#
# $Id$
#
-# This a very basic config file w aliases and anamed route but
+# This a very basic config file w/ aliases and a named route but
# w/o authentication, accounting, database, multi-domain support etc.
# Please refer to sip-router.cfg for a more complete example
#
+# Direct your questions about this file to: <sr-users@lists.sip-router.org>.
+#
+# For more information about the various parameters, functions and statements
+# try http://sip-router.org/wiki/ .
+#
+
+#------------ Features -----------------------------------------------
+# Several extra features can be enabled by adding #!define WITH_<FEATURE>
+# statements to the config file, or by starting sr/ser with -A WITH_<FEATURE>.
+# E.g.: ser -f /etc/ser/sip-router-basic.cfg -A WITH_TLS
+
+# run in debug mode:
+##!define WITH_DEBUG
+
+# enable tls support:
+##!define WITH_TLS
+
+# started from compile directory (not installed)
+##!define LOCAL_TEST_RUN
+
# ----------- global configuration parameters ------------------------
+#!ifdef WITH_DEBUG
+debug=5
+log_stderror=yes
+fork=no
+#!else
debug=2 # debug level (cmd line: -dddddddddd)
+#!endif
+
#memdbg=10 # memory debug message level
#memlog=10 # memory statistics log level
#log_facility=LOG_LOCAL0 # sets the facility used for logging (see syslog(3))
-/* Uncomment these lines to enter debugging mode
-fork=no
-log_stderror=yes
-*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
#disable_core=yes #disables core dumping
#open_fd_limit=1024 # sets the open file descriptors limit
#mhomed=yes # usefull for multihomed hosts, small performance penalty
-#disable_tcp=yes
+#disable_tcp=yes
#tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
+#!ifdef WITH_TLS
+enable_tls=yes
+#!endif
+
#
# ------------------ module loading ----------------------------------
-#loadpath "modules:modules_s"
+#!ifdef LOCAL_TEST_RUN
+loadpath "modules:modules_s"
+#!else
loadpath "/usr/lib/sip-router/modules:/usr/lib/sip-router/modules_s"
+#!endif
-loadmodule "sl"
loadmodule "tm"
+loadmodule "sl"
loadmodule "rr"
loadmodule "textops"
loadmodule "maxfwd"
loadmodule "registrar"
loadmodule "ctl"
loadmodule "cfg_rpc"
+#!ifdef WITH_TLS
+loadmodule "tls"
+#!endif
# ----------------- setting module-specific parameters ---------------
# ctl params
# by default ctl listens on unixs:/tmp/sip-router_ctl if no other address is
# specified in modparams; this is also the default for sercmd
-modparam("ctl", "binrpc", "unixs:/tmp/sip-router_ctl")
+modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
# listen on the "standard" fifo for backward compatibility
-modparam("ctl", "fifo", "fifo:/tmp/sip-router_fifo")
+modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
# listen on tcp, localhost
-#modparam("ctl", "binrpc", "tcp:localhost:2046")
+modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")
+
+#!ifdef WITH_TLS
+modparam("tls", "verify_certificate", 0)
+#!ifdef LOCAL_TEST_RUN
+modparam("tls", "certificate", "./modules/tls/sip-router-selfsigned.pem")
+modparam("tls", "private_key", "./modules/tls/sip-router-selfsigned.key")
+#separate TLS config file
+#modparam("tls", "config", "./modules/tls/tls.cfg")
+#!else
+modparam("tls", "certificate", "ser-selfsigned.pem")
+modparam("tls", "private_key", "ser-selfsigned.key")
+#separate TLS config file
+#modparam("tls", "config", "tls.cfg")
+#!endif
+#!endif
+
+
+
+#!endif
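Review bot: The `#!endif` on the last added line of this block has no matching `#!ifdef` in what is visible — the WITH_TLS and LOCAL_TEST_RUN conditionals are already closed just above the run of blank lines — so unless an opening directive sits in context not shown here, the config preprocessor will reject the file and the line should be dropped. `modparam("tls", "verify_certificate", 0)` switches off peer-certificate verification with no explanation next to it; a comment such as `# verification is off because the bundled self-signed certificate cannot chain to a CA; enable it and point the module at a CA list where TLS peer identity matters` would keep the setting from being copied into production unchanged, and the same line is added in the third file of this diff. Turning the commented-out `tcp:localhost:2046` ctl binrpc line into an active `tcp:127.0.0.1:2046` listener exposes the control interface to every local process, whereas the unix socket is bounded by filesystem permissions; a one-line comment stating that this is intentional would help, and the same change is made in the two later files.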
# ------------------------- request routing logic -------------------
# If you look for a simpler version with a lot less dependencies
# please refer to the sip-router-basic.cfg file in your SER distribution.
#
+# If you look for documentation, try http://sip-router.org/wiki/.
+# The right mailing lists for questions about this file is
+# <sr-users@lists.sip-router.org>.
+#
# Requirements:
# ---------------
# running DB, running RTP proxy, one public IP address
# $ ser_ctl domain add DOMAINNAME
# $ ser_ctl user add USERNAME@DOMAINNAME -p PASSWORD
#
+# (ser_ctl can be obtained from
+# http://ftp.iptel.org/pub/serctl/daily-snapshots/ )
+#
# If you want to have P-Asserted-ID header for your user
#
# $ ser_attr add uid=UID asserted_id="PID"
# Alternatively, you can simple uncomment the relevant line in this file
# right at the beginning of the main route.
#
-# You can also use serweb to set all the values above.
+# You can also use serweb to set all the values above
+# (http://ftp.iptel.org/pub/serweb/daily-snapshots/ or
+# http://developer.berlios.de/projects/serweb).
#
# Users with permission to call PSTN using this script must have
# the $gw_acl attribute set properly, and shall have $asserted_id
#
# .... that's it, enough of yadiyada, here the real config begins!
+# ----------- Global Defines / Extra Features -------------------------------
+# (can be enabled either by uncommenting the corresponding #!define
+# statement or by starting with -A WITH_<FEATURE_NAME>, e.g.
+# ser -A WITH_TLS -f /etc/ser/ser-oob.cfg )
+
+# enable TLS
+##!define WITH_TLS
+
+#enable xmlrpc support
+##!define WITH_XMLRPC
+
+# xmlrpc allowed only if it comes on TLS from a client with a valid cert
+##!define XMLRPC_TLS_ONLY
+
+# xmlrpc allowed subnets (if defined XMLRPC requests with source ip matching
+# this network addresses will be allowed, if no XMLRPC_ALLOWED_SUBNETx is
+# defined only requests coming from localhost will be allowed).
+# E.g.: ser -A XMLRPC_ALLOW_NET1=192.168.1.0/24 -f ser-oob.cfg
+##!define XMLRPC_ALLOW_NET1 192.168.0.0/16
+##!define XMLRPC_ALLOW_NET2 10.0.0.0/255.0.0.0
+##!define XMLRPC_ALLOW_NET3 172.16.0.0/12
+
+
+# started from compile directory (not installed)
+##!define LOCAL_TEST_RUN
# ----------- Global Configuration Parameters -------------------------------
#DEBCONF-LISTEN-END
# sip.mcast.net for REGISTER replication
#DEBCONF-LISTEN_REPL-START
-listen=224.0.1.75
+listen=udp:224.0.1.75
#DEBCONF-LISTEN_REPL-END
# administrative interface -- needed for example for multicast source
# or XML-RPC
dns_try_naptr=yes
dns_srv_lb=yes # srv based load balancing
dns_udp_pref=3 # prefer udp (when resolving naptr record)
-dns_tcp_pref=2 # if no udp availbale accept tcp (for naptr)
+dns_tcp_pref=2 # if no udp available accept tcp (for naptr)
+dns_sctp_pref=2 # same preference as tcp
+#!ifdef WITH_TLS
+dns_tls_pref=1 # low preference (heavy resource use)
+#!else
dns_tls_pref=-1 # ignore / don't accept tls (for naptr)
+#!endif
# dns_cache_delete_nonexpired=no
# ------------------- Blacklist Parameters ----------------------------------
tcp_connection_lifetime=3600
#tcp_max_connections=10240 # default is 2048
tcp_connect_timeout=1
+tcp_async=yes
# ------------------- TLS Parameters ----------------------------------------
+#!ifdef WITH_TLS
# Enable TLS hooks so that the TLS module can be used
tls_enable=yes
-# This option is required if you want to use TLS as the TLS
-# module does not support the new async TCP mode yet
-tcp_async=no
+#!endif
# -------------------- Custom Parameters ------------------------------------
# These parameters can be modified runtime via RPC interface,
#DEBCONF-RTP_ENABLE-END
# ------------------ Module Loading -----------------------------------------
-
-#loadpath "modules:modules_s"
+#!ifdef LOCAL_TEST_RUN
+loadpath "modules:modules_s"
+#!else
loadpath "/usr/lib/sip-router/modules:/usr/lib/sip-router/modules_s"
+#!endif
# load a SQL database for authentication, domains, user AVPs etc.
loadmodule "db_mysql"
#loadmodule "postgres"
-loadmodule "sl"
loadmodule "tm"
+loadmodule "sl"
loadmodule "rr"
loadmodule "maxfwd"
loadmodule "usrloc"
loadmodule "avp"
loadmodule "avp_db"
loadmodule "acc_db"
-#loadmodule "xmlrpc"
+#!ifdef WITH_XMLRPC
+loadmodule "xmlrpc"
+#!endif
loadmodule "options"
loadmodule "sanity"
loadmodule "nathelper"
loadmodule "cfg_rpc"
loadmodule "eval"
loadmodule "enum"
-#loadmodule "tls"
+#!ifdef WITH_TLS
+loadmodule "tls"
+#!endif
# ----------------- Declaration of Script Flags -----------------------------
flags
#
#DEBCONF-DBURL-START
modparam("speeddial|auth_db|usrloc|domain|uri_db|gflags|avp_db|db_ops",
- "db_url", "mysql://sip-router:heslo@127.0.0.1/sip-router")
+ "db_url", "mysql://ser:heslo@127.0.0.1/ser")
#DEBCONF-DBURL-END
# specify the path to your database for accounting
#DEBCONF-DBURLACC-START
-modparam("acc_db", "db_url", "mysql://sip-router:heslo@127.0.0.1/sip-router")
+modparam("acc_db", "db_url", "mysql://ser:heslo@127.0.0.1/ser")
#DEBCONF-DBURLACC-END
# By default, ctl listens on unixs:/tmp/sip-router_ctl if no other address is
# specified in modparams; this is also the default for sercmd.
-modparam("ctl", "binrpc", "unixs:/tmp/sip-router_ctl")
+modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
# Listen on the "standard" fifo for backward compatibility.
-modparam("ctl", "fifo", "fifo:/tmp/sip-router_fifo")
+modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
# Listen on tcp on localhost.
-#modparam("ctl", "binrpc", "tcp:localhost:2046")
+modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")
# -- acc_db --
# -- xmlrpc --
+#!ifdef WITH_XMLRPC
# Use a sub-route. This is a lot safer then relying on the request method
# to distinguish HTTP from SIP
-#modparam("xmlrpc", "route", "RPC");
+modparam("xmlrpc", "route", "XMLRPC");
+#!endif
# -- nathelper --
modparam("timer", "declare_timer",
"ON_1MIN_TIMER=ON_1MIN_TIMER,60000,slow,enable");
+#!ifdef WITH_TLS
# -- tls --
-#modparam("tls", "config", "tls.cfg");
+#!ifdef LOCAL_TEST_RUN
+modparam("tls", "config", "./modules/tls/tls.cfg");
+#!else
+modparam("tls", "config", "tls.cfg");
+#!endif
+#!endif
# -- db_ops --
db_close("gattr_reload");
}
+
+#!ifdef WITH_XMLRPC
+# handle xmlrpcs
+route[XMLRPC]{
+ # accept xmlrpc requests only from localhost
+ if (src_ip!=127.0.0.1
+ #!ifdef XMLRPC_ALLOW_NET1
+ && src_ip != XMLRPC_ALLOW_NET1
+ #!endif
+ #!ifdef XMLRPC_ALLOW_NET2
+ && src_ip != XMLRPC_ALLOW_NET2
+ #!endif
+ #!ifdef XMLRPC_ALLOW_NET3
+ && src_ip != XMLRPC_ALLOW_NET3
+ #!endif
+ ) {
+ xmlrpc_reply("400", "xmlrpc not allowed from this address");
+ return;
+ }
+ if (method!="POST" && method!="GET") {
+ xmlrpc_reply("400", "unsupported HTTP method");
+ return;
+ }
+ if (msg:len >= 8192) {
+ xmlrpc_reply("513", "request too big");
+ return;
+ }
+#!ifdef XMLRPC_TLS_ONLY
+ # allow xmlrpc only on TLS and only if the client certificate is valid
+ if (proto!=TLS){
+ xmlrpc_reply("400", "xmlrpc allowed only over TLS");
+ return;
+ }
+ if (@tls.peer.verified!=""){
+ xmlrpc_reply("400", "Unauthorized");
+ return;
+ }
+#!endif
+
+ # close connection only for xmlrpclib user agents (there is a bug in
+ # xmlrpclib: it waits for EOF before interpreting the response).
+ if (search("^User-Agent:.*xmlrpclib"))
+ set_reply_close();
+ set_reply_no_connect(); # optional
+ dispatch_rpc();
+}
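Review bot: The XMLRPC_TLS_ONLY branch treats an empty `@tls.peer.verified` as a verified client certificate; whether that select yields an empty string on success, rather than a positive marker, should be confirmed against the tls module's select documentation, since if it does not every TLS client is refused with "Unauthorized". The check is also only meaningful when the tls module is configured to request and verify client certificates, which for this file lives in tls.cfg outside the hunk; a comment such as `# only effective if tls.cfg requires and verifies client certificates` beside the check would make that dependency explicit. Each XMLRPC_ALLOW_NETx define widens the set of sources that reach dispatch_rpc() with no authentication, which the feature comments at the top of the file could state so operators weigh it before enabling.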
#
# $Id$
#
-
+# Example configuration file (simpler then ser-oob.cfg, but more
+# complex then ser-basic.cfg).
+#
# First start SER sample config script with:
# database, accounting, authentication, multi-domain support
# PSTN GW section, named flags, named routes, global-,
#
# If you look for a simpler version with a lot less dependencies
# please refer to the ser-basic.cfg file in your SER distribution.
+#
+# If you look for documentation, try http://sip-router.org/wiki/.
+# The right mailing lists for questions about this file is
+# <sr-users@lists.sip-router.org>.
# To get this config running you need to execute the following commands
# with the new serctl (the capital word are just place holders)
# - ser_ctl domain add DOMAINNAME
# - ser_ctl user add USERNAME@DOMAINNAME -p PASSWORD
+# ser_ctl can be obtained from
+# http://ftp.iptel.org/pub/serctl/daily-snapshots/.
+#
# If you want to have PID header for your user
# - ser_attr add uid=UID asserted_id="PID"
# If you want to have gateway support
# - ser_db add attr_types name=gw_ip rich_type=string raw_type=2 description="The gateway IP for the default ser.cfg" default_flags=33
# - ser_attr add global gw_ip=GATEWAY-IP
+
+# ----------- Global Defines / Extra Features -------------------------------
+# (can be enabled either by uncommenting the corresponding #!define
+# statement or by starting with -A WITH_<FEATURE_NAME>, e.g.
+# ser -A WITH_TLS -f /etc/ser/ser-oob.cfg )
+
+# enable TLS
+##!define WITH_TLS
+
+# started from compile directory (not installed)
+##!define LOCAL_TEST_RUN
+
+# xmlrpc allowed subnets (if defined XMLRPC requests with source ip matching
+# this network addresses will be allowed, if no XMLRPC_ALLOWED_SUBNETx is
+# defined only requests coming from localhost will be allowed).
+# E.g.: ser -A XMLRPC_ALLOW_NET1=192.168.1.0/24 -f ser-oob.cfg
+##!define XMLRPC_ALLOW_NET1 192.168.0.0/16
+##!define XMLRPC_ALLOW_NET2 10.0.0.0/255.0.0.0
+##!define XMLRPC_ALLOW_NET3 172.16.0.0/12
+
+
# ----------- global configuration parameters ------------------------
debug=2 # debug level (cmd line: -dddddddddd)
#mhomed=yes # usefull for multihomed hosts, small performance penalty
#disable_tcp=yes
#tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
+#!ifdef WITH_TLS
enable_tls=yes
+#!endif
#
# ------------------ module loading ----------------------------------
-#loadpath "modules:modules_s"
+#!ifdef LOCAL_TEST_RUN
+loadpath "modules:modules_s"
+#!else
loadpath "/usr/lib/ser/modules:/usr/lib/ser/modules_s"
+#!endif
# load a SQL database for authentication, domains, user AVPs etc.
loadmodule "db_mysql"
-loadmodule "sl"
loadmodule "tm"
+loadmodule "sl"
loadmodule "rr"
loadmodule "maxfwd"
loadmodule "usrloc"
loadmodule "avp_db"
loadmodule "acc_db"
loadmodule "xmlrpc"
-#loadmodule "tls"
+#!ifdef WITH_TLS
+loadmodule "tls"
+#!endif
# ----------------- setting script FLAGS -----------------------------
flags
# listen on the "standard" fifo for backward compatibility
modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
# listen on tcp, localhost
-#modparam("ctl", "binrpc", "tcp:localhost:2046")
+modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")
# -- acc_db params --
# failed transactions (=negative responses) should be logged to
# restarts the resend timer (see INBOUND route below)
#modparam("tm", "restart_fr_on_each_reply", "0")
+#!ifdef WITH_TLS
+# -- tls params --
+modparam("tls", "verify_certificate", 0)
+#!ifdef LOCAL_TEST_RUN
+modparam("tls", "certificate", "./modules/tls/sip-router-selfsigned.pem")
+modparam("tls", "private_key", "./modules/tls/sip-router-selfsigned.key")
+#separate TLS config file
+#modparam("tls", "config", "./modules/tls/tls.cfg")
+#!else
+modparam("tls", "certificate", "ser-selfsigned.pem")
+modparam("tls", "private_key", "ser-selfsigned.key")
+#separate TLS config file
+#modparam("tls", "config", "tls.cfg")
+#!endif
+
+
# -- xmlrpc params --
# using a sub-route from the module is a lot safer then relying on the
# request method to distinguish HTTP from SIP
{
# allow XMLRPC from localhost
if ((method=="POST" || method=="GET") &&
- src_ip==127.0.0.1) {
+ (src_ip==127.0.0.1
+ #!ifdef XMLRPC_ALLOW_NET1
+ || src_ip == XMLRPC_ALLOW_NET1
+ #!endif
+ #!ifdef XMLRPC_ALLOW_NET2
+ || src_ip == XMLRPC_ALLOW_NET2
+ #!endif
+ #!ifdef XMLRPC_ALLOW_NET3
+ || src_ip == XMLRPC_ALLOW_NET3
+ #!endif
+ )) {
if (msg:len >= 8192) {
sl_reply("513", "Request to big");
drop;
}
+ # close connection only for xmlrpclib user agents (there is a bug in
+ # xmlrpclib: it waits for EOF before interpreting the response).
+ if (search("^User-Agent:.*xmlrpclib"))
+ set_reply_close();
+ set_reply_no_connect(); # optional
# lets see if a module wants to answer this
dispatch_rpc();
drop;
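Review bot: The `#!ifdef WITH_TLS` opened above the new tls params is never closed in this hunk: the inner `#!ifdef LOCAL_TEST_RUN` ends with its own `#!endif`, but only blank lines follow before the `# -- xmlrpc params --` context, so unless the closing directive is in a hunk not shown here, the preprocessor will either reject the file or skip everything that follows when WITH_TLS is undefined. Add `#!endif` directly after the last tls modparam line. The enclosing route of the xmlrpc block starts and ends outside the hunk.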