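#
# iptel.org real world configuration for secondary host
#
# $Id$
#
# SER routing script. Global settings and module parameters come first,
# followed by a single route{} block that:
#   1. drops local ACKs and over-forwarded requests,
#   2. diverts voicemail requests,
#   3. authenticates REGISTERs and PSTN-bound calls for the local domain,
#   4. looks up native SIP destinations in the user location table,
#   5. relays outbound requests only for authenticated senders.
#

debug=3                 # debug level (cmd line: -dddddddddd)
# NOTE(review): fork=no together with log_stderror=yes reads like a
# foreground/debugging setup -- confirm that is intended on this host.
#fork=yes
fork=no
#log_stderror=no        # (cmd line: -E)
log_stderror=yes        # (cmd line: -E)
check_via=yes           # (cmd. line: -v)
dns=on                  # (cmd. line: -r)
rev_dns=yes             # (cmd. line: -R)
port=5060
children=1

# advertise IP address in Via (as opposed to advertising DNS name
# which is annoying for downstream servers and some phones can
# not handle DNS at all)
listen=195.37.77.100

# NOTE(review): module paths are relative, so which shared objects get
# loaded presumably depends on the directory the server is started from;
# absolute paths to root-owned files are safer on a production host.
loadmodule "../sip_router/modules/sl/sl.so"
loadmodule "../sip_router/modules/print/print.so"
loadmodule "../sip_router/modules/tm/tm.so"
loadmodule "../sip_router/modules/acc/acc.so"
loadmodule "../sip_router/modules/rr/rr.so"
loadmodule "../sip_router/modules/maxfwd/maxfwd.so"
loadmodule "../sip_router/modules/mysql/mysql.so"
loadmodule "../sip_router/modules/usrloc/usrloc.so"
loadmodule "../sip_router/modules/auth/auth.so"
loadmodule "../sip_router/modules/cpl/cpl.so"

# NOTE(review): use_database is set twice with conflicting values;
# presumably the later assignment (0) wins -- confirm which one is meant
# and delete the other, since it decides whether registrations are persisted.
modparam("usrloc", "use_database", 1)
modparam("usrloc", "use_database", 0)
modparam("usrloc", "table", "location")
modparam("usrloc", "user_column", "user")
modparam("usrloc", "contact_column", "contact")
modparam("usrloc", "expires_column", "expires")
modparam("usrloc", "q_column", "q")
modparam("usrloc", "callid_column", "callid")
modparam("usrloc", "cseq_column", "cseq")
modparam("usrloc", "flush_interval", 60)
# NOTE(review): the database user and password are embedded in clear text
# in both db_url values below. Keep this file readable only by the service
# account, keep it out of shared repositories, and rotate the password if
# the file has ever been distributed.
modparam("usrloc", "db_url", "sql://csps:47csps11@dbhost/csps107")
modparam("auth", "db_url", "sql://csps:47csps11@dbhost/csps107")
modparam("auth", "table", "subscriber")
modparam("auth", "user_column", "user")


route{

    # filter local stateless ACK generated by authentication of mf replies
    sl_filter_ACK();

    # filter too old messages
    log("Checking maxfwd\n");
    if (!mf_process_maxfwd_header("10")) {
        log("Too many hops\n");
        sl_send_reply("483","Too Many Hops");
        break;
    };

    # Do strict routing if route headers present
    rewriteFromRoute();

    # divert voicemail requests
    # NOTE(review): both patterns are substring matches and this branch runs
    # before any authentication. The relay target is fixed, so the exposure is
    # limited to unauthenticated traffic reaching the voicemail host -- confirm
    # that host applies its own access control.
    if (uri=~"mail\.iptel\.org" | uri=~":5066") {
        log("Request is for voicemail\n");
        sethost("iptel.org");
        t_relay_to("fox.iptel.org", "5066");
        break;
    };

    # process requests for iptel.org (note the wildcard in
    # the regex end -- that captures URIs which have port
    # numbers or parameters in them); also include gateway
    # here too -- we RR to the gateway which means that its
    # address shows up in d-uri of subsequent requests after
    # having called rewriteFromRoute and we want the requests
    # to go through our PSTN authorization code
    # NOTE(review): these patterns have no end anchor and the trailing group
    # is optional, so a host name that merely begins with "iptel.org" is also
    # treated as local. Consider requiring end-of-string or a [;:] delimiter
    # after the host.
    if (uri=~"[@:]iptel\.org([;:].*)*"
            | uri=~"[@:]195\.37\.77\.101([;:].*)*"
            | uri=~"@195\.37\.77\.110([;:].*)*" ) {

        log("Request is for iptel.org\n");

        # registers always MUST be authenticated to
        # avoid stealing incoming calls
        if (method=="REGISTER") {
            log("Request is REGISTER\n");
            # NOTE(review): "noqop" presumably requests a digest challenge
            # without qop; if so there is no client nonce or nonce count, and
            # replay resistance rests on the server nonce alone -- confirm
            # against the auth module documentation.
            if (!authorize("iptel.org")) {
                log("REGISTER has no credentials, sending challenge\n");
                challenge("iptel.org", "noqop");
                break;
            };
            # prohibit attempts to grab someone else's To address
            # using valid credentials
            if (!check_to()) {
                log("Cheating attempt\n");
                sl_send_reply("403", "What a nasty guy you are");
                break;
            };
            # update Contact database
            log("REGISTER is authorized, saving location\n");
            save_contact("location");
            break;
        };

        # various aliases (might use a database in future)
        if (uri=~"sip:9040@.*") {
            setuser("jiri");
        };
        # special measure for our US friends
        if (uri=~"sip:17@") {
            seturi("sip:henry@siptest.wcom.com");
        };
        # if (uri=~"sip:jiri@.*" & method=="INVITE") {
        #     t_fork_to("001795061546@195.37.77.110");
        # };
        # if (uri=~"sip:jiri@.*" & method=="INVITE") {
        #     t_fork_to("195.37.77.110", "5060");
        # };

        # now it's about PSTN destinations through our gateway;
        # note that 8.... is exempted for numerical destinations
        #
        # The PSTN patterns below are anchored with ^ so that they are
        # evaluated against the dialled user part at the start of the request
        # URI. Unanchored, a pattern may match text later in the URI (for
        # example inside a URI parameter), which would let the free-destination
        # exemption or a cheaper call class be satisfied by a URI whose actual
        # user part is a different number.
        if (uri=~"^sip:[0-79][0-9]*@.*") {
            # label this transaction to be accounted
            t_setflag("acc");
            # free call destinations ... no authentication needed
            # NOTE(review): the second pattern has no "@" after the number, so
            # any longer digit string with that prefix is also free -- confirm
            # this is intended.
            if (uri=~"^sip:001795061546@.*" | uri=~"^sip:0016097265544.*"
                    | uri=~"^sip:[79][0-9][0-9][0-9]@.*") {
                log("Free PSTN\n");
            } else {
                # all other PSTN destinations only for authenticated users
                # (Cisco GW, which has no digest support, is authenticated
                # by its IP address -- that's for sure not very strong;
                # wth confirmed that we filter packets coming from outside
                # and bearing SRC IP address of a Fokus network)
                # NOTE(review): this exemption is only as strong as that
                # packet filter; re-verify the filter whenever the network
                # layout changes.
                if (!(src_ip==195.37.77.110) & !(authorize("iptel.org"))) {
                    challenge("iptel.org", "noqop");
                    break;
                };

                # authorize only for INVITEs -- RR/Contact may result in weird
                # things showing up in d-uri that would break our logic; our
                # major concern is INVITE which causes PSTN costs anyway
                # NOTE(review): requests from the gateway address reach the
                # group checks without authorize() having run; how
                # is_in_group() behaves then is not visible here -- confirm.
                if (method=="INVITE") {
                    # does the authenticated user have a permission for local
                    # calls? (i.e., is he in the "local" group?)
                    if (uri=~"^sip:0[1-9][0-9]+@.*") {
                        if (!is_in_group("local")) {
                            sl_send_reply("403", "Local Toodle Noodle...");
                            break;
                        };
                    # the same for long-distance
                    } else if (uri=~"^sip:00[1-9][0-9]+@.*") {
                        # deny list for added-value numbers; left unanchored
                        # because over-matching here only blocks more
                        if (uri=~"sip:001[089]" | uri=~"sip:00900.*" ) {
                            sl_send_reply("403", "Added Value Destinations not permitted...");
                            break;
                        };
                        if (!is_in_group("ld")) {
                            sl_send_reply("403", "LD Toodle Noodle...");
                            break;
                        };
                    # the same for international calls
                    } else if (uri=~"^sip:000[1-9][0-9]+@.*") {
                        if (!is_in_group("int")) {
                            sl_send_reply("403", "International Toodle Noodle...");
                            break;
                        };
                    # everything else (e.g., interplanetary calls) is denied
                    } else {
                        sl_send_reply("403", "interplanetary Toodle Noodle...");
                        break;
                    };
                };
            };

            # requests to gateway must be record-route because the GW accepts
            # only requests coming from our proxy
            if (method=="INVITE")
                addRecordRoute();

            # if you have passed through all the checks, let your call go to GW!
            rewritehostport("195.37.77.110:5060");
        } else {
            /* added by Bogdan for cpl demo - Dorgham request*/
            if (uri=~"sip:test@.*" && method=="INVITE") {
                log("SER : runing CPL!! :)\n");
                if ( !cpl_run_script() ) {
                    # a failed script is only logged; processing then
                    # continues with the location lookup below
                    log("SER : Error during running CPL script!\n");
                }else{
                    if ( cpl_is_response_reject() ) {
                        log("SER: reject");
                        sl_send_reply("603","I am not available!");
                        break;
                    }else if ( cpl_is_response_redirect() ) {
                        log("SER : redirect\n");
                        cpl_update_contact();
                        sl_send_reply("302","Moved temporarily");
                        break;
                    };
                };
            };

            # native SIP destinations are handled using our USRLOC DB
            if (!lookup_contact("location")) {
                log("Unable to lookup contact, sending 404\n");
                sl_send_reply("404", "Not Found");
                break;
            };
            # requests from gateway should be RR-ed too
            if (src_ip==195.37.77.110 && method=="INVITE") {
                addRecordRoute();
            };
        };
    } else {
        # outbound requests are allowed only for our users -- we don't
        # support relaying and don't like strangers bothering us
        # with resolving DNS
        log("that's a request to outside");
        if (!(src_ip==195.37.77.110) & !(authorize("iptel.org"))) {
            challenge("iptel.org", "noqop");
            break;
        };
        # there should be check_from here too -- but I'm too tired
        # to test it tonight
        # NOTE(review): until that check exists, nothing here ties the From
        # header of an outbound request to the authenticated user.
    };

    # we now know we may, we know where, let it go out now!
    t_relay();
}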