From 93840e83a4f267e08d0e7471b98f6d8b45e748c5 Mon Sep 17 00:00:00 2001 From: Daniel Pocock Date: Fri, 21 Sep 2012 19:48:00 +0000 Subject: [PATCH] add reSIProcate (SIP proxy and TURN server) package -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I've packaged the reSIProcate SIP stack (shared library), repro proxy and reTurn, the ICE/STUN/TURN server. Please find the Makefile and related artifacts attached Benefits to OpenWRT: This provides a comprehensive platform for true federated VoIP from OpenWRT, thanks to the following: - - repro has a built-in web interface and no database dependency, so it highly suitable for a router - - repro provides strong mutual TLS authentication - - reTurn provides robust and efficient NAT traversal for RTP streams Dependencies: This depends on my previous patches today, for building the C++ support for db47, and also adding libasio package Testing: I've tested the binaries on a TP-Link TL-WR1043ND with 32MB RAM and 8MB flash. This seems to be the bare minimum amount of flash for the combination of reSIProcate + openssl + libdb + other dependencies http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd More info on reSIProcate: http://www.resiprocate.org/ and a quick start HowTo guide for federated VoIP with reSIProcte: http://www.opentelecoms.org/federated-voip-quick-start-howto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCAAGBQJQXNJ/AAoJEOm1uwJp1aqDsxcP/2EXMsVZl0tAet7nU+XJOA3U Nxm8d/aPjOcI11VsZXo909Eiuo2MLmVqT3o044GARwxY5lWlMl3kQUGFbhNdho2m 6ffmvlqkjQn+DOEkHo3Bz4sAidYpuoTqr8Uz2YgpSLXQ1JYUpqch8SjqK0XFrX7E pbq5haCL9kqeZmDiyHoKS/MihZfBw+vDTaQMsczICGnqCSnXuF09rrUa4kGZ2xb3 vx3k/DCnLZVLCGG0TwRpoM65ov/6xYBhtTyglJHCQslZ5wCRR5Q4O6F4u7YPIpMO mACwsAWT4li88kM4mvBz5ikmGMSIEPMPIFceKxZAB45VWQy82SH4tTt89ER6Zt/2 39lABgPj+0iyWnckwvHF/C6Uzchjakp3qVsI6QarNtVBxE0jUO4c/msYghOmYUNS hWkyU3Aefuc9kyN+kHWtlAg14q+NeEhJr0ONIJmZ3M6VRPdcSRj91tb5pbG04/X0 55Ae8veYPn4MT3l0vbID1hcfBPaRVwavaEO3MrBOwzKXTYNHbYH6jmeQH/BAif3w Tbeh44hF+yXdkdBr1HNqrDkewmpAle9/bcQ36XXZIShdlx3m1sBPyozDAhozxDoA DIeBo9MMu18C7r1i14KRujqfxo6GhN2evElnKwMmXWRvLKDvHNoVTArdSsHBoC07 kAFcj3K2LPlRwkNSlEBL =TTUm -----END PGP SIGNATURE----- --- net/resiprocate/Makefile | 108 ++++ net/resiprocate/files/reTurnServer.config | 33 ++ net/resiprocate/files/reTurnServer.init | 20 + net/resiprocate/files/repro.config | 677 ++++++++++++++++++++++ net/resiprocate/files/repro.init | 20 + net/resiprocate/patches/001-csignal.patch | 8 + 6 files changed, 866 insertions(+) create mode 100644 net/resiprocate/Makefile create mode 100644 net/resiprocate/files/reTurnServer.config create mode 100644 net/resiprocate/files/reTurnServer.init create mode 100644 net/resiprocate/files/repro.config create mode 100644 net/resiprocate/files/repro.init create mode 100644 net/resiprocate/patches/001-csignal.patch diff --git a/net/resiprocate/Makefile b/net/resiprocate/Makefile new file mode 100644 index 0000000..303c269 --- /dev/null +++ b/net/resiprocate/Makefile @@ -0,0 +1,108 @@ +# +# Copyright (C) 2012 OpenWrt.org +# Copyright (C) 2012 Daniel Pocock +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=resiprocate +PKG_VERSION:=1.8.5 +PKG_RELEASE:=1 + +PKG_BUILD_DIR:=$(BUILD_DIR)/resiprocate-$(PKG_VERSION) +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://www.resiprocate.org/files/pub/reSIProcate/releases/ +PKG_MD5SUM:=70754747edf22cfd752a39eb81f0d2a1 + +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 +PKG_BUILD_DEPENDS:=+libasio + +include $(INCLUDE_DIR)/package.mk + +#TARGET_CFLAGS += $(FPIC) +TARGET_LDFLAGS += -lcrypto + +define Package/resiprocate/Default + SECTION:=net + CATEGORY:=Network + SUBMENU:=Telephony + DEFAULT:=m + TITLE:=reSIProcate + URL:=http://www.resiprocate.org/ + DEPENDS:=+libopenssl +libdb47 +libcares +boost +libstdcpp +endef + +define Package/libresiprocate +$(call Package/resiprocate/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE+= libraries +endef + +define Package/repro +$(call Package/resiprocate/Default) + TITLE+= repro SIP proxy + DEPENDS+= +libresiprocate +endef + +define Package/resiprocate-turn-server +$(call Package/resiprocate/Default) + TITLE+= repro TURN server (reTurn) + DEPENDS+= +libresiprocate +endef + +define Package/resiprocate/description + SIP stack, proxy, ICE/STUN/TURN implementation +endef + +define Package/repro/conffiles +/etc/repro/repro.config +endef + +define Package/resiprocate-turn-server/conffiles +/etc/reTurnServer.config +endef + +define Build/Configure + $(call Build/Configure/Default, --enable-shared --disable-static --with-ssl --with-c-ares ) +endef + +define Build/Compile + $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) +endef + +define Package/libresiprocate/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/librutil*.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libresip*.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libdum*.so* $(1)/usr/lib/ +endef + +define Package/repro/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/repro/repro $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/librepro*.so* $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/etc/repro/ssl + $(INSTALL_CONF) ./files/repro.config $(1)/etc/repro/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/repro.init $(1)/etc/init.d/repro +endef + +define Package/resiprocate-turn-server/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/reTurn/reTurnServer $(1)/usr/sbin/ + $(INSTALL_CONF) ./files/reTurnServer.config $(1)/etc/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/reTurnServer.init $(1)/etc/init.d/reTurnServer +endef + +$(eval $(call BuildPackage,libresiprocate)) +$(eval $(call BuildPackage,repro)) +$(eval $(call BuildPackage,resiprocate-turn-server)) + + diff --git a/net/resiprocate/files/reTurnServer.config b/net/resiprocate/files/reTurnServer.config new file mode 100644 index 0000000..9b04314 --- /dev/null +++ b/net/resiprocate/files/reTurnServer.config @@ -0,0 +1,33 @@ +TurnPort = 3478 +TlsTurnPort = 5349 +AltStunPort = 0 +TurnAddress = 0.0.0.0 +AltStunAddress = 0.0.0.0 +AuthenticationMode = 2 +AuthenticationRealm = reTurn +NonceLifetime = 3600 +AllocationPortRangeMin = 49152 +AllocationPortRangeMax = 65535 +DefaultAllocationLifetime = 600 +MaxAllocationLifetime = 3600 +MaxAllocationsPerUser = 0 +TlsServerCertificateFilename = server.pem +TlsTempDhFilename = dh512.pem +# leave blank if key is not encrypted +#TlsPrivateKeyPassword = +# Logging Type: syslog|cerr|cout|file +LoggingType = syslog +# Logging level: NONE|CRIT|ERR|WARNING|INFO|DEBUG|STACK +LoggingLevel = INFO +LogFilename = reTurnServer.log +LogFileMaxLines = 50000 +# It is highly recommended that these values are NOT left at their +# default setting +LongTermAuthUsername = test +LongTermAuthPassword = 1234 +# Must be true or false, default = false, not supported on Windows +Daemonize = true +# On UNIX it is normal to create a PID file +# if unspecified, no attempt will be made to create a PID file +#PidFile = /var/run/reTurnServer/reTurnServer.pid + diff --git a/net/resiprocate/files/reTurnServer.init b/net/resiprocate/files/reTurnServer.init new file mode 100644 index 0000000..c4733a7 --- /dev/null +++ b/net/resiprocate/files/reTurnServer.init @@ -0,0 +1,20 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2012 Daniel Pocock + +START=80 +STOP=20 + +SERVICE_USE_PID=1 + +start() { + group_exists return 123 || group_add return 123 + user_exists return 123 || user_add return 123 123 return /var/lib/return + mkdir -p /var/lib/return + chown -R return:return /var/lib/return + service_start /usr/sbin/reTurnServer --Daemonize=true --LoggingType=syslog --PidFile=/var/run/reTurnServer.pid +} + +stop() { + service_stop /usr/sbin/reTurnServer +} + diff --git a/net/resiprocate/files/repro.config b/net/resiprocate/files/repro.config new file mode 100644 index 0000000..63c5dd5 --- /dev/null +++ b/net/resiprocate/files/repro.config @@ -0,0 +1,677 @@ +######################################################## +# repro configuration file +######################################################## + + +######################################################## +# Log settings +######################################################## + +# Logging Type: syslog|cerr|cout|file +# Note: Logging to cout can negatively effect performance. +# When repro is placed into production 'file' or +# 'syslog' should be used. +LoggingType = syslog + +# Logging level: NONE|CRIT|ERR|WARNING|INFO|DEBUG|STACK +LogLevel = INFO + +# Log Filename +LogFilename = repro.log + +# Log file Max Bytes +LogFileMaxBytes = 5242880 + + +######################################################## +# Transport settings +######################################################## + +# Local IP Address to bind SIP transports to. If left blank +# repro will bind to all adapters. +#IPAddress = 192.168.1.106 +#IPAddress = 2001:5c0:1000:a::6d +IPAddress = + +# Local port to listen on for SIP messages over UDP - 0 to disable +UDPPort = 5060 + +# Local port to listen on for SIP messages over TCP - 0 to disable +TCPPort = 5060 + +# Local port to listen on for SIP messages over TLS - 0 to disable +#TLSPort = 5061 +TLSPort = 0 + +# Local port to listen on for SIP messages over DTLS - 0 to disable +DTLSPort = 0 + +# TLS domain name for this server (note: domain cert for this domain must be present) +TLSDomainName = + +# Whether or not we ask for (Optional) or expect (Mandatory) TLS +# clients to present a client certificate +# Possible values: +# None: client can connect without any cert, if a cert is sent, it is not checked +# Optional: client can connect without any cert, if a cert is sent, it must be acceptable to us +# Mandatory: client can not connect without any cert, cert must be acceptable to us +# How we decide if a cert is acceptable: it must meet two criteria: +# 1. it must be signed by a CA that we trust (see CADirectory) +# 2. the domain or full sip: URI in the cert must match the From: URI of all +# SIP messages coming from the peer +TLSClientVerification = None + +# Whether we accept the subjectAltName email address as if it was a SIP +# address (when checking the validity of a client certificate) +# Very few commercial CAs offer support for SIP addresses in subjectAltName +# For many purposes, an email address subjectAltName may be considered +# equivalent within a specific domain. +# Currently, this accepts such certs globally (for any incoming connection), +# not just for connections from the local users. +TLSUseEmailAsSIP = false + +# Alternate and more flexible method to specify transports to bind to. If specified here +# then IPAddress, and port settings above are ignored. +# Transports MUST be numbered in sequential order, starting from 1. Possible settings are: +# TransportInterface = : +# TransportType = <'TCP'|'UDP'|'TLS'|'DTLS'> - default is UDP if missing +# TransportTlsDomain = - only required if transport is TLS or DTLS +# TransportTlsClientVerification = <'None'|'Optional'|'Mandatory'> - default is None +# TransportRecordRouteUri = <'auto'|URI> - if set to auto then record route URI +# is automatically generated from the other +# transport settings. Otherwise explicity +# enter the full URI you want repro to use. +# Do not specify 'auto' if you specified +# the IPAddress as INADDR_ANY (0.0.0.0). +# If nothing is specified then repro will +# use the global RecordRouteUri setting. +# +# TransportRcvBufLen = - currently only applies to UDP transports, +# leave empty to use OS default +# Example: +# Transport1Interface = 192.168.1.106:5060 +# Transport1Type = TCP +# Transport1RecordRouteUri = auto +# +# Transport2Interface = 192.168.1.106:5060 +# Transport2Type = UDP +# Transport2RecordRouteUri = auto +# Transport2RcvBufLen = 10000 +# +# Transport3Interface = 192.168.1.106:5061 +# Transport3Type = TLS +# Transport3TlsDomain = sipdomain.com +# Transport3TlsClientVerification = Mandatory +# Transport3RecordRouteUri = sip:h1.sipdomain.com;transport=TLS + + +# Comma separated list of DNS servers, overrides default OS detected list (leave blank +# for default) +DNSServers = + +# Enable IPv6 +EnableIPv6 = false + +# Enable IPv4 +DisableIPv4 = false + +# Port on which to run the HTTP configuration interface and/or certificate server +# 0 to disable (default: 5080) +HttpPort = 5080 + +# disable HTTP challenges for web based configuration GUI +DisableHttpAuth = false + +# Web administrator password +HttpAdminPassword = admin + +# Port on which to listen for and send XML RPC messaging used in command processing +# 0 to disable (default: 5081) +CommandPort = 5081 + +# Port on which to listen for and send XML RPC messaging used in registration sync +# process - 0 to disable (default: 0) +RegSyncPort = 0 + +# Hostname/ip address of another instance of repro to synchronize registrations with +# (note xmlrpcport must also be specified) +RegSyncPeer = + + +######################################################## +# Misc settings +######################################################## + +# Must be true or false, default = false, not supported on Windows +Daemonize = true + +# On UNIX it is normal to create a PID file +# if unspecified, no attempt will be made to create a PID file +PidFile = /var/run/repro/repro.pid + +# Path to load certificates from (default: "$(HOME)/.sipCerts on *nix, and c:\sipCerts +# on windows) +# Note that repro loads ALL root certificates found by the settings +# CertificatePath, CADirectory and CAFile. Setting one option does +# not disable the other options. +# Certificates in this location have to match one of the filename +# patterns expected by the legacy reSIProcate SSL code: +# domain_cert_NAME.pem, root_cert_NAME.pem, ... +CertificatePath = /etc/repro/ssl + +# Path to load root certificates from +# Iff this directory is specified, all files in the directory +# will be loaded as root certificates, prefixes and suffixes are +# not considered +# Note that repro loads ALL root certificates found by the settings +# CertificatePath, CADirectory and CAFile. Setting one option does +# not disable the other options. +# On Debian, the typical location is /etc/ssl/certs +CADirectory = /etc/ssl/certs + +# Specify a single file containing one or more root certificates +# and possible chain/intermediate certificates to be loaded +# Iff this filename is specified, the certificates in the file will +# be loaded as root certificates +# +# This does NOT currently support bundles of unrelated root certificates +# stored in the same PEM file, it ONLY supports related/chained root +# certificates. If multiple roots must be supported, use the CADirectory +# option. +# +# In the future, this behavior may change to load a bundle, +# such as /etc/ssl/certs/ca-certificates.txt on Debian and +# /etc/pki/tls/cert.pem on Red Hat/CentOS +# +# Note that repro loads ALL root certificates found by the settings +# CertificatePath, CADirectory and CAFile. Setting one option does +# not disable the other options. +# +# This example loads just the CACert.org chain, which typically +# includes the class 1 root and the class 3 root (signed by the class 1 root) +#CAFile = /etc/ssl/certs/cacert.org.pem + +# The Path to read and write Berkely DB database files +DatabasePath = /etc/repro/home + +# The hostname running MySQL server to connect to, leave blank to use BerkelyDB +# The value of host may be either a host name or an IP address. If host is "localhost", +# a connection to the local host is assumed. For Windows, the client connects using a +# shared-memory connection, if the server has shared-memory connections enabled. Otherwise, +# TCP/IP is used. For Unix, the client connects using a Unix socket file. For a host value of +# "." on Windows, the client connects using a named pipe, if the server has named-pipe +# connections enabled. If named-pipe connections are not enabled, an error occurs. +# WARNING: repro must be compiled with the USE_MYSQL flag in order for this work. +MySQLServer = + +# The MySQL login ID to use when connecting to the MySQL Server. If user is empty string "", +# the current user is assumed. Under Unix, this is the current login name. Under Windows, +# the current user name must be specified explicitly. +MySQLUser = root + +# The password for the MySQL login ID specified. +MySQLPassword = root + +# The database name on the MySQL server that contains the repro tables +MySQLDatabaseName = repro + +# If port is not 0, the value is used as the port number for the TCP/IP connection. Note that +# the host parameter determines the type of the connection. +MySQLPort = 3306 + +# The Users and MessageSilo database tables are different from the other repro configuration +# database tables, in that they are accessed at runtime as SIP requests arrive. It may be +# desirable to use BerkeleyDb for the other repro tables (which are read at starup time, then +# cached in memory), and MySQL for the runtime accessed tables; or two seperate MySQL instances +# for these different table sets. Use the following settings in order to specify a seperate +# MySQL instance for use by the Users and MessageSilo tables. +# +# WARNING: repro must be compiled with the USE_MYSQL flag in order for this work. +# +# Note: If this setting is left blank then repro will fallback all remaining my sql +# settings to use the global MySQLServer settings. If the MySQLServer setting is also +# blank, then repro will use BerkelyDB for all configuration tables. See the +# documentation on the global MySQLServer settings for more details on the following +# individual settings. +RuntimeMySQLServer = +RuntimeMySQLUser = root +RuntimeMySQLPassword = root +RuntimeMySQLDatabaseName = repro +RuntimeMySQLPort = 3306 + +# If you would like to be able to authenticate uses from a MySQL source other than the repro user +# database table itself, then specify the query here. The following conditions apply: +# 1. The database table must reside on the same MySQL server instance as the repro database +# or Runtime tables database. +# 2. The statement provided will be UNION'd with the hardcoded repro query, so that auth from +# both sources is possible. Note: If the same user exists in both tables, then the repro +# auth info will be used. +# 3. The provided SELECT statement must return the SIP A1 password hash of the user in question. +# 4. The provided SELECT statement must contain two tags embedded into the query: $user and $domain +# These tags should be used in the WHERE clause, and repro will replace these tags with the +# actual user and domain being queried. +# Example: SELECT sip_password_ha1 FROM directory.users WHERE sip_userid = '$user' AND +# sip_domain = '$domain' AND account_status = 'active' +MySQLCustomUserAuthQuery = + +# Run a Certificate Server - Allows PUBLISH and SUBSCRIBE for certificates +EnableCertServer = false + +# Value of server header for local UAS responses +ServerText = + +# Enables Congestion Management +CongestionManagement = true + +# Congestion Management Metric - can take one of the following values: +# SIZE : Based solely on the number of messages in each fifo +# TIME_DEPTH : Based on the age of the oldest (front-most) message +# in each fifo. +# WAIT_TIME : Based on the expected wait time for each fifo; this is +# calculated by multiplying the size by the average service time. +# This is the recommended metric. +CongestionManagementMetric = WAIT_TIME + +# Congestion Management Tolerance for the given metric. This determines when the RejectionBehavior +# changes. +# 0-80 percent of max tolerance -> NORMAL (Not rejecting any work.) +# 80-100 percent of max tolerance -> REJECTING_NEW_WORK (Refuses new work, +# not continuation of old work.) +# >100 percent of max tolerance -> REJECTING_NON_ESSENTIAL (Rejecting all work +# that is non-essential to the health of the system (ie, if dropping +# something is liable to cause a leak, instability, or state-bloat, don't drop it. +# Otherwise, reject it.) +# Units specified are dependent on Metric specified above: +# If Metric is SIZE then units are number of messages +# If Metric is TIME_DEPTH then units are the number seconds old the oldest message is +# If Metric is WAIT_TIME then units are the expected wait time of each fifo in milliseconds +CongestionManagementTolerance = 200 + +# Specify the number of seconds between writes of the stack statistics block to the log files. +# Specifying 0 will disable the statistics collection entirely. If disabled the statistics +# also cannot be retreived using the reprocmd interface. +StatisticsLogInterval = 3600 + +# Use MultipleThreads stack processing. +ThreadedStack = true + +# The number of worker threads used to asynchronously retrieve user authentication information +# from the database store. +NumAuthGrabberWorkerThreads = 2 + +# The number of worker threads in Async Processor tread pool. Used by all Async Processors +# (ie. RequestFilter) +NumAsyncProcessorWorkerThreads = 2 + +# Specify domains for which this proxy is authorative (in addition to those specified on web +# interface) - comma separate list +# Notes: * Domains specified here cannot be used when creating users, domains used in user +# AORs must be specified on the web interface. +# * In previous versions of repro, localhost, 127.0.0.1, the machine's hostname, +# and all interface addresses would automatically be appended to this +# configuration parameter. From now on, such values must be listed +# here explicitly if required, e.g. +# +# Domains = localhost, 127.0.0.1, sip-server.example.org, 10.83.73.80 +# +# although when using TLS only, it is not desirable or necessary to +# add such values. +# +Domains = + +# Uri to use as Record-Route +RecordRouteUri = + +# Force record-routing +# WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using +# the alternate transport specification mechanism and defining a RecordRouteUri per +# transport: TransportXRecordRouteUri +ForceRecordRouting = false + +# Assume path option +AssumePath = false + +# Disable registrar +DisableRegistrar = false + +# Specify a comma separate list of enum suffixes to search for enum dns resolution +EnumSuffixes = + +# Specify the target domain(s) for ENUM logic support. When a dialed SIP URI +# is addressed to +number@somedomain, +# where somedomain is an element of EnumDomains, +# the ENUM logic will be applied for the number +# If empty, ENUM is never used +EnumDomains = + +# Specify length of timer C in sec (0 or negative will disable timer C) - default 180 +TimerC = 180 + +# Override the default value of T1 in ms (you probably should not change this) - leave +# as 0 to use default of 500ms) +TimerT1 = 0 + +# Disable outbound support (RFC5626) +# WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using +# the alternate transport specification mechanism and defining a RecordRouteUri per +# transport: TransportXRecordRouteUri +DisableOutbound = true + +# Set the draft version of outbound to support (default: RFC5626) +# Other accepted values are the versions of the IETF drafts, before RFC5626 was issued +# (ie. 5, 8, etc.) +OutboundVersion = 5626 + +# There are cases where the first hop in a particular network supports the concept of outbound +# and ensures all messaging for a client is delivered over the same connection used for +# registration. This could be a SBC or other NAT traversal aid router that uses the Path +# header. However such endpoints may not be 100% compliant with outbound RFC and may not +# include a ;ob parameter in the path header. This parameter is required in order for repro +# to have knowledge that the first hop does support outbound, and it will reject registrations +# that appear to be using outboud (ie. instanceId and regId) with a 439 (First Hop Lacks Outbound +# Support). In this case it can be desirable when using repro as the registrar to not reject +# REGISTRATION requests that contain an instanceId and regId with a 439. +# If this setting is enabled, then repro will assume the first hop supports outbound +# and not return this error. +AssumeFirstHopSupportsOutbound = false + +# Enable use of flow-tokens in non-outbound cases +# WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using +# the alternate transport specification mechanism and defining a RecordRouteUri per +# transport: TransportXRecordRouteUri +EnableFlowTokens = false + +# Enable use of flow-tokens in non-outbound cases for clients detected to be behind a NAT. +# This a more selective flow token hack mode for clients not supporting RFC5626. The +# original flow token hack (EnableFlowTokens) will use flow tokens on all client requests. +# Possible values are: DISABLED, ENABLED and PRIVATE_TO_PUBLIC. +# WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using +# the alternate transport specification mechanism and defining a RecordRouteUri per +# transport: TransportXRecordRouteUri +ClientNatDetectionMode = DISABLED + +# Set to greater than 0 to enable addition of Flow-Timer header to REGISTER responses if +# outbound is enabled (default: 0) +FlowTimer = 0 + + +######################################################## +# CertificateAuthenticator Monkey Settings +######################################################## + +# Enables certificate authenticator - note you MUST use a TlsTransport +# with TlsClientVerification set to Optional or Mandatory. +# There are two levels of checking: +# a) cert must be signed by a CA trusted by the stack +# b) the CN or one of the subjectAltName values must match the From: +# header of each SIP message on the TlsConnection +# Examples: +# Cert 1: +# common name = daniel@pocock.com.au +# => From: is the only value that will pass +# Cert 2: +# subjectAltName = pocock.com.au +# => From: <@pocock.com.au> will be accepted +# Typically, case 1 is for a real client connection (e.g. Jitsi), case 2 +# (whole domain) is for federated SIP proxy-to-proxy communication (RFC 5922) +EnableCertificateAuthenticator = false + +# A static text file that contains mappings of X.509 Common Names to +# permitted SIP `From:' addresses +# +# Without this file, the default behavior of the CertificateAuthenticator +# ensures that the `From:' address in SIP messages must match the +# Common Name or one of the subjectAltNames from the X.509 certificate +# +# When this file is supplied, the CertificateAuthenticator will continue +# to allow SIP messages where there is an exact match between the +# certificate and the `From:' address, but it will also allow +# the holder of a particular certificate to use any of the `mapped' +# `From:' addresses specified in the mappings file +# +# File format: +# common name,,... +# +# where: +# is exactly one tab +# is `user@domain' or just `domain' +# +CommonNameMappings = /etc/repro/tlsUserMappings.txt + + +######################################################## +# DigestAuthenticator Monkey Settings +######################################################## + +# Disable DIGEST challenges - disables this monkey +DisableAuth = false + +# Http hostname for this server (used in Identity headers) +HttpHostname = + +# Disable adding identity headers +DisableIdentity = false + +# Enable addition and processing of P-Asserted-Identity headers +EnablePAssertedIdentityProcessing = false + +# Disable auth-int DIGEST challenges +DisableAuthInt = false + +# Send 403 if a client sends a bad nonce in their credentials (will send a new +# challenge otherwise) +RejectBadNonces = false + +# allow To tag in registrations +AllowBadReg = false + + +######################################################## +# RequestFilter Monkey Settings +######################################################## + +# Disable RequestFilter monkey processing +DisableRequestFilterProcessor = false + +# Default behavior for when no matching filter is found. Leave empty to allow +# request processing to continue. Otherwise set to a SIP status error code +# (400-699) that should be used to reject the request (ie. 500, Server Internal +# Error). +# The status code can optionally be followed by a , and SIP reason text. +RequestFilterDefaultNoMatchBehavior = + +# Default behavior for SQL Query db errors. Leave empty to allow request processing +# to continue. Otherwise set to a SIP status error code (400-699) that should be +# used to reject the request (ie. 500 - Server Internal Error). +# The status code can optionally be followed by a , and SIP reason text. +# Note: DB support for this action requires MySQL support. +RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error + +# The hostname running MySQL server to connect to for any blocked entries +# that are configured to used a SQL statement. +# WARNING: repro must be compiled with the USE_MYSQL flag in order for this work. +# +# Note: If this setting is left blank then repro will fallback all remaining my sql +# settings to use the global RuntimeMySQLServer or MySQLServer settings. See the +# documentation on the global MySQLServer settings for more details on the following +# individual settings. +RequestFilterMySQLServer = + +# The MySQL login ID to use when connecting to the MySQL Server. +# Note: If the RequestFilterMySQLServer setting is left blank then repro will fallback to +# using the global MySQL settings. +RequestFilterMySQLUser = root + +# The password for the MySQL login ID specified. +# Note: If the RequestFilterMySQLServer setting is left blank then repro will fallback to +# using the global MySQL settings. +RequestFilterMySQLPassword = root + +# The database name on the MySQL server that contains the repro tables +# Note: If the RequestFilterMySQLServer setting is left blank then repro will fallback to +# using the global MySQL settings. +RequestFilterMySQLDatabaseName = + +# If port is not 0, the value is used as the port number for the TCP/IP connection. Note that +# the host parameter determines the type of the connection. +# Note: If the RequestFilterMySQLServer setting is left blank then repro will fallback to +# using the global MySQL settings. +RequestFilterMySQLPort = 3306 + + +######################################################## +# StaticRoute Monkey Settings +######################################################## + +# Specify where to route requests that are in this proxy's domain - disables the +# routes in the web interface and uses a SimpleStaticRoute monkey instead. +# A comma seperated list of routes can be specified here and each route will +# be added to the outbound Requests with the RequestUri left in tact. +Routes = + +# Parallel fork to all matching static routes +ParallelForkStaticRoutes = false + +# By default (false) we will stop looking for more Targets if we have found +# matching routes. Setting this value to true will allow the LocationServer Monkey +# to run after StaticRoutes have been found. In this case the matching +# StaticRoutes become fallback targets, processed only after all location server +# targets fail. +ContinueProcessingAfterRoutesFound = false + + +######################################################## +# Message Silo Monkey Settings +######################################################## + +# Specify where the Message Silo is enabled or not. If enabled, +# then repro will store MESSAGE requests for users that are not online. +# When the user is back online (ie. registers with repro), the stored +# messages will be delivered. +MessageSiloEnabled = false + +# A regular expression that can be used to filter which URI's not to +# do message storage (siloing) for. Destination/To URI's matching +# this regular expression will not be silo'd. +MessageSiloDestFilterRegex = + +# A regular expression that can be used to filter which body/content/mime +# types not to do message storage (siloing) for. Content-Type's matching +# this regular expression will not be silo'd. +MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml + +# The number of seconds a message request will be stored in the message silo. +# Messages older than this time, are candidates for deletion. +# Default (259200 seconds = 30 days) +MessageSiloExpirationTime = 2592000 + +# Flag to indicate if a Date header should be added to replayed SIP +# MESSAGEs from the silo, when a user registers. +MessageSiloAddDateHeader = true + +# Defines the maximum message content length (bytes) that will be stored in +# the message silo. Messages with a Content-Length larger than this +# value will be discarded. +# WARNING: Do not increasing this value beyond the capabilities of the +# database storage or internal buffers. +# Note: AbstractDb uses a read buffer size of 8192 - do not exceed this size. +MessageSiloMaxContentLength = 4096 + +# The status code returned to the sender when a messages is successfully +# silo'd. +MessageSiloSuccessStatusCode = 202 + +# The status code returned to the sender when a messages mime-type matches +# the MessageSiloMimeTypeFilterRegex. Can be used to avoid sending errors +# to isComposing mime bodies that don't need to be silod. Set to 0 to use +# repro standard response (ie. 480). +MessageSiloFilteredMimeTypeStatusCode = 200 + +# The status code returned to the sender when a messages is not silo'd due +# to the MaxContentLength being exceeded. +MessageSiloFailureStatusCode = 480 + + +######################################################## +# Recursive Redirect Lemur Settings +######################################################## + +# Handle 3xx responses in the proxy - enables the Recursive Redirect Lemur +RecursiveRedirect = false + + +######################################################## +# Geo Proximity Target Sorter Baboon Settings +######################################################## + +# If enabled, then this baboon can post-process the target list. +# This includes targets from the StaticRoute monkey and/or targets +# from the LocationServer monkey. Requests that meet the filter +# criteria will have their Target list, flatened (serialized) and +# ordered based on the proximity of the target to the client sending +# the request. Proximity is determined by looking for a +# x-repro-geolocation="," parameter on the Contact +# header of a received request, or the Contact headers of Registration +# requests. If this parameter is not found, then this processor will +# attempt to determine the public IP address closest to the client or +# target and use the MaxMind Geo IP library to lookup the geo location. +GeoProximityTargetSorting = false + +# Specify the full path to the IPv4 Geo City database file +# Note: A free version of the database can be downloaded from here: +# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz +# For a more accurate database, please see the details here: +# http://www.maxmind.com/app/city +GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat + +# Specify the full path to the IPv6 Geo City database file +# Note: A free version of the database can be downloaded from here: +# http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/ +# For a more accurate database, please see the details here: +# http://www.maxmind.com/app/city +# Leave blank to disable V6 lookups. Saves memory (if not required). +#GeoProximityIPv6CityDatabaseFile = GeoLiteCityv6.dat +GeoProximityIPv6CityDatabaseFile = + +# This setting specifies a PCRE compliant regular expression to attempt +# to match against the request URI of inbound requests. Any requests +# matching this expression, will have its Targets sorted as described +# above. Leave blank to match all requests. +GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$ + +# The distance (in Kilometers) to use for proximity sorting, when the +# Geo Location of a target cannot be determined. +GeoProximityDefaultDistance = 0 + +# If enabled, then targets that are determined to be of equal distance +# from the client, will be placed in a random order. +LoadBalanceEqualDistantTargets = true + + +######################################################## +# Q-Value Target Handler Baboon Settings +######################################################## + +# Enable sequential q-value processing - enables the Baboon +QValue = true + +# Specify forking behavior for q-value targets: FULL_SEQUENTIAL, EQUAL_Q_PARALLEL, +# or FULL_PARALLEL +QValueBehavior = EQUAL_Q_PARALLEL + +# Whether to cancel groups of parallel forks after the period specified by the +# QValueMsBeforeCancel parameter. +QValueCancelBetweenForkGroups = true + +# msec to wait before cancelling parallel fork groups when QValueCancelBetweenForkGroups +# is true +QValueMsBeforeCancel = 30000 + +# Whether to wait for parallel fork groups to terminate before starting new fork-groups. +QValueWaitForTerminateBetweenForkGroups = true + +# msec to wait before starting new groups of parallel forks when +# QValueWaitForTerminateBetweenForkGroups is false +QValueMsBetweenForkGroups = 3000 + + diff --git a/net/resiprocate/files/repro.init b/net/resiprocate/files/repro.init new file mode 100644 index 0000000..dfcb771 --- /dev/null +++ b/net/resiprocate/files/repro.init @@ -0,0 +1,20 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2012 Daniel Pocock + +START=80 +STOP=20 + +SERVICE_USE_PID=1 + +start() { + group_exists repro 123 || group_add repro 123 + user_exists repro 123 || user_add repro 123 123 repro /etc/repro/home + mkdir -p /etc/repro/home + chown -R repro:repro /etc/repro/home + service_start /usr/sbin/repro --Daemonize=true --LoggingType=syslog --PidFile=/var/run/repro.pid +} + +stop() { + service_stop /usr/sbin/repro +} + diff --git a/net/resiprocate/patches/001-csignal.patch b/net/resiprocate/patches/001-csignal.patch new file mode 100644 index 0000000..1650792 --- /dev/null +++ b/net/resiprocate/patches/001-csignal.patch @@ -0,0 +1,8 @@ +--- a/reTurn/reTurnServer.cxx 2012-08-08 14:48:07.000000000 +0200 ++++ b/reTurn/reTurnServer.cxx 2012-09-21 20:20:26.441310748 +0200 +@@ -1,4 +1,5 @@ + #include ++#include + #include + #include + #include