
sip-router*.cfg: defines, links, test run support

- added links to docs, ser_ctl, serweb and sr-users mailing list
address

- feature defines compatible with kamailio.cfg: WITH_DEBUG,
WITH_TLS, WITH_XMLRPC (can be enabled by uncommenting the
corresponding #!define or by starting ser with -A WITH_XXXX)

- XMLRPC_TLS_ONLY define: when enabled XMLRPC will be allowed only
on TLS and only from clients with valid certificates.

- XMLRPC_ALLOW_NET1, XMLRPC_ALLOW_NET2, XMLRPC_ALLOW_NET3 defines:
when enabled they must contain a valid network address (e.g.
10.0.0.0/8). xmlrpc requests will be accepted only from
localhost (always) and from clients with source addresses
matching one of the XMLRPC_ALLOW_NET[1-3] defines.
E.g.: ser -A WITH_XMLRPC -A XMLRPC_ALLOW_NET1=10.0.0.0/8 ....

- LOCAL_TEST_RUN define: when enabled ser will assume it is
not installed and that it is started from the source/compile
directory (as opposed to an installed version). All the modules
will be searched in modules*/modulename/modulename.so and all the
other files referenced in the config will be relative to the
working directory (and not the ser config file directory).

- multicast replication listen address set to udp only (avoids
warnings on startup)

- load sl after tm (the new merged sl prints a warning if tm is
not loaded first)

- use ser instead of sip-router for the DB names/uris and ctl
sockets

- use a XMLRPC specific route

- XMLRPC bug workaround for xmlrpclib (which waits for an EOF
before interpreting the response).

Andrei Pelinescu-Onciul authored on 07/09/2010 16:20:40
Showing 3 changed files
... ...
@@ -1,22 +1,45 @@
1 1
 #
2 2
 # $Id$
3 3
 #
4
-# This a very basic config file w aliases and anamed route but
4
+# This a very basic config file w/ aliases and a named route but
5 5
 # w/o authentication, accounting, database, multi-domain support etc.
6 6
 # Please refer to sip-router.cfg for a more complete example
7 7
 #
8
+# Direct your questions about this file to: <sr-users@lists.sip-router.org>.
9
+#
10
+# For more information about the various parameters, functions and statements
11
+# try http://sip-router.org/wiki/ .
12
+#
13
+
14
+#------------ Features -----------------------------------------------
15
+# Several extra features can be enabled by adding #!define WITH_<FEATURE>
16
+# statements to the config file, or by starting sr/ser with -A WITH_<FEATURE>.
17
+# E.g.: ser -f /etc/ser/sip-router-basic.cfg -A WITH_TLS
18
+
19
+# run in debug mode:
20
+##!define WITH_DEBUG
21
+
22
+# enable tls support:
23
+##!define WITH_TLS
24
+
25
+# started from compile directory (not installed)
26
+##!define LOCAL_TEST_RUN
27
+
8 28
 
9 29
 # ----------- global configuration parameters ------------------------
10 30
 
31
+#!ifdef WITH_DEBUG
32
+debug=5
33
+log_stderror=yes
34
+fork=no
35
+#!else
11 36
 debug=2         # debug level (cmd line: -dddddddddd)
37
+#!endif
38
+
12 39
 #memdbg=10 # memory debug message level
13 40
 #memlog=10 # memory statistics log level
14 41
 #log_facility=LOG_LOCAL0 # sets the facility used for logging (see syslog(3))
15 42
 
16
-/* Uncomment these lines to enter debugging mode 
17
-fork=no
18
-log_stderror=yes
19
-*/
20 43
 
21 44
 check_via=no    # (cmd. line: -v)
22 45
 dns=no          # (cmd. line: -r)
... ...
@@ -28,18 +51,25 @@ rev_dns=no      # (cmd. line: -R)
28 51
 #disable_core=yes #disables core dumping
29 52
 #open_fd_limit=1024 # sets the open file descriptors limit
30 53
 #mhomed=yes  # usefull for multihomed hosts, small performance penalty
31
-#disable_tcp=yes 
54
+#disable_tcp=yes
32 55
 #tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
33 56
 
57
+#!ifdef WITH_TLS
58
+enable_tls=yes
59
+#!endif
60
+
34 61
 #
35 62
 
36 63
 # ------------------ module loading ----------------------------------
37 64
 
38
-#loadpath "modules:modules_s"
65
+#!ifdef LOCAL_TEST_RUN
66
+loadpath "modules:modules_s"
67
+#!else
39 68
 loadpath "/usr/lib/sip-router/modules:/usr/lib/sip-router/modules_s"
69
+#!endif
40 70
 
41
-loadmodule "sl"
42 71
 loadmodule "tm"
72
+loadmodule "sl"
43 73
 loadmodule "rr"
44 74
 loadmodule "textops"
45 75
 loadmodule "maxfwd"
... ...
@@ -47,6 +77,9 @@ loadmodule "usrloc"
47 77
 loadmodule "registrar"
48 78
 loadmodule "ctl"
49 79
 loadmodule "cfg_rpc"
80
+#!ifdef WITH_TLS
81
+loadmodule "tls"
82
+#!endif
50 83
 
51 84
 # ----------------- setting module-specific parameters ---------------
52 85
 
... ...
@@ -61,11 +94,30 @@ modparam("rr", "enable_full_lr", 1)
61 94
 # ctl params
62 95
 # by default ctl listens on unixs:/tmp/sip-router_ctl if no other address is
63 96
 # specified in modparams; this is also the default for sercmd
64
-modparam("ctl", "binrpc", "unixs:/tmp/sip-router_ctl")
97
+modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
65 98
 # listen on the "standard" fifo for backward compatibility
66
-modparam("ctl", "fifo", "fifo:/tmp/sip-router_fifo")
99
+modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
67 100
 # listen on tcp, localhost
68
-#modparam("ctl", "binrpc", "tcp:localhost:2046")
101
+modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")
102
+
103
+#!ifdef WITH_TLS
104
+modparam("tls", "verify_certificate", 0)
105
+#!ifdef  LOCAL_TEST_RUN
106
+modparam("tls", "certificate", "./modules/tls/sip-router-selfsigned.pem")
107
+modparam("tls", "private_key", "./modules/tls/sip-router-selfsigned.key")
108
+#separate TLS config file
109
+#modparam("tls", "config", "./modules/tls/tls.cfg")
110
+#!else
111
+modparam("tls", "certificate", "ser-selfsigned.pem")
112
+modparam("tls", "private_key", "ser-selfsigned.key")
113
+#separate TLS config file
114
+#modparam("tls", "config", "tls.cfg")
115
+#!endif
116
+#!endif
117
+
118
+
119
+
120
+#!endif
69 121
 
70 122
 # -------------------------  request routing logic -------------------
71 123
 
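Review bot: The hunk at new lines 94–121 uncomments `modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")`, so the control interface now listens on a loopback TCP port by default, which the commit message does not mention; the other two config sections enable the same line (new lines 487 and 168). Unlike the unix socket, a TCP listener cannot be restricted by file permissions, so any local account or process that can reach 127.0.0.1 could send RPC commands unless the ctl module enforces something not visible here. I would leave the line commented out, or gate it behind a new define (for example `WITH_CTL_TCP`), and state the exposure in the comment above it. Separately, the `#!endif` added at new line 120 has no opener in the visible lines, since the WITH_TLS and LOCAL_TEST_RUN blocks opened at 103 and 105 are already closed at 115 and 116, and it looks like it should be removed.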
... ...
@@ -18,6 +18,10 @@
18 18
 # If you look for a simpler version with a lot less dependencies
19 19
 # please refer to the sip-router-basic.cfg file in your SER distribution.
20 20
 #
21
+# If you look for documentation, try http://sip-router.org/wiki/.
22
+# The right mailing lists for questions about this file is
23
+# <sr-users@lists.sip-router.org>.
24
+#
21 25
 # Requirements:
22 26
 # ---------------
23 27
 # running DB, running RTP proxy, one public IP address
... ...
@@ -32,6 +36,9 @@
32 36
 #    $ ser_ctl domain add DOMAINNAME
33 37
 #    $ ser_ctl user add USERNAME@DOMAINNAME -p PASSWORD
34 38
 #
39
+# (ser_ctl can be obtained from
40
+#   http://ftp.iptel.org/pub/serctl/daily-snapshots/ )
41
+#
35 42
 # If you want to have P-Asserted-ID header for your user
36 43
 #
37 44
 #    $ ser_attr add uid=UID asserted_id="PID"
... ...
@@ -45,7 +52,9 @@
45 52
 # Alternatively, you can simple uncomment the relevant line in this file
46 53
 # right at the beginning of the main route.
47 54
 #
48
-# You can also use serweb to set all the values above.
55
+# You can also use serweb to set all the values above
56
+# (http://ftp.iptel.org/pub/serweb/daily-snapshots/ or
57
+#  http://developer.berlios.de/projects/serweb).
49 58
 #
50 59
 # Users with permission to call PSTN using this script must have
51 60
 # the $gw_acl attribute set properly, and shall have $asserted_id
... ...
@@ -120,6 +129,31 @@
120 129
 #
121 130
 # .... that's it, enough of yadiyada, here the real config begins!
122 131
 
132
+# ----------- Global Defines / Extra Features -------------------------------
133
+# (can be enabled either by uncommenting the corresponding #!define 
134
+#  statement or by starting with -A WITH_<FEATURE_NAME>, e.g.
135
+#  ser -A WITH_TLS -f /etc/ser/ser-oob.cfg )
136
+
137
+# enable TLS
138
+##!define WITH_TLS
139
+
140
+#enable xmlrpc support
141
+##!define WITH_XMLRPC
142
+
143
+# xmlrpc allowed only if it comes on TLS from a client with a valid cert
144
+##!define XMLRPC_TLS_ONLY
145
+
146
+# xmlrpc allowed subnets (if defined XMLRPC requests with source ip matching
147
+# this network addresses will be allowed, if no XMLRPC_ALLOWED_SUBNETx is
148
+# defined only requests coming from localhost will be allowed).
149
+# E.g.: ser -A XMLRPC_ALLOW_NET1=192.168.1.0/24 -f ser-oob.cfg
150
+##!define XMLRPC_ALLOW_NET1  192.168.0.0/16
151
+##!define XMLRPC_ALLOW_NET2  10.0.0.0/255.0.0.0
152
+##!define XMLRPC_ALLOW_NET3  172.16.0.0/12
153
+
154
+
155
+# started from compile directory (not installed)
156
+##!define LOCAL_TEST_RUN
123 157
 
124 158
 # ----------- Global Configuration Parameters -------------------------------
125 159
 
... ...
@@ -163,7 +197,7 @@ listen=127.0.0.1
163 197
 #DEBCONF-LISTEN-END
164 198
 # sip.mcast.net for REGISTER replication 	 
165 199
 #DEBCONF-LISTEN_REPL-START 	 
166
-listen=224.0.1.75 	 
200
+listen=udp:224.0.1.75
167 201
 #DEBCONF-LISTEN_REPL-END
168 202
 # administrative interface -- needed for example for multicast source
169 203
 # or XML-RPC
... ...
@@ -199,8 +233,13 @@ dns_cache_gc_interval=60  # garbage collection every minute
199 233
 dns_try_naptr=yes
200 234
 dns_srv_lb=yes  # srv based load balancing
201 235
 dns_udp_pref=3  # prefer udp (when resolving naptr record)
202
-dns_tcp_pref=2  # if no udp availbale accept tcp (for naptr)
236
+dns_tcp_pref=2  # if no udp available accept tcp (for naptr)
237
+dns_sctp_pref=2 # same preference as tcp
238
+#!ifdef WITH_TLS
239
+dns_tls_pref=1  # low preference (heavy resource use)
240
+#!else
203 241
 dns_tls_pref=-1 # ignore / don't accept tls (for naptr)
242
+#!endif
204 243
 # dns_cache_delete_nonexpired=no
205 244
 
206 245
 # ------------------- Blacklist Parameters ----------------------------------
... ...
@@ -218,14 +257,14 @@ dst_blacklist_gc_interval=150 # 2.5 min
218 257
 tcp_connection_lifetime=3600
219 258
 #tcp_max_connections=10240  # default is 2048
220 259
 tcp_connect_timeout=1
260
+tcp_async=yes
221 261
 
222 262
 # ------------------- TLS Parameters ----------------------------------------
223 263
 
264
+#!ifdef WITH_TLS
224 265
 # Enable TLS hooks so that the TLS module can be used
225 266
 tls_enable=yes
226
-# This option is required if you want to use TLS as the TLS
227
-# module does not support the new async TCP mode yet
228
-tcp_async=no
267
+#!endif
229 268
 
230 269
 # -------------------- Custom Parameters ------------------------------------
231 270
 # These parameters can be modified runtime via RPC interface,
... ...
@@ -256,16 +295,18 @@ rtp_proxy.enabled = "detect" desc "indicates whether the RTP Proxy is enabled or
256 295
 #DEBCONF-RTP_ENABLE-END
257 296
 
258 297
 # ------------------ Module Loading -----------------------------------------
259
-
260
-#loadpath "modules:modules_s"
298
+#!ifdef LOCAL_TEST_RUN
299
+loadpath "modules:modules_s"
300
+#!else
261 301
 loadpath "/usr/lib/sip-router/modules:/usr/lib/sip-router/modules_s"
302
+#!endif
262 303
 
263 304
 # load a SQL database for authentication, domains, user AVPs etc.
264 305
 loadmodule "db_mysql"
265 306
 #loadmodule "postgres"
266 307
 
267
-loadmodule "sl"
268 308
 loadmodule "tm"
309
+loadmodule "sl"
269 310
 loadmodule "rr"
270 311
 loadmodule "maxfwd"
271 312
 loadmodule "usrloc"
... ...
@@ -281,7 +322,9 @@ loadmodule "uri_db"
281 322
 loadmodule "avp"
282 323
 loadmodule "avp_db"
283 324
 loadmodule "acc_db"
284
-#loadmodule "xmlrpc"
325
+#!ifdef WITH_XMLRPC
326
+loadmodule "xmlrpc"
327
+#!endif
285 328
 loadmodule "options"
286 329
 loadmodule "sanity"
287 330
 loadmodule "nathelper"
... ...
@@ -293,7 +336,9 @@ loadmodule "exec"
293 336
 loadmodule "cfg_rpc"
294 337
 loadmodule "eval"
295 338
 loadmodule "enum"
296
-#loadmodule "tls"
339
+#!ifdef WITH_TLS
340
+loadmodule "tls"
341
+#!endif
297 342
 
298 343
 # ----------------- Declaration of Script Flags -----------------------------
299 344
 flags
... ...
@@ -320,12 +365,12 @@ avpflags
320 365
 #
321 366
 #DEBCONF-DBURL-START
322 367
 modparam("speeddial|auth_db|usrloc|domain|uri_db|gflags|avp_db|db_ops",
323
-         "db_url", "mysql://sip-router:heslo@127.0.0.1/sip-router")
368
+         "db_url", "mysql://ser:heslo@127.0.0.1/ser")
324 369
 #DEBCONF-DBURL-END
325 370
 
326 371
 # specify the path to your database for accounting
327 372
 #DEBCONF-DBURLACC-START
328
-modparam("acc_db", "db_url", "mysql://sip-router:heslo@127.0.0.1/sip-router")
373
+modparam("acc_db", "db_url", "mysql://ser:heslo@127.0.0.1/ser")
329 374
 #DEBCONF-DBURLACC-END
330 375
 
331 376
 
... ...
@@ -435,11 +480,11 @@ modparam("domain", "load_domain_attrs", 1)
435 480
 
436 481
 # By default, ctl listens on unixs:/tmp/sip-router_ctl if no other address is
437 482
 # specified in modparams; this is also the default for sercmd.
438
-modparam("ctl", "binrpc", "unixs:/tmp/sip-router_ctl")
483
+modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
439 484
 # Listen on the "standard" fifo for backward compatibility.
440
-modparam("ctl", "fifo", "fifo:/tmp/sip-router_fifo")
485
+modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
441 486
 # Listen on tcp on localhost.
442
-#modparam("ctl", "binrpc", "tcp:localhost:2046")
487
+modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")
443 488
 
444 489
 
445 490
 # -- acc_db --
... ...
@@ -465,9 +510,11 @@ modparam("tm", "restart_fr_on_each_reply", 0)
465 510
 
466 511
 # -- xmlrpc --
467 512
 
513
+#!ifdef WITH_XMLRPC
468 514
 # Use a sub-route. This is a lot safer then relying on the request method
469 515
 # to distinguish HTTP from SIP
470
-#modparam("xmlrpc", "route", "RPC");
516
+modparam("xmlrpc", "route", "XMLRPC");
517
+#!endif
471 518
 
472 519
 
473 520
 # -- nathelper --
... ...
@@ -506,8 +553,14 @@ modparam("exec", "setvars", 0);
506 553
 modparam("timer", "declare_timer",
507 554
          "ON_1MIN_TIMER=ON_1MIN_TIMER,60000,slow,enable");
508 555
 
556
+#!ifdef WITH_TLS
509 557
 # -- tls --
510
-#modparam("tls", "config", "tls.cfg");
558
+#!ifdef LOCAL_TEST_RUN
559
+modparam("tls", "config", "./modules/tls/tls.cfg");
560
+#!else
561
+modparam("tls", "config", "tls.cfg");
562
+#!endif
563
+#!endif
511 564
 
512 565
 # -- db_ops --
513 566
 
... ...
@@ -1586,3 +1639,49 @@ route[ON_1MIN_TIMER] {
1586 1639
 	db_close("gattr_reload");
1587 1640
 }
1588 1641
 
1642
+
1643
+#!ifdef WITH_XMLRPC
1644
+# handle xmlrpcs
1645
+route[XMLRPC]{
1646
+	# accept xmlrpc requests only from localhost
1647
+	if (src_ip!=127.0.0.1
1648
+	#!ifdef XMLRPC_ALLOW_NET1
1649
+		&& src_ip != XMLRPC_ALLOW_NET1
1650
+	#!endif
1651
+	#!ifdef XMLRPC_ALLOW_NET2
1652
+		&& src_ip != XMLRPC_ALLOW_NET2
1653
+	#!endif
1654
+	#!ifdef XMLRPC_ALLOW_NET3
1655
+		&& src_ip != XMLRPC_ALLOW_NET3
1656
+	#!endif
1657
+		) {
1658
+		xmlrpc_reply("400", "xmlrpc not allowed from this address");
1659
+		return;
1660
+	}
1661
+	if (method!="POST" && method!="GET") {
1662
+		xmlrpc_reply("400", "unsupported HTTP method");
1663
+		return;
1664
+	}
1665
+	if (msg:len >= 8192) {
1666
+		xmlrpc_reply("513", "request too big");
1667
+		return;
1668
+	}
1669
+#!ifdef XMLRPC_TLS_ONLY
1670
+	# allow xmlrpc only on TLS and only if the client certificate is valid
1671
+	if (proto!=TLS){
1672
+		xmlrpc_reply("400", "xmlrpc allowed only over TLS");
1673
+		return;
1674
+	}
1675
+	if (@tls.peer.verified!=""){
1676
+		xmlrpc_reply("400", "Unauthorized");
1677
+		return;
1678
+	}
1679
+#!endif
1680
+
1681
+	# close connection only for xmlrpclib user agents (there is a bug in
1682
+	# xmlrpclib: it waits for EOF before interpreting the response).
1683
+	if (search("^User-Agent:.*xmlrpclib"))
1684
+		set_reply_close();
1685
+	set_reply_no_connect(); # optional
1686
+	dispatch_rpc();
1687
+}
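Review bot: `XMLRPC_TLS_ONLY` in route[XMLRPC] (new lines 1669–1679) only protects anything when the tls module is loaded and really verifies client certificates, yet nothing ties it to `WITH_TLS`, and the verification settings live in tls.cfg, which this page does not show. I would document the dependency next to the define, e.g. `# requires WITH_TLS and a tls.cfg that requests and verifies client certificates`. The test `@tls.peer.verified!=""` rejects the request when the select is non-empty; whether an empty value means "verified" cannot be confirmed from the hunk, so it should be checked against the tls module's select documentation and the route should carry a comment saying which value denotes a verified peer. The feature comments (new lines 146–148, repeated in the third file at 46–48) refer to `XMLRPC_ALLOWED_SUBNETx` while the defines are `XMLRPC_ALLOW_NETx`, and the route's first comment still says "only from localhost" although the configured networks are admitted too.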
... ...
@@ -1,7 +1,9 @@
1 1
 #
2 2
 # $Id$
3 3
 #
4
-
4
+# Example configuration file (simpler then ser-oob.cfg, but more
5
+# complex then ser-basic.cfg).
6
+#
5 7
 # First start SER sample config script with:
6 8
 #   database, accounting, authentication, multi-domain support
7 9
 #   PSTN GW section, named flags, named routes, global-,
... ...
@@ -11,17 +13,45 @@
11 13
 #
12 14
 # If you look for a simpler version with a lot less dependencies
13 15
 # please refer to the ser-basic.cfg file in your SER distribution.
16
+#
17
+# If you look for documentation, try http://sip-router.org/wiki/.
18
+# The right mailing lists for questions about this file is
19
+# <sr-users@lists.sip-router.org>.
14 20
 
15 21
 # To get this config running you need to execute the following commands
16 22
 # with the new serctl (the capital word are just place holders)
17 23
 # - ser_ctl domain add DOMAINNAME
18 24
 # - ser_ctl user add USERNAME@DOMAINNAME -p PASSWORD
25
+# ser_ctl can be obtained from
26
+# http://ftp.iptel.org/pub/serctl/daily-snapshots/.
27
+#
19 28
 # If you want to have PID header for your user
20 29
 # - ser_attr add uid=UID asserted_id="PID"
21 30
 # If you want to have gateway support
22 31
 # - ser_db add attr_types name=gw_ip rich_type=string raw_type=2 description="The gateway IP for the default ser.cfg" default_flags=33
23 32
 # - ser_attr add global gw_ip=GATEWAY-IP
24 33
 
34
+
35
+# ----------- Global Defines / Extra Features -------------------------------
36
+# (can be enabled either by uncommenting the corresponding #!define 
37
+#  statement or by starting with -A WITH_<FEATURE_NAME>, e.g.
38
+#  ser -A WITH_TLS -f /etc/ser/ser-oob.cfg )
39
+
40
+# enable TLS
41
+##!define WITH_TLS
42
+
43
+# started from compile directory (not installed)
44
+##!define LOCAL_TEST_RUN
45
+
46
+# xmlrpc allowed subnets (if defined XMLRPC requests with source ip matching
47
+# this network addresses will be allowed, if no XMLRPC_ALLOWED_SUBNETx is
48
+# defined only requests coming from localhost will be allowed).
49
+# E.g.: ser -A XMLRPC_ALLOW_NET1=192.168.1.0/24 -f ser-oob.cfg
50
+##!define XMLRPC_ALLOW_NET1  192.168.0.0/16
51
+##!define XMLRPC_ALLOW_NET2  10.0.0.0/255.0.0.0
52
+##!define XMLRPC_ALLOW_NET3  172.16.0.0/12
53
+
54
+
25 55
 # ----------- global configuration parameters ------------------------
26 56
 
27 57
 debug=2         # debug level (cmd line: -dddddddddd)
... ...
@@ -46,20 +76,25 @@ rev_dns=no      # (cmd. line: -R)
46 76
 #mhomed=yes  # usefull for multihomed hosts, small performance penalty
47 77
 #disable_tcp=yes 
48 78
 #tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
79
+#!ifdef WITH_TLS
49 80
 enable_tls=yes
81
+#!endif
50 82
 
51 83
 #
52 84
 
53 85
 # ------------------ module loading ----------------------------------
54 86
 
55
-#loadpath "modules:modules_s"
87
+#!ifdef LOCAL_TEST_RUN
88
+loadpath "modules:modules_s"
89
+#!else
56 90
 loadpath "/usr/lib/ser/modules:/usr/lib/ser/modules_s"
91
+#!endif
57 92
 
58 93
 # load a SQL database for authentication, domains, user AVPs etc.
59 94
 loadmodule "db_mysql"
60 95
 
61
-loadmodule "sl"
62 96
 loadmodule "tm"
97
+loadmodule "sl"
63 98
 loadmodule "rr"
64 99
 loadmodule "maxfwd"
65 100
 loadmodule "usrloc"
... ...
@@ -77,7 +112,9 @@ loadmodule "avp"
77 112
 loadmodule "avp_db"
78 113
 loadmodule "acc_db"
79 114
 loadmodule "xmlrpc"
80
-#loadmodule "tls"
115
+#!ifdef WITH_TLS
116
+loadmodule "tls"
117
+#!endif
81 118
 
82 119
 # ----------------- setting script FLAGS -----------------------------
83 120
 flags
... ...
@@ -128,7 +165,7 @@ modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
128 165
 # listen on the "standard" fifo for backward compatibility
129 166
 modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
130 167
 # listen on tcp, localhost
131
-#modparam("ctl", "binrpc", "tcp:localhost:2046")
168
+modparam("ctl", "binrpc", "tcp:127.0.0.1:2046")
132 169
 
133 170
 # -- acc_db params --
134 171
 # failed transactions (=negative responses) should be logged to
... ...
@@ -142,6 +179,22 @@ modparam("acc_db", "log_flag", "FLAG_ACC")
142 179
 # restarts the resend timer (see INBOUND route below)
143 180
 #modparam("tm", "restart_fr_on_each_reply", "0")
144 181
 
182
+#!ifdef WITH_TLS
183
+# -- tls params --
184
+modparam("tls", "verify_certificate", 0)
185
+#!ifdef  LOCAL_TEST_RUN
186
+modparam("tls", "certificate", "./modules/tls/sip-router-selfsigned.pem")
187
+modparam("tls", "private_key", "./modules/tls/sip-router-selfsigned.key")
188
+#separate TLS config file
189
+#modparam("tls", "config", "./modules/tls/tls.cfg")
190
+#!else
191
+modparam("tls", "certificate", "ser-selfsigned.pem")
192
+modparam("tls", "private_key", "ser-selfsigned.key")
193
+#separate TLS config file
194
+#modparam("tls", "config", "tls.cfg")
195
+#!endif
196
+
197
+
145 198
 # -- xmlrpc params --
146 199
 # using a sub-route from the module is a lot safer then relying on the
147 200
 # request method to distinguish HTTP from SIP
... ...
@@ -244,13 +297,28 @@ route[RPC]
244 297
 {
245 298
 	# allow XMLRPC from localhost
246 299
 	if ((method=="POST" || method=="GET") &&
247
-		src_ip==127.0.0.1) {
300
+		(src_ip==127.0.0.1
301
+	#!ifdef XMLRPC_ALLOW_NET1
302
+		|| src_ip == XMLRPC_ALLOW_NET1
303
+	#!endif
304
+	#!ifdef XMLRPC_ALLOW_NET2
305
+		|| src_ip == XMLRPC_ALLOW_NET2
306
+	#!endif
307
+	#!ifdef XMLRPC_ALLOW_NET3
308
+		|| src_ip == XMLRPC_ALLOW_NET3
309
+	#!endif
310
+		)) {
248 311
 
249 312
 		if (msg:len >= 8192) {
250 313
 			sl_reply("513", "Request to big");
251 314
 			drop;
252 315
 		}
253 316
 
317
+		# close connection only for xmlrpclib user agents (there is a bug in
318
+		# xmlrpclib: it waits for EOF before interpreting the response).
319
+		if (search("^User-Agent:.*xmlrpclib"))
320
+			set_reply_close();
321
+		set_reply_no_connect(); # optional
254 322
 		# lets see if a module wants to answer this
255 323
 		dispatch_rpc();
256 324
 		drop;
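Review bot: The `#!ifdef WITH_TLS` opened at new line 182 is not closed inside its hunk: the only `#!endif` added (line 195) closes the inner LOCAL_TEST_RUN block, so with WITH_TLS undefined the xmlrpc params that follow would presumably be skipped or the file would fail to parse. A second `#!endif` after line 195 looks intended; the basic config's hunk carries a spare one at its new line 120. In the same block `modparam("tls", "verify_certificate", 0)` (also in the basic config, new line 104) switches peer certificate verification off alongside the self-signed sample certificate, which is acceptable for a test run but deserves a comment such as `# sample setup only: peer certificates are NOT verified; set to 1 with a real CA`.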