I never see 404 not found


sajjad purmohseni
Hi all

I use the sipp tool together with an opensips server to generate normal SIP traffic. I successfully enabled authentication in opensips, added some users to the database and performed the authentication process in register and invite requests. I see valid authentication when the username and password are valid, and authentication failure when the password is invalid. After sending the first invite and receiving a 407 (proxy auth req) message, my scenario sends an Invite message with an authentication header containing a valid nonce. My problem is that when the URI of the re-Invite request is invalid I receive 407 instead of 404 (not found).
I'm grateful for any help.

This is my opensips config file (opensips.cfg):

#
# $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
#
# OpenSIPS basic configuration script
#     by Anca Vamanu <[hidden email]>
#
# Please refer to the Core CookBook at:
#      http://www.opensips.org/index.php?n=Resources.DocsCookbooks
# for an explanation of possible statements, functions and parameters.
#

####### Global Parameters #########
#debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=4
/* uncomment the following lines to enable debugging */
debug=6
#fork=no
#log_stderror=yes
/* uncomment the next line to disable TCP (default on) */
#disable_tcp=yes
/* uncomment the next line to enable the auto temporary blacklisting of
   not available destinations (default disabled) */
#disable_dns_blacklist=no
/* uncomment the next line to enable IPv6 lookup after IPv4 dns
   lookup failures (default disabled) */
#dns_try_ipv6=yes
/* uncomment the next line to disable the auto discovery of local aliases
   based on reverse DNS on IPs (default on) */
#auto_aliases=no
/* uncomment the following lines to enable TLS support  (default off) */
#disable_tls = no
#listen = tls:your_IP:5061
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 0
#tls_method = TLSv1
#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
port=5060
/* uncomment and configure the following line if you want opensips to
   bind on a specific interface/port/proto (default bind on all available) */
listen=udp:194.225.238.244:5060

####### Modules Section ########
#set module path
mpath="/usr/local/lib64/opensips/modules/"
/* uncomment next line for MySQL DB support */
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri_db.so"
loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
/* uncomment next lines for MySQL based authentication support
   NOTE: a DB (like db_mysql) module must be also loaded */
loadmodule "auth.so"
loadmodule "auth_db.so"
/* uncomment next line for aliases support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "alias_db.so"
/* uncomment next line for multi-domain support
   NOTE: a DB (like db_mysql) module must be also loaded
   NOTE: be sure and enable multi-domain support in all used modules
         (see "multi-module params" section ) */
#loadmodule "domain.so"
/* uncomment the next two lines for presence server support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "presence.so"
#loadmodule "presence_xml.so"

# ----------------- setting module-specific parameters ---------------

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)

# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

# ----- usrloc params -----
modparam("usrloc", "db_mode",   0)
/* uncomment the following lines if you want to enable DB persistency
   for location entries */
#modparam("usrloc", "db_mode",   2)
#modparam("usrloc", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
   in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")

# ----- acc params -----
/* what special events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
/* by default we do not adjust the direction of the sequential requests.
   if you enable this parameter, be sure to enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
/* uncomment the following lines to enable DB accounting also */
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)

# ----- auth_db params -----
/* uncomment the following lines if you want to enable the DB based
   authentication */
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
 "mysql://opensips:opensipsrw@localhost/opensips")
modparam("auth_db", "load_credentials", "")

# ----- alias_db params -----
/* uncomment the following lines if you want to enable the DB based
   aliases */
#modparam("alias_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- domain params -----
/* uncomment the following lines to enable multi-domain detection
   support */
#modparam("domain", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("domain", "db_mode", 1)   # Use caching

# ----- multi-module params -----
/* uncomment the following line if you want to enable multi-domain support
   in the modules (default off) */
#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)

# ----- presence params -----
/* uncomment the following lines if you want to enable presence */
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.1.2:5060")

####### Routing Logic ########

# main request routing logic
route{
 if (!mf_process_maxfwd_header("10")) {
  sl_send_reply("483","Too Many Hops");
  exit;
 }
 if (has_totag()) {
  # sequential request within a dialog should
  # take the path determined by record-routing
  if (loose_route()) {
   if (is_method("BYE")) {
    setflag(1); # do accounting ...
    setflag(3); # ... even if the transaction fails
   } else if (is_method("INVITE")) {
    # even if in most of the cases is useless, do RR for
    # re-INVITEs also, as some buggy clients do change route set
    # during the dialog.
    record_route();
   }
   # route it out to whatever destination was set by loose_route()
   # in $du (destination URI).
   route(1);
  } else {
   /* uncomment the following lines if you want to enable presence */
   ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
   ## # in-dialog subscribe requests
   ## route(2);
   ## exit;
   ##}
   if ( is_method("ACK") ) {
    if ( t_check_trans() ) {
     # non loose-route, but stateful ACK; must be an ACK after
     # a 487 or e.g. 404 from upstream server
     t_relay();
     exit;
    } else {
     # ACK without matching transaction ->
     # ignore and discard
     exit;
    }
   }  
   sl_send_reply("404","Not here");
  }
  exit;
 }
 #initial requests
 # CANCEL processing
 if (is_method("CANCEL"))
 {
  if (t_check_trans())
   t_relay();
  exit;
 }
 t_check_trans();
 # authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }
  if (!check_from()) {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
 
  consume_credentials();
  # caller authenticated
 }
 # preloaded route checking
 if (loose_route()) {
  xlog("L_ERR",
  "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
  if (!is_method("ACK"))
   sl_send_reply("403","Preload Route denied");
  exit;
 }
 # record routing
 if (!is_method("REGISTER|MESSAGE"))
  record_route();
 # account only INVITEs
 if (is_method("INVITE")) {
  setflag(1); # do accounting
 }
 if (!uri==myself)
 ## replace with following line if multi-domain support is used
 ##if (!is_uri_host_local())
 {
  append_hf("P-hint: outbound\r\n");
  # if you have some interdomain connections via TLS
  ##if($rd=="tls_domain1.net") {
  ## t_relay("tls:domain1.net");
  ## exit;
  ##} else if($rd=="tls_domain2.net") {
  ## t_relay("tls:domain2.net");
  ## exit;
  ##}
  route(1);
 }
 # requests for my domain
 ## uncomment this if you want to enable presence server
 ##   and comment the next 'if' block
 ##   NOTE: uncomment also the definition of route[2] from  below
 ##if( is_method("PUBLISH|SUBSCRIBE"))
 ##  route(2);
 if (is_method("PUBLISH"))
 {
  sl_send_reply("503", "Service Unavailable");
  exit;
 }
 
 if (is_method("REGISTER"))
 {
  # authenticate the REGISTER requests (uncomment to enable auth)
  if (!www_authorize("", "subscriber"))
  {
   www_challenge("", "0");
   exit;
  }
  if (!check_to())
  {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
  if (!save("location"))
   sl_reply_error();
  exit;
 }
 if ($rU==NULL) {
  # request with no Username in RURI
  sl_send_reply("484","Address Incomplete");
  exit;
 }
 # apply DB based aliases (uncomment to enable)
 ##alias_db_lookup("dbaliases");
 if (!lookup("location")) {
  switch ($retcode) {
   case -1:
   case -3:
    t_newtran();
    t_reply("404", "Not Found");
    exit;
   case -2:
    sl_send_reply("405", "Method Not Allowed");
    exit;
  }
 }
 # when routing via usrloc, log the missed calls also
 setflag(2);
 route(1);
}

route[1] {
 # for INVITEs enable some additional helper routes
 if (is_method("INVITE")) {
  t_on_branch("2");
  t_on_reply("2");
  t_on_failure("1");
 }
 if (!t_relay()) {
  sl_reply_error();
 };
 exit;
}

# Presence route
/* uncomment the whole following route for enabling presence
   NOTE: do not forget to enable the call of this route from the main
     route */
##route[2]
##{
## if (!t_newtran())
## {
##  sl_reply_error();
##  exit;
## };
##
## if(is_method("PUBLISH"))
## {
##  handle_publish();
##  t_release();
## }
## else
## if( is_method("SUBSCRIBE"))
## {
##  handle_subscribe();
##  t_release();
## }
##
## exit;
##}

branch_route[2] {
 xlog("new branch at $ru\n");
}

onreply_route[2] {
 xlog("incoming reply\n");
}

failure_route[1] {
 if (t_was_cancelled()) {
  exit;
 }
 # uncomment the following lines if you want to block client
 # redirect based on 3xx replies.
 ##if (t_check_status("3[0-9][0-9]")) {
 ##t_reply("404","Not found");
 ## exit;
 ##}
 # uncomment the following lines if you want to redirect the failed
 # calls to a different new destination
 ##if (t_check_status("486|408")) {
 ## sethostport("192.168.2.100:5060");
 ## # do not set the missed call flag again
 ## t_relay();
 ##}
}




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: I never see 404 not found

Muhammad Shahzad
Yes, because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.

# authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }

This gets called BEFORE you check for the destination, which is the right way to do it. The caller should authenticate itself before the callee is checked.

Thank you.


On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <[hidden email]> wrote:
Hi all
 
I use the sipp tool together with an opensips server to generate normal SIP traffic. I successfully enabled authentication in opensips, added some users to the database and performed the authentication process in register and invite requests. I see valid authentication when the username and password are valid, and authentication failure when the password is invalid. After sending the first invite and receiving a 407 (proxy auth req) message, my scenario sends an Invite message with an authentication header containing a valid nonce. My problem is that when the URI of the re-Invite request is invalid I receive 407 instead of 404 (not found).
I'm grateful for any help.
 
 




--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: [hidden email]
Email: [hidden email]
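
The ordering described in this reply, as an added example that is not part of the original post or of OpenSIPS itself: a Python model of the initial-INVITE branch of the posted route block, with the digest check done as RFC 2617 MD5 without qop (matching proxy_challenge("", "0")). The realm, users, nonce and table contents are constructed, and the model assumes the From domain is local so the authentication block applies.

```python
import hashlib
import hmac

# Constructed sample data standing in for the real tables.
REALM = "sip.example.test"            # constructed realm
SUBSCRIBERS = {"alice": "alice-pw"}   # stand-in for the auth_db "subscriber" table
LOCATION = {"bob"}                    # stand-in for usrloc "location" (registered users)
ISSUED_NONCES = {"5f2a9c01"}          # nonces handed out in earlier 407 challenges


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, password, nonce, method, uri, realm=REALM):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # computed from the plaintext password,
    ha2 = _md5(f"{method}:{uri}")              # as with calculate_ha1 enabled
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_credentials(user, password, nonce, method, uri):
    """Build the fields a client would put in Proxy-Authorization."""
    return {"username": user, "nonce": nonce, "uri": uri,
            "response": digest_response(user, password, nonce, method, uri)}


def proxy_authorized(method, creds):
    """Model of the credential check: every failure looks the same to the caller."""
    if creds is None or creds["nonce"] not in ISSUED_NONCES:
        return False
    password = SUBSCRIBERS.get(creds["username"])
    if password is None:
        return False                           # auth user not in the subscriber table
    expected = digest_response(creds["username"], password,
                               creds["nonce"], method, creds["uri"])
    return hmac.compare_digest(expected, creds["response"])


def route_initial_invite(from_user, ruri_user, creds):
    """Return the reply code in the same order as the posted route block."""
    if not proxy_authorized("INVITE", creds):
        return 407                             # proxy_challenge(); exit
    if creds["username"] != from_user:
        return 403                             # check_from() failed
    if not ruri_user:
        return 484                             # no username in the request URI
    if ruri_user not in LOCATION:
        return 404                             # lookup("location") found nothing
    return "relay"                             # route(1) -> t_relay()


if __name__ == "__main__":
    good = make_credentials("alice", "alice-pw", "5f2a9c01", "INVITE",
                            "sip:nobody@sip.example.test")
    unknown = make_credentials("ghost", "whatever", "5f2a9c01", "INVITE",
                               "sip:bob@sip.example.test")
    print(route_initial_invite("alice", "nobody", None))     # no credentials
    print(route_initial_invite("ghost", "bob", unknown))     # unknown auth user
    print(route_initial_invite("alice", "nobody", good))     # authenticated, callee unknown
    print(route_initial_invite("alice", "bob", good))        # authenticated, callee registered
```

Because the lookup runs only after the credential check, 404 is visible only to authenticated callers; a request whose auth user is not in the subscriber table gets the same 407 as one with a wrong password.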


Re: I never see 404 not found

sajjad purmohseni
Hello Muhammad, thanks for the reply.

I think you mean invalidity of the "To URI", but I am talking about invalidity of the "From URI" or the caller contact. In the authentication process I expect to receive "404 not found" after sending the second Invite or Register message, but I receive 401 or 407. Is this normal behavior by the server, or can it send "404 not found" for an invalid "From URI" to tell the client that the contact URI is invalid?

--------------------------------------------------
kind regards;
        Sajad Pourmohseni
 




From: Muhammad Shahzad <[hidden email]>
To: sajjad purmohseni <[hidden email]>; OpenSIPS users mailling list <[hidden email]>
Sent: Friday, September 7, 2012 1:45 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found

Yes, because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.

# authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }

This gets called BEFORE you check for the destination, which is the right way to do it. The caller should authenticate itself before the callee is checked.

Thank you.


On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <[hidden email]> wrote:
Hi all
 
I use sipp tool accompanying opensips server to generate normal SIP traffic. I successfuly enable authentication in opensips; added some users in database and performed authentication proccess in register and invite requests. I see valid authentication as username and passwords are valid and failure in authentication as password is invalid. After sending first invite and receiving 407 (proxy auth req) message; In my scenario an Invite message is sent with authentication header containing valid nonce. My problem is that when URI of re-Invite request is invalid I receive 407 instead of 404 (not found).
I'm so grateful about any help.
 
 
This is my opensips config file (opensips.cfg):
 
 
 
 
 
#
# $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
#
# OpenSIPS basic configuration script
#     by Anca Vamanu <[hidden email]>
#
# Please refer to the Core CookBook at:
#      http://www.opensips.org/index.php?n=Resources.DocsCookbooks
# for a explanation of possible statements, functions and parameters.
#

####### Global Parameters #########
#debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=4
/* uncomment the following lines to enable debugging */
debug=6
#fork=no
#log_stderror=yes
/* uncomment the next line to disable TCP (default on) */
#disable_tcp=yes
/* uncomment the next line to enable the auto temporary blacklisting of
   not available destinations (default disabled) */
#disable_dns_blacklist=no
/* uncomment the next line to enable IPv6 lookup after IPv4 dns
   lookup failures (default disabled) */
#dns_try_ipv6=yes
/* uncomment the next line to disable the auto discovery of local aliases
   based on revers DNS on IPs (default on) */
#auto_aliases=no
/* uncomment the following lines to enable TLS support  (default off) */
#disable_tls = no
#listen = tls:your_IP:5061
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 0
#tls_method = TLSv1
#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
port=5060
/* uncomment and configure the following line if you want opensips to
   bind on a specific interface/port/proto (default bind on all available) */
listen=udp:194.225.238.244:5060

####### Modules Section ########
#set module path
mpath="/usr/local/lib64/opensips/modules/"
/* uncomment next line for MySQL DB support */
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri_db.so"
loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
/* uncomment next lines for MySQL based authentication support
   NOTE: a DB (like db_mysql) module must be also loaded */
loadmodule "auth.so"
loadmodule "auth_db.so"
/* uncomment next line for aliases support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "alias_db.so"
/* uncomment next line for multi-domain support
   NOTE: a DB (like db_mysql) module must be also loaded
   NOTE: be sure and enable multi-domain support in all used modules
         (see "multi-module params" section ) */
#loadmodule "domain.so"
/* uncomment the next two lines for presence server support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "presence.so"
#loadmodule "presence_xml.so"

# ----------------- setting module-specific parameters ---------------

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)

# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

# ----- usrloc params -----
modparam("usrloc", "db_mode",   0)
/* uncomment the following lines if you want to enable DB persistency
   for location entries */
#modparam("usrloc", "db_mode",   2)
#modparam("usrloc", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
   in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")

# ----- acc params -----
/* what sepcial events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
/* by default ww do not adjust the direct of the sequential requests.
   if you enable this parameter, be sure the enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
/* uncomment the following lines to enable DB accounting also */
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)

# ----- auth_db params -----
/* uncomment the following lines if you want to enable the DB based
   authentication */
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
 "mysql://opensips:opensipsrw@localhost/opensips")
modparam("auth_db", "load_credentials", "")

# ----- alias_db params -----
/* uncomment the following lines if you want to enable the DB based
   aliases */
#modparam("alias_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- domain params -----
/* uncomment the following lines to enable multi-domain detection
   support */
#modparam("domain", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("domain", "db_mode", 1)   # Use caching

# ----- multi-module params -----
/* uncomment the following line if you want to enable multi-domain support
   in the modules (default off) */
#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)

# ----- presence params -----
/* uncomment the following lines if you want to enable presence */
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.1.2:5060")

####### Routing Logic ########

# main request routing logic
route{
 if (!mf_process_maxfwd_header("10")) {
  sl_send_reply("483","Too Many Hops");
  exit;
 }
 if (has_totag()) {
  # sequential request within a dialog should
  # take the path determined by record-routing
  if (loose_route()) {
   if (is_method("BYE")) {
    setflag(1); # do accounting ...
    setflag(3); # ... even if the transaction fails
   } else if (is_method("INVITE")) {
    # even if in most of the cases is useless, do RR for
    # re-INVITEs also, as some buggy clients do change route set
    # during the dialog.
    record_route();
   }
   # route it out to whatever destination was set by loose_route()
   # in $du (destination URI).
   route(1);
  } else {
   /* uncomment the following lines if you want to enable presence */
   ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
   ## # in-dialog subscribe requests
   ## route(2);
   ## exit;
   ##}
   if ( is_method("ACK") ) {
    if ( t_check_trans() ) {
     # non loose-route, but stateful ACK; must be an ACK after
     # a 487 or e.g. 404 from upstream server
     t_relay();
     exit;
    } else {
     # ACK without matching transaction ->
     # ignore and discard
     exit;
    }
   }  
   sl_send_reply("404","Not here");
  }
  exit;
 }
 #initial requests
 # CANCEL processing
 if (is_method("CANCEL"))
 {
  if (t_check_trans())
   t_relay();
  exit;
 }
 t_check_trans();
 # authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }
  if (!check_from()) {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
 
  consume_credentials();
  # caller authenticated
 }
 # preloaded route checking
 if (loose_route()) {
  xlog("L_ERR",
  "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
  if (!is_method("ACK"))
   sl_send_reply("403","Preload Route denied");
  exit;
 }
 # record routing
 if (!is_method("REGISTER|MESSAGE"))
  record_route();
 # account only INVITEs
 if (is_method("INVITE")) {
  setflag(1); # do accounting
 }
 if (!uri==myself)
 ## replace with following line if multi-domain support is used
 ##if (!is_uri_host_local())
 {
  append_hf("P-hint: outbound\r\n");
  # if you have some interdomain connections via TLS
  ##if($rd=="tls_domain1.net") {
  ## t_relay("tls:domain1.net");
  ## exit;
  ##} else if($rd=="tls_domain2.net") {
  ## t_relay("tls:domain2.net");
  ## exit;
  ##}
  route(1);
 }
 # requests for my domain
 ## uncomment this if you want to enable presence server
 ##   and comment the next 'if' block
 ##   NOTE: uncomment also the definition of route[2] from  below
 ##if( is_method("PUBLISH|SUBSCRIBE"))
 ##  route(2);
 if (is_method("PUBLISH"))
 {
  sl_send_reply("503", "Service Unavailable");
  exit;
 }
 
 if (is_method("REGISTER"))
 {
  # authenticate the REGISTER requests (uncomment to enable auth)
  if (!www_authorize("", "subscriber"))
  {
   www_challenge("", "0");
   exit;
  }
  if (!check_to())
  {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
  if (!save("location"))
   sl_reply_error();
  exit;
 }
 if ($rU==NULL) {
  # request with no Username in RURI
  sl_send_reply("484","Address Incomplete");
  exit;
 }
 # apply DB based aliases (uncomment to enable)
 ##alias_db_lookup("dbaliases");
 if (!lookup("location")) {
  switch ($retcode) {
   case -1:
   case -3:
    t_newtran();
    t_reply("404", "Not Found");
    exit;
   case -2:
    sl_send_reply("405", "Method Not Allowed");
    exit;
  }
 }
 # when routing via usrloc, log the missed calls also
 setflag(2);
 route(1);
}

route[1] {
 # for INVITEs enable some additional helper routes
 if (is_method("INVITE")) {
  t_on_branch("2");
  t_on_reply("2");
  t_on_failure("1");
 }
 if (!t_relay()) {
  sl_reply_error();
 };
 exit;
}

# Presence route
/* uncomment the whole following route for enabling presence
   NOTE: do not forget to enable the call of this route from the main
     route */
##route[2]
##{
## if (!t_newtran())
## {
##  sl_reply_error();
##  exit;
## };
##
## if(is_method("PUBLISH"))
## {
##  handle_publish();
##  t_release();
## }
## else
## if( is_method("SUBSCRIBE"))
## {
##  handle_subscribe();
##  t_release();
## }
##
## exit;
##}

branch_route[2] {
 xlog("new branch at $ru\n");
}

onreply_route[2] {
 xlog("incoming reply\n");
}

failure_route[1] {
 if (t_was_cancelled()) {
  exit;
 }
 # uncomment the following lines if you want to block client
 # redirect based on 3xx replies.
 ##if (t_check_status("3[0-9][0-9]")) {
 ##t_reply("404","Not found");
 ## exit;
 ##}
 # uncomment the following lines if you want to redirect the failed
 # calls to a different new destination
 ##if (t_check_status("486|408")) {
 ## sethostport("192.168.2.100:5060");
 ## # do not set the missed call flag again
 ## t_relay();
 ##}
}




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users




--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: [hidden email]
Email: [hidden email]




Re: I never see 404 not found

Muhammad Shahzad
Does the second INVITE contain a Proxy-Authorization header? Can you please paste a SIP trace here?

Thank you.


On Fri, Sep 7, 2012 at 2:22 PM, sajjad purmohseni <[hidden email]> wrote:
Hello Muhammad  thanks for reply.

I think you mean invalidity of the "To URI"; but I am talking about invalidity of the "From URI" or the caller contact. In the authentication process I expect to receive "404 not found" after sending the second Invite or Register messages; but I receive 401 or 407. Is it normal action by the server, or can it send "404 not found" about an invalid "From URI" to tell the client that the contact URI is invalid?

--------------------------------------------------
kind regards;
        Sajad Pourmohseni
 




From: Muhammad Shahzad <[hidden email]>
To: sajjad purmohseni <[hidden email]>; OpenSIPS users mailling list <[hidden email]>
Sent: Friday, September 7, 2012 1:45 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found

Yes because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.

# authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }

This gets called BEFORE you check for destination, which is right way to do it. The caller should authenticate itself before callee is checked.

Thank you.



--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: [hidden email]
Email: [hidden email]
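
The order of checks described in this reply, as an added Python model that is not part of the original thread and is not OpenSIPS code. It follows the posted route for an initial non-REGISTER request with a local From domain: an unknown digest user and a wrong password both end in the same 407, so the reply does not reveal which accounts exist, and 404 is only reachable after the caller has authenticated. The realm, users, password and nonce are constructed, and the Python functions are named after the script functions they stand in for.

```python
import hashlib
import hmac

# All values below are constructed for this example.
REALM = "sip.example.test"
SUBSCRIBER = {"alice": "alice-secret"}   # rows of the "subscriber" table (plaintext, as with calculate_ha1)
LOCATION = {"bob"}                       # users with a registered contact in usrloc
NONCE = "constructed-nonce-0001"         # nonce the proxy sent in its 407


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 digest without qop, as challenged by proxy_challenge("", "0")."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def proxy_authorize(creds, method):
    """True only if the credentials name a known subscriber and the response matches."""
    if creds is None or creds["nonce"] != NONCE:
        return False
    password = SUBSCRIBER.get(creds["username"])
    if password is None:                 # unknown user: same outcome as a bad password
        return False
    expected = digest_response(creds["username"], password, method, creds["uri"], NONCE)
    return hmac.compare_digest(expected, creds["response"])


def route_initial_request(req):
    """Apply the checks in the order the posted main route applies them."""
    creds = req["proxy_authorization"]
    if not proxy_authorize(creds, req["method"]):
        return "407 Proxy Authentication Required"   # proxy_challenge(); exit
    if creds["username"] != req["from_user"]:
        return "403 Forbidden auth ID"               # check_from() failed
    if req["ruri_user"] not in LOCATION:
        return "404 Not Found"                       # lookup("location") failed
    return "relay"                                   # route(1) -> t_relay()


def invite(from_user, ruri_user, auth_user=None, password=None):
    """Build a constructed INVITE; credentials are attached only if auth_user is given."""
    uri = f"sip:{ruri_user}@{REALM}"
    req = {"method": "INVITE", "from_user": from_user,
           "ruri_user": ruri_user, "proxy_authorization": None}
    if auth_user is not None:
        req["proxy_authorization"] = {
            "username": auth_user, "uri": uri, "nonce": NONCE,
            "response": digest_response(auth_user, password, "INVITE", uri, NONCE),
        }
    return req


if __name__ == "__main__":
    cases = {
        "no credentials": invite("alice", "bob"),
        "valid caller, registered callee": invite("alice", "bob", "alice", "alice-secret"),
        "valid caller, wrong password": invite("alice", "bob", "alice", "guess"),
        "unknown caller": invite("ghost", "bob", "ghost", "guess"),
        "From user differs from digest user": invite("carol", "bob", "alice", "alice-secret"),
        "valid caller, unregistered callee": invite("alice", "nobody", "alice", "alice-secret"),
    }
    for label, request in cases.items():
        print(f"{label:38s} -> {route_initial_request(request)}")
```
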


Re: I never see 404 not found

sajjad purmohseni
Hello Muhammad; thanks for your pursuing;

Yes, second Invite or Register contains authentication header; this is the scenario I mean

1 client -------------------------------Invite-------------------------------> Proxy
2 client <-------------------407 with nonce---------------------------- Proxy
3 client ------------Invite with calculated nonce-------------------> Proxy
4 client <----------------100 giving a try--------------------------------- Proxy
5 client <----------------180 ringing--------------------------------------- Proxy

I mean when the client uses an invalid "From URI" in the authentication header in the third step, the proxy should send a "404 not found"; but as I see, the server just sends a 407 message. As you know, if the URI is valid and the calculated response in the authentication header is invalid, the server sends a 407 message too. Because of this I cannot tell whether the URI binding is valid or not. I expect that if the "From URI" binding is invalid in the authentication process, the server sends me a 404 not found message. Is it a possible and typical option in SIP proxy servers?

Thank you

--------------------------------------------------
kind regards;
        Sajad Pourmohseni
 




From: Muhammad Shahzad <[hidden email]>
To: sajjad purmohseni <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Sent: Friday, September 7, 2012 6:07 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found

Does the second INVITE contain a Proxy-Authorization header? Can you please paste a SIP trace here?

Thank you.


On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <[hidden email]> wrote:
Hi all
 
I use the sipp tool together with an opensips server to generate normal SIP traffic. I successfully enabled authentication in opensips, added some users to the database and performed the authentication process in register and invite requests. I see valid authentication when the username and password are valid, and failure in authentication when the password is invalid. After sending the first invite and receiving the 407 (proxy auth req) message, in my scenario an Invite message is sent with an authentication header containing a valid nonce. My problem is that when the URI of the re-Invite request is invalid I receive 407 instead of 404 (not found).
I'm so grateful about any help.
 
 
This is my opensips config file (opensips.cfg):
 
 
 
 
 
#
# $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
#
# OpenSIPS basic configuration script
#     by Anca Vamanu <[hidden email]>
#
# Please refer to the Core CookBook at:
#      http://www.opensips.org/index.php?n=Resources.DocsCookbooks
# for an explanation of possible statements, functions and parameters.
#

####### Global Parameters #########
#debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=4
/* uncomment the following lines to enable debugging */
debug=6
#fork=no
#log_stderror=yes
/* uncomment the next line to disable TCP (default on) */
#disable_tcp=yes
/* uncomment the next line to enable the auto temporary blacklisting of
   not available destinations (default disabled) */
#disable_dns_blacklist=no
/* uncomment the next line to enable IPv6 lookup after IPv4 dns
   lookup failures (default disabled) */
#dns_try_ipv6=yes
/* uncomment the next line to disable the auto discovery of local aliases
   based on reverse DNS on IPs (default on) */
#auto_aliases=no
/* uncomment the following lines to enable TLS support  (default off) */
#disable_tls = no
#listen = tls:your_IP:5061
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 0
#tls_method = TLSv1
#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
port=5060
/* uncomment and configure the following line if you want opensips to
   bind on a specific interface/port/proto (default bind on all available) */
listen=udp:194.225.238.244:5060

####### Modules Section ########
#set module path
mpath="/usr/local/lib64/opensips/modules/"
/* uncomment next line for MySQL DB support */
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri_db.so"
loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
/* uncomment next lines for MySQL based authentication support
   NOTE: a DB (like db_mysql) module must be also loaded */
loadmodule "auth.so"
loadmodule "auth_db.so"
/* uncomment next line for aliases support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "alias_db.so"
/* uncomment next line for multi-domain support
   NOTE: a DB (like db_mysql) module must be also loaded
   NOTE: be sure and enable multi-domain support in all used modules
         (see "multi-module params" section ) */
#loadmodule "domain.so"
/* uncomment the next two lines for presence server support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "presence.so"
#loadmodule "presence_xml.so"

# ----------------- setting module-specific parameters ---------------

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)

# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

# ----- usrloc params -----
modparam("usrloc", "db_mode",   0)
/* uncomment the following lines if you want to enable DB persistency
   for location entries */
#modparam("usrloc", "db_mode",   2)
#modparam("usrloc", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
   in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")

# ----- acc params -----
/* what special events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
/* by default we do not adjust the direction of the sequential requests.
   if you enable this parameter, be sure to enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
/* uncomment the following lines to enable DB accounting also */
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)

# ----- auth_db params -----
/* uncomment the following lines if you want to enable the DB based
   authentication */
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
 "mysql://opensips:opensipsrw@localhost/opensips")
modparam("auth_db", "load_credentials", "")

# ----- alias_db params -----
/* uncomment the following lines if you want to enable the DB based
   aliases */
#modparam("alias_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- domain params -----
/* uncomment the following lines to enable multi-domain detection
   support */
#modparam("domain", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("domain", "db_mode", 1)   # Use caching

# ----- multi-module params -----
/* uncomment the following line if you want to enable multi-domain support
   in the modules (default off) */
#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)

# ----- presence params -----
/* uncomment the following lines if you want to enable presence */
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.1.2:5060")

####### Routing Logic ########

# main request routing logic
route{
 if (!mf_process_maxfwd_header("10")) {
  sl_send_reply("483","Too Many Hops");
  exit;
 }
 if (has_totag()) {
  # sequential request within a dialog should
  # take the path determined by record-routing
  if (loose_route()) {
   if (is_method("BYE")) {
    setflag(1); # do accounting ...
    setflag(3); # ... even if the transaction fails
   } else if (is_method("INVITE")) {
    # even if in most of the cases is useless, do RR for
    # re-INVITEs also, as some buggy clients do change route set
    # during the dialog.
    record_route();
   }
   # route it out to whatever destination was set by loose_route()
   # in $du (destination URI).
   route(1);
  } else {
   /* uncomment the following lines if you want to enable presence */
   ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
   ## # in-dialog subscribe requests
   ## route(2);
   ## exit;
   ##}
   if ( is_method("ACK") ) {
    if ( t_check_trans() ) {
     # non loose-route, but stateful ACK; must be an ACK after
     # a 487 or e.g. 404 from upstream server
     t_relay();
     exit;
    } else {
     # ACK without matching transaction ->
     # ignore and discard
     exit;
    }
   }  
   sl_send_reply("404","Not here");
  }
  exit;
 }
 #initial requests
 # CANCEL processing
 if (is_method("CANCEL"))
 {
  if (t_check_trans())
   t_relay();
  exit;
 }
 t_check_trans();
 # authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }
  if (!check_from()) {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
 
  consume_credentials();
  # caller authenticated
 }
 # preloaded route checking
 if (loose_route()) {
  xlog("L_ERR",
  "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
  if (!is_method("ACK"))
   sl_send_reply("403","Preload Route denied");
  exit;
 }
 # record routing
 if (!is_method("REGISTER|MESSAGE"))
  record_route();
 # account only INVITEs
 if (is_method("INVITE")) {
  setflag(1); # do accounting
 }
 if (!uri==myself)
 ## replace with following line if multi-domain support is used
 ##if (!is_uri_host_local())
 {
  append_hf("P-hint: outbound\r\n");
  # if you have some interdomain connections via TLS
  ##if($rd=="tls_domain1.net") {
  ## t_relay("tls:domain1.net");
  ## exit;
  ##} else if($rd=="tls_domain2.net") {
  ## t_relay("tls:domain2.net");
  ## exit;
  ##}
  route(1);
 }
 # requests for my domain
 ## uncomment this if you want to enable presence server
 ##   and comment the next 'if' block
 ##   NOTE: uncomment also the definition of route[2] from  below
 ##if( is_method("PUBLISH|SUBSCRIBE"))
 ##  route(2);
 if (is_method("PUBLISH"))
 {
  sl_send_reply("503", "Service Unavailable");
  exit;
 }
 
 if (is_method("REGISTER"))
 {
  # authenticate the REGISTER requests (uncomment to enable auth)
  if (!www_authorize("", "subscriber"))
  {
   www_challenge("", "0");
   exit;
  }
  if (!check_to())
  {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
  if (!save("location"))
   sl_reply_error();
  exit;
 }
 if ($rU==NULL) {
  # request with no Username in RURI
  sl_send_reply("484","Address Incomplete");
  exit;
 }
 # apply DB based aliases (uncomment to enable)
 ##alias_db_lookup("dbaliases");
 if (!lookup("location")) {
  switch ($retcode) {
   case -1:
   case -3:
    t_newtran();
    t_reply("404", "Not Found");
    exit;
   case -2:
    sl_send_reply("405", "Method Not Allowed");
    exit;
  }
 }
 # when routing via usrloc, log the missed calls also
 setflag(2);
 route(1);
}

route[1] {
 # for INVITEs enable some additional helper routes
 if (is_method("INVITE")) {
  t_on_branch("2");
  t_on_reply("2");
  t_on_failure("1");
 }
 if (!t_relay()) {
  sl_reply_error();
 };
 exit;
}

# Presence route
/* uncomment the whole following route for enabling presence
   NOTE: do not forget to enable the call of this route from the main
     route */
##route[2]
##{
## if (!t_newtran())
## {
##  sl_reply_error();
##  exit;
## };
##
## if(is_method("PUBLISH"))
## {
##  handle_publish();
##  t_release();
## }
## else
## if( is_method("SUBSCRIBE"))
## {
##  handle_subscribe();
##  t_release();
## }
##
## exit;
##}

branch_route[2] {
 xlog("new branch at $ru\n");
}

onreply_route[2] {
 xlog("incoming reply\n");
}

failure_route[1] {
 if (t_was_cancelled()) {
  exit;
 }
 # uncomment the following lines if you want to block client
 # redirect based on 3xx replies.
 ##if (t_check_status("3[0-9][0-9]")) {
 ##t_reply("404","Not found");
 ## exit;
 ##}
 # uncomment the following lines if you want to redirect the failed
 # calls to a different new destination
 ##if (t_check_status("486|408")) {
 ## sethostport("192.168.2.100:5060");
 ## # do not set the missed call flag again
 ## t_relay();
 ##}
}




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users




--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: [hidden email]
Email: [hidden email]






Re: I never see 404 not found

Binan83
hej Sajjad,
If you mean that the "username" in the Authorization header is invalid in step 3, you can do this:
adjust your script to send "404 Not Found", since the return value of proxy_authorize and www_authorize is a number, and if this number is equal to -1 (invalid user), the authentication user does not exist.
http://www.opensips.org/html/docs/modules/devel/auth_db.html#id250235

//Binan

--- On Fri, 9/7/12, sajjad purmohseni <[hidden email]> wrote:

From: sajjad purmohseni <[hidden email]>
Subject: Re: [OpenSIPS-Users] I never see 404 not found
To: "Muhammad Shahzad" <[hidden email]>, "[hidden email]" <[hidden email]>
Date: Friday, September 7, 2012, 7:45 AM

Hello Muhammad; thanks for your pursuing;

Yes, second Invite or Register contains authentication header; this is the scenario I mean

1 client -------------------------------Invite-------------------------------> Proxy
2 client <-------------------407 with nonce---------------------------- Proxy
3 client ------------Invite with calculated nonce-------------------> Proxy
4 client <----------------100 giving a try--------------------------------- Proxy
5 client <----------------180 ringing--------------------------------------- Proxy

I mean that when the client uses an invalid "From URI" in the authentication header in the third step, the proxy should send a "404 not found"; but as I see, the server just sends a 407 message. As you know, if the URI is valid and the calculated response in the authentication header is invalid, the server sends a 407 message too. Because of this I cannot tell whether the URI binding is valid or not. I expect that if the "from URI" binding is invalid in the authentication process, the server sends me a 404 not found message. Is this a possible and typical option in SIP proxy servers?

Thank you

--------------------------------------------------
kind regards;
        Sajad Pourmohseni
 




From: Muhammad Shahzad <[hidden email]>
To: sajjad purmohseni <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Sent: Friday, September 7, 2012 6:07 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found

Does the second INVITE contain a Proxy-Authorization header? Can you please paste a SIP trace here?

Thank you.


On Fri, Sep 7, 2012 at 2:22 PM, sajjad purmohseni <spurmohseni@...> wrote:
Hello Muhammad  thanks for reply.

I think you mean invalidity of the "To URI", but I am talking about invalidity of the "From URI" or the caller contact. In the authentication process I expect to receive "404 not found" after sending the second Invite or Register message, but I receive 401 or 407. Is it normal action by the server, or can it send "404 not found" about an invalid "From URI" to tell the client that the contact URI is invalid?

--------------------------------------------------
kind regards;
        Sajad Pourmohseni
 




From: Muhammad Shahzad <shaheryarkh@...>
To: sajjad purmohseni <spurmohseni@...>; OpenSIPS users mailling list <users@...>
Sent: Friday, September 7, 2012 1:45 PM
Subject: Re: [OpenSIPS-Users] I never see 404 not found

Yes because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.

# authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");
   exit;
  }

This gets called BEFORE you check for the destination, which is the right way to do it. The caller should authenticate itself before the callee is checked.

Thank you.


voipmagazine.wordpress.com/
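
The script change suggested in the reply above, as an added example (it is not part of the thread or of the poster's configuration): the proxy-authentication block of the posted opensips.cfg with a switch on $retcode after proxy_authorize(). It assumes the auth_db return codes -1 (invalid user) and -2 (invalid password) from the linked module documentation; the xlog lines and the use of $au and $si are additions for illustration.

```opensips
# Added example: replaces the proxy_authorize block in the posted route{}.
if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
{
	if (!proxy_authorize("", "subscriber")) {
		# $retcode holds the negative result of proxy_authorize()
		switch ($retcode) {
			case -1:
				# auth username is not in the subscriber table
				xlog("L_WARN", "auth: unknown user '$au' from $si [$ci]\n");
				sl_send_reply("404", "Not Found");
				exit;
			case -2:
				# user exists, but the digest response does not match
				xlog("L_WARN", "auth: bad password for '$au' from $si [$ci]\n");
				proxy_challenge("", "0");
				exit;
			default:
				# no credentials yet, stale nonce or generic error:
				# send (or repeat) the 407 challenge
				proxy_challenge("", "0");
				exit;
		}
	}
	if (!check_from()) {
		sl_send_reply("403", "Forbidden auth ID");
		exit;
	}

	consume_credentials();
	# caller authenticated
}
```

With this mapping a remote client can tell existing accounts (407 again) from nonexistent ones (404), so on an exposed proxy keep the uniform challenge for both cases and rely on the two log lines to spot username guessing.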