[OpenSIPS-Users] I never see 404 not found

Binan AL Halabi binanalhalabi at yahoo.com
Thu Sep 13 12:00:09 CEST 2012


hej Sajjad,
If you mean the "username" in Authorization header is invalid in step-3 you can do:
adjust your script to send "404 Not Found" since the proxy_authorize and www_ authorize return value is number and if this number is equal to -1 (invalid user) - authentication user does
					not exist.
http://www.opensips.org/html/docs/modules/devel/auth_db.html#id250235

//Binan

--- On Fri, 9/7/12, sajjad purmohseni <spurmohseni at yahoo.com> wrote:

From: sajjad purmohseni <spurmohseni at yahoo.com>
Subject: Re: [OpenSIPS-Users] I never see 404 not found
To: "Muhammad Shahzad" <shaheryarkh at googlemail.com>, "users at lists.opensips.org" <users at lists.opensips.org>
Date: Friday, September 7, 2012, 7:45 AM

Hello Muhammad; thanks for your pursuing;
Yes, second Invite or Register contains authentication header; this is the scenario I mean
1 		client -------------------------------Invite------------------------------->  proxy2		client <-------------------407 with nonce----------------------------  Proxy3		client ------------Invite with calculated nonce-------------------> Proxy4		client <----------------100 giving a try--------------------------------- Proxy5		client <----------------180 ringing--------------------------------------- Proxy
I mean when client uses invalid "From URI" in authentication header in the third step; proxy should send an "404 not found"; but as I see; server just sends 407 message. As you know, if URI is valid, and calculated
 response in authentication header is invalid server sends 407 message too. This causes I cannot understand the URI binding is valid or not. I except if "from URI" binding is invalid in authentication process; server send me an 404 not found message. Is it possible and typical option in SIP proxy servers? 
Thank you
--------------------------------------------------	kind regards;        Sajad Pourmohseni 


        From: Muhammad Shahzad <shaheryarkh at googlemail.com>
 To: sajjad purmohseni
 <spurmohseni at yahoo.com> 
Cc: "users at lists.opensips.org" <users at lists.opensips.org> 
 Sent: Friday, September 7, 2012 6:07 PM
 Subject: Re: [OpenSIPS-Users] I never see 404 not found
   
Does second INVITE contains Proxy-Authorization header? Can you please paste SIP trace here?
Thank you.

On Fri, Sep 7, 2012 at 2:22 PM, sajjad purmohseni <spurmohseni at yahoo.com> wrote:

Hello Muhammad  thanks for reply.

I think you mean invalidity of the "To URI"; But I am telling about invalidity of the "From URI" or the caller contact. In authentication process I expect to receive "404 not found" after sending second Invite or Register messages; but I receive 401 or 407. Is int normal action by server or it can send "404 not found" about invalid "From URI" to tell client that the contact URI is invalid?

--------------------------------------------------
	kind regards;        Sajad Pourmohseni
 


  
      From: Muhammad Shahzad <shaheryarkh at googlemail.com>

 To: sajjad purmohseni <spurmohseni at yahoo.com>; OpenSIPS users mailling list <users at lists.opensips.org> 

 Sent: Friday, September 7, 2012 1:45 PM
 Subject: Re: [OpenSIPS-Users] I never see 404 not found
  
 

Yes because you have enabled proxy authentication of every method except REGISTER. Here is where you are doing this.
# authenticate if from local subscriber (uncomment to enable auth)


 # authenticate all initial non-REGISTER request that pretend to be

 # generated by local subscriber (domain from FROM URI is local)

 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/

 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/

 {

  if (!proxy_authorize("", "subscriber")) {

   proxy_challenge("", "0");

   exit;

  }
This gets called BEFORE you check for destination, which is right way to do it. The caller should authenticate itself before callee is checked.

Thank you.

On Thu, Sep 6, 2012 at 5:07 PM, sajjad purmohseni <spurmohseni at yahoo.com> wrote:




Hi all
 
I use sipp tool accompanying opensips server to generate normal SIP traffic. I successfuly enable authentication in opensips; added some users in database and performed authentication proccess in register and invite requests. I see valid authentication as username and passwords are valid and failure in authentication as password is invalid. After sending first invite and receiving 407 (proxy auth req) message; In my scenario an Invite message is sent with authentication header containing valid nonce. My problem is that when URI of re-Invite request is invalid I receive 407 instead of 404 (not found). 


I'm so grateful about any help.
 
 
This is my opensips config file (opensips.cfg):
 
 
 
 
 
#
# $Id: opensips.cfg 5503 2009-03-22 16:22:32Z bogdan_iancu $
#
# OpenSIPS basic configuration script
#     by Anca Vamanu <anca at voice-system.ro>


#
# Please refer to the Core CookBook at:
#      http://www.opensips.org/index.php?n=Resources.DocsCookbooks
# for a explanation of possible statements, functions and parameters.


#

####### Global Parameters #########
#debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=4
/* uncomment the following lines to enable debugging */
debug=6
#fork=no
#log_stderror=yes
/* uncomment the next line to disable TCP (default on) */
#disable_tcp=yes
/* uncomment the next line to enable the auto temporary blacklisting of 
   not available destinations (default disabled) */
#disable_dns_blacklist=no
/* uncomment the next line to enable IPv6 lookup after IPv4 dns 
   lookup failures (default disabled) */
#dns_try_ipv6=yes
/* uncomment the next line to disable the auto discovery of local aliases
   based on revers DNS on IPs (default on) */
#auto_aliases=no
/* uncomment the following lines to enable TLS support  (default off) */
#disable_tls = no
#listen = tls:your_IP:5061
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 0


#tls_method = TLSv1
#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"


port=5060
/* uncomment and configure the following line if you want opensips to 
   bind on a specific interface/port/proto (default bind on all available) */
listen=udp:194.225.238.244:5060



####### Modules Section ########
#set module path
mpath="/usr/local/lib64/opensips/modules/"
/* uncomment next line for MySQL DB support */
loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"


loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri_db.so"


loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
/* uncomment next lines for MySQL based authentication support 
   NOTE: a DB (like db_mysql) module must be also loaded */


loadmodule "auth.so"
loadmodule "auth_db.so"
/* uncomment next line for aliases support
   NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "alias_db.so"
/* uncomment next line for multi-domain support


   NOTE: a DB (like db_mysql) module must be also loaded
   NOTE: be sure and enable multi-domain support in all used
 modules
         (see "multi-module params" section ) */
#loadmodule "domain.so"
/* uncomment the next two lines for presence server support
   NOTE: a DB (like db_mysql) module must be also loaded */


#loadmodule "presence.so"
#loadmodule "presence_xml.so"

# ----------------- setting module-specific parameters ---------------

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)



# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)


/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

# ----- usrloc params -----
modparam("usrloc", "db_mode",   0)
/* uncomment the following lines if you want to enable DB persistency
   for location entries */
#modparam("usrloc", "db_mode",   2)


#modparam("usrloc", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")

# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
   in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")



# ----- acc params -----
/* what sepcial events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)


/* by default ww do not adjust the direct of the sequential requests.
   if you enable this parameter, be sure the enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)


/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
/* uncomment the following lines to enable DB accounting also */


modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)

# ----- auth_db params -----
/* uncomment the following lines if you want to enable the DB based
   authentication */
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")


modparam("auth_db", "db_url",
 "mysql://opensips:opensipsrw@localhost/opensips")
modparam("auth_db", "load_credentials", "")

# ----- alias_db params -----
/* uncomment the following lines if you want to enable the DB based
   aliases */
#modparam("alias_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")



# ----- domain params -----
/* uncomment the following lines to enable multi-domain detection
   support */
#modparam("domain", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")


#modparam("domain", "db_mode", 1)   # Use caching

# ----- multi-module params -----
/* uncomment the following line if you want to enable multi-domain support
   in the modules (dafault off) */
#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)



# ----- presence params -----
/* uncomment the following lines if you want to enable presence */
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")


#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.1.2:5060")



####### Routing Logic ########

# main request routing logic
route{
 if (!mf_process_maxfwd_header("10")) {
  sl_send_reply("483","Too Many Hops");
  exit;
 }
 if (has_totag()) {
  # sequential request withing a dialog should
  # take the path determined by record-routing
  if (loose_route()) {
   if (is_method("BYE")) {
    setflag(1); # do accounting ...


    setflag(3); # ... even if the transaction fails
   } else if (is_method("INVITE")) {
    # even if in most of the cases is useless, do RR for
    # re-INVITEs alos, as some buggy clients do change route set


    # during the dialog.
    record_route();
   }
   # route it out to whatever destination was set by loose_route()
   # in $du (destination URI).
   route(1);
  } else {
   /* uncomment the following lines if
 you want to enable presence */
   ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
   ## # in-dialog subscribe requests
   ## route(2);
   ## exit;
   ##}


   if ( is_method("ACK") ) {
    if ( t_check_trans() ) {
     # non loose-route, but stateful ACK; must be an ACK after 
     # a 487 or e.g. 404 from upstream server
     t_relay();
     exit;


    } else {
     # ACK without matching transaction ->
     # ignore and discard
     exit;
    }
   }  
   sl_send_reply("404","Not
 here");
  }
  exit;
 }
 #initial requests
 # CANCEL processing
 if (is_method("CANCEL"))
 {
  if (t_check_trans())
   t_relay();
  exit;
 }
 t_check_trans();
 # authenticate if from local subscriber (uncomment to enable auth)
 # authenticate all initial non-REGISTER request that pretend to be
 # generated by local subscriber (domain from FROM URI is local)
 if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/


 ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
 {
  if (!proxy_authorize("", "subscriber")) {
   proxy_challenge("", "0");

   exit;

  }
  if (!check_from()) {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
 
  consume_credentials();
  # caller authenticated
 }
 # preloaded route checking
 if (loose_route()) {
  xlog("L_ERR",
  "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
  if (!is_method("ACK"))
   sl_send_reply("403","Preload Route denied");


  exit;
 }
 # record routing
 if (!is_method("REGISTER|MESSAGE"))
  record_route();
 # account only INVITEs
 if (is_method("INVITE")) {
  setflag(1); # do accounting
 }
 if (!uri==myself)
 ## replace with following line if multi-domain support is used
 ##if (!is_uri_host_local())


 {
  append_hf("P-hint: outbound\r\n"); 
  # if you have some interdomain connections via TLS
  ##if($rd=="tls_domain1.net") {

  ## t_relay("tls:domain1.net");

  ## exit;
  ##} else if($rd=="tls_domain2.net") {
  ## t_relay("tls:domain2.net");

  ## exit;

  ##}
  route(1);
 }
 # requests for my domain
 ## uncomment this if you want to enable presence server 
 ##   and comment the next 'if' block
 ##   NOTE: uncomment also the definition of route[2] from  below
 ##if( is_method("PUBLISH|SUBSCRIBE"))


 ##  route(2);
 if (is_method("PUBLISH"))
 {
  sl_send_reply("503", "Service Unavailable");
  exit;
 }
 
 if (is_method("REGISTER"))
 {
  # authenticate the REGISTER requests (uncomment to enable auth)
  if (!www_authorize("", "subscriber"))
  {
   www_challenge("", "0");


   exit;
  }
  if (!check_to()) 
  {
   sl_send_reply("403","Forbidden auth ID");
   exit;
  }
  if (!save("location"))
   sl_reply_error();
  exit;
 }
 if ($rU==NULL) {
  # request with no Username in RURI
  sl_send_reply("484","Address Incomplete");
  exit;
 }
 # apply DB based aliases (uncomment to enable)
 ##alias_db_lookup("dbaliases");
 if (!lookup("location")) {
  switch ($retcode) {
   case -1:
   case -3:
    t_newtran();
    t_reply("404", "Not Found");
    exit;
   case -2:
    sl_send_reply("405", "Method Not Allowed");


    exit;
  }
 }
 # when routing via usrloc, log the missed calls also
 setflag(2);
 route(1);
}

route[1] {
 # for INVITEs enable some additional helper routes
 if (is_method("INVITE")) {
  t_on_branch("2");
  t_on_reply("2");
  t_on_failure("1");
 }


 if (!t_relay()) {
  sl_reply_error();
 };
 exit;
}

# Presence route
/* uncomment the whole following route for enabling presence
   NOTE: do not forget to enable the call of this route from the main
     route */
##route[2]
##{
## if (!t_newtran())


## {
##  sl_reply_error();
##  exit;
## };
##
## if(is_method("PUBLISH"))
## {
##  handle_publish();
##  t_release();
## }
## else
## if( is_method("SUBSCRIBE"))
## {


##  handle_subscribe();
##  t_release();
## }
##
## exit;
##}

branch_route[2] {
 xlog("new branch at $ru\n");
}

onreply_route[2] {
 xlog("incoming reply\n");
}

failure_route[1] {
 if (t_was_cancelled()) {
  exit;
 }
 # uncomment the following lines if you want to block client 
 # redirect based on 3xx replies.
 ##if (t_check_status("3[0-9][0-9]")) {
 ##t_reply("404","Not found");
 ## exit;


 ##}
 # uncomment the following lines if you want to redirect the failed 
 # calls to a different new destination
 ##if (t_check_status("486|408")) {
 ## sethostport("192.168.2.100:5060");


 ## # do not set the missed call flag again
 ## t_relay();
 ##}
}





_______________________________________________

Users mailing list

Users at lists.opensips.org

http://lists.opensips.org/cgi-bin/mailman/listinfo/users





-- 
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)


Cell: +92 334 422 40 88
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com





    


-- 
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)

CISCO Certified Network Associate (CCNA)
Cell: +92 334 422 40 88
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com





    
-----Inline Attachment Follows-----

_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20120913/7c05cef6/attachment-0001.htm>


More information about the Users mailing list