Example configurations

These minimal configurations should get you to a working Flexisip instance.

Minimal registrar with authentication

This configuration will query a local file for authenticating the REGISTER messages. The registrar DB is stored in memory, so a reboot of Flexisip will lose the registered sessions (for reliability, use the Redis registrarDB).

[global]
debug=false
aliases=sip.example.org

[module::Registrar]
enabled=true
reg-domains=sip.example.org
db-implementation=internal

[module::Authentication]
enabled=true
auth-domains=sip.example.org
db-implementation=file
datasource=/etc/flexisip/users.db.txt

The file /etc/flexisip/users.db.txt looks like this:

toto@sip.example.org totoPassW0rd
titi@sip.example.org titiP4ssW0rd

For details, see the pages module::Registrar and module::Authentication.

TLS access, Registrar with redis, authentication from database and media relay

[global]
aliases=sip.example.org
debug=true
transports=sips:* sip:*
tls-certificates-dir=/etc/flexisip/tls

[module::Registrar]
reg-domains=sip.example.org
db-implementation=redis
redis-server-domain=172.16.0.1
redis-server-port=6379
redis-record-serializer=protobuf
redis-auth-password=the_random_very_long_string_also_defined_in_redis.conf_83cb1dfd2e3617

[module::MediaRelay]
enabled=true

[module::Authentication]
enabled=true
auth-domains=sip.example.org
db-implementation=soci
soci-password-request=select password from accounts where login = :id and activated = "1"
soci-connection-string=db=mydb user=dbuser password='database_password' host=database.example.org

 

Transport configuration

Configuring SIP transport in Flexisip

Enabling UDP and TCP on port 5060

[global]
transports=sip:*

or force just one transport

[global]
transports=sip:*;transport=tcp

TLS

For TLS, you need an SSL certificate.

[global]
transports=sips:*

with specific port

[global]
transports=sips:*:5223

For more information on configuration options, please refer to Global settings

TLS certificates

To configure the TLS certificates used to accept SSL connections, you will need at least the agent.pem file, which consists of the concatenation of the server certificate (that you obtained from a certificate authority) and the private key that you used to obtain the certificate, both in .pem format. The certificates are stored in /etc/flexisip/tls. If you have intermediate chain certificates delivered by the certificate authority, they should be placed in this directory in a file named "cafile.pem". Missing intermediate certificates can cause connection failures from some clients.
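One way to assemble and sanity-check agent.pem as described above (an added example, not part of the Flexisip documentation or code). The function names and input file names are hypothetical, the demo certificate is a constructed self-signed one, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: build agent.pem (server certificate followed by its private
# key) and refuse to write it if the key does not belong to the certificate.
# build_agent_pem and demo_agent_pem are hypothetical helper names.
build_agent_pem() {   # build_agent_pem <cert.pem> <key.pem> <tls-dir>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate $1" >&2; return 1; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
        echo "cannot read private key $2" >&2; return 1; }
    # A certificate and a key that do not share a public key cannot
    # complete a TLS handshake together.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    # agent.pem contains the private key: keep it readable by its owner only,
    # including when an older agent.pem with wider permissions is overwritten.
    ( umask 077 && cat "$1" "$2" > "$3/agent.pem" && chmod 600 "$3/agent.pem" )
}

# Constructed demo input: a throw-away self-signed certificate in a temp dir.
demo_agent_pem() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sip.example.org" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    build_agent_pem "$d/server.crt" "$d/server.key" "$d" || return 1
    ls -l "$d/agent.pem" | cut -c1-10      # file mode of the result
    rm -rf "$d"
}
demo_agent_pem
```

On a real server the third argument would be /etc/flexisip/tls, with the intermediate chain copied separately to cafile.pem in the same directory.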

Flexisip firewall rules

If the default iptables ruleset blocks SIP traffic, you need to allow it.

UDP/TCP on port 5060

iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

or use -I to insert the rule at a specified rule number (the first rule is numbered 1)

iptables -I INPUT 4 -p tcp -m tcp --dport 5060 -j ACCEPT

TLS on port 5061

iptables -A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT

STUN on port 3478

iptables -A INPUT -p udp -m udp --dport 3478 -j ACCEPT

RTP (if media relay is enabled)

You need to allow a port range matching the port range configured in flexisip.conf.

iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
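To keep the signalling rules in step with the transports= setting, this added example (not part of Flexisip) prints the iptables rules that correspond to a transports value so they can be reviewed before being applied. It assumes the default ports 5060 for sip and 5061 for sips, and that sips is TLS carried over TCP only; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: print the iptables rules matching a flexisip.conf
# "transports=" value. Assumptions: sip defaults to port 5060 (UDP and TCP),
# sips defaults to port 5061 and is TLS over TCP only. transports_to_rules
# is a hypothetical name. Rules are printed, not applied.
transports_to_rules() (
    set -f    # the value contains "*": disable pathname expansion
    for uri in $1; do
        # Separate URI parameters such as ";transport=tcp" from the URI.
        params=""
        case "$uri" in *";"*) params="${uri#*;}" ;; esac
        base="${uri%%;*}"
        scheme="${base%%:*}"
        rest="${base#*:}"                 # "host" or "host:port"
        port=""
        case "$rest" in *:*) port="${rest##*:}" ;; esac
        case "$scheme" in
            sip)  port="${port:-5060}"; protos="udp tcp" ;;
            sips) port="${port:-5061}"; protos="tcp" ;;
            *)    echo "unsupported transport: $uri" >&2; return 1 ;;
        esac
        # Accept only a numeric port in range before it is placed on a
        # firewall command line.
        case "$port" in ''|*[!0-9]*) echo "bad port in: $uri" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "bad port in: $uri" >&2; return 1; }
        # ";transport=tcp" or ";transport=udp" forces a single transport.
        case ";$params;" in
            *";transport=tcp;"*) protos="tcp" ;;
            *";transport=udp;"*) [ "$scheme" = sip ] && protos="udp" ;;
        esac
        for p in $protos; do
            echo "iptables -A INPUT -p $p -m $p --dport $port -j ACCEPT"
        done
    done
)

transports_to_rules "sips:* sip:*"
```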

Setting up push notifications

Flexisip configuration for push notification

Assign large values to the registration expiry, so that the app remains reachable even when killed, and text messages can be kept by Flexisip when their destination is not reachable. Late forking allows a call or message fork context to remain active until the push notification reaches the device, so that the call or message is delivered to it immediately after the device registers.

[module::Registrar]
max-expires=604800
[module::Router]
fork-late=true
message-delivery-timeout=604800

Make sure your firewall authorizes TCP connections to gateway.sandbox.push.apple.com:2195 and gateway.push.apple.com:2195.

Creating and installing push certificates

Apple

Generate a certificate

  • On your Mac, open Keychain Access > Certificate Assistant > Request a certificate from a Certificate Authority. Enter your email and check the "Saved to disk" box (this file will be deleted soon).
  • Connect to the Apple developer website (https://developer.apple.com/account/ios/certificate/certificateCreate.action) and ask for an Apple Push Notification service SSL certificate (either Sandbox or Production).
  • Select your application in the list and, when asked for a CSR file, select the file you generated in the first step. Finalize the procedure.
  • Now you must export your certificate (named "Apple Development iOS Push Services: <bundle-id>"), including the private key, from Keychain Access to p12 format.
  • Then you need to convert it from P12 format to PEM (mandatory for push notification on Flexisip, no PEM passphrase!) with
    openssl pkcs12 -nodes -in <generated-file>.p12 -out <bundle-id>.dev.pem
    for Sandbox, or
    openssl pkcs12 -nodes -in <generated-file>.p12 -out <bundle-id>.prod.pem
    for Production.

Configure Flexisip

Finally, configure your server (see below), put these files in your Flexisip installation (default is /etc/flexisip/apn/, back up old ones first if any!) and restart your Flexisip instance. If everything is working fine, you may consider revoking your old certificates if any (or wait for them to expire).

Configuring Linphone iOS

If your application is properly configured, check that a Contact header is emitted in REGISTER with push notification related parameters (pn-*):

SIP/2.0 200 Registration successful
Via: SIP/2.0/TLS <...>
From: <sip:username@sip.linphone.org>;tag=jrKCpF4oO
To: <sip:username@sip.linphone.org>;tag=6H3eKQXDD4jFg
Call-ID: wnyKVyry0N
CSeq: 21 REGISTER
Contact: <sip:username@52.243.117.188:49469;app-id=org.linphone.phone.dev;pn-type=apple;pn-tok=ABA3D8A75E1A4F2CF5D148F6A96871EF2AB23A3EA6C25D043D53566BD7E97457;pn-msg-str=IM_MSG;pn-call-str=IC_MSG;pn-call-snd=notes_of_the_optimistic.caf;pn-msg-snd=msg.caf;transport=tls>;expires=3600;q=0.00
Contact: <sip:username@52.243.117.188:64651;transport=tls>;expires=347041;q=0.00
Server: Flexisip/1.0.8 (sofia-sip-nta/2.0)
Content-Length: 0

If it is not working, check the application code: linphone_proxy_config_set_contact_uri_parameters() should be invoked from application:didRegisterForRemoteNotificationsWithDeviceToken:.

Google

First you need a Google Account. If you don't have one yet, create it.

Then go to https://console.developers.google.com/ and log in.

Create a project

If you haven't created a "project" yet, do it now. Otherwise go to the next paragraph.

Click on "Project", "Create a project" on the top right corner of your screen.

Open a new tab to https://console.cloud.google.com/home/ and note the project number (not the ID). It is a very large number in parentheses after the ID (without the #).

Enable Push Notifications

Now that you have a project id, click on "Google Cloud Messaging" link under the green Droid (mobile API section).

Somewhere on the page, there is an "Enable" button. Click on it. 

/!\ If the button's label is "Disable", don't click it.

Create an API key

Now click on the left panel on the "Credentials" link.

Click on "create credentials" and choose "API Key" and then "Server key".

Give it a name, and the IP(s) of the server(s) it will be used on (this isn't mandatory but I strongly recommend you do it).

Finally, click on "Create". 

You'll have a pop-up with an API key. This is the second value we need to configure Flexisip.

Configure Flexisip

Now you should have a project id and an API key.

Go to your flexisip.conf file and configure the push notification for Android like this:

google-projects-api-keys=<project_number>:<API_key>

Configure Linphone Android

Edit the "res/values/non_localizable_custom.xml" file in the Android project and replace the "push_sender_id" value by the <project_number>.

Testing

You may test that your server-side configuration is OK by using the flexisip-pusher tool embedded in the Flexisip installation package. It lets you manually send a notification request to the push notification server. You may invoke flexisip-pusher using the following:

./flexisip_pusher --pntype <platform> --appid <appid> --pntok <device token> --debug

Testing on iOS

To send a push request to Apple's server, one may use:

./flexisip_pusher --pntype apple --appid <bundle-id>.dev --pntok <tok> --debug

If all is well, the output should look like:

Feb 14 06:42:14 ns3002422 flexisip: PushNotificationClient org.linphone.phone.voip.prod.pem PNR 0x7f3e04e79af8 sent 105/105 data
Feb 14 06:42:14 ns3002422 flexisip: PushNotificationClient org.linphone.phone.voip.prod.pem PNR 0x7f3e04e79af8 waiting for server response
Feb 14 06:42:15 ns3002422 flexisip: PushNotificationClient org.linphone.phone.voip.prod.pem PNR 0x7f3e04e79af8 nothing read, assuming success

If you get the following error:

E: PNR 0x7fed1a449858 with identifier 1 failed with error 8 (Invalid token)

It probably means that you are using the wrong application id. Note: to test the production certificate, you must generate an ad hoc IPA and install it manually!
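Because a wrong application id is the usual cause of that error, it helps to take the values for the test from what the device actually registered. This added example (not from the Flexisip or Linphone projects) extracts app-id, pn-type and pn-tok from a captured Contact header and prints the flexisip_pusher command for them; function names are hypothetical, the sample header is constructed, and it assumes the pusher options take the same values as the Contact URI parameters.

```shell
#!/bin/sh
# Added example: turn the pn-* parameters of a captured Contact header into
# the flexisip_pusher test command shown on this page.
# contact_param and pusher_command are hypothetical helper names.
contact_param() {   # contact_param <header-line> <param-name>
    # Keep only the URI between < and >, then pick ";name=value".
    uri=$(printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*$/\1/p')
    printf '%s\n' "$uri" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

pusher_command() {  # pusher_command <header-line>
    pntype=$(contact_param "$1" pn-type)
    appid=$(contact_param "$1" app-id)
    pntok=$(contact_param "$1" pn-tok)
    if [ -z "$pntype" ] || [ -z "$appid" ] || [ -z "$pntok" ]; then
        echo "no complete pn-* parameter set in this Contact" >&2
        return 1
    fi
    # These values arrive from the network: refuse anything outside the
    # expected character sets before printing them as a command line.
    case "$pntype" in *[!a-z0-9]*)
        echo "unexpected characters in pn-type" >&2; return 1 ;; esac
    case "$appid" in *[!A-Za-z0-9._-]*)
        echo "unexpected characters in app-id" >&2; return 1 ;; esac
    case "$pntok" in *[!A-Za-z0-9:_-]*)
        echo "unexpected characters in pn-tok" >&2; return 1 ;; esac
    echo "./flexisip_pusher --pntype $pntype --appid $appid --pntok $pntok --debug"
}

# Constructed sample header (documentation address, made-up token).
SAMPLE_CONTACT='Contact: <sip:alice@192.0.2.10:49469;app-id=org.example.app.dev;pn-type=apple;pn-tok=0123456789ABCDEF0123456789ABCDEF;pn-msg-str=IM_MSG;transport=tls>;expires=3600;q=0.00'
pusher_command "$SAMPLE_CONTACT"
```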

Flexisip logs

Enabling debug mode

[global]
debug=true

Configuring system logs on CentOS 7

To enable persistent storage for Journal, create the journal directory manually as shown in the following example. As root type:
mkdir -p /var/log/journal
Then, restart journald to apply the change:
systemctl restart systemd-journald

Reference from this article: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-Using_the_Journal.html

Viewing logs on CentOS 7

By default, journald's rate limiting policy may drop many logs, especially when debug logs are enabled.

You may tweak the rate limiting policy, see https://www.freedesktop.org/software/systemd/man/journald.conf.html

journalctl -u flexisip -f -a -l

Viewing logs on Debian 7

As debug logs can be very verbose, you may first need to adjust the rate limiting of rsyslog, otherwise logs will be very incomplete. See http://www.rsyslog.com/tag/rate-limiting/

To view logs in real-time, you can do:

tail -f /var/log/syslog
Created by SandrineAvakian on 2017/01/06 10:32