Authentication
Documentation based on repostory git version commit 2.4.0-alpha-163-g766e8a2f
Module Authentication
The authentication module challenges and authenticates SIP requests using two possible methods:
- if the request is received via a TLS transport and 'require-peer-certificate' is set in transport definition in [Global] section for this transport, then the From header of the request is matched with the CN claimed by the client certificate. The CN must contain sip:user@domain or alternate name with URI=sip:user@domain corresponding to the URI in the from header for the request to be accepted. Optionnaly, the property tls-client-certificate-required-subject may contain a regular expression for additional checks to execute on certificate subjects.
- if no TLS client based authentication can be performed, or has failed, then a SIP digest authentication is performed. The password verification is made by querying a database or a password file on disk.
----
Configuration options:
Name | Description | Default Value | Default Unit | Type |
---|---|---|---|---|
enabled | Indicate whether the module is activated. | false | Boolean | |
filter | A request/response enters module if the boolean filter evaluates to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org') && (user-agent == 'Linphone v2'). You can consult the full filter documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/ | BooleanExpr | ||
trusted-hosts | List of whitespace-separated IP addresses which will be judged as trustful. Messages coming from these addresses won't be challenged. | StringList | ||
auth-domains | List of whitespace separated domains to challenge. Others are automatically denied. The wildcard domain '*' is accepted, which means that requests are challenged whatever the originating domain is. This is convenient for a proxy serving multiple SIP domains. | localhost | StringList | |
available-algorithms | List of digest algorithms to use for password hashing. Think this setting as filter applied after fetching the credentials of a user from the user database. For example, if a user has its password hashed by MD5 and SHA-256 but 'available-algorithms' only has MD5, then only a MD5-based challenged will be submited to the UAC. | MD5 | StringList | |
disable-qop-auth | Disable the QOP authentication method. Default is to use it, use this flag to disable it if needed. | false | Boolean | |
no-403 | Don't reply 403 when authentication fails. Instead, generate a new 401 (or 407) response containing a new challenge. | false | BooleanExpr | |
nonce-expires | Expiration time before generating a new nonce. | 3600 | second | DurationS |
realm | The realm to use for digest authentication. It will used whatever the domain of the From-URI. Examples: | String | ||
realm-regex | Extraction regex applied on the URI of the 'from' header (or P-Prefered-Identity header if present) in order to extract the realm. The realm is found out by getting the first slice of the URI that matches the regular expression. If it has one or more capturing parentheses, the content of the first one is used as realm. For instance, given auth-domains=sip.example.com, you might use 'sip:.*@sip\.(.*)\.com' in order to use 'example' as realm. WARNING: this parameter is exclusive with 'realm' | String | ||
reject-wrong-client-certificates | If set to true, the module will simply reject with "403 forbidden" any request coming from clients which have presented a bad TLS certificate (regardless of reason: improper signature, unmatched subjects). Otherwise, the module will fallback to a digest authentication. | false | Boolean | |
tls-client-certificate-required-subject | An optional regular expression used to accept or deny a request basing on subject fields of the client certificate. The request is allowed if one of the subjects matches the regular expression. | String | ||
trust-domain-certificates | Accept requests which the client certificate enables to trust the domaine of its Request-URI. | false | Boolean | |
new-auth-on-407 | When receiving a proxy authenticate challenge, generate a new challenge for this proxy. | false | Boolean | |
db-implementation | Database backend implementation for digest authentication [soci,file]. | file | String | |
cache-expire | Duration of the validity of the credentials added to the cache. | 1800 | second | DurationS |
file-path | Path of the file in which user credentials are stored. | String | ||
soci-backend | Choose the type of backend that Soci will use for the connection. | mysql | String | |
soci-connection-string | The configuration parameters of the Soci backend. | db=mydb user=myuser password='mypass' host=myhost.com | String | |
soci-password-request | Soci SQL request used to obtain the password of a given user. Only these keywords are supported: - ':id' : the user found in the from header (mandatory) The request MUST returns a two-columns table, which columns are defined as follow: Examples: - all the passwords from the database are MD5 | select password, 'MD5' from accounts where login = :id and domain = :domain | String | |
soci-max-queue-size | Amount of queries that will be allowed to be queued before bailing password requests. | 1000 | Integer | |
soci-poolsize | Size of the pool of connections that Soci will use. A thread is opened for each DB query, and this pool will allow each thread to get a connection. | 100 | Integer |