Understanding the NAT, MySQL and Auth kamailio.conf

#
# $Id: kamailio.cfg 5881 2009-06-22 09:13:04Z henningw $

####### Global Parameters #########

debug=3                  # log verbosity (3 = INFO); the commented debug=6 below logs everything
log_stderror=no          # log to syslog, not to stderr
log_facility=LOG_LOCAL0  # syslog facility used when log_stderror=no

fork=yes                 # run detached, with worker processes
children=4               # worker processes per listening socket

/* uncomment the following lines to enable debugging */
#debug=6
#fork=no
#log_stderror=yes

port=5060                # SIP listening port (all interfaces unless listen= is set)

/* uncomment and configure the following line if you want Kamailio to 
   bind on a specific interface/port/proto (default bind on all available) */
#listen=udp:192.168.1.2:5060

####### Modules Section ########

#set module path
# NOTE(review): the path begins with "//"; confirm it points at the directory
# where the kamailio modules are actually installed before starting the proxy.
mpath="//lib/kamailio/modules/"

/* uncomment next line for MySQL DB support */
# db_mysql backs auth_db (subscriber table), usrloc (location table) and
# uri_db in this configuration; keep it loaded before the modules that use it.
loadmodule "db_mysql.so"
loadmodule "mi_fifo.so"      # management interface over a local FIFO (see mi_fifo params)
loadmodule "sl.so"           # stateless replies (sl_send_reply, sl_reply_error)
loadmodule "tm.so"           # transactions (t_relay, t_check_trans, t_reply)
loadmodule "rr.so"           # Record-Route / loose_route handling
loadmodule "pv.so"           # pseudo-variables such as $rU, $au, $retcode
loadmodule "maxfwd.so"       # Max-Forwards processing (loop protection)
loadmodule "usrloc.so"       # user location storage (location table)
loadmodule "registrar.so"    # save() / lookup() on top of usrloc
loadmodule "textops.so"      # is_method, append_hf, ...
loadmodule "uri_db.so"       # is_uri_host_local (only if multi-domain is enabled)
loadmodule "siputils.so"     # has_totag and friends
loadmodule "xlog.so"         # xdbg logging in the event routes
loadmodule "acc.so"          # call accounting driven by flags 1, 2 and 3
loadmodule "auth.so"         # digest challenge/consume primitives
loadmodule "auth_db.so"      # digest verification against the subscriber table
loadmodule "nathelper.so"    # NAT detection, Contact fixing, rtpproxy control

# ----------------- setting module-specific parameters ---------------

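# ----- mi_fifo params -----
# NOTE(review): a FIFO under /tmp is reachable by every local user, and the MI
# interface can alter registrations at runtime. Restrict it with the module's
# fifo_mode / fifo_user / fifo_group parameters, or place it in a directory
# that only the kamailio user can access.
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")

# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)

# ----- registrar params -----
# filter looked-up contacts by the methods they advertised at registration;
# lookup() then returns -2 for a method the contact does not support
# (handled as "405 Method Not Allowed" in the main route)
modparam("registrar", "method_filtering", 1)

# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
   in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")

# ----- acc params -----
/* what special events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
/* by default we do not adjust the direction of the sequential requests.
   if you enable this parameter, be sure to enable "append_fromtag"
   in "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) - these numbers must match the setflag() calls
   in the routing logic below: 1 = account, 2 = log missed call,
   3 = account even when the transaction fails */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_extra", 
        "src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd")

# ----- auth_db params -----
/* DB based authentication against the "subscriber" table, used by route[3] */
# calculate_ha1=yes means the password column holds clear-text passwords and
# the digest HA1 is computed on each lookup. NOTE(review): storing HA1 instead
# (calculate_ha1 0 with password_column "ha1") keeps clear-text credentials out
# of the database.
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
# Change to your SQL host, user and password.
# NOTE(review): the value below is the tutorial's sample credential, not one to
# deploy; give the DB user only the rights this proxy needs and keep this file
# unreadable by other local users, since it holds the password in clear text.
modparam("auth_db", "db_url",
        "mysql://openser:asterisk@localhost/openser")
modparam("auth_db", "load_credentials", "")

# -- nathelper
# rtpproxy control socket; bound to loopback, so only local processes reach it
modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:7722")
# keep NAT bindings open by pinging NATed contacts every 30 seconds
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
# contacts carrying branch flag 7 get SIP OPTIONS pings (from sipping_from)
# instead of raw UDP pings. Note that nothing in this script sets bflag 7,
# so UDP pings are what actually get sent.
modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from", "sip:pinger@kamailio.org")
# AVP shared by registrar and nathelper for the NAT-detected source address
modparam("registrar|nathelper", "received_avp", "$avp(i:80)")
# branch flag 6 marks a stored contact as NATed; route[1], onreply_route[1]
# and failure_route[1] test it
modparam("usrloc", "nat_bflag", 6)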

####### Routing Logic ######## 


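# main request routing logic
#
# Flags used throughout this script:
#   flag 1  - account the transaction (acc log_flag)
#   flag 2  - log missed calls (acc log_missed_flag)
#   flag 3  - account even if the transaction fails (acc failed_transaction_flag)
#   flag 5  - caller is behind NAT (set in route[4])
#   bflag 6 - callee is behind NAT (usrloc nat_bflag; also restored in
#             route[1] from the ";nat=yes" Record-Route parameter)
route{

        # loop protection: reject requests that have travelled too many hops
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                exit;
        }

        # NAT detection
        route(4);

        if (has_totag()) {
                # sequential request within a dialog should
                # take the path determined by record-routing
                if (loose_route()) {
                        if (is_method("BYE")) {
                                setflag(1); # do accounting ...
                                setflag(3); # ... even if the transaction fails
                        }
                        route(1);
                } else {
                        if (is_method("SUBSCRIBE") && uri == myself) {
                                # in-dialog subscribe requests
                                route(2);
                                exit;
                        }
                        if ( is_method("ACK") ) {
                                if ( t_check_trans() ) {
                                        # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server
                                        t_relay();
                                        exit;
                                } else {
                                        # ACK without matching transaction ... ignore and discard.
                                        exit;
                                }
                        }
                        sl_send_reply("404","Not here");
                }
                exit;
        }

        # initial requests

        # CANCEL processing
        if (is_method("CANCEL"))
        {
                if (t_check_trans())
                        t_relay();
                exit;
        }

        # retransmissions of requests already handled statefully stop here
        t_check_trans();

        # authentication: route[3] challenges REGISTERs and requests whose From
        # URI is a local domain; any other request passes through unauthenticated
        route(3);

        # record routing
        if (!is_method("REGISTER|MESSAGE"))
                record_route();

        # account only INVITEs
        if (is_method("INVITE")) {
                setflag(1); # do accounting
        }

        # requests for other domains are relayed outbound.
        # NOTE(review): route[3] only authenticates when from_uri==myself, so a
        # request carrying a foreign From URI reaches this relay unauthenticated.
        # Unless trusted sources are filtered in front of the proxy, this relays
        # for anyone; consider requiring authentication (or a trusted-source
        # check) before the route(1) below.
        #
        # Replace the condition with the following commented line if
        # multi-domain support is used: is_uri_host_local() checks the domain
        # list in the MySQL db.
        ##if (!is_uri_host_local())
        if (!uri==myself)
        {
                append_hf("P-hint: outbound\r\n"); 
                route(1);
        }

        # requests for my domain
        if( is_method("PUBLISH|SUBSCRIBE"))
                route(2);

        if (is_method("REGISTER"))
        {
                # save("location") stores the AOR in the MySQL location table;
                # the REGISTER was already authenticated in route[3]
                if (!save("location"))
                        sl_reply_error();
                exit;
        }

        if ($rU==NULL) {
                # request with no Username in RURI
                sl_send_reply("484","Address Incomplete");
                exit;
        }

        # apply DB based aliases (uncomment to enable)
        ##alias_db_lookup("dbaliases");

        # resolve the AOR to its registered contacts
        if (!lookup("location")) {
                switch ($retcode) {
                        case -1:
                        case -3:
                                # -1: no contact found, -3: internal error
                                t_newtran();
                                t_reply("404", "Not Found");
                                exit;
                        case -2:
                                # contact found but it does not support this method
                                # (registrar method_filtering)
                                sl_send_reply("405", "Method Not Allowed");
                                exit;
                }
        }

        # when routing via usrloc, log the missed calls also
        setflag(2);
        route(1);
}

# Generic forwarding route: restore NAT state for in-dialog requests,
# engage rtpproxy when either side is NATed, arm the event routes and relay.
route[1] {

        # in-dialog requests carry the NAT marker added by route[5]
        if (check_route_param("nat=yes")) {
                setbflag(6);
        }
        if (isflagset(5) || isbflagset(6)) {
                route(5);
        }

        /* example how to enable some additional event routes */
        # branch_route[1] is defined below but not armed here (t_on_branch is
        # commented out); only the reply and failure routes run.
        if (is_method("INVITE")) {
                #t_on_branch("1");
                t_on_reply("1");
                t_on_failure("1");
        }
        if (!t_relay()) {
                sl_reply_error();
        }
        exit;
}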
# Presence route
/* uncomment the whole following route for enabling presence server */
route[2]
{
        # if presence enabled, this part will not be executed
        # without a presence server: PUBLISH is rejected outright, as is a
        # SUBSCRIBE with no user part; any other SUBSCRIBE returns to the
        # caller (the main route then goes on to the usrloc lookup)
        if (is_method("PUBLISH") || $rU==null)
        {
                sl_send_reply("404", "Not here");
                exit;
        }
        return;
}
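# Authentication route
# REGISTER requests are challenged with WWW digest auth; other requests are
# challenged with proxy digest auth only when their From URI belongs to this
# proxy. Requests with a foreign From URI fall through unauthenticated.
/* uncomment the whole following route for enabling authentication */
route[3] {
        if (is_method("REGISTER"))
        {
                # www_authorize(realm, table) - for registration authentication;
                # with an empty realm the module derives it from the request URI
                if (!www_authorize("", "subscriber"))
                {
                        # www_challenge - will send "401 Unauthorized" to the first REGISTER
                        www_challenge("", "0");
                        exit;
                }
                # the authenticated user may only register its own AOR
                if ($au!=$tU) 
                {
                        sl_send_reply("403","Forbidden auth ID");
                        exit;
                }
        } else {
                # authenticate if from local subscriber
                if (from_uri==myself)
                {
                        # proxy_authorize(realm, table) - authorize non-REGISTER requests
                        if (!proxy_authorize("", "subscriber")) {
                                # proxy_challenge - send 407 to challenge the INVITE
                                proxy_challenge("", "0");
                                exit;
                        }
                        # the authenticated user may only act on its own identity:
                        # the To user for PUBLISH, the From user for everything else
                        if (is_method("PUBLISH"))
                        {
                                if ($au!=$tU) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        } else {
                                if ($au!=$fU) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        }
                        # consume_credentials() - strip the Proxy-Authorization
                        # header now that it has been verified, so the credentials
                        # are not forwarded to the next hop
                        consume_credentials();
                        # caller authenticated
                }
        }
        return;
}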
# Caller NAT detection route
# Repairs Contact (or the registered contact) and sets flag 5 when the sender
# looks like it sits behind NAT.
/* uncomment the whole following route for enabling Caller NAT Detection */
route[4]{
        # always reply to the address and port the request came from
        force_rport();
        # nat_uac_test bitmask 19 = 1 + 2 + 16: private address in Contact,
        # source IP different from the top Via, source port different from
        # the top Via port
        if (!nat_uac_test("19")) {
                return;
        }
        if (is_method("REGISTER")) {
                fix_nated_register();
        } else {
                fix_nated_contact();
        }
        setflag(5);
        return;
}
# RTPProxy control
# Engages the RTP relay on INVITE, releases it on BYE, and tags the
# Record-Route of initial requests so in-dialog requests know NAT is involved.
/* uncomment the whole following route for enabling RTPProxy Control */
route[5] {
        if (is_method("INVITE")) {
                force_rtp_proxy();
        } else {
                if (is_method("BYE")) {
                        unforce_rtp_proxy();
                }
        }
        # initial request: remember the NAT state in the Record-Route
        # (route[1] reads it back with check_route_param("nat=yes"))
        if (!has_totag()) {
                add_rr_param(";nat=yes");
        }
        return;
}
# Per-branch hook; defined but never armed, since t_on_branch("1") is
# commented out in route[1].
branch_route[1] {
        xdbg("new branch at $ru\n");
}
# Reply hook for INVITEs (armed in route[1]): engages rtpproxy on the answer
# leg and repairs the callee's Contact when the callee is behind NAT.
onreply_route[1] {
        xdbg("incoming reply\n");
        # 183 or 2xx reply with either side NATed: put the media through rtpproxy
        # (the regex is unanchored, which is fine since status is three digits)
        if ((isflagset(5) || isbflagset(6)) && status=~"(183)|(2[0-9][0-9])") {
                force_rtp_proxy();
        }
        # callee behind NAT: rewrite its Contact to the address it was reached on
        if (isbflagset(6)) {
                fix_nated_contact();
        }
}
# Failure hook for INVITEs (armed in route[1]): release the RTP relay when a
# NAT-involved call fails, and stop if the caller cancelled.
failure_route[1] {
        if (is_method("INVITE")
                        && (isbflagset(6) || isflagset(5))) {
                unforce_rtp_proxy();
        }
        # a cancelled INVITE needs no further handling here
        if (t_was_cancelled()) {
                exit;
        }
}