oversip 0.9.0

data/lib/oversip/syslogger_process.rb

@@ -0,0 +1,119 @@
+# Ruby built-in libraries.
+
+require "syslog"
+
+
+# Ruby external gems.
+
+gem "eventmachine-le", ">= 1.1.0"
+require "eventmachine-le"
+
+gem "em-posixmq", ">= 0.2.3"
+require "em-posixmq"
+
+# OverSIP libraries.
+# (not required to be loaded as needed ones have been already
+# loaded before forking).
+
+
+
+module OverSIP
+
+  module SysLoggerProcess
+
+    SYSLOG_FACILITY_MAPPING = {
+      "kern"    => Syslog::LOG_KERN,
+      "user"    => Syslog::LOG_USER,
+      "daemon"  => Syslog::LOG_DAEMON,
+      "local0"  => Syslog::LOG_LOCAL0,
+      "local1"  => Syslog::LOG_LOCAL1,
+      "local2"  => Syslog::LOG_LOCAL2,
+      "local3"  => Syslog::LOG_LOCAL3,
+      "local4"  => Syslog::LOG_LOCAL4,
+      "local5"  => Syslog::LOG_LOCAL5,
+      "local6"  => Syslog::LOG_LOCAL6,
+      "local7"  => Syslog::LOG_LOCAL7
+    }
+
+    class SysLoggerWatcher < ::EM::PosixMQ::Watcher
+
+      def receive_message string, priority
+        level = string.getbyte 0
+        msg   = string[1..-1].gsub(/%/,"%%").gsub(/\x00/,"")
+
+        case level
+        when 48  # "0" =>DEBUG
+          ::Syslog.debug sprintf("%7s %s", "DEBUG:", msg)
+        when 49  # "1" => INFO
+          ::Syslog.info sprintf("%7s %s", "INFO:", msg)
+        when 50  # "2" => NOTICE
+          ::Syslog.notice sprintf("%7s %s", "NOTICE:", msg)
+        when 51  # "3" => WARN
+          ::Syslog.warning sprintf("%7s %s", "WARN:", msg)
+        when 52  # "4" => ERR
+          ::Syslog.err sprintf("%7s %s", "ERROR:", msg)
+        when 53  # "5" => CRIT
+          ::Syslog.crit sprintf("%7s %s", "CRIT:", msg)
+        when 54  # "6" => ALERT
+          ::Syslog.alert sprintf("%7s %s", "ALERT:", msg)
+        when 55  # "7" => EMERG
+          ::Syslog.emerg sprintf("%7s %s", "EMERG:", msg)
+        else  # Shouldn't occur.
+          ::Syslog.err sprintf("%7s %s", "UNKNOWN:", msg)
+        end
+      end
+
+    end  # class SysLoggerWatcher
+
+    def self.run options={}
+      $0 = ::OverSIP.master_name + "_syslogger"
+
+      syslog_options = ::Syslog::LOG_PID | ::Syslog::LOG_NDELAY
+      syslog_facility = SYSLOG_FACILITY_MAPPING[::OverSIP.configuration[:core][:syslog_facility]]
+      ::Syslog.open(::OverSIP.master_name, syslog_options, syslog_facility)
+
+      ppid = ::Process.ppid
+
+      at_exit do
+        ::Syslog.notice sprintf("%7s %s", "INFO:", "<syslogger> syslogger process terminated")
+        exit!
+      end
+
+      EM.run do
+        begin
+          syslogger_mq = ::POSIX_MQ.new ::OverSIP.syslogger_mq_name, ::IO::RDONLY | ::IO::NONBLOCK
+          ::EM::PosixMQ.run syslogger_mq, SysLoggerWatcher
+
+          # Change process permissions if requested.
+          ::OverSIP::Launcher.set_user_group(options[:user], options[:group])
+
+        rescue => e
+          ::Syslog.crit sprintf("%7s %s", "CRIT:", "<syslogger> #{e.class}: #{e}")
+          ::Syslog.crit sprintf("%7s %s", "CRIT:", "<syslogger> syslogger process terminated")
+          exit! 1
+        end
+
+        # Periodically check that master process remains alive and
+        # die otherwise.
+        ::EM.add_periodic_timer(1) do
+          if ::Process.ppid != ppid
+            # Wait 0.5 seconds. Maybe the master process has been killed properly and just now
+            # it's sending us the QUIT signal.
+            ::EM.add_timer(0.5) do
+              ::Syslog.crit sprintf("%7s %s", "CRIT:", "<syslogger> master process died, syslogger process terminated")
+              exit! 1
+            end
+          end
+        end
+
+        ::EM.error_handler do |e|
+          ::Syslog.crit sprintf("%7s %s", "CRIT:", "<syslogger> error raised during event loop and rescued by EM.error_handler: #{e.message} (#{e.class})\n#{(e.backtrace || [])[0..3].join("\n")}")
+        end
+
+        ::Syslog.info sprintf("%7s %s", "INFO:", "<syslogger> syslogger process (PID #{$$}) ready")
+      end
+    end
+
+  end  # module SysLoggerProcess
+
+end

data/lib/oversip/tls.rb

@@ -0,0 +1,179 @@
+module OverSIP
+
+  module TLS
+
+    extend ::OverSIP::Logger
+
+    TLS_PEM_CHAIN_REGEXP = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m
+
+
+    def self.log_id
+      @log_id ||= "TLS"
+    end
+
+
+    def self.module_init
+      configuration = ::OverSIP.configuration
+      if configuration[:tls][:public_cert] and configuration[:tls][:private_cert]
+        log_system_info "TLS enabled"
+
+        ::OverSIP.tls = true
+        ::OverSIP.tls_public_cert = configuration[:tls][:public_cert]
+        ::OverSIP.tls_private_cert = configuration[:tls][:private_cert]
+
+        if (::OverSIP.tls_proxy_ipv4 = configuration[:tls][:tls_proxy_ipv4])
+          log_system_info "TLS proxy enabled from IPv4 #{::OverSIP.tls_proxy_ipv4}"
+        end
+        if (::OverSIP.tls_proxy_ipv6 = configuration[:tls][:tls_proxy_ipv6])
+          log_system_info "TLS proxy enabled from IPv6 #{::OverSIP.tls_proxy_ipv6}"
+        end
+
+      else
+        log_system_info "TLS dissabled"
+        return
+      end
+
+      if (ca_dir = configuration[:tls][:ca_dir])
+        @store = ::OpenSSL::X509::Store.new
+        num_certs_added = 0
+
+        ::Dir.chdir ca_dir
+        ca_files = ::Dir["*"]
+        ca_files.select! { |ca_file| ::File.file?(ca_file) and ::File.readable?(ca_file) }
+        ca_files.each do |ca_file|
+          log_system_info "inspecting CA file '#{ca_file}'..."
+
+          ca_file_content = ::File.read(ca_file)
+          unless ca_file_content.valid_encoding?
+            log_system_error "ignoring '#{ca_file}', invalid symbols found"
+            next
+          end
+
+          pems = ca_file_content.scan(TLS_PEM_CHAIN_REGEXP).flatten
+          num_pems = pems.size
+
+          if num_pems == 0
+            log_system_warn "'#{ca_file}': no public certificates found"
+            next
+          end
+          log_system_info "'#{ca_file}': #{num_pems} public certificates found"
+
+          now = ::Time.now
+          certs = []
+          pems.each do |pem|
+            begin
+              certs << ::OpenSSL::X509::Certificate.new(pem)
+            rescue => e
+              log_system_error "ignoring invalid X509 certificate: #{e.message} (#{e.class})"
+              num_pems -= 1
+            end
+          end
+
+          certs.reject! { |cert| cert.not_after < now }
+          if certs.size != num_pems
+            log_system_info "'#{ca_file}': ignoring #{num_pems - certs.size} expired certificates"
+          end
+
+          certs.each do |cert|
+            begin
+              @store.add_cert cert
+              num_certs_added += 1
+            # This occurs when a certificate is repeated.
+            rescue ::OpenSSL::X509::StoreError => e
+              log_system_warn "'#{ca_file}': ignoring certificate: #{e.message} (#{e.class})"
+            end
+          end
+        end
+
+        if num_certs_added == 0
+          log_system_notice "zero public certificates found in '#{ca_dir}' directory, dissabling TLS validation"
+          @store = nil
+        end
+        log_system_info "#{num_certs_added} public certificates available for TLS validation"
+      end
+
+    end  # def self.module_init
+
+
+    # Return an array with the result of the TLS certificate validation as follows:
+    #   validated, cert, tls_error, tls_error_string
+    # where:
+    # - validated: true if the given certificate(s) have been validated, false otherwise
+    #              and nil if no certificate is provided by peer or no CA's were configured
+    #              for TLS validation.
+    # - cert:      the ::OpenSSL::X509::Certificate instance of the first PEM provided by
+    #              the peer, nil otherwise.
+    # - tls_error: OpenSSL validation error code (Fixnum) in case of validation error.
+    # - tls_error_string: OpenSSL validation error string in case of validation error.
+    def self.validate pem, intermediate_pems=nil
+      return nil, nil, nil, "no CAs provided, validation dissabled"  unless @store
+      return nil, nil, nil, "no certificate provided by peer"  unless pem
+
+      begin
+        cert = ::OpenSSL::X509::Certificate.new pem
+
+        if intermediate_pems and intermediate_pems.any?
+          intermediate_certs = []
+          intermediate_pems.each do |pem|
+            intermediate_certs << ::OpenSSL::X509::Certificate.new(pem)
+          end
+        else
+          intermediate_certs = nil
+        end
+
+        if @store.verify cert, intermediate_certs
+          return true, cert
+        else
+          return false, cert, @store.error, @store.error_string
+        end
+
+      rescue => e
+        log_system_error "exception validating a certificate: #{e.class}: #{e.message}"
+        return false, nil, e.class, e.message
+      end
+    end  # def self.validate
+
+
+    def self.get_sip_identities cert
+      verify_subjectAltName_DNS = true
+      verify_CN = true
+      subjectAltName_URI_sip_entries = []
+      subjectAltName_DNS_entries = []
+      sip_identities = {}
+
+      cert.extensions.each do |ext|
+        next if ext.oid != "subjectAltName"
+        verify_CN = false
+
+        ext.value.split(/,\s+/).each do |name|
+          if /^URI:sip:([^@]*)/i =~ name
+            verify_subjectAltName_DNS = false
+            subjectAltName_URI_sip_entries << $1.downcase
+          elsif verify_subjectAltName_DNS && /^DNS:(.*)/i =~ name
+            subjectAltName_DNS_entries << $1.downcase
+          end
+        end
+      end
+
+      unless verify_CN
+        unless verify_subjectAltName_DNS
+          subjectAltName_URI_sip_entries.each {|domain| sip_identities[domain] = true}
+        else
+          subjectAltName_DNS_entries.each {|domain| sip_identities[domain] = true}
+        end
+
+      else
+        cert.subject.to_a.each do |oid, value|
+          if oid == "CN"
+            sip_identities[value.downcase] = true
+            break
+          end
+        end
+      end
+
+      return sip_identities
+    end
+
+  end
+
+end

data/lib/oversip/utils.rb

@@ -0,0 +1,25 @@
+module OverSIP
+
+  module Utils
+
+    # It ensures that two identical byte secuences are matched regardless
+    # they have different encoding.
+    # For example in Ruby the following returns false:
+    #   "iñaki".force_encoding(::Encoding::BINARY) == "iñaki"
+    def self.string_compare string1, string2
+      string1.force_encoding(::Encoding::BINARY) == string2.force_encoding(::Encoding::BINARY)
+    end
+
+    # This avoid "invalid byte sequence in UTF-8" when the directly doing:
+    #   string =~ /EXPRESSION/
+    # and string has invalid UTF-8 bytes secuence.
+    # NOTE: expression argument must be a Regexp expression (with / symbols at the
+    # begining and at the end).
+    def self.regexp_compare string, expression
+      return false  unless string && string.valid_encoding?
+      string.force_encoding(::Encoding::BINARY) =~ expression
+    end
+
+  end
+
+end

data/lib/oversip/version.rb

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+
+module OverSIP
+
+  module Version
+    MAJOR = 0
+    MINOR = 9
+    TINY  = 0
+  end
+
+  PROGRAM_NAME     = "OverSIP"
+  PROGRAM_NAME_LOW = PROGRAM_NAME.downcase
+  PROGRAM_DESC     = "OverSIP Server"
+  VERSION = [Version::MAJOR, Version::MINOR, Version::TINY].join('.')
+  AUTHOR = "Iñaki Baz Castillo"
+  AUTHOR_EMAIL = "ibc@aliax.net"
+  DESCRIPTION = "#{PROGRAM_NAME} #{VERSION}\n2012, #{AUTHOR} <#{AUTHOR_EMAIL}>"
+
+  module GemVersion
+    VERSION = ::OverSIP::VERSION
+  end
+
+end

data/lib/oversip/websocket/constants.rb

@@ -0,0 +1,56 @@
+module OverSIP::WebSocket
+
+  CRLF = "\r\n"
+
+  REASON_PHARSE = {
+    100 => "Continue",
+    101 => "Switching Protocols",
+    200 => "OK",
+    201 => "Created",
+    202 => "Accepted",
+    203 => "Non-Authoritative Information",
+    204 => "No Content",
+    205 => "Reset Content",
+    206 => "Partial Content",
+    300 => "Multiple Choices",
+    301 => "Moved Permanently",
+    302 => "Found",
+    303 => "See Other",
+    304 => "Not Modified",
+    305 => "Use Proxy",
+    307 => "Temporary Redirect",
+    400 => "Bad Request",
+    401 => "Unauthorized",
+    402 => "Payment Required",
+    403 => "Forbidden",
+    404 => "Not Found",
+    405 => "Method Not Allowed",
+    406 => "Not Acceptable",
+    407 => "Proxy Authentication Required",
+    408 => "Request Timeout",
+    409 => "Conflict",
+    410 => "Gone",
+    411 => "Length Required",
+    412 => "Precondition Failed",
+    413 => "Request Entity Too Large",
+    414 => "Request-URI Too Long",
+    415 => "Unsupported Media Type",
+    416 => "Requested Range Not Satisfiable",
+    417 => "Expectation Failed",
+    426 => "Upgrade Required",  # RFC 2817
+    500 => "Server Internal Error",
+    501 => "Not Implemented",
+    502 => "Bad Gateway",
+    503 => "Service Unavailable",
+    504 => "Gateway Time-out",
+    505 => "HTTP Version Not Supported"
+  }
+
+  REASON_PHARSE_NOT_SET = "Reason Phrase Not Set"
+
+  HDR_SERVER = "Server: #{::OverSIP::PROGRAM_DESC}/#{::OverSIP::VERSION}"
+
+  WS_SIP_PROTOCOL = "sip"
+  WS_AUTOBAHN_PROTOCOL = "autobahn"
+
+end

data/lib/oversip/websocket/default_policy.rb

@@ -0,0 +1,19 @@
+module OverSIP::WebSocket
+
+  module DefaultPolicy
+
+    def check_hostport host=nil, port=nil
+      true
+    end
+
+    def check_origin origin=nil
+      true
+    end
+
+    def check_request_uri path=nil, query=nil
+      true
+    end
+
+  end
+
+end

data/lib/oversip/websocket/http_request.rb

@@ -0,0 +1,63 @@
+module OverSIP::WebSocket
+
+  class HttpRequest < ::Hash
+
+    include ::OverSIP::Logger
+
+    # HTTP related attributes.
+    attr_accessor :transport
+    attr_accessor :source_ip
+    attr_accessor :source_ip_type
+    attr_accessor :source_port
+    attr_accessor :connection
+
+    # HTTP request attributes.
+    attr_reader :http_method
+    attr_reader :http_version
+    attr_reader :uri_scheme
+    attr_reader :uri
+    attr_reader :uri_path
+    attr_reader :uri_query
+    attr_reader :uri_fragment
+    attr_reader :host
+    attr_reader :port
+    attr_reader :content_length
+    attr_reader :hdr_connection
+    attr_reader :hdr_upgrade
+    attr_reader :hdr_origin
+    attr_reader :hdr_sec_websocket_version
+    attr_reader :hdr_sec_websocket_key
+    attr_reader :hdr_sec_websocket_protocol
+
+
+    def log_id
+      @log_id ||= "HTTP Request #{@connection.connection_log_id}"
+    end
+
+    def unknown_method?  ;  @is_unknown_method  end
+
+
+    def reply status_code, reason_phrase=nil, extra_headers={}
+      reason_phrase ||= REASON_PHARSE[status_code] || REASON_PHARSE_NOT_SET
+      extra_headers ||= {}
+
+      response = "#{@http_version} #{status_code} #{reason_phrase}\r\n"
+
+      extra_headers.each {|header| response << header << "\r\n"}
+
+      response << HDR_SERVER << "\r\n\r\n"
+
+      log_system_debug "replying #{status_code} \"#{reason_phrase}\""  if $oversip_debug
+
+      if @connection.error?
+        log_system_warn "cannot send response, TCP connection is closed"
+        return false
+      end
+
+      @connection.send_data response
+      return true
+    end
+
+  end  # class HttpRequest
+
+end

data/lib/oversip/websocket/launcher.rb

@@ -0,0 +1,207 @@
+module OverSIP::WebSocket
+
+  module Launcher
+
+    extend OverSIP::Logger
+
+    IP_TYPE = {
+      :ipv4 => "IPv4",
+      :ipv6 => "IPv6"
+    }
+
+
+    def self.log_id
+      @log_id ||= "WebSocket launcher"
+    end
+
+
+    def self.run enabled, ip_type, ip, port, transport, ws_protocol, virtual_ip=nil, virtual_port=nil
+      uri_ip = case ip_type
+        when :ipv4 ; ip
+        when :ipv6 ; "[#{ip}]"
+        end
+
+      if virtual_ip
+        uri_virtual_ip = case ip_type
+          when :ipv4 ; virtual_ip
+          when :ipv6 ; "[#{virtual_ip}]"
+          end
+      end
+
+      klass = case transport
+        when :tcp
+          case ip_type
+            when :ipv4 ; OverSIP::WebSocket::IPv4TcpServer
+            when :ipv6 ; OverSIP::WebSocket::IPv6TcpServer
+            end
+        when :tls
+          case ip_type
+            when :ipv4 ; OverSIP::WebSocket::IPv4TlsServer
+            when :ipv6 ; OverSIP::WebSocket::IPv6TlsServer
+            end
+        when :tls_tunnel
+          case ip_type
+            when :ipv4 ; OverSIP::WebSocket::IPv4TlsTunnelServer
+            when :ipv6 ; OverSIP::WebSocket::IPv6TlsTunnelServer
+            end
+        end
+
+      case ws_protocol
+
+      when OverSIP::WebSocket::WS_SIP_PROTOCOL
+
+        ws_app_klass = case transport
+          when :tcp
+            case ip_type
+              when :ipv4 ; OverSIP::WebSocket::IPv4WsSipApp
+              when :ipv6 ; OverSIP::WebSocket::IPv6WsSipApp
+              end
+          when :tls, :tls_tunnel
+            case ip_type
+              when :ipv4 ; OverSIP::WebSocket::IPv4WssSipApp
+              when :ipv6 ; OverSIP::WebSocket::IPv6WssSipApp
+              end
+          end
+
+        ws_app_klass.ip = virtual_ip || ip
+        ws_app_klass.port = virtual_port || port
+
+        case
+
+          when klass == OverSIP::WebSocket::IPv4TcpServer
+            ws_app_klass.via_core = "SIP/2.0/WS #{uri_ip}:#{port}"
+            ws_app_klass.record_route = "<sip:#{uri_ip}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_record_route_fragment = "@#{uri_ip}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_path_fragment = "@#{uri_ip}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid};ob>"
+
+            if enabled
+              EM.start_server(ip, port, klass) do |conn|
+                conn.ws_protocol = ws_protocol
+                conn.ws_app_klass = ws_app_klass
+                conn.post_connection
+                conn.set_comm_inactivity_timeout 3600  # TODO
+              end
+            end
+
+          when klass == OverSIP::WebSocket::IPv6TcpServer
+            ws_app_klass.via_core = "SIP/2.0/WS #{uri_ip}:#{port}"
+            ws_app_klass.record_route = "<sip:#{uri_ip}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_record_route_fragment = "@#{uri_ip}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_path_fragment = "@#{uri_ip}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid};ob>"
+
+            if enabled
+              EM.start_server(ip, port, klass) do |conn|
+                conn.ws_protocol = ws_protocol
+                conn.ws_app_klass = ws_app_klass
+                conn.post_connection
+                conn.set_comm_inactivity_timeout 3600  # TODO
+              end
+            end
+
+          when klass == OverSIP::WebSocket::IPv4TlsServer
+            ws_app_klass.via_core = "SIP/2.0/WSS #{uri_ip}:#{port}"
+            rr_host = ::OverSIP.configuration[:sip][:record_route_hostname_tls_ipv4] || uri_ip
+            ws_app_klass.record_route = "<sip:#{rr_host}:#{port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_record_route_fragment = "@#{rr_host}:#{port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_path_fragment = "@#{rr_host}:#{port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid};ob>"
+
+            if enabled
+              EM.start_server(ip, port, klass) do |conn|
+                conn.ws_protocol = ws_protocol
+                conn.ws_app_klass = ws_app_klass
+                conn.post_connection
+                conn.set_comm_inactivity_timeout 3600  # TODO
+              end
+            end
+
+          when klass == OverSIP::WebSocket::IPv6TlsServer
+            ws_app_klass.via_core = "SIP/2.0/WSS #{uri_ip}:#{port}"
+            rr_host = ::OverSIP.configuration[:sip][:record_route_hostname_tls_ipv6] || uri_ip
+            ws_app_klass.record_route = "<sips:#{rr_host}:#{port};transport=ws;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_record_route_fragment = "@#{rr_host}:#{port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_path_fragment = "@#{rr_host}:#{port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid};ob>"
+
+            if enabled
+              EM.start_server(ip, port, klass) do |conn|
+                conn.ws_protocol = ws_protocol
+                conn.ws_app_klass = ws_app_klass
+                conn.post_connection
+                conn.set_comm_inactivity_timeout 3600  # TODO
+              end
+            end
+
+          when klass == OverSIP::WebSocket::IPv4TlsTunnelServer
+            ws_app_klass.via_core = "SIP/2.0/WSS #{uri_virtual_ip}:#{virtual_port}"
+            rr_host = ::OverSIP.configuration[:sip][:record_route_hostname_tls_ipv4] || uri_virtual_ip
+            ws_app_klass.record_route = "<sip:#{rr_host}:#{virtual_port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_record_route_fragment = "@#{rr_host}:#{virtual_port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_path_fragment = "@#{rr_host}:#{virtual_port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid};ob>"
+
+            if enabled
+              EM.start_server(ip, port, klass) do |conn|
+                conn.ws_protocol = ws_protocol
+                conn.ws_app_klass = ws_app_klass
+                conn.post_connection
+                conn.set_comm_inactivity_timeout 3600  # TODO
+              end
+            end
+
+          when klass == OverSIP::WebSocket::IPv6TlsTunnelServer
+            ws_app_klass.via_core = "SIP/2.0/WSS #{uri_virtual_ip}:#{virtual_port}"
+            rr_host = ::OverSIP.configuration[:sip][:record_route_hostname_tls_ipv6] || uri_virtual_ip
+            ws_app_klass.record_route = "<sip:#{rr_host}:#{virtual_port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_record_route_fragment = "@#{rr_host}:#{virtual_port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid}>"
+            ws_app_klass.outbound_path_fragment = "@#{rr_host}:#{virtual_port};transport=wss;lr;ovid=#{OverSIP::SIP::Tags.value_for_route_ovid};ob>"
+
+            if enabled
+              EM.start_server(ip, port, klass) do |conn|
+                conn.ws_protocol = ws_protocol
+                conn.ws_app_klass = ws_app_klass
+                conn.post_connection
+                conn.set_comm_inactivity_timeout 3600  # TODO
+              end
+            end
+
+          end  # case
+
+
+      when OverSIP::WebSocket::WS_AUTOBAHN_PROTOCOL
+
+        ws_app_klass = case transport
+          when :tcp
+            case ip_type
+              when :ipv4 ; OverSIP::WebSocket::WsAutobahnApp
+              end
+          when :tls
+            case ip_type
+              when :ipv4 ; OverSIP::WebSocket::WsAutobahnApp
+              end
+          end
+
+        EM.start_server(ip, port, klass) do |conn|
+          conn.ws_protocol = ws_protocol
+          conn.ws_app_klass = ws_app_klass
+          conn.post_connection
+          conn.set_comm_inactivity_timeout 60
+        end
+
+
+      else
+        fatal "unknown WebSocket protocol: #{ws_protocol}"
+
+      end  # case
+
+      transport_str = case transport
+        when :tls_tunnel ; "TLS-Tunnel"
+        else             ; transport.to_s.upcase
+        end
+
+      if enabled
+        log_system_info "WebSocket #{transport_str} server listening on #{IP_TYPE[ip_type]} #{uri_ip}:#{port} provides '#{ws_protocol}' WS subprotocol"
+      end
+
+    end  # def self.run
+
+  end
+
+end