# # $Id$ # # OpenSIPS residential configuration script # by OpenSIPS Solutions # # This script was generated via "make menuconfig", from # the "Residential" scenario. # You can enable / disable more features / functionalities by # re-generating the scenario with different options.# # # Please refer to the Core CookBook at: # http://www.opensips.org/Resources/DocsCookbooks # for a explanation of possible statements, functions and parameters. # ####### Global Parameters ######### debug=3 log_stderror=yes log_facility=LOG_LOCAL0 fork=yes children=4 /* uncomment the following lines to enable debugging */ #debug=6 #fork=no #log_stderror=yes /* uncomment the next line to enable the auto temporary blacklisting of not available destinations (default disabled) */ #disable_dns_blacklist=no /* uncomment the next line to enable IPv6 lookup after IPv4 dns lookup failures (default disabled) */ #dns_try_ipv6=yes /* comment the next line to enable the auto discovery of local aliases based on revers DNS on IPs */ auto_aliases=no listen=udp:127.0.0.1:5060 # CUSTOMIZE ME listen=tcp:127.0.0.1:5060 # CUSTOMIZE ME dst_blacklist = local_gw : {(tcp, 192.228.2.200, 5060, ""), (any, 192.238.2.201, 0, "")} ####### Modules Section ######## #set module path mpath="modules/" #### SIGNALING module loadmodule "signaling.so" loadmodule "textops.so" #### StateLess module loadmodule "sl.so" #### Transaction Module loadmodule "tm.so" modparam("tm", "fr_timeout", 5) modparam("tm", "fr_inv_timeout", 30) modparam("tm", "restart_fr_on_each_reply", 0) modparam("tm", "onreply_avp_mode", 1) #### Record Route Module loadmodule "rr.so" /* do not append from tag to the RR (no need for this script) */ modparam("rr", "append_fromtag", 0) #### MAX ForWarD module loadmodule "maxfwd.so" #### SIP MSG OPerationS module loadmodule "sipmsgops.so" #### FIFO Management Interface loadmodule "mi_fifo.so" modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo") modparam("mi_fifo", "fifo_mode", 0666) #### URI module loadmodule "uri.so" modparam("uri", "use_uri_table", 0) loadmodule "dialplan.so" #### MYSQL module loadmodule "db_mysql.so" #### USeR LOCation module loadmodule "usrloc.so" modparam("usrloc", "nat_bflag", "NAT") modparam("usrloc", "db_mode", 0) #### REGISTRAR module loadmodule "registrar.so" modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT") /* uncomment the next line not to allow more than 10 contacts per AOR */ #modparam("registrar", "max_contacts", 10) #### ACCounting module loadmodule "acc.so" /* what special events should be accounted ? */ modparam("acc", "early_media", 0) modparam("acc", "report_cancels", 0) /* by default we do not adjust the direct of the sequential requests. if you enable this parameter, be sure the enable "append_fromtag" in "rr" module */ modparam("acc", "detect_direction", 0) modparam("acc", "failed_transaction_flag", "ACC_FAILED") /* account triggers (flags) */ modparam("acc", "log_flag", "ACC_DO") modparam("acc", "log_missed_flag", "ACC_MISSED") #### AUTHentication modules loadmodule "auth.so" loadmodule "auth_db.so" modparam("auth_db", "calculate_ha1", yes) modparam("auth_db", "password_column", "password") modparam("auth_db|dialplan|uri", "db_url", "mysql://opensips:opensipsrw@localhost/opensips") # CUSTOMIZE ME modparam("auth_db", "load_credentials", "") #### ALIAS module loadmodule "alias_db.so" modparam("alias_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips") # CUSTOMIZE ME #### DIALOG module loadmodule "dialog.so" modparam("dialog", "dlg_match_mode", 1) modparam("dialog", "default_timeout", 21600) # 6 hours timeout modparam("dialog", "db_mode", 2) modparam("dialog", "db_url", "mysql://opensips:opensipsrw@localhost/opensips") # CUSTOMIZE ME loadmodule "proto_udp.so" loadmodule "proto_tcp.so" ####### Routing Logic ######## # main request routing logic /* * Authorization part of SIP digest auth. Also limits amount of retries. */ route [auth_with_block] { $var(rc) = proxy_authorize("", "subscriber"); switch ($var(rc)) { case -5: # generic error case -4: # no credentials proxy_challenge("", "0"); exit; break; case -3: # stale nonce case -2: # invalid passwd case -1: # no such user if (cache_fetch("local", "authF_$si", $avp(c_counter))) { if ( $(avp(c_counter){s.int}) >= 10 ) { xlog("SECURITY:ALERT: $(avp(c_counter){s.int}) failed auth from $si\n"); # # INSERT FAVOURITE BLOCK METHOD HERE # send_reply("403", "Forbidden"); exit; } $avp(c_counter) = $(avp(c_counter){s.int}) + 1; cache_store("local", "authF_$si", "$avp(c_counter)", 10); } else { cache_store("local", "authF_$si", "1", 10); } proxy_challenge("", "0"); exit; break; }; cache_remove("local", "authF_$si"); } /* * Absorb SIP requests from commonly used scanning software */ route [absorb_sipscan] { if (dp_translate("1", "$ua/$var(out)")) { xlog("L_INFO", "SCRIPT:DBG: malicious SIP UA - $ci | $ua | $rm | $ru | $ct\n"); exit; } } /* * Do not allow domain names in Contact URI at all */ route [reject_fqdn_contact] { if (not $ct.fields(uri) =~ "[^@]*[0-9]{1,3}(\.[0-9]{1,3}){3}.*") { xlog("L_INFO", "SCRIPT:DBG: FQDN in Contact - $ci | $ua | $rm | $ru | $ct\n"); sl_send_reply("476", "FQDN in Contact"); exit; } } /* * Stateful relaying, also resilient to malicious Request-URI domains */ route [relay_nonlocal] { use_blacklist("local_gw"); if (!t_relay()) send_reply("500", "Internal Error"); unuse_blacklist("local_gw"); } route { route(absorb_sipscan); if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; } if (has_totag()) { # sequential request withing a dialog should # take the path determined by record-routing if (loose_route()) { # validate the sequential request against dialog if ( $DLG_status!=NULL && !validate_dialog() ) { xlog("In-Dialog $rm from $si (callid=$ci) is not valid according to dialog\n"); ## exit; } if (is_method("BYE")) { setflag(ACC_DO); # do accounting ... setflag(ACC_FAILED); # ... even if the transaction fails } else if (is_method("INVITE")) { # even if in most of the cases is useless, do RR for # re-INVITEs alos, as some buggy clients do change route set # during the dialog. record_route(); } # route it out to whatever destination was set by loose_route() # in $du (destination URI). route(relay); } else { if ( is_method("ACK") ) { if ( t_check_trans() ) { # non loose-route, but stateful ACK; must be an ACK after # a 487 or e.g. 404 from upstream server t_relay(); exit; } else { # ACK without matching transaction -> # ignore and discard exit; } } sl_send_reply("404","Not here"); } exit; } # CANCEL processing if (is_method("CANCEL")) { if (t_check_trans()) t_relay(); exit; } t_check_trans(); if ( !(is_method("REGISTER") ) ) { if (from_uri==myself) { route(auth_with_block); if (!db_check_from()) { sl_send_reply("403","Forbidden auth ID"); exit; } consume_credentials(); # caller authenticated } else { # if caller is not local, then called number must be local if (!uri==myself) { send_reply("403","Rely forbidden"); exit; } } } # preloaded route checking if (loose_route()) { xlog("L_ERR", "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]"); if (!is_method("ACK")) sl_send_reply("403","Preload Route denied"); exit; } # record routing if (!is_method("REGISTER|MESSAGE")) record_route(); # account only INVITEs if (is_method("INVITE")) { # create dialog with timeout if ( !create_dialog("B") ) { send_reply("500","Internal Server Error"); exit; } setflag(ACC_DO); # do accounting } if (!uri==myself) { append_hf("P-hint: outbound\r\n"); route(relay); } # requests for my domain if (is_method("PUBLISH|SUBSCRIBE")) { sl_send_reply("503", "Service Unavailable"); exit; } if (is_method("REGISTER")) { route(reject_fqdn_contact); route(auth_with_block); if (!db_check_to()) { sl_send_reply("403","Forbidden auth ID"); exit; } if ( proto==TCP || 0 ) setflag(TCP_PERSISTENT); if (!save("location")) sl_reply_error(); exit; } if ($rU==NULL) { # request with no Username in RURI sl_send_reply("484","Address Incomplete"); exit; } # apply DB based aliases alias_db_lookup("dbaliases"); # do lookup with method filtering if (!lookup("location","m")) { if (!db_does_uri_exist()) { send_reply("420","Bad Extension"); exit; } t_newtran(); t_reply("404", "Not Found"); exit; } # when routing via usrloc, log the missed calls also setflag(ACC_MISSED); route(relay); } route[relay] { # for INVITEs enable some additional helper routes if (is_method("INVITE")) { t_on_branch("per_branch_ops"); t_on_reply("handle_nat"); t_on_failure("missed_call"); } route(relay_nonlocal); exit; } branch_route[per_branch_ops] { xlog("new branch at $ru\n"); } onreply_route[handle_nat] { xlog("incoming reply\n"); } failure_route[missed_call] { if (t_was_cancelled()) { exit; } # uncomment the following lines if you want to block client # redirect based on 3xx replies. ##if (t_check_status("3[0-9][0-9]")) { ##t_reply("404","Not found"); ## exit; ##} } local_route { if (is_method("BYE") && $DLG_dir=="UPSTREAM") { acc_log_request("200 Dialog Timeout"); } }