[Serusers] Ser 0.9.0 + Mediaproxy 1.3.1 - Problems with NATed Clients Authentication
Greger V. Teigre
greger at teigre.com
Wed May 25 09:36:26 CEST 2005
Could the REGISTERs from the NATed clients be getting rejected by the check_to()
test for some reason? Add some log entries to your config file to find out where
processing stops. An ngrep trace always helps, too...
g-)
Felipe Martins wrote:
> Hi everybody,
>
> I've configured SER to work with mediaproxy, and I also configured
> mediaproxy.ini. My clients are authenticating normally, but only the
> clients that have a public IP (e.g. 200.201.145.146); all the clients
> that are behind NAT can't REGISTER. What may be wrong? Does anyone
> use SER 0.9.0 with MySQL authentication and Mediaproxy who could
> give me a hand?
> My ser.cfg and mediaproxy.ini are as follows
>
>
> ================== ser.cfg ======================
> # Global section of ser.cfg: core parameters, module loading and module
> # parameters. Everything here is evaluated once at start-up, before any
> # route block runs.
> debug=3
> fork=yes
> log_stderror=no
>
> listen=192.0.2.13 # put your server IP address here
> port=5060
> children=4
>
> dns=no
> rev_dns=no
>
> # NOTE(review): the management FIFO is created under /tmp, a directory every
> # local user can reach. Check the ownership and mode of the FIFO so that only
> # the administrator can write to it.
> fifo="/tmp/ser_fifo"
> # NOTE(review): the database password is embedded in this URL (and again in
> # the db_url modparam below). "heslo" looks like the stock sample password;
> # use a site-specific one and mask it before posting the file publicly.
> fifo_db_url="mysql://ser:heslo@localhost/ser"
>
> loadmodule "/usr/local/lib/ser/modules/mysql.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/tm.so"
> loadmodule "/usr/local/lib/ser/modules/rr.so"
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
> loadmodule "/usr/local/lib/ser/modules/auth.so"
> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
> loadmodule "/usr/local/lib/ser/modules/uri.so"
> loadmodule "/usr/local/lib/ser/modules/uri_db.so"
> loadmodule "/usr/local/lib/ser/modules/domain.so"
> loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"
> loadmodule "/usr/local/lib/ser/modules/nathelper.so"
> loadmodule "/usr/local/lib/ser/modules/textops.so"
>
> # The same database URL is shared by digest authentication (auth_db), the
> # URI checks (uri_db) and the location service (usrloc).
> modparam("auth_db|uri_db|usrloc", "db_url",
> "mysql://ser:heslo@localhost/ser")
> # NOTE(review): calculate_ha1=1 together with password_column="password"
> # means the subscriber table holds clear-text passwords and HA1 is computed
> # per request. Storing pre-computed HA1 values instead keeps clear-text
> # passwords out of the database.
> modparam("auth_db", "calculate_ha1", 1)
> modparam("auth_db", "password_column", "password")
>
> # nathelper's RTP proxy and NAT ping are both switched off here; the
> # mediaproxy module below does the NAT pinging (every 30 s). nathelper is
> # presumably loaded only for the fix_nated_*() helpers used in the routes.
> modparam("nathelper", "rtpproxy_disable", 1)
> modparam("nathelper", "natping_interval", 0)
>
> # SER sends its media commands straight to the MediaProxy UNIX socket.
> modparam("mediaproxy","natping_interval", 30)
> modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy.sock")
> modparam("mediaproxy","sip_asymmetrics","/usr/local/etc/ser/sip-clients")
> modparam("mediaproxy","rtp_asymmetrics","/usr/local/etc/ser/rtp-clients")
>
> modparam("usrloc", "db_mode", 2)
>
> # Flag 6 is the "contact is behind NAT" marker; route[2] sets it before
> # save("location") for REGISTERs that fail the NAT test.
> modparam("registrar", "nat_flag", 6)
>
> modparam("rr", "enable_full_lr", 1)
>
> route {
>
>     # -----------------------------------------------------------------
>     # Sanity Check Section
>     # -----------------------------------------------------------------
>     # Reject requests whose Max-Forwards check fails and messages that
>     # exceed max_len before doing any other work.
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483", "Too Many Hops");
>         break;
>     };
>
>     if (msg:len > max_len) {
>         sl_send_reply("513", "Message Overflow");
>         break;
>     };
>
>     # -----------------------------------------------------------------
>     # Record Route Section
>     # -----------------------------------------------------------------
>     # INVITEs from NATed callers get a preset Record-Route carrying
>     # ";nat=yes"; every other request except REGISTER gets a plain one.
>     if (method=="INVITE" && client_nat_test("3")) {
>         # INSERT YOUR IP ADDRESS HERE
>         record_route_preset("192.0.2.13:5060;nat=yes");
>     } else if (method!="REGISTER") {
>         record_route();
>     };
>
>     # -----------------------------------------------------------------
>     # Call Tear Down Section
>     # -----------------------------------------------------------------
>     if (method=="BYE" || method=="CANCEL") {
>         end_media_session();
>     };
>
>     # -----------------------------------------------------------------
>     # Loose Route Section
>     # -----------------------------------------------------------------
>     # In-dialog requests: re-INVITE/ACK are sent through the media proxy
>     # when the sender tests as NATed or the Route header carries the
>     # ";nat=yes" tag added by record_route_preset() above.
>     if (loose_route()) {
>
>         if (has_totag() && (method=="INVITE" || method=="ACK")) {
>
>             if (client_nat_test("3") || search("^Route:.*;nat=yes")) {
>                 setflag(6);
>                 use_media_proxy();
>             };
>         };
>
>         route(1);
>         break;
>     };
>
>     # -----------------------------------------------------------------
>     # Call Type Processing Section
>     # -----------------------------------------------------------------
>
>     # NOTE(review): a request addressed to a foreign domain is handed to
>     # route(1) and relayed without any authentication. Requiring
>     # proxy_authorize() before relaying to non-local destinations keeps the
>     # proxy from being usable as an open relay.
>     if (uri!=myself) {
>         route(1);
>         break;
>     };
>
>     if (uri==myself) {
>
>         # CANCEL and INVITE share route[3]; REGISTER goes to route[2].
>         if (method=="CANCEL" || method=="INVITE") {
>             route(3);
>             break;
>         } else if (method=="REGISTER") {
>             route(2);
>             break;
>         };
>
>         # Remaining methods: resolve aliases first, then the location table.
>         lookup("aliases");
>         if (uri!=myself) {
>             route(1);
>             break;
>         };
>
>         if (!lookup("location")) {
>             sl_send_reply("404", "User Not Found");
>             break;
>         };
>     };
>
>     route(1);
> }
>
> route[1] {
>
>     # -----------------------------------------------------------------
>     # Default Message Handler
>     # -----------------------------------------------------------------
>     # Arm onreply_route[1] for the replies, then relay statefully.
>     t_on_reply("1");
>
>     if (!t_relay()) {
>
>         # Relaying failed: release the media session for the methods that
>         # may have opened one, then report the error statelessly.
>         if (method=="INVITE" || method=="ACK") {
>             end_media_session();
>         };
>
>         sl_reply_error();
>     };
> }
>
> route[2] {
>
>     # -----------------------------------------------------------------
>     # REGISTER Message Handler
>     # -----------------------------------------------------------------
>     # NOTE(review): every `break` below is an exit point for a REGISTER.
>     # A log line in front of each one shows where a request from a NATed
>     # client stops.
>
>     sl_send_reply("100", "Trying");
>
>     # NAT handling runs before authentication: unless the Contact is "*",
>     # a request that fails the NAT test is flagged (6 = registrar nat_flag)
>     # and has its Contact and rport fixed up.
>     if (!search("^Contact:\ +\*") && client_nat_test("7")) {
>         setflag(6);
>         fix_nated_register();
>         force_rport();
>     };
>
>     # Digest authentication against the subscriber table.
>     # NOTE(review): the second www_challenge() argument is "0", which
>     # presumably leaves qop out of the challenge - confirm against the auth
>     # module documentation; enabling qop strengthens the digest exchange.
>     if (!www_authorize("","subscriber")) {
>         www_challenge("","0");
>         break;
>     };
>
>     # Identity check: presumably compares the To user with the authenticated
>     # digest user, so that one subscriber cannot register a contact for
>     # another subscriber's address.
>     # NOTE(review): this 401 is sent without a challenge, unlike the
>     # www_challenge() path above; route[3] answers the equivalent
>     # check_from() failure with 403.
>     if (!check_to()) {
>         sl_send_reply("401", "Unauthorized");
>         break;
>     };
>
>     consume_credentials();
>
>     # Store the binding; a failure is reported back statelessly.
>     if (!save("location")) {
>         sl_reply_error();
>     };
> }
>
> route[3] {
>
>     # -----------------------------------------------------------------
>     # CANCEL and INVITE Message Handler
>     # -----------------------------------------------------------------
>
>     # Caller-side NAT: flag 7 marks a NATed sender.
>     if (client_nat_test("3")) {
>         setflag(7);
>         force_rport();
>         fix_nated_contact();
>     };
>
>     lookup("aliases");
>     if (uri!=myself) {
>         route(1);
>         break;
>     };
>
>     # NOTE(review): the location lookup runs before proxy_authorize(), so an
>     # unauthenticated sender gets 404 for unknown users and a challenge for
>     # known ones. Authenticating first avoids revealing which users exist.
>     if (!lookup("location")) {
>         sl_send_reply("404", "User Not Found");
>         break;
>     };
>
>     # CANCEL is relayed as-is; only INVITE continues to authentication.
>     if (method=="CANCEL") {
>         route(1);
>         break;
>     };
>
>     # Digest authentication against the subscriber table.
>     # NOTE(review): the second proxy_challenge() argument is "0", which
>     # presumably leaves qop out of the challenge - confirm against the auth
>     # module documentation.
>     if (!proxy_authorize("","subscriber")) {
>         proxy_challenge("","0");
>         break;
>     };
>
>     # Identity check on the From header; presumably it must match the
>     # authenticated digest user.
>     if (!check_from()) {
>         sl_send_reply("403", "Use From=ID");
>         break;
>     };
>
>     consume_credentials();
>
>     # Flag 7 is set above for a NATed caller; flag 6 is the registrar
>     # nat_flag and is presumably restored by lookup("location") for a NATed
>     # callee. Either one sends the media through the proxy.
>     if (isflagset(6) || isflagset(7)) {
>         use_media_proxy();
>     };
>
>     route(1);
> }
>
> onreply_route[1] {
>
>     # Replies to NAT-flagged transactions (flag 6 or 7): rewrite the media
>     # description of 180, 183 and 2xx replies, unless the reply declares an
>     # empty body.
>     if ((isflagset(6) || isflagset(7)) &&
>         (status=~"(180)|(183)|2[0-9][0-9]") &&
>         !search("^Content-Length:\ +0")) {
>         use_media_proxy();
>     };
>
>     # Independently of the flags, fix the Contact when the replying side
>     # itself tests as NATed.
>     if (client_nat_test("1")) {
>         fix_nated_contact();
>     };
> }
>
> ================== End of ser.cfg ======================
>
>
> =================== mediaproxy.ini ======================
> ;
> ; Configuration file for MediaProxy
> ;
>
> [Dispatcher]
> ;
> ; Section for configuring the proxy dispatcher
> ;
> ; The following options are available here:
> ;
> ; start         Boolean value that specifies if to start the dispatcher.
> ;               Default value: Yes
> ;
> ; socket        Path to the UNIX socket where the dispatcher receives
> ;               commands from SER. This should match the value for
> ;               mediaproxy_socket in ser.cfg
> ;               Default value: /var/run/proxydispatcher.sock
> ;
> ; group         Put the socket in this group and make it group writable.
> ;               Default value: ser
> ;
> ; defaultProxy  Default mediaproxy to use in case the From/To domains
> ;               involved in the call don't define any.
> ;               Valid values for this are:
> ;
> ;               - None
> ;                   don't use any default proxies. domains without
> ;                   mediaproxy SRV records won't work
> ;               - /path/to/unix/socket
> ;                   use a single MediaProxy server identified by the given
> ;                   UNIX socket path
> ;               - IP_or_hostname[:port]
> ;                   use a single MediaProxy server identified by its network
> ;                   address. The network address consists of an IP address
> ;                   or a hostname and an optional port number separated by
> ;                   a double colon. If port is missing 25060 will be assumed.
> ;                   Examples:
> ;                     10.0.0.1               (connect to 10.0.0.1 on port 25060)
> ;                     10.0.0.1:90            (connect to 10.0.0.1 on port 90)
> ;                     mp1.mydomain.com
> ;                     mp1.mydomain.com:7000
> ;               - domain://domain_name
> ;                   Use all MediaProxies defined by domain_name, honoring
> ;                   their priority and weight to create a cluster of proxies
> ;                   with fallback and load balancing capabilities.
> ;
> ;               Default value: /var/run/mediaproxy.sock
> ;
> ; NOTE(review): ser.cfg sets mediaproxy_socket to /var/run/mediaproxy.sock,
> ; not to the dispatcher socket below, so SER appears to talk to MediaProxy
> ; directly and bypass the dispatcher - confirm this is intended.
> start = yes
> socket = /var/run/proxydispatcher.sock
> group = ser
> defaultProxy = /var/run/mediaproxy.sock
>
> [MediaProxy]
> ;
> ; Section for configuring the MediaProxy server
> ;
> ; The following options are available here:
> ;
> ; start         Boolean value that specifies if to start the RTP proxy server.
> ;               Default value: Yes
> ;
> ; socket        Path to the UNIX socket where MediaProxy receives
> ;               commands from the dispatcher or SER.
> ;               Default value: /var/run/mediaproxy.sock
> ;
> ; group         Put the socket in this group and make it group writable.
> ;               Default value: ser
> ;
> ; listen        Network address where MediaProxy receives commands from
> ;               a remote dispatcher.
> ;               Valid values for this are:
> ;
> ;               - None
> ;                   don't listen for network connections at all
> ;               - address[:port]
> ;                   listen on the specified address and port
> ;                   address can be an IP a hostname or the keyword Any
> ;                   (in which case it will listen on 0.0.0.0). If address is
> ;                   a hostname, that should map in DNS to an IP address
> ;                   present on the machine through an A record.
> ;                   If port is missing assume 25060.
> ;
> ;               Default value: None
> ;
> ; allow         List of addresses that are allowed to connect to this
> ;               MediaProxy server and send commands.
> ;               They are specified as a comma separated list of entries, with
> ;               each entry being specified in the CIDR network/mask notation
> ;               (ex. 10.0.0.0/8)
> ;
> ;               In addition simple IP addresses or hostnames are allowed, in
> ;               which case the mask is considered to be 32.
> ;
> ;               In addition to network ranges/addresses 2 keywords can be used
> ;               for this option:
> ;                 None  to specify that none is allowed to connect (not very
> ;                       useful but this is the default for security reasons)
> ;                 Any   to specify that anyone is allowed to connect
> ;                       (dangerous!)
> ;
> ;               Example: allow = 10.0.0.0/24, home-pc.mydomain.com, 1.2.3.4
> ;
> ;               Default value: None
> ;
> ; proxyIP       IP address to use to talk to the phones. If not specified, the
> ;               first found will be used. However first found usually means
> ;               first defined in /etc/hosts which may not be what you want.
> ;               If you find that the address that's automatically selected is
> ;               not the one you want, you can specify the right one using this
> ;               option. The address must be one that's present on one of the
> ;               host's interfaces.
> ;
> ; portRange     The range of ports to use for proxying the rtp streams.
> ;               This option is specified as minport:maxport with minport and
> ;               maxport being even numbers in the range 1024-65536
> ;               Default value: 35000:65000
> ;
> ; TOS           Unless you know what TOS means, leave this option alone.
> ;               The TOS value can be specified either as a decimal number or
> ;               as a hex number in the 0xnn format.
> ;               Default value: 0xb8
> ;
> ; idleTimeout   Expire idle sessions after this much time.
> ;               Default 60 seconds
> ;
> ; holdTimeout   Expire calls on hold after this much time.
> ;               Default value is 3600 seconds
> ;
> ; forceClose    Forcibly close a RTP session after this many seconds even if
> ;               it's still active. If forceClose is 0, then a session is never
> ;               closed no matter how long it lasts.
> ;               Default value: 0
> ;
> start = yes
> socket = /var/run/mediaproxy.sock
> group = ser
> ; NOTE(review): listen opens the command channel on a network address and
> ; allow = any accepts commands from every source - the combination the
> ; option text above labels dangerous. Both SER (mediaproxy_socket) and the
> ; dispatcher (defaultProxy) are configured for the UNIX socket, so the
> ; network listener looks unnecessary here: consider listen = None, or limit
> ; allow to the address of the remote dispatcher.
> listen = 200.142.103.114
> allow = any
> ;proxyIP = 10.0.0.1
> portRange = 35000:36000
> ;TOS = 0xb8
> idleTimeout = 60
> holdTimeout = 3600
> forceClose = 0
> ; accounting is switched off, so the [Accounting] section is presumably unused.
> accounting = off
>
> [Accounting]
> ; Database account used for call accounting.
> ; NOTE(review): these are the same clear-text credentials as the db_url in
> ; ser.cfg. Give accounting its own least-privilege database account and mask
> ; the password before posting the file publicly.
> user = ser
> password = heslo
> host = any
> database = ser
> table = ser
>
> ; Commented-out alternative that points accounting at a RADIUS database.
> #[Accounting]
> #user = dbuser
> #password = dbpass
> #host = dbhost
> #database = radius
> #table = radacct
>
> =================== End of mediaproxy.ini ======================