/opensips/modules/dbtext.so" +loadmodule "sl.so" # Stateless replier +loadmodule "tm.so" # Transaction stateful +loadmodule "signaling.so" # Signaling wrapper of sl/tm +loadmodule "rr.so" # Record Route and Route +loadmodule "maxfwd.so" # Maximum Forward processor +loadmodule "db_text.so" # Text backend for database API +loadmodule "usrloc.so" # User location implementation +loadmodule "registrar.so" # SIP Registrar implementation +loadmodule "uri.so" # Generic URI operation +loadmodule "auth.so" # Authentication Interface +loadmodule "textops.so" # Text based manipulations +loadmodule "acc.so" # Accounting +loadmodule "auth_db.so" # Database backend authentication +loadmodule "mi_fifo.so" # FIFO support for Management Interface +#loadmodule "flatstore.so" # Fast writing only text database +#loadmodule "alias_db.so" # Database aliases +#loadmodule "domain.so" # Multidomain support +#loadmodule "nathelper.so" # NAT traversal helper +#loadmodule "enum.so" # ENUM lookup -loadmodule "@l_prefix@/lib/opensips/modules/sl.so" -loadmodule "@l_prefix@/lib/opensips/modules/tm.so" -loadmodule "@l_prefix@/lib/opensips/modules/rr.so" -loadmodule "@l_prefix@/lib/opensips/modules/maxfwd.so" -loadmodule "@l_prefix@/lib/opensips/modules/usrloc.so" -loadmodule "@l_prefix@/lib/opensips/modules/registrar.so" -loadmodule "@l_prefix@/lib/opensips/modules/textops.so" - 
-#loadmodule "@l_prefix@/lib/opensips/modules/auth.so" -#loadmodule "@l_prefix@/lib/opensips/modules/auth_db.so" - -#loadmodule "@l_prefix@/lib/opensips/modules/nathelper.so" # -# EXTENSION MODULE CONFIGURATION +# Extension Module Configuration # +# ----- dbtext params ----- +modparam("db_text", "db_mode", 0) # caching for persistence -# module rr: -modparam("rr", "enable_full_lr", 1) +# ----- multimodule params ----- +modparam("usrloc|uri|auth_db", "db_url", "text://@l_prefix@/var/opensips/db") -# module usrloc: -modparam("usrloc", "db_mode", 0) -#modparam("usrloc", "db_mode", 2) -#modparam("usrloc|auth_db", "db_url", "dbtext://@l_prefix@/var/opensips/db") +# ----- rr params ----- +modparam("rr", "append_fromtag", 1) # important when using detect_direction -# module auth: -#modparam("auth_db", "calculate_ha1", 1) -#modparam("auth_db", "password_column", "password") -#modparam("auth_db", "user_column", "username") -#modparam("auth_db", "domain_column", "domain") +# ----- usrloc params ----- +/* see 'multimodule params' as well */ +modparam("usrloc", "db_mode", 2) # Write back database persistence scheme -# module nathelper: -#modparam("registrar", "nat_flag", 6) -#modparam("nathelper", "natping_interval", 30) -#modparam("nathelper", "ping_nated_only", 1) -#modparam("nathelper", "rtpproxy_sock", "unix:@l_prefix@/var/opensips/opensips_rtpproxy.sock") -#modparam("nathelper", "rtpproxy_disable", 0) -#modparam("nathelper", "rtpproxy_disable_tout", 20) -#modparam("nathelper", "sipping_from", "sip:pinger@sip.example.com") +# ----- registrar params ----- +modparam("registrar", "max_contacts", 10) # contacts per AOR allowed + +# ----- acc params ----- +/* see 'multimodule params' as well */ +modparam("acc", "db_url", "dbtext://@l_prefix@/var/opensips/db") +#modparam("acc", "db_url", "flatstore:@l_prefix@/var/opensips/acc") +modparam("acc", "early_media", 1) +modparam("acc", "report_cancels", 1) +modparam("acc", "detect_direction", 1) +modparam("acc", "log_level", 2) 
+modparam("acc", "log_flag", 1) +modparam("acc", "log_missed_flag", 2) +modparam("acc", "db_flag", 1) +modparam("acc", "db_missed_flag", 2) +modparam("acc", "failed_transaction_flag", 4) + +# ----- mi_fifo params ----- +modparam("mi_fifo", "fifo_name", "@l_prefix@/var/opensips/opensips.fifo") +modparam("mi_fifo", "reply_dir", "@l_prefix@/var/opensips/tmp/") + # -# MAIN ROUTING LOGIC +# Main Request Routing Logic # +route { + # message diagnostics + #log(3, "new branch at $ru\n"); + xlog("L_INFO", "$rm: Orig - $ou\n"); + xlog("L_INFO", "$rm: Req - $ru\n"); + xlog("L_INFO", "$rm: To - $tu\n"); + xlog("L_INFO", "$rm: Dest - $du\n"); + xlog("L_INFO", "$rm: From - $fu\n"); -route{ - # initial sanity checks -- messages with - # max_forwards==0, or excessively long requests - if (!mf_process_maxfwd_header("10")) { - sl_send_reply("483", "Too Many Hops"); + # sanity checks + if (!mf_process_maxfwd_header("10")) { # avoid loops in forward logic + sl_send_reply("483","Too Many Hops"); exit; - }; - if (msg:len >= max_len) { - sl_send_reply("513", "Message too big"); + } + if (msg:len > max_len) { # repel DoS attacks + sl_send_reply("513", "Message Too Large"); exit; }; - #if (method == "INVITE" && uri != myself) { - # sl_send_reply("403", "No relaying"); - # exit; - #}; + # sequential request within a dialog should + # take the path determined by record routing + if (has_totag()) { + if (loose_route()) { + if (is_method("BYE")) { + setflag(1); # do accouting... + setflag(4); # ...even if the transaction fails + } + # mark routing logic in request + append_hf("P-hint: rr-enforced\r\n"); + route(1); + } else { + sl_send_reply("404", "Not Found"); + } + exit; + } - # NAT: special handling for NAT'ed clients; first, NAT test is - # executed: it looks for via!=received and RFC1918 addresses in - # Contact (may fail if line-folding is used); also, the received - # test should, if completed, should check all vias for presence of - # received. 
- #if (nat_uac_test("3")) { - # # allow RR-ed requests, as these may indicate that NAT-enabled - # # aproxy takes care of it; unless it is REGISTER - # if (method == "REGISTER" || ! search("^Record-Route:")) { - # log("LOG: Someone trying to register from private IP, rewriting\n"); - # fix_nated_contact(); # rewrite contact with source IP of signalling - # if (method == "INVITE") { - # fix_nated_sdp("1"); # add direction=active to SDP - # }; - # force_rport(); # add rport parameter to topmost Via - # setflag(6); # mark as NAT'ed - # }; - #}; + # + # initial requests + # + if (is_method("CANCEL")) { # CANCEL processing + if (t_check_trans()) + t_relay(); + exit; + } - # we record-route all messages -- to make sure that - # subsequent messages will go through our proxy; that's - # particularly good if upstream and downstream entities - # use different transport protocol - if (method != "REGISTER") { + t_check_trans(); + + # authenticate if from local subscriber (uncomment to enable auth) + #if (!is_method("REGISTER") && from_uri == myself) { + # if (!proxy_authorize("", "subscriber")) { + # proxy_challenge("", "0"); + # exit; + # } + # if (!check_from()) { + # sl_send_reply("403","Forbidden"); + # exit; + # } + # + # consume_credentials(); + # # caller authenticated + #} + + # record route all messages to ensure that subsequent messages + # will go through our proxy, particularly good if upstream + # and downstream entities use different transport protocol + if (!is_method("REGISTER|MESSAGE")) { record_route(); - }; + } - # subsequent messages withing a dialog should take the - # path determined by record-routing - if (loose_route()) { - # mark routing logic in request - append_hf("P-hint: rr-enforced\r\n"); + # account only INVITEs + if (is_method("INVITE")) { + setflag(1); + } + + if (!uri == myself) { + /* replace with following line if multidomain support is used */ + #if (!is_uri_host_local()) { + append_hf("P-hint: outbound\r\n"); + # if you have some 
interdomain connections via TLS + #if ($rd == "tls_domain1.net") { + # t_relay("tls:domain1.net"); + # exit; + #} else if ($rd == "tls_domain2.net") { + # t_relay("tls:domain2.net"); + # exit; + #} route(1); - }; + } - if (uri != myself) { - # mark routing logic in request - append_hf("P-hint: outbound\r\n"); - route(1); - }; + # + # requests for my domain + # + if (is_method("PUBLISH")) { + sl_send_reply("503", "Service Unavailable"); + exit; + } - # if the request is for other domain use USRLOC - # (in case, it does not work, use the following command - # with proper names and addresses in it) - if (uri == myself) { - if (method == "REGISTER") { - # uncomment this if you want to use digest authentication - #if (!www_authorize("sip.example.com", "subscriber")) { - # www_challenge("sip.example.com", "0"); - # exit; - #}; - save("location"); + if (is_method("REGISTER")) { + # authenticate the REGISTER requests (uncomment to enable auth) + #if (!www_authorize("", "subscriber")) { + # www_challenge("", "0"); + # exit; + #} + # + #if (!check_to()) { + # sl_send_reply("403","Forbidden"); + # exit; + #} + + if (!save("location")) + sl_reply_error(); + + exit; + } + + if ($rU == NULL) { + # request with no Username in RURI + sl_send_reply("484","Address Incomplete"); + exit; + } + + lookup("location"); + switch ($retcode) { + case 1: + append_hf("P-hint: usrloc applied\r\n"); + break; + case -1: + t_newtran(); + t_reply("404", "Not Found"); exit; - }; + case -2: + sl_send_reply("405", "Method Not Allowed"); + exit; + case -3: + t_newtran(); + t_reply("500", "Server Internal Error"); + exit; + } - lookup("aliases"); - if (uri != myself) { - append_hf("P-hint: outbound alias\r\n"); - route(1); - }; - - # native SIP destinations are handled using our USRLOC DB - if (!lookup("location")) { - sl_send_reply("404", "Not Found"); - exit; - }; - append_hf("P-hint: usrloc applied\r\n"); - }; - - route(1); + setflag(2); # when routing via usrloc then + route(1); # log the missed 
calls as well } + +# +# Secondary Request Routing Logic +# route[1] { - # disable RFC1918 peers - if (uri =~ "[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")) { - sl_send_reply("479", "We don't forward to RFC 1918 IPv4 addresses"); - exit; - }; - - # NAT: if client or server know to be behind a NAT, enable relay - #if (isflagset(6)) { - # force_rtp_proxy(); - #}; - - # NAT: processing of replies; apply to all transactions - #t_on_reply("1"); - - # send it out now; use stateful forwarding as it works reliably even for UDP2TCP - if (!t_relay()) { + # for INVITEs enable some additional helper routes + if (is_method("INVITE")) { + t_on_branch("1"); + t_on_reply("1"); + t_on_failure("1"); + } + + # send with stateful forwarding which works reliably even for UDP2TCP + if (!t_relay()) sl_reply_error(); - }; + + exit; # safeguard } -#onreply_route[1] { - # NAT: is it a NAT'ed transaction ? - # otherwise, is it a transaction behind a NAT and we did not - # know at time of request processing ? 
(RFC1918 contacts) - #if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") { - # fix_nated_contact(); - # force_rtp_proxy(); - #} else if (nat_uac_test("1")) { - # fix_nated_contact(); - #}; -#} +# +# Branch Request Routing Logic +# +branch_route[1] { + xlog("L_INFO", "new branch at $ru\n"); +} + + +# +# Reply Request Routing Logic +# +onreply_route[1] { + xlog("L_INFO", "incoming reply at $ru\n"); +# if ($ua =~ fritz.box) +# xlog("L_ERR", "$rm: The Fritzbox replied!\n"); +# if ($ua =~ fritz.box && has_body("application/sdp")) +# search_append_body("a=sendrecv.*", "\na=ptime:30"); +} + + +# +# Failure Request Routing Logic +# +failure_route[1] { + xlog("L_INFO", "failed route at $ru\n"); + if (t_was_cancelled()) + exit; + + # uncomment the following lines to block + # client redirect based on 3xx replies + #if (t_check_status("3[0-9][0-9]")) { + #t_reply("404","Not Found"); + # exit; + #} + + # uncomment the following lines to redirect + # failed calls to a different new destination + #if (t_check_status("486|408")) { + # sethostport("192.168.2.100:5060"); + # append_branch(); + # # do not set the missed call flag again + # t_relay(); + #} +} + + +# +# Local Request Routing Logic +# +local_route { + if (is_method("INVITE") && $ru=~"@foreign.tld") { + append_hf("P-hint: foreign request\r\n"); + exit; + } + if (is_method("BYE")) + xlog("L_INFO", "internally generated BYE\n"); +} + + +# +# Error Request Routing Logic +# +error_route { + xlog("L_ERR", "error route class=$(err.class) level=$(err.level) info=$(err.info) rcode=$(err.rcode) rreason=$(err.rreason)\n"); + xlog("L_ERR", "error from [$si:$sp]\n"); + xlog("L_ERR", "++++\n$mb\n++++\n"); + sl_send_reply("$err.rcode", "$err.rreason"); + exit; +} +
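Review bot: The REGISTER branch calls `save("location")` and the `!uri == myself` branch calls `route(1)` with both authentication blocks still commented out, while the same hunk moves the listener from `127.0.0.1` to `udp:voip.realhost.tld:5060`. As written, any sender that can reach that address could bind a contact to any AOR and have requests relayed to arbitrary destinations. `auth.so` and `auth_db.so` are already loaded and `db_url` is set for `auth_db`, so the commented `www_authorize("", "subscriber")`/`www_challenge("", "0")` and `proxy_authorize("", "subscriber")`/`proxy_challenge("", "0")` blocks should be enabled before this is deployed. The hunk also removes the RFC 1918 destination check from `route[1]` without a replacement, which is worth restoring if the proxy sits next to private networks. Separately, `acc` is given `dbtext://…` while the other modules use `text://…`; one of the two schemes is probably wrong for `db_text`.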