
Merge branch 'master' into 3.0

3.12
karl anderson 12 years ago
parent
commit
81b46a3729
15 changed files with 388 additions and 138 deletions
  1. +1
    -0
      kamailio/certs/.placeholder
  2. +2
    -2
      kamailio/dbtext/dispatcher
  3. +1
    -0
      kamailio/dbtext/pua
  4. +1
    -0
      kamailio/dbtext/version
  5. +51
    -64
      kamailio/default.cfg
  6. +8
    -5
      kamailio/dispatcher-role.cfg
  7. +24
    -4
      kamailio/kamailio.cfg
  8. +86
    -44
      kamailio/local.cfg
  9. +2
    -0
      kamailio/nat-traversal-role.cfg
  10. +12
    -7
      kamailio/presence-role.cfg
  11. +3
    -4
      kamailio/registrar-role.cfg
  12. +0
    -8
      kamailio/roles.cfg
  13. +8
    -0
      kamailio/tls-role.cfg
  14. +52
    -0
      kamailio/tls.cfg
  15. +137
    -0
      kamailio/websockets-role.cfg

+ 1
- 0
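--- a/kamailio/certs/.placeholder
+++ b/kamailio/certs/.placeholder
@@ -0,0 +1 @@
+ensure certs directory gets created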

+ 2
- 2
kamailio/dbtext/dispatcher

@ -6,5 +6,5 @@
### 20 - Registrar servers (if not locally handled)
# setid(integer) destination(sip uri) flags (integer, optional)
1 sip:127.0.0.1:11000 0
3 sips:127.0.0.1:11001 0
1 sip:10.26.0.83:11000 0
2 sip:10.26.0.84:11000 0

+ 1
- 0
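--- a/kamailio/dbtext/pua
+++ b/kamailio/dbtext/pua
@@ -0,0 +1 @@
+id(int,auto) pres_uri(string) pres_id(string) event(int) expires(int) desired_expires(int) flag(int) etag(string) tuple_id(string,null) watcher_uri(string,null) call_id(string,null) to_tag(string,null) from_tag(string,null) cseq(int) record_route(string,null) contact(string,null) remote_contact(string,null) version(int) extra_headers(string,null)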

+ 1
- 0
kamailio/dbtext/version

@ -1,3 +1,4 @@
table_name(string) table_version(int)
address:6
trusted:5
pua:7

+ 51
- 64
kamailio/default.cfg

@ -1,23 +1,5 @@
## NOTE: DO NOT CHANGE THIS FILE, EDIT local.cfg ##
#### Preprocessor Directives #########
#!define L_ALERT -5
#!define L_BUG -4
#!define L_CRIT2 -3
#!define L_CRIT -2
#!define L_ERR -1
#!define L_WARN 0
#!define L_NOTICE 1
#!define L_INFO 2
#!define L_DBG 3
#!define AVP_RECV_PARAM "recv_param"
#!define AVP_LOG_LEVEL "log_level"
#!define AVP_ROUTE_CNT "route_cnt"
#!define AVP_ASSOCIATED_SERVER "associated_server"
#!define AVP_ASSOCIATE_CONTACT "associate_contact"
#!define AVP_REDIRECT_KEY "redirect_key"
####### Flags #######
flags
FLAG_INTERNALLY_SOURCED: 1,
@ -27,11 +9,6 @@ flags
FLAG_TRUSTED_SOURCE: 5,
FLAG_SESSION_PROGRESS: 6;
#!define FLB_NATB 1
#!define FLB_NATSIPPING 2
#!define FLB_UAC_REDIRECT 3
#!define TRUSTED_ADR_GROUP 1
####### Global Parameters #########
fork = yes
children = 25
@ -98,15 +75,9 @@ dns_try_naptr = no
use_dns_failover = off
dns_srv_lb = off
####### TLS Parameters #########
enable_tls = yes
####### SCTP Parameters #########
disable_sctp = yes
####### Custom Parameters #########
####### Modules Section ########
mpath="/usr/lib64/kamailio/modules/"
@ -130,7 +101,7 @@ loadmodule "sl.so"
######## Record-Route and Route module ########
loadmodule "rr.so"
modparam("rr", "enable_full_lr", 1)
modparam("rr", "enable_double_rr", 0)
modparam("rr", "enable_double_rr", 1)
######## Max-Forward processor module ########
loadmodule "maxfwd.so"
@ -172,6 +143,14 @@ loadmodule "uac_redirect.so"
######## DoS prevention mdule ########
loadmodule "pike.so"
####### DB Text module ##########
loadmodule "db_text.so"
modparam("db_text", "db_mode", 1)
####### Kazoo Integration module ##########
loadmodule "db_kazoo.so"
modparam("db_kazoo", "node_hostname", "MY_HOSTNAME")
####### Role Configurations ##########
#!ifdef DISPATCHER-ROLE
include_file "dispatcher-role.cfg"
@ -185,15 +164,12 @@ include_file "presence-role.cfg"
#!ifdef NAT-TRAVERSAL-ROLE
include_file "nat-traversal-role.cfg"
#!endif
####### Kazoo Integration module ##########
#!ifdef INCLUDE-DB-KAZOO
loadmodule "db_kazoo.so"
#!ifdef WEBSOCKETS-ROLE
include_file "websockets-role.cfg"
#!endif
#!ifdef TLS-ROLE
include_file "tls-role.cfg"
#!endif
####### DB Text module ##########
loadmodule "db_text.so"
modparam("db_text", "db_mode", 1)
####### Permissions module ##########
loadmodule "permissions.so"
@ -209,8 +185,6 @@ route
xlog("L_INFO", "$ci|log|from $fu");
xlog("L_INFO", "$ci|log|to $tu");
remove_hf_re("Diversion: .*");
route(SANITY_CHECK);
#!ifdef DISPATCHER-ROLE
@ -221,6 +195,10 @@ route
route(DOS_PREVENTION);
#!endif
#!ifdef WEBSOCKETS-ROLE
route(HANDLE_WEBSOCKETS);
#!endif
route(HANDLE_OPTIONS);
route(HANDLE_NOTIFY);
@ -254,7 +232,7 @@ route
route(EXTERNAL_TO_INTERNAL_RELAY);
}
route[SANITY_CHECK]
route[SANITY_CHECK]
{
if (!mf_process_maxfwd_header("10")) {
xlog("L_WARN", "$ci|end|too much hops, not enough barley");
@ -262,12 +240,6 @@ route[SANITY_CHECK]
exit;
}
if ( msg:len > 6144 ) {
xlog("L_WARN", "$ci|end|message too large");
send_reply("513", "Message too large");
exit;
}
if (!sanity_check()) {
xlog("L_WARN", "$ci|end|message is insane");
exit;
@ -281,7 +253,7 @@ route[SANITY_CHECK]
}
}
route[HANDLE_OPTIONS]
route[HANDLE_OPTIONS]
{
if (is_method("OPTIONS")) {
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
@ -298,7 +270,7 @@ route[HANDLE_OPTIONS]
}
}
route[HANDLE_NOTIFY]
route[HANDLE_NOTIFY]
{
if (is_method("NOTIFY")) {
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
@ -344,13 +316,21 @@ route[HANDLE_MOVE_REQUEST]
}
}
route[HANDLE_IN_DIALOG_REQUESTS]
route[HANDLE_IN_DIALOG_REQUESTS]
{
if (has_totag()) {
if (is_method("INVITE")) {
record_route();
}
if (loose_route()) {
#!ifdef WEBSOCKETS-ROLE
if (isdsturiset() && !handle_ruri_alias()) {
xlog("L_INFO", "$ci|stop|bad alias <$ru>\n");
sl_send_reply("400", "Bad Request");
exit;
}
#!endif
xlog("L_INFO", "$ci|log|loose_route in-dialog message");
# Called on in-dialog requests
# If the request in an Invite for on hold from external to internal,
@ -374,7 +354,7 @@ route[HANDLE_IN_DIALOG_REQUESTS]
}
}
route[PREPARE_INITIAL_REQUESTS]
route[PREPARE_INITIAL_REQUESTS]
{
if (is_method("CANCEL")) {
if (t_check_trans()) {
@ -403,7 +383,7 @@ route[PREPARE_INITIAL_REQUESTS]
}
}
route[RELAY]
route[RELAY]
{
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
route(INTERNAL_TO_EXTERNAL_RELAY);
@ -414,7 +394,7 @@ route[RELAY]
exit();
}
route[INTERNAL_TO_EXTERNAL_RELAY]
route[INTERNAL_TO_EXTERNAL_RELAY]
{
remove_hf_re("X-.*");
@ -425,7 +405,7 @@ route[INTERNAL_TO_EXTERNAL_RELAY]
t_relay();
}
route[EXTERNAL_TO_INTERNAL_RELAY]
route[EXTERNAL_TO_INTERNAL_RELAY]
{
#!ifdef NAT-TRAVERSAL-ROLE
if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
@ -447,21 +427,21 @@ route[EXTERNAL_TO_INTERNAL_RELAY]
route[DOS_PREVENTION]
{
# allow request from internal network or from whitelist
if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) {
if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP) || is_myself($si)) {
xlog("L_INFO", "$ci|log|request from trusted IP");
setflag(FLAG_TRUSTED_SOURCE);
return;
}
# drop requests with no To domain or IP To domain (friendly-scanner)
if (is_method("REGISTER|SUBSCRIBE|OPTIONS") &&
if (is_method("REGISTER|SUBSCRIBE|OPTIONS") &&
($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) {
xlog("L_WARN", "$ci|log|dropping request with IP domain in To header");
exit;
}
# drop Invite with IP auth realm
if (is_method("INVITE") && is_present_hf("Proxy-Authorization") &&
if (is_method("INVITE") && is_present_hf("Proxy-Authorization") &&
$ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header");
exit;
@ -477,10 +457,14 @@ route[DOS_PREVENTION]
}
}
onreply_route[EXTERNAL_REPLY]
onreply_route[EXTERNAL_REPLY]
{
xlog("L_INFO", "$ci|log|external reply $T_reply_code");
#!ifdef WEBSOCKETS-ROLE
route(NAT_WEBSOCKETS_CORRECT);
#!endif
#!ifdef NAT-TRAVERSAL-ROLE
route(NAT_TEST_AND_CORRECT);
#!endif
@ -492,11 +476,15 @@ onreply_route[INTERNAL_REPLY]
xlog("L_INFO", "$ci|start|recieved internal reply $T_reply_code $rr");
xlog("L_INFO", "$ci|log|source $si:$sp");
#!ifdef WEBSOCKETS-ROLE
route(NAT_WEBSOCKETS_CORRECT);
#!endif
if (is_method("INVITE") &&
!isflagset(FLAG_SESSION_PROGRESS) &&
t_check_status("(180)|(183)|(200)")
) {
if ($avp(AVP_REDIRECT_KEY) != $null &&
if ($avp(AVP_REDIRECT_KEY) != $null &&
$sht(redirects=>$avp(AVP_REDIRECT_KEY)) != $null
) {
xlog("L_INFO", "$ci|log|removing redirect mapping $avp(AVP_REDIRECT_KEY)");
@ -513,8 +501,7 @@ onreply_route[INTERNAL_REPLY]
$var(reply_reason) = $rr;
}
failure_route[INTERNAL_FAULT]
failure_route[INTERNAL_FAULT]
{
# this branch handles failures (>=300) to our media servers,
# which we can sometimes overcome by routing to another server
@ -529,7 +516,7 @@ failure_route[INTERNAL_FAULT]
# Handle redirects
if (t_check_status("302")) {
$var(redirect) = @from.uri.user + "@" + @from.uri.host + "->"
$var(redirect) = @from.uri.user + "@" + @from.uri.host + "->"
+ $T_rpl($(ct{tobody.user})) + "@" + $T_rpl($(ct{tobody.host}));
if($T_rpl($hdr(X-Redirect-Server)) != $null) {
$sht(redirects=>$var(redirect)) = $T_rpl($hdr(X-Redirect-Server));
@ -564,11 +551,11 @@ failure_route[INTERNAL_FAULT]
send_reply("486", "Insufficient Funds");
} else if (t_check_status("(4[0-9][0-9])|(5[0-9][0-9])")) {
xlog("L_INFO", "$ci|start|received failure reply $T_reply_code $rr");
#!ifdef DISPATCHER-ROLE
route(DISPATCHER_NEXT_ROUTE);
#!endif
send_reply("486", "Unable to Comply");
} else {
xlog("L_INFO", "$ci|log|failure route ignoring reply $T_reply_code $rr");
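Review bot: The `route[SANITY_CHECK]` hunk (-262,12 +240,6) appears, from its line counts, to drop the `msg:len > 6144` guard and its 513 reply, and nothing visible in the new code replaces it, so the routing script no longer bounds message size before `sanity_check()` runs. Since the same merge adds optional WebSocket and TLS listeners, I would keep a cap and make it tunable instead of removing it, e.g. `if ( msg:len > MAX_MSG_LEN ) { send_reply("513", "Message too large"); exit; }` with a matching `#!define` beside the other defines (MAX_MSG_LEN is a suggested name, not one that exists in the tree). Separately, in `route[DOS_PREVENTION]` the added `|| is_myself($si)` sets `FLAG_TRUSTED_SOURCE` for any request whose source address is local and returns before the rest of the route; a comment such as `# assumes the network drops external packets that claim one of our own addresses` would record what makes that safe over UDP. Both routes continue outside their hunks.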


+ 8
- 5
kamailio/dispatcher-role.cfg

@ -18,6 +18,9 @@ modparam("dispatcher", "ds_ping_interval", 10)
modparam("dispatcher", "ds_probing_threshhold", 3)
modparam("dispatcher", "ds_probing_mode", 1)
modparam("dispatcher", "ds_ping_reply_codes", "501,403,404,400,200")
modparam("dispatcher", "ds_ping_from", "sip:sipcheck@MY_IP_ADDRESS")
# modparam("dispatcher", "ds_ping_sock", "udp:MY_IP_ADDRESS:5060")
## Dispatcher Groups:
## 1 - Primary media servers
@ -78,7 +81,7 @@ route[DISPATCHER_FIND_ROUTES]
sl_send_reply("480", "All servers busy");
exit;
}
}
}
$var(contact_uri) = $(ct{tobody.user}) + "@" + $(ct{tobody.host});
$var(redirect) = @from.uri.user + "@" + @from.uri.host + "->"
@ -98,7 +101,7 @@ route[DISPATCHER_FIND_ROUTES]
}
}
route[DISPATCHER_REORDER_ROUTES]
route[DISPATCHER_REORDER_ROUTES]
{
$var(i) = 0;
$var(found) = 0;
@ -111,7 +114,7 @@ route[DISPATCHER_REORDER_ROUTES]
$var(i) = $var(i) + 1;
}
if (!$var(found) && $var(ds_group) == 1 && ds_select_dst("2", "0")) {
$var(i) = 0;
while($(avp(ds_dst)[$var(i)]) != $null) {
@ -121,9 +124,9 @@ route[DISPATCHER_REORDER_ROUTES]
break;
}
$var(i) = $var(i) + 1;
}
}
}
if ($var(found)) {
xlog("L_INFO", "$ci|log|re-ordering the dispatcher list to maintain association with $var(prefered_route)");


+ 24
- 4
kamailio/kamailio.cfg

@ -1,12 +1,32 @@
## NOTE: DO NOT CHANGE THIS FILE, EDIT local.cfg ##
####### Roles Configuration ######
include_file "roles.cfg"
#### Preprocessor Directives #########
#!define L_ALERT -5
#!define L_BUG -4
#!define L_CRIT2 -3
#!define L_CRIT -2
#!define L_ERR -1
#!define L_WARN 0
#!define L_NOTICE 1
#!define L_INFO 2
#!define L_DBG 3
####### Default Configuration ######
include_file "default.cfg"
#!define AVP_RECV_PARAM "recv_param"
#!define AVP_LOG_LEVEL "log_level"
#!define AVP_ROUTE_CNT "route_cnt"
#!define AVP_ASSOCIATED_SERVER "associated_server"
#!define AVP_ASSOCIATE_CONTACT "associate_contact"
#!define AVP_REDIRECT_KEY "redirect_key"
#!define FLB_NATB 1
#!define FLB_NATSIPPING 2
#!define FLB_UAC_REDIRECT 3
#!define TRUSTED_ADR_GROUP 1
####### Local Configuration ########
include_file "local.cfg"
####### Default Configuration ######
include_file "default.cfg"
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

+ 86
- 44
kamailio/local.cfg

@ -1,50 +1,92 @@
####### Logging Parameters #########
################################################################################
## LOGGING
################################################################################
debug = L_INFO
####### Alias Parameters #########
# alias = "mydomain.net"
################################################################################
## ROLES
################################################################################
## Enabled Roles
#!trydef DISPATCHER-ROLE
#!trydef NAT-TRAVERSAL-ROLE
#!trydef REGISTRAR-ROLE
#!trydef PRESENCE-ROLE
####### UDP Parameters #########
## NOTE: You must MATCH this to your network adapter!!
## If they do not match, all UDP packets over
## this limit WILL FAIL!
## Disabled Roles - remove all but the last '#' to enable
# # #!trydef TRAFFIC-FILTER-ROLE
# # #!trydef WEBSOCKETS-ROLE
# # #!trydef TLS-ROLE
################################################################################
## SERVER INFORMATION
################################################################################
## CHANGE "kamailio.2600hz.com" TO YOUR SERVERS HOSTNAME
#!substdef "!MY_HOSTNAME!kamailio.2600hz.com!g"
## CHANGE "127.0.0.1" TO YOUR SERVERS IP ADDRESS
## Usually your public IP. If you need
## to listen on addtional ports or IPs
## add them in "BINDINGS" at the bottom.
#!substdef "!MY_IP_ADDRESS!127.0.0.1!g"
## CHANGE "kazoo://guest:guest@127.0.0.1:5672" TO THE AMQP URL
## This should be the primary RabbitMQ server
## in the zone that this server will service.
#!substdef "!MY_AMQP_URL!kazoo://guest:guest@127.0.0.1:5672!g"
## This parameter is only required if you are using websockets
## This value must be present in the HTTP
## Origin header on a new websocket request
## or it will be rejected. If you remove
## it completely the validation will be disabled.
#!substdef "!MY_WEBSOCKET_DOMAIN!2600hz.com!g"
################################################################################
## UDP PARAMETERS
################################################################################
## This parameter is OPTIONAL
## If large UDP packets are dropped by the
## interface try uncommenting this option.
## However, you MUST match this to your
## network adapter! If they do not match,
## all UDP packets over this limit WILL FAIL!
## E.g.: Add MTU=1472 to the /etc/sysconfig/network-scripts/XXX
# udp4_raw_mtu = 1472
####### Binding Parameters #########
# mhomed=1
listen = tcp:127.0.0.1:5060
listen = udp:127.0.0.1:5060
listen = tcp:127.0.0.1:7000
listen = udp:127.0.0.1:7000
####### Dispatcher module ########
#!ifdef DISPATCHER-ROLE
modparam("dispatcher", "ds_ping_from", "sip:sipcheck@127.0.0.1")
# modparam("dispatcher", "ds_ping_sock", "udp:127.0.0.1:5060")
#!endif
######## NAT Traversal module - signaling functions ########
#!ifdef NAT-TRAVERSAL-ROLE
modparam("nathelper", "sipping_from", "sip:sipcheck@127.0.0.1")
# modparam("nathelper", "natping_socket", "127.0.0.1:5060")
#!endif
####### Kazoo Integration module ##########
#!ifdef INCLUDE-DB-KAZOO
## NOTE: The hostname that should be advertised to Kazoo
modparam("db_kazoo", "node_hostname", "kamailio.2600hz.com")
## NOTE: If you want a certain fs_path to be sent Kazoo,
## uncomment the next line and set the right value
# modparam("db_kazoo", "register_fs_path", "127.0.0.1:5060")
#!endif
####### Common Module Parameters ##########
#!ifdef REGISTRAR-ROLE
modparam("auth_db|usrloc", "db_url", "kazoo://guest:guest@127.0.0.1:5672/callmgr")
#!endif
#!ifdef PRESENCE-ROLE
modparam("presence", "db_url", "kazoo://guest:guest@127.0.0.1:5672/dialoginfo")
#!endif
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab
################################################################################
## BINDINGS
################################################################################
## This parameter is OPTIONAL.
## It will try to locate outbound interface
## on multihomed host. By default forward
## requests use the incoming socket disregarding
## the destination location. When enabled Kamailio
## will select a socket that can reach the
## destination. This reduces performance.
mhomed=0
## YOU SHOULD NOT HAVE TO CHANGE THESE!
## By setting MY_IP_ADDRESS above these will resolve
## to the proper bindings. These are here
## for those with complex layouts who know
## what they are doing :)
#!substdef "!UDP_SIP!udp:MY_IP_ADDRESS:5060!g"
#!substdef "!TCP_SIP!tcp:MY_IP_ADDRESS:5060!g"
#!substdef "!TLS_SIP!tls:MY_IP_ADDRESS:5061!g"
#!substdef "!UDP_AGL_SIP!udp:MY_IP_ADDRESS:7000!g"
#!substdef "!TCP_AGL_SIP!tcp:MY_IP_ADDRESS:7000!g"
#!substdef "!TLS_AGL_SIP!tls:MY_IP_ADDRESS:7001!g"
#!substdef "!TCP_WS!tcp:MY_IP_ADDRESS:8080!g"
#!substdef "!TLS_WSS!tls:MY_IP_ADDRESS:8443!g"
## YOU SHOULD NOT HAVE TO CHANGE THESE!
## This will bind the default SIP listeners
## as determined above. The tls-role and
## websocket-role will use the appropriate
## definitions if enabled. These are here
## for those with complex layouts who know
## what they are doing :)
listen=UDP_SIP
listen=TCP_SIP
listen=UDP_AGL_SIP
listen=TCP_AGL_SIP
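Review bot: The new `MY_AMQP_URL` default carries `guest:guest` credentials, and the comment above it tells operators to point the URL at their primary RabbitMQ server without mentioning the account, so a deployment that only edits the host ends up authenticating to a remote broker with the well-known default login. I would extend that comment, e.g. `## Replace guest:guest with a dedicated AMQP user; keep this file readable only by the kamailio user.` The `MY_WEBSOCKET_DOMAIN` comment documents that removing the value disables Origin validation; it should say explicitly that this is fail-open and not appropriate for an internet-facing WebSocket listener.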

+ 2
- 0
kamailio/nat-traversal-role.cfg

@ -3,6 +3,8 @@
loadmodule "nathelper.so"
#!endif
modparam("nathelper", "received_avp", "$avp(AVP_RECV_PARAM)")
modparam("nathelper", "sipping_from", "sip:sipcheck@MY_IP_ADDRESS")
# modparam("nathelper", "natping_socket", "MY_IP_ADDRESS:5060")
####### NAT Traversal Logic ########
route[NAT_TEST_AND_CORRECT]


+ 12
- 7
kamailio/presence-role.cfg

@ -1,20 +1,25 @@
#!trydef INCLUDE-DB-KAZOO
######## Generic Hash Table container in shared memory ########
modparam("htable", "htable", "dbkp=>size=16;autoexpire=7200")
######## Presence User Agent module ########
loadmodule "pua_dialoginfo.so"
modparam("pua_dialoginfo", "library_mode", 1)
######## Presence server module ########
loadmodule "presence.so"
loadmodule "presence_dialoginfo.so"
loadmodule "presence_mwi.so"
modparam("presence", "subs_db_mode", 1)
modparam("presence", "expires_offset", 60)
modparam("presence", "publ_cache", 0)
modparam("presence", "min_expires", 300)
#modparam("presence", "min_expires", 300)
modparam("presence", "max_expires", 3600)
modparam("presence", "db_url", "MY_AMQP_URL/dialoginfo")
######## Presence User Agent module ########
loadmodule "pua.so"
loadmodule "pua_dialoginfo.so"
modparam("pua_dialoginfo", "library_mode", 1)
modparam("pua", "db_url", "text:///etc/kazoo/kamailio/dbtext")
modparam("pua", "db_mode", 0)
modparam("pua", "min_expires", 300)
modparam("pua", "outbound_proxy", "sip:MY_IP_ADDRESS")
####### Presence Logic ########
route[HANDLE_SUBSCRIBE]


+ 3
- 4
kamailio/registrar-role.cfg

@ -1,5 +1,3 @@
#!trydef INCLUDE-DB-KAZOO
######## Generic Hash Table container in shared memory ########
modparam("htable", "htable", "auth_cache=>size=16;autoexpire=7200")
modparam("htable", "htable", "failed_auth_hash=>size=14;autoexpire=180;")
@ -36,6 +34,9 @@ modparam("registrar", "received_avp", "$avp(AVP_RECV_PARAM)")
modparam("registrar", "min_expires", 300)
modparam("registrar", "max_expires", 3600)
####### Common Module Parameters ##########
modparam("auth_db|usrloc", "db_url", "MY_AMQP_URL/callmgr")
####### Registrar Logic ########
route[HANDLE_REGISTER]
{
@ -57,11 +58,9 @@ route[HANDLE_REGISTER]
setbflag(FLB_NATB);
setbflag(FLB_NATSIPPING);
}
#!endif
if (is_present_hf("Authorization")) {
#!ifdef TRAFFIC-FILTER-ROLE
if (!route(PREVENT_BRUTEFORCE)) {
auth_challenge("$fd", "0");


+ 0
- 8
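--- a/kamailio/roles.cfg
+++ b/kamailio/roles.cfg
@@ -1,8 +0,0 @@
-####### Roles ########
-#!trydef DISPATCHER-ROLE
-#!trydef NAT-TRAVERSAL-ROLE
-#!trydef REGISTRAR-ROLE
-#!trydef PRESENCE-ROLE
-# # #!trydef TRAFFIC-FILTER-ROLE
-## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab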

+ 8
- 0
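--- a/kamailio/tls-role.cfg
+++ b/kamailio/tls-role.cfg
@@ -0,0 +1,8 @@
+enable_tls = yes
+listen=TLS_SIP
+listen=TLS_ALG_SIP
+####### TLS Parameters #########
+loadmodule "tls.so"
+modparam("tls", "config", "/etc/kazoo/kamailio/tls.cfg")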
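Review bot: `listen=TLS_ALG_SIP` does not match any substitution defined in this commit. local.cfg defines `TLS_AGL_SIP` (alongside `UDP_AGL_SIP` and `TCP_AGL_SIP`), so the token on this line is left unsubstituted when the TLS role is enabled, and the port 7001 TLS listener is presumably never bound as intended. The line should read `listen=TLS_AGL_SIP`. A short header comment saying that this file is only included under `#!ifdef TLS-ROLE` and expects the key material referenced from `/etc/kazoo/kamailio/tls.cfg` to exist would also help operators.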

+ 52
- 0
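--- a/kamailio/tls.cfg
+++ b/kamailio/tls.cfg
@@ -0,0 +1,52 @@
+#
+# $Id$
+#
+# Example Kamailio TLS Configuration File
+#
+# This is the default server domain, settings
+# in this domain will be used for all incoming
+# connections that do not match any other server
+# domain in this configuration file.
+#
+# We do not enable anything else than TLSv1
+# over the public internet. Clients do not have
+# to present client certificates by default.
+#
+[server:default]
+method = SSLv23
+verify_certificate = no
+require_certificate = no
+#crl = /etc/kazoo/kamailio/certs/crl.pem
+certificate = /etc/kazoo/kamailio/certs/cert.pem
+private_key = /etc/kazoo/kamailio/certs/key.pem
+ca_list = /etc/kazoo/kamailio/certs/ca.pem
+# This is the default client domain, settings
+# in this domain will be used for all outgoing
+# TLS connections that do not match any other
+# client domain in this configuration file.
+# We require that servers present valid certificate.
+#
+[client:default]
+verify_certificate = no
+require_certificate = no
+# This is an example server domain for TLS connections
+# received from the loopback interface. We allow
+# the use of SSLv2 and SSLv3 protocols here, we do
+# not require that clients present client certificates
+# but if they present it it must be valid. We also use
+# a special certificate and CA list for loopback
+# interface.
+#
+#[server:127.0.0.1:5061]
+#method = SSLv23
+#verify_certificate = yes
+#require_certificate = no
+#private_key = /etc/kazoo/kamailio/certs/local_key.pem
+#certificate = /etc/kazoo/kamailio/certs/local_cert.pem
+#verify_depth = 3
+#ca_list = /etc/kazoo/kamailio/certs/local_ca.pem
+#crl = /etc/kazoo/kamailio/certs/local_crl.pem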
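Review bot: The settings contradict the comments that describe them. The `[server:default]` comment says nothing other than TLSv1 is enabled, but `method = SSLv23` lets the handshake negotiate whichever SSL/TLS versions the linked OpenSSL still offers. The `[client:default]` comment says servers must present a valid certificate, while `verify_certificate = no` and `require_certificate = no` accept any peer, so outbound TLS connections are encrypted but not authenticated. I would set `verify_certificate = yes` and `require_certificate = yes` under `[client:default]`, with a `ca_list` for that domain, and pin the server method to a TLS-only value such as `method = TLSv1`, or a newer minimum where the tls module in use supports one. The commented loopback example states that it allows SSLv2 and SSLv3 and should not be kept as a template in that form.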

+ 137
- 0
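--- a/kamailio/websockets-role.cfg
+++ b/kamailio/websockets-role.cfg
@@ -0,0 +1,137 @@
+tcp_accept_no_cl=yes
+listen=TCP_WS
+#!ifdef TLS-ROLE
+listen=TLS_WSS
+#!endif
+######## NAT Traversal module - signaling functions ########
+#!ifndef NATHELPER-LOADED
+#!trydef NATHELPER-LOADED
+loadmodule "nathelper.so"
+#!endif
+######## Generic Hash Table container in shared memory ########
+modparam("htable", "htable", "websockets=>size=16;autoexpire=7200")
+######## Basic HTTP request handling ########
+loadmodule "xhttp.so"
+######## Websocket module ########
+loadmodule "websocket.so"
+modparam("websocket", "keepalive_mechanism", 0)
+modparam("websocket", "keepalive_timeout", 30)
+modparam("websocket", "keepalive_processes", 1)
+modparam("websocket", "keepalive_interval", 1)
+modparam("websocket", "ping_application_data", "Kazoo encourages you to keep alive")
+modparam("websocket", "sub_protocols", 1)
+####### Websocket Logic ########
+route[HANDLE_WEBSOCKETS]
+{
+# Do NAT traversal stuff for requests from a WebSocket
+# connection - even if it is not behind a NAT!
+# This won't be needed in the future if Kamailio and the
+# WebSocket client support Outbound and Path.
+if (nat_uac_test(64)) {
+xlog("L_INFO", "$ci|log|this is a websocket request\n");
+force_rport();
+if (is_method("REGISTER")) {
+fix_nated_register();
+} else {
+if (!add_contact_alias()) {
+xlog("L_INFO", "$ci|stop|error aliasing contact <$ct>\n");
+sl_send_reply("400", "Bad Request");
+exit;
+}
+}
+}
+}
+route[NAT_WEBSOCKETS_CORRECT]
+{
+# Do NAT traversal stuff for replies to a WebSocket connection
+# - even if it is not behind a NAT!
+# This won't be needed in the future if Kamailio and the
+# WebSocket client support Outbound and Path.
+if (nat_uac_test(64)) {
+xlog("L_INFO", "$ci|log|this is a websocket request\n");
+add_contact_alias();
+}
+}
+event_route[xhttp:request]
+{
+set_reply_close();
+set_reply_no_connect();
+if (!($rm =~ "GET")) {
+xlog("L_INFO", "websocket|log|rejecting HTTP request $rm from $si:$sp\n");
+xhttp_reply("405", "Method Not Allowed", "", "");
+exit;
+}
+if (!($hdr(Connection) =~ "Upgrade")) {
+xlog("L_INFO", "websocket|log|rejecting HTTP connection $hdr(Connection) request from $si:$sp\n");
+xhttp_reply("400", "Bad Request", "", "");
+exit;
+}
+if (!($hdr(Upgrade) =~ "websocket")) {
+xlog("L_INFO", "websocket|log|rejecting HTTP upgrade $hdr(Upgrade) request from $si:$sp\n");
+xhttp_reply("400", "Bad Request", "", "");
+exit;
+}
+if (!($hdr(Sec-WebSocket-Protocol) =~ "sip")) {
+xlog("L_INFO", "websocket|log|rejecting request for websocket protocol $hdr(Sec-WebSocket-Protocol) from $si:$sp\n");
+xhttp_reply("400", "Bad Request", "", "");
+exit;
+}
+#!ifdef MY_WEBSOCKET_DOMAIN
+if (!($hdr(Origin) =~ "MY_WEBSOCKET_DOMAIN")) {
+xlog("L_INFO", "websocket|log|rejecting HTTP request with unknown origin $hdr(Origin) from $si:$sp\n");
+xhttp_reply("400", "Bad Request", "", "");
+exit;
+}
+#!endif
+if($sht(websockets=>$si::count) == $null) {
+$var(count) = 1;
+} else {
+$var(count) = $sht(websockets=>$si::count) + 1;
+}
+if($var(count) > 50) {
+xlog("L_WARN", "websocket|log|$si:$sp is at the maximum allowable sockets per IP, rejecting request for another websocket\n");
+xhttp_reply("403", "Forbidden", "", "");
+exit;
+}
+if (ws_handle_handshake()) {
+$sht(websockets=>$si::count) = $var(count);
+xlog("L_INFO", "websocket|log|opened websocket $var(count) of 50 for $si:$sp\n");
+exit;
+}
+xlog("L_INFO", "websocket|log|unhandled HTTP request $rm from $si:$sp\n");
+xhttp_reply("404", "Not Found", "", "");
+}
+event_route[websocket:closed] {
+if($sht(websockets=>$si::count) == $null) {
+xlog("L_INFO", "websocket|log|closed websocket from $si:$sp\n");
+exit();
+}
+$var(count) = $sht(websockets=>$si::count) - 1;
+if ($var(count) < 1) {
+xlog("L_INFO", "websocket|log|$si:$sp closed last websocket to that IP\n");
+$sht(websockets=>$si::count) = $null;
+} else {
+$sht(websockets=>$si::count) = $var(count);
+xlog("L_INFO", "websocket|log|closed websocket from $si:$sp, $var(count) remaining from that IP\n");
+}
+}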
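Review bot: The Origin check in `event_route[xhttp:request]`, `$hdr(Origin) =~ "MY_WEBSOCKET_DOMAIN"`, is an unanchored regular expression with the dots of the substituted domain left unescaped, so any Origin value that merely contains the configured string is accepted. Anchoring it, e.g. `if (!($hdr(Origin) =~ "^https?://([^/]*\.)?MY_WEBSOCKET_DOMAIN(:[0-9]+)?$")) {` with the dots escaped in the `substdef` value, would make it an actual allow-list. The `GET`, `Upgrade`, `websocket` and `sip` tests are substring matches in the same way. The per-IP limit is also weaker than it reads: the `websockets` htable is declared with `autoexpire=7200`, so a counter can expire while its sockets are still open, and the read-then-write of `$sht(websockets=>$si::count)` is not done under a lock. The literal 50 would be better as a documented `#!define`, and the xlog text in `route[NAT_WEBSOCKETS_CORRECT]` says "request" although that route handles replies.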
