flexisip.conf.sample

##
## This is the default Flexisip (v2.3.0-alpha-29-gb19a1ce5) configuration
## file
##





##
## Some global settings of the flexisip proxy.
##
[global]

# Servers started by default when no --server option is specified
# on command line. Possible values are 'proxy', 'presence', 'conference',
# 'regevent' separated by whitespaces.
# Default: proxy
#default-servers=proxy

# Automatically respawn flexisip in case of abnormal termination
# (crashes). This has an effect if Flexisip has been launched with
# '--daemon' option only
# Default: true
#auto-respawn=true

# Path to the directory where plugins can be found.
# Default: /opt/belledonne-communications/lib/flexisip/plugins
#plugins-dir=/opt/belledonne-communications/lib/flexisip/plugins

# Plugins to load. Look at <prefix>/lib/flexisip/plugins to know
# the list of installed plugin. The name of a plugin can be derivated
# from the according library name by striping out the extension
# part and the leading 'lib' prefix.
# E.g. putting 'jweauth' in this setting will make libjweauth.so
# library to be load on runtime.
# Default: 
#plugins=

# Generate a core file on crash.
# On GNU/Linux, the action to do on core dump is defined by the
# kernel file '/proc/sys/kernel/core_pattern'. On recent distributions
# like RHEL 8, the generated cores is given by default to the core
# manager of SystemD and the core can be easily listed by using
# coredumpctl(1) command.
# On older distributions, the cores are often written in '/' directory.
# If your root directory has little available space, it is recommended
# to relocate your core dumps in another place by modifying the
# 'core_pattern' file on system boot. This may be done by adding
# this line in '/etc/rc.local':
#     echo '/home/cores/core.%e.%t.%p' > /proc/sys/kernel/core_pattern
# 
# See core(5) manual for more information about core handling on
# GNU/Linux.
# Default: false
#dump-corefiles=false

# Enable SNMP.
# Default: false
#enable-snmp=false

# Directory where to create log files. Create logs are named as
# 'flexisip-<server_type>.log'. If If several server types have
# been specified by '--server' option or 'global/default-servers'
# parameter, then <server_type> is expanded by a concatenation of
# all the server types joined with '+' character.
# WARNING: Flexisip has no embedded log rotation system but provides
# a configuration file for logrotate. Please ensure that logrotate
# is installed and running on your system if you want to have Flexisip's
# logs rotated. Log rotation can be customized by editing /etc/logrotate.d/flexisip-logrotate.
# Default: /var/opt/belledonne-communications/log/flexisip
#log-directory=/var/opt/belledonne-communications/log/flexisip

# Name of the log file. Any occurences of '{server}' will be replaced
# by the server type which has been given by '--server' option or
# 'default-servers' parameter. If several server types have been
# given, then '{server}' will be replaced by the concatenation of
# these separated by '+' character (e.g. 'proxy+presence')
# Default: flexisip-{server}.log
#log-filename=flexisip-{server}.log

# Log file verbosity. Possible values are debug, message, warning
# and error
# Default: error
#log-level=error

# Syslog verbosity. Possible values are debug, message, warning
# and error
# Default: error
#syslog-level=error

# Log (on a different log domain) user errors like authentication,
# registration, routing, etc...
# Default: false
#user-errors-logs=false

# A boolean expression applied to current SIP message being processed.
# When matched, logs are output provided that there level is greater
# than the value defined in contextual-log-level. The definition
# of the SIP boolean expression is the same as for entry filters
# of modules, which is documented here: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#contextual-log-filter=

# Verbosity of contextual logs to output when the condition defined
# in 'contextual-log-filter' is met.
# Default: debug
#contextual-log-level=debug

# Filter expression applied to all messages, if true message body
# is shown, if false not. Can not be empty, use 'true' or 'false'
# constants instead. The definition of the SIP boolean expression
# is documented here: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Example : content-type == 'application/sdp' && request.method
# == 'MESSAGE'
# Default: content-type == 'application/sdp'
#show-body-for=content-type == 'application/sdp'

# List of white space separated SIP URIs where the proxy must listen.
# Wildcard (*) can be used to mean 'all local ip addresses'. If
# 'transport' parameter is unspecified, it will listen to both udp
# and tcp. A local address to bind onto can be indicated in the
# 'maddr' parameter, while the domain part of the uris are used
# as public domain or ip address.
# The 'sips' transport definitions accept two optional parameters:
#  - 'tls-certificates-dir' taking for value a path, with the same
#    meaning as the 'tls-certificates-dir' property of this section
#    and overriding it for this given transport.
#  - 'tls-certificates-file' taking for value a file path, with
#    the same meaning as the 'tls-certificates-file' property of this
#    section and overriding it for this given transport.
#  - 'tls-certificates-private-key' taking for value a file path,
#    with the same meaning as the 'tls-certificates-private-key' property
#    of this section and overriding it for this given transport.
#  - 'tls-certificates-ca-file' taking for value a file path, with
#    the same meaning as the 'tls-certificates-ca-file' property of
#    this section and overriding it for this given transport.
#  - 'tls-verify-incoming' taking for value '0' or '1', to indicate
#    whether clients connecting are required to present a valid client
#    certificate. Default value is 0.
#  - 'tls-allow-missing-client-certificate' taking for value '0'
#    or '1', to allow connections from clients which have no certificate
#    even if `tls-verify-incoming` has been enabled. That's useful
#    if you wish to have Flexisip to ask for a client certificate,
#    but without failing if the client cannot provide one.
#  - 'tls-verify-outgoing' taking for value '0' or '1', whether
#    flexisip should check the peer certificate when it make an outgoing
#    TLS connection to another server. Default value is 1.
#  - 'require-peer-certificate' (deprecated) same as tls-verify-incoming
# 
# It is HIGHLY RECOMMENDED to specify a canonical name for 'sips'
# transport, so that the proxy can advertise this information in
# Record-Route headers, which allows TLS cname check to be performed
# by clients.
# Specifying a sip uri with transport=tls is not allowed: the 'sips'
# scheme must be used instead. As requested by SIP RFC, IPv6 address
# must be enclosed within brakets.
# Here are some examples to understand:
#  - listen on all local interfaces for udp and tcp, on standard
#    port:
# 	transports=sip:*
#  - listen on all local interfaces for udp,tcp and tls, on standard
#    ports:
# 	transports=sip:* sips:*
#  - listen only a specific IPv6 interface, on standard ports, with
#    udp, tcp and tls
# 	transports=sip:[2a01:e34:edc3:4d0:7dac:4a4f:22b6:2083] sips:[2a01:e34:edc3:4d0:7dac:4a4f:22b6:2083]
#  - listen on tls localhost with 2 different ports and SSL certificates:
# 	transports=sips:localhost:5061;tls-certificates-dir=path_a sips:localhost:5062;tls-certificates-dir=path_b
#  - listen on tls localhost with 2 peer certificate requirements:
# 	transports=sips:localhost:5061;tls-verify-incoming=0 sips:localhost:5062;tls-verify-incoming=1
#  - listen on 192.168.0.29:6060 with tls, but public hostname is
#    'sip.linphone.org' used in SIP messages. Bind address won't appear
#    in messages:
# 	transports=sips:sip.linphone.org:6060;maddr=192.168.0.29
# Default: sip:*
#transports=sip:*

# List of white space separated host names pointing to this machine.
# This is to prevent loops while routing SIP messages.
# Default: localhost
#aliases=localhost

# Time interval in seconds after which inactive connections are
# closed.
# Default: 3600
#idle-timeout=3600

# Time interval in seconds for sending "\r\n\r\n" keepalives packets
# on inbound and outbound connections. A value of zero stands for
# no keepalive. The main purpose of sending keepalives is to keep
# connection alive accross NATs, but it also helps in detecting
# silently broken connections which can reduce the number socket
# descriptors used by flexisip.
# Default: 1800
#keepalive-interval=1800

# Time interval in seconds for sending "\r\n\r\n" keepalives packets
# specifically for proxy to proxy connections. Indeed, while it
# is undesirable to send frequent keepalives to mobile clients because
# it drains their battery, sending frequent keepalives has proven
# to be helpful to keep connections up between proxy nodes in a
# very popular US virtualized datacenter. A value of zero stands
# for no keepalive.
# Default: 0
#proxy-to-proxy-keepalive-interval=0

# SIP transaction timeout in milliseconds. It is T1*64 (32000 ms)
# by default.
# Default: 32000
#transaction-timeout=32000

# The UDP MTU. Flexisip will fallback to TCP when sending a message
# whose size exceeds the UDP MTU. Please read http://sofia-sip.sourceforge.net/refdocs/nta/nta__tag_8h.html#a6f51c1ff713ed4b285e95235c4cc999a
# for more details. If sending large packets over UDP is not a problem,
# then set a big value such as 65535. Unlike the recommandation
# of the RFC, the default value of UDP MTU is 1460 in Flexisip (instead
# of 1300).
# Default: 1460
#udp-mtu=1460

# You can specify the bind address for all RTP streams (MediaRelay
# and Transcoder). This parameter is only useful for some specific
# networks, keeping the default value is recommended.
# Default: 0.0.0.0 ::0
#rtp-bind-address=0.0.0.0 ::0

# Path to the file containing the server certificate chain. The
# file must be in PEM format, see OpenSSLSSL_CTX_use_certificate_chain_file
# documentation. If used tls-certificates-private-key MUST be set.
# Default: 
#tls-certificates-file=

# Path to the file containing the private key. See OpenSSL SSL_CTX_use_PrivateKey_file
# documentation. If used tls-certificates-file MUST be set.
# Default: 
#tls-certificates-private-key=

# Path to the file contain CA certificates. See OpenSSL SSL_CTX_load_verify_locations
# and SSL_CTX_set_client_CA_list documentation. Can be empty.
# Default: 
#tls-certificates-ca-file=

# Ciphers string to pass to OpenSSL in order to limit the cipher
# suites to use while establishing TLS sessions. Please take a look
# to ciphers(1) UNIX manual to get the list of keywords supported
# by your current version of OpenSSL. You might visit https://www.openssl.org/docs/manmaster/man1/ciphers.html
# too. The default value set by Flexisip should provide a high level
# of security while keeping an acceptable level of interoperability
# with currenttly deployed clients on the market.
# Default: HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL
#tls-ciphers=HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL

# Ask for client certificate on TLS session establishing.
# Default: false
#require-peer-certificate=false

# Unique ID used to identify that instance of Flexisip. It must
# be a randomly generated 16-sized hexadecimal number. If empty,
# it will be randomly generated on each start of Flexisip.
# Default: 
#unique-id=

# Number of SIP message that sofia can queue in a tport (a connection).
# It is 64 by default, hardcoded in sofia-sip (sofia-sip also used
# to hardcode a max value, 1000). This is not sufficient for IM.
# Default: 1000
#tport-message-queue-size=1000






##
## This section contains some parameters useful when the current
## proxy is part of a network of proxies (cluster) which serve the
## same domain.
##
[cluster]

# Enable cluster mode. If 'false', the parameters of [cluster] section
# won't have any effect.
# Default: false
#enabled=false

# Domain name that enables external SIP agents to access to the
# cluster. Such domain is often associated to DNS SRV records for
# each proxy of the cluster, so that DNS resolution returns the
# address of a specific proxy randomly.
# Flexisip uses that domain when it needs to insert a 'Path' or
# 'Record-route' header addressing the cluster instead of itself.
# Default: 
#cluster-domain=

# List of IP addresses of all the proxies present in the cluster.
# SIP messages coming from these addresses won't be challenged by
# the authentication module and won't have any rate limit applied
# by the DoS protection module.
# Default: 
#nodes=

# Transport to use for communication with the other proxies of the
# cluster. This is useful only when no transport declared in 'global/transport'
# parameter can be used to reach the other proxies e.g. when inter-proxy
# communications are to be made through a private network.
# Ex: sip:10.0.0.8:5059;transport=tcp
# Default: 
#internal-transport=






##
## Should the server be registered on a local domain, to be accessible
## via multicast DNS.
##
[mdns-register]

# Set to 'true' to enable multicast DNS register
# Default: false
#enabled=false

# Priority of this instance, lower value means more preferred.
# 'n': priority of n (example 10)
# 'n-m': random priority between n and m (example 10-50)
# Default: 0
#mdns-priority=0

# A relative weight for Flexisips with the same priority, higher
# value means more preferred.
# For example, if two Flexisips are registered on the same local
# domain with one at 20 and the other at 80, then 20% of Flexisip
# traffic will be redirected to the first Flexisip and 80% to the
# other one.
# The sum of all the weights of Flexisips on the same local domain
# must be 100.
# Default: 100
#mdns-weight=100

# Time To Live of any mDNS query that will ask for this Flexisip
# instance
# Default: 3600
#mdns-ttl=3600






##
## Event logs contain per domain and user information about processed
## registrations, calls and messages.
## See: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Event%20logs%20and%20queries/
## for architecture and queries.
##
[event-logs]

# Enable event logs.
# Default: false
#enabled=false

# Define logger for storing logs. It supports "filesystem" and "database".
# Default: filesystem
#logger=filesystem

# Directory where event logs are written as a filesystem (case when
# filesystem output is choosed).
# Default: /var/log/flexisip
#filesystem-directory=/var/log/flexisip

# Choose the type of backend that Soci will use for the connection.
# Depending on your Soci package and the modules you installed,
# the supported databases are:`mysql`, `sqlite3` and `postgresql`
# Default: mysql
#database-backend=mysql

# The configuration parameters of the backend.
# The basic format is "key=value key2=value2". For a mysql backend,
# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
# Please refer to the Soci documentation of your backend, for instance:
# http://soci.sourceforge.net/doc/master/backends/#supported-backends-and-features
# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
#database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'

# Amount of queries that will be allowed to be queued before bailing
# password requests.
# This value should be chosen accordingly with 'database-nb-threads-max',
# so that you have a coherent behavior.
# This limit is here mainly as a safeguard against out-of-control
# growth of the queue in the event of a flood or big delays in the
# database backend.
# Default: 100
#database-max-queue-size=100

# Maximum number of threads for writing in database.
# If you get a `database is locked` error with sqlite3, you must
# set this variable to 1.
# Default: 10
#database-nb-threads-max=10






##
## STUN server parameters.
##
[stun-server]

# Enable or disable stun server.
# Default: true
#enabled=true

# Local ip address where to bind the socket.
# Default: 0.0.0.0
#bind-address=0.0.0.0

# STUN server port number.
# Default: 3478
#port=3478






##
## Flexisip presence server parameters.
##
[presence-server]

# Enable presence server
# Default: true
#enabled=true

# List of white space separated SIP URIs where the presence server
# must listen. Must not be tls.
# Default: sip:127.0.0.1:5065;transport=tcp
#transports=sip:127.0.0.1:5065;transport=tcp

# Default expires of PUBLISH request in second.
# Default: 600
#expires=600

# Max number of presentity sent in a single NOTIFY by default.
# Default: 200
#notify-limit=200

# Enable long-term presence notifies
# Default: false
#long-term-enabled=false

# Soci connection string for the resource list database.
# Default: 
#rls-database-connection=

# SQL request to obtain the list of the users corresponding to an
# resource list subscription.
# Named parameters are:
#  * ':from' : the URI of the sender of the SUBSCRIBE. (mandatory)
#  * ':to' : the URI of the users list which the sender want to
#    subscribe to. (mandatory)
#    
# Default: 
#rls-database-request=

# Max number of threads.
# Default: 50
#rls-database-max-thread=50

# Max legnth of threads queue.
# Default: 50
#rls-database-max-thread-queue-size=50

# Soci SQL request used to obtain the username associated with a
# phone alias.
# The string MUST contains the ':phone' keyword which will be replaced
# by the phone number to look for.
# The result of the request is a 1x1 table containing the name of
# the user associated with the phone number.
# 
# Example: select login from accounts where phone = :phone 
# Default: 
#soci-user-with-phone-request=

# Same as 'soci-user-with-phone-request' but allows to fetch several
# users by a unique SQL request.
# The string MUST contains the ':phones' keyword which will be replaced
# by the list of phone numbers to look for. Each element of the
# list is seperated by a comma character and is protected by simple
# quotes (e.g. '0336xxxxxxxx','0337yyyyyyyy','034zzzzzzzzz').
# If you use phone number linked accounts you'll need to select
# login, domain, phone in your request for flexisip to work.
# Example: select login, domain, phone from accounts where phone
# in (:phones)
# Default: 
#soci-users-with-phones-request=






##
## Flexisip conference server parameters. The flexisip conference
## server is a user-agent that handles session-based chat (yes, text
## only at this time). It requires a mysql database in order to persisently
## store chatroom state (participants and their devices). It will
## use the Registrar backend (see section module::Registrar) to discover
## devices (or client instances) of each participant.
##
[conference-server]

# Enable conference server
# Default: true
#enabled=true

# URI where the conference server must listen. Only one URI can
# be specified.
# Default: sip:127.0.0.1:6064;transport=tcp
#transport=sip:127.0.0.1:6064;transport=tcp

# List of SIP uris used by clients to create a conference. This
# implicitely defines the list of SIP domains managed by the conference
# server. For example:
# conference-factory-uris=sip:conference-factory@sip.linphone.org
# sip:conference-factory@sip.linhome.org
# Default: 
#conference-factory-uris=

# uri used as conference server contact address. For example:
# conference-focus-uris=sip:conference-factory@sip.linphone.org
# sip:conference-factory@sip.linhome.org
# Default: 
#conference-focus-uris=

# The Flexisip proxy URI to which the conference server should sent
# all its outgoing SIP requests.
# Default: sip:127.0.0.1:5060;transport=tcp
#outbound-proxy=sip:127.0.0.1:5060;transport=tcp

# Domains managed by the local SIP service, ie domains for which
# user registration information can be found directly from the local
# registrar database (redis database). For external domains (not
# in this list), a 'reg' SUBSCRIBE (RFC3680) will be emitted.It
# is not necessary to list here domains that appear in the 'conference-factory-uris'
# property. They are assumed to be local domains already.
# Ex: local-domains=sip.linphone.org conf.linphone.org linhome.org
# Default: 
#local-domains=

# Choose the type of backend that linphone will use for the connection.
# Depending on your Soci package and the modules you installed,
# the supported databases are: `mysql`, `sqlite3`
# Default: mysql
#database-backend=mysql

# The configuration parameters of the backend.
# The basic format is "key=value key2=value2". For a mysql backend,
# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
# Please refer to the Soci documentation of your backend, for instance:
# http://soci.sourceforge.net/doc/3.2/backends/mysql.htmlhttp://soci.sourceforge.net/doc/3.2/backends/sqlite3.html
# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
#database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'

# Whether the conference server shall check device capabilities
# before inviting them to a session.
# The capability check is currently limited to Linphone client that
# put a +org.linphone.specs contact parameter in order to indicate
# whether they support group chat and secured group chat.
# Default: true
#check-capabilities=true

# List of media supported by the conference server.
# Valid values are: audio, video and text. For example:
# supported-media-types=audio video text
# Default: text
#supported-media-types=text

# The preferred encryption the conference server will offer in the
# outgoing transactions.
# Valid values are: none, sdes, zrtp and dtls.
# Default: none
#encryption=none

# Public host name or IP addresses of the conference server machine.
# Configuring this property is required when the conference server
# is deployed behind a firewall, so that the public IP address (v4,
# v6) can be advertised in SDP, as ICE server-reflexive candidates
# in order for the conference server to receive RTP media packets
# from clients. If no hostname is given, the v4 and v6 IP address
# can be listed separated by whitespaces, in any order. It is not
# possible  to configure several v4 addresses or several v6 addresses.For
# example:
# nat-addresses=conference.linphone.org
# nat-addresses=5.135.31.160   2001:41d0:303:3aee::1
# Default: 
#nat-addresses=






##
## Flexisip RegEvent server parameters.The regevent server is in
## charge of responding to SIP SUBSCRIBEs for the 'reg' event as
## defined by RFC3680 - A Session Initiation Protocol (SIP) Event
## Package for Registrations - https://tools.ietf.org/html/rfc3680
## .To generate the outgoing NOTIFY, it will rely upon the registrar
## database, as setup in module::Registrar section.
##
[regevent-server]

# SIP uri on which the RegEvent server is listening on.
# Default: sip:127.0.0.1:6065;transport=tcp
#transport=sip:127.0.0.1:6065;transport=tcp






##
## Flexisip back-to-back user agent server parameters.
##
[b2bua-server]

# The type of application that will handle calls bridged through
# the B2BUA. Possible values:
# - `trenscrypter` Bridge different encryption types on both ends
# transparently.
# - `sip-bridge` Bridge calls through an external SIP provider.
# (e.g. for PSTN gateways)
# Default: trenscrypter
#application=trenscrypter

# SIP uri on which the back-to-back user agent server is listening
# on.
# Default: sip:127.0.0.1:6067;transport=tcp
#transport=sip:127.0.0.1:6067;transport=tcp

# Directory where to store b2bua core local files
# Default
# Default: /var/opt/belledonne-communications/flexisip/b2b
#data-directory=/var/opt/belledonne-communications/flexisip/b2b

# The Flexisip proxy URI to which the B2bua server should send all
# its outgoing SIP requests.
# Default: sip:127.0.0.1:5060;transport=tcp
#outbound-proxy=sip:127.0.0.1:5060;transport=tcp






##
## Encryption transcoder bridge parameters.
##
[b2bua-server::trenscrypter]

# Select the call outgoing encryption mode, this is a list of regular
# expressions and encryption mode.
# Valid encryption modes are: zrtp, dtls-srtp, sdes, none.
# 
# The list is formatted in the following mode:
# mode1 regex1 mode2 regex2 ... moden regexn
# regex use posix syntax, any invalid one is skipped
# Each regex is applied, in the given order, on the callee sip uri(including
# parameters if any). First match found determines the encryption
# mode. if no regex matches, the incoming call encryption mode is
# used.
# 
# Example: zrtp .*@sip\.secure-example\.org dtsl-srtp .*dtls@sip\.example\.org
# zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org
# In this example: the address is matched in order with
# .*@sip\.secure-example\.org so any call directed to an address
# on domain sip.secure-example-org uses zrtp encryption mode
# .*dtls@sip\.example\.org any call on sip.example.org to a username
# ending with dtls uses dtls-srtp encryption mode
# .*zrtp@sip\.example\.org any call on sip.example.org to a username
# ending with zrtp uses zrtp encryption mode
# The previous example will fail to match if the call is directed
# to a specific device(having a GRUU as callee address)
# To ignore sip URI parameters, use (;.*)? at the end of the regex.
# Example: .*@sip\.secure-example\.org(;.*)?
# Default:Selected encryption mode(if any) is enforced and the call
# will fail if the callee does not support this mode
# Default: 
#outgoing-enc-regex=

# Outgoing SRTP crypto suite in SDES encryption mode:
# Select the call outgoing SRTP crypto suite when outgoing encryption
# mode is SDES, this is a list of regular expressions and crypto
# suites list.
# Valid srtp crypto suites are :
# AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32
# AES_192_CM_HMAC_SHA1_80, AES_192_CM_HMAC_SHA1_32 // currently
# not supported
# AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_80
# AEAD_AES_128_GCM, AEAD_AES_256_GCM
# 
# The list is formatted in the following mode:
# cryptoSuiteList1 regex1 cryptoSuiteList2 regex2 ... crytoSuiteListn
# regexn
# with cryptoSuiteList being a ; separated list of crypto suites.
# 
# Regex use posix syntax, any invalid one is skipped
# Each regex is applied, in the given order, on the callee sip uri(including
# parameters if any). First match found determines the crypto suite
# list used.
# 
# if no regex matches, core setting is applied
# or default to AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
# when no core setting is available
# 
# Example:
# AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org
# AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org
# 
# In this example: the address is matched in order with
# .*@sip\.secure-example\.org so any call directed to an address
# on domain sip.secure-example-org uses AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
# suites (in that order)
# .*@sip\.example\.org any call directed to an address on domain
# sip.example.org use AES_CM_128_HMAC_SHA1_80 suite
# The previous example will fail to match if the call is directed
# to a specific device(having a GRUU as callee address)
# To ignore sip URI parameters, use (;.*)? at the end of the regex.
# Example: .*@sip\.secure-example\.org(;.*)?
# Default:
# Default: 
#outgoing-srtp-regex=






##
## External SIP Provider Bridge parameters.
##
[b2bua-server::sip-bridge]

# Path to a file containing the accounts to use for external SIP
# bridging, organised by provider, in JSON format.
# Here is a template of what should be in this file:
# [{"name": "<user-friendly provider name for CLI output>",
#   "pattern": "<regexp to match callee address>",
#   "outboundProxy": "<sip:some.provider.example.com;transport=tls>",
#   "registrationRequired": true,
#   "maxCallsPerLine": 42,
#   "accounts": [{
#     "uri": "sip:account1@some.provider.example.com",
#     "userid": "<optional (e.g. an API key)>",
#     "password": "<password or API token>"
#   }]
# }]
# Default: example-path.json
#providers=example-path.json






##
## This module bans user when they are sending too much packets within
## a given timeframe. To see the list of currently banned IPs/ports,
## use iptables -L. 
##
[module::DoSProtection]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# Number of milliseconds to consider to compute the packet rate
# Default: 3000
#time-period=3000

# Maximum packet rate in packets/seconds,  averaged over [time-period]
# millisecond(s) to consider it as a DoS attack.
# Default: 20
#packet-rate-limit=20

# Number of minutes to ban the ip/port using iptables
# Default: 2
#ban-time=2

# Name of the chain flexisip will create to store the banned IPs
# Default: FLEXISIP
#iptables-chain=FLEXISIP

# List of IP addresses or hostnames for which no DoS protection
# is made. This is typically for trusted servers from which we can
# receive high traffic. Please note that nodes from the local flexisip
# cluster (see [cluster] section) are automatically added to the
# white list, as well as 127.0.0.1 and ::1.
# Example:
# white-list=sip.example.org sip.linphone.org 15.128.128.93
# Default: 
#white-list=






##
## The SanitChecker module checks that required fields of a SIP message
## are present to avoid unecessary checking while processing message
## further.
## If the message doesn't meet these sanity check criterias, then
## it is stopped and bad request response is sent.
##
[module::SanityChecker]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=






##
## The GarbageIn module collects incoming garbage and prevent any
## further processing.
##
[module::GarbageIn]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: false
#filter=false






##
## The NatHelper module executes small tasks to make SIP work smoothly
## despite firewalls. It corrects the Contact headers that contain
## obviously inconsistent addresses, and adds a Record-Route to ensure
## subsequent requests are routed also by the proxy, through the
## same UDP or TCP channel used for the initial request.
##
[module::NatHelper]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# Internal URI parameter added to response contact by first proxy
# and cleaned by last one.
# Default: verified
#contact-verified-param=verified

# Fix record-routes, to workaround proxies behind firewalls but
# not aware of it.
# Default: false
#fix-record-routes=false

# Policy to recognize nat'd record-route and fix them. There are
# two modes: 'safe' and 'always'
# Default: safe
#fix-record-routes-policy=safe






##
## The authentication module challenges and authenticates SIP requests
## using two possible methods:
##  * if the request is received via a TLS transport and 'require-peer-certificate'
##    is set in transport definition in [Global] section for this transport,
##    then the From header of the request is matched with the CN claimed
##    by the client certificate. The CN must contain sip:user@domain
##    or alternate name with URI=sip:user@domain corresponding to the
##    URI in the from header for the request to be accepted. Optionnaly,
##    the property tls-client-certificate-required-subject may contain
##    a regular expression for additional checks to execute on certificate
##    subjects.
##  * if no TLS client based authentication can be performed, or
##    has failed, then a SIP digest authentication is performed. The
##    password verification is made by querying a database or a password
##    file on disk.
##
[module::Authentication]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# List of whitespace-separated IP addresses which will be judged
# as trustful. Messages coming from these addresses won't be challenged.
# Default: 
#trusted-hosts=

# List of whitespace separated domains to challenge. Others are
# automatically denied. The wildcard domain '*' is accepted, which
# means that requests are challenged whatever the originating domain
# is. This is convenient for a proxy serving multiple SIP domains.
# 
# Default: localhost
#auth-domains=localhost

# List of digest algorithms to use for password hashing. Think this
# setting as filter applied after fetching the credentials of a
# user from the user database. For example, if a user has its password
# hashed by MD5 and SHA-256 but 'available-algorithms' only has
# MD5, then only a MD5-based challenged will be submited to the
# UAC.
# Furthermore, should a user have several hashed passwords and these
# are present in the list, then a challenge header will be put in
# the 401 response for each fetched password in the order given
# by the list.
# Supported algorithems are MD5 and SHA-256.
# Default: MD5
#available-algorithms=MD5

# Disable the QOP authentication method. Default is to use it, use
# this flag to disable it if needed.
# Default: false
#disable-qop-auth=false

# Don't reply 403 when authentication fails. Instead, generate a
# new 401 (or 407) response containing a new challenge.
# Default: false
#no-403=false

# Expiration time before generating a new nonce.
# Unit: second
# Default: 3600
#nonce-expires=3600

# The realm to use for digest authentication. It will used whatever
# the domain of the From-URI.
# If the value starts with 'regex:', then this parameter will have
# the same effect than 'realm-regex', using all the remaining string
# as regular expression.
# WARNING: this parameter is exclusive with 'realm-regex'
# 
# Examples:
# 	realm=sip.example.org
# 	realm=regex:sip:.*@sip\.(.*)\.com
# 
# Default: 
#realm=

# Extraction regex applied on the URI of the 'from' header (or P-Prefered-Identity
# header if present) in order to extract the realm. The realm is
# found out by getting the first slice of the URI that matches the
# regular expression. If it has one or more capturing parentheses,
# the content of the first one is used as realm.
# If no regex is specified, then the realm will be the domain part
# of the URI.
# 
# For instance, given auth-domains=sip.example.com, you might use
# 'sip:.*@sip\.(.*)\.com' in order to use 'example' as realm.
# 
# WARNING: this parameter is exclusive with 'realm'
# Default: 
#realm-regex=

# If set to true, the module will simply reject with "403 forbidden"
# any request coming from clients which have presented a bad TLS
# certificate (regardless of reason: improper signature, unmatched
# subjects). Otherwise, the module will fallback to a digest authentication.
# This policy applies only for transports configured which have
# 'required-peer-certificate=1' parameter; indeed no certificate
# is requested to the client otherwise. 
# Default: false
#reject-wrong-client-certificates=false

# An optional regular expression used to accept or deny a request
# basing on subject fields of the client certificate. The request
# is allowed if one of the subjects matches the regular expression.
# The list of subjects to check is built by extracting the following
# fields, in order:
# 	subjectAltNames.DNS, subjectAltNames.URI, subjectAltNames.IP
# and CN
# Default: 
#tls-client-certificate-required-subject=

# Accept requests which the client certificate enables to trust
# the domaine of its Request-URI.
# Default: false
#trust-domain-certificates=false

# When receiving a proxy authenticate challenge, generate a new
# challenge for this proxy.
# Default: false
#new-auth-on-407=false

# Database backend implementation for digest authentication [soci,file].
# Default: file
#db-implementation=file

# Duration of the validity of the credentials added to the cache
# in seconds.
# Default: 1800
#cache-expire=1800

# Path of the file in which user credentials are stored.
# The file must start with 'version:1' as the first line, and then
# contains lines in the form of:
# user@domain clrtxt:clear-text-password md5:md5-password sha256:sha256-password
# ;
# For example: 
# bellesip@sip.linphone.org clrtxt:secret ;
# bellesip@sip.linphone.org md5:97ffb1c6af18e5687bf26cdf35e45d30
# ;
# bellesip@sip.linphone.org clrtxt:secret md5:97ffb1c6af18e5687bf26cdf35e45d30
# sha256:d7580069de562f5c7fd932cc986472669122da91a0f72f30ef1b20ad6e4f61a3
# ;
# Default: 
#file-path=

# Choose the type of backend that Soci will use for the connection.
# Depending on your Soci package and the modules you installed,
# this could be 'mysql', 'oracle', 'postgresql' or something else.
# Default: mysql
#soci-backend=mysql

# The configuration parameters of the Soci backend.
# The basic format is "key=value key2=value2". For a mysql backend,
# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
# Please refer to the Soci documentation of your backend, for intance:
# http://soci.sourceforge.net/doc/release/4.0/backends/mysql/
# Default: db=mydb user=myuser password='mypass' host=myhost.com
#soci-connection-string=db=mydb user=myuser password='mypass' host=myhost.com

# Soci SQL request used to obtain the password of a given user.
# Each keywords starting with ':' character will be replaced by
# strings extracted from the SIP request to authenticate.
# 
# Only these keywords are supported: - ':id'     : the user found
# in the from header (mandatory)
#  - ':domain' : the authorization realm
#  - ':authid' : the authorization username
# 
# The request MUST returns a two-columns table, which columns are
# defined as follow:
#  - 1st column: hashed password of the user or plain password if
#    the associated algorithm is CLRTXT.
#  - 2nd column: the algorithm used to hash the associated password.
#    Supported values: 'CLRTXT', 'MD5', 'SHA-256'
# 
# Examples:
#  - the password and algorithm are both available in the database
# 	select password, algorithm from accounts where login = :id and
# domain = :domain
# 
#  - all the passwords from the database are MD5
# 	select password, 'MD5' from accounts where login = :id and domain
# = :domain
# Default: select password, 'MD5' from accounts where login = :id and domain = :domain
#soci-password-request=select password, 'MD5' from accounts where login = :id and domain = :domain

# Amount of queries that will be allowed to be queued before bailing
# password requests.
# This value should be chosen accordingly with 'soci-poolsize',
# so that you have a coherent behavior.
# This limit is here mainly as a safeguard against out-of-control
# growth of the queue in the event of a flood or big delays in the
# database backend.
# Default: 1000
#soci-max-queue-size=1000

# Size of the pool of connections that Soci will use. A thread is
# opened for each DB query, and this pool will allow each thread
# to get a connection.
# The threads are blocked until a connection is released back to
# the pool, so increasing the pool size will allow more connections
# to occur simultaneously.
# On the other hand, you should not keep too many open connections
# to your DB at the same time.
# Default: 100
#soci-poolsize=100






##
## This module redirect sip requests with a 302 move temporarily.
##
[module::Redirect]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# A contact where to redirect requests. ex: <sip:127.0.0.1:5065>;expires=100
# Default: 
#contact=






##
## This module is in charge of routing 'reg' event SUBSCRIBE requests
## to the flexisip-regevent server.
##
[module::RegEvent]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# A sip uri where to send all the reg-event related requests.
# Default: sip:127.0.0.1:6065;transport=tcp
#regevent-server=sip:127.0.0.1:6065;transport=tcp






##
## This module is in charge of intercepting calls and route them
## to the back-to-back user agent server
##
[module::B2bua]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# A sip uri where to send all the relevent requests.
# Default: sip:127.0.0.1:6067;transport=tcp
#b2bua-server=sip:127.0.0.1:6067;transport=tcp






##
## This module transfers SIP presence messages, like subscribe/notify/publish
## to a presence server.
##
[module::Presence]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')
#filter=is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')

# A SIP URI where to send all presence related requests.
# Default: sip:127.0.0.1:5065;transport=tcp
#presence-server=sip:127.0.0.1:5065;transport=tcp

# If true, only manage list subscription.
# Default: false
#only-list-subscription=false

# When getting the list of users with phones, if this setting is
# enabled, it will limit the results to the ones that have the same
# domain.
# Default: false
#check-domain-in-presence-results=false






##
## The ModuleRegistrar module handles REGISTERs for domains it is
## in charge of, and store the address of record in order to allow
## routing requests destinated to the client who registered. REGISTERs
## for other domains are simply ignored and given to the next module.
##
[module::Registrar]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# List of whitespace separated domain names which the registar is
# in charge of. It can eventually be the '*' (wildcard) in order
# to match any domain name.
# Default: localhost
#reg-domains=localhost

# Register users based on response obtained from a back-end server.
# This mode is for using flexisip as a front-end server to hold
# client connections but registeracceptance is deferred to backend
# server to which the REGISTER is routed.
# Default: false
#reg-on-response=false

# Maximum number of registered contacts per address of record.
# Default: 12
#max-contacts-by-aor=12

# List of contact URI parameters that can be used to identify a
# user's device. The contact parameters are searched in the order
# of the list, the first matching parameter is used and the others
# ignored.
# Default: +sip.instance pn-tok line
#unique-id-parameters=+sip.instance pn-tok line

# When supported by the client, assign a pub-gruu address to the
# client, returned in the response. 
# Default: true
#enable-gruu=true

# Maximum expire time for a REGISTER, in seconds.
# Default: 86400
#max-expires=86400

# Minimum expire time for a REGISTER, in seconds.
# Default: 60
#min-expires=60

# Set a value that will override expire times given by the REGISTER
# requests. A null or negative value disables that feature. If it
# is enabled, max-expires and min-expires will not have any effect.
# Default: -1
#force-expires=-1

# File containing the static records to add to database on startup.
# Format: one 'sip_uri contact_header' by line. Example:
# <sip:contact@domain> <sip:127.0.0.1:5460>,<sip:192.168.0.1:5160>
# Default: 
#static-records-file=

# Timeout in seconds after which the static records file is re-read
# and the contacts updated.
# Default: 600
#static-records-timeout=600

# Implementation used for storing the contact URIs of each address
# of record. Two backends are available:
#  - redis : contacts are stored in a Redis database, which allows
#    persistent and shared storage accross multiple Flexisip instances.
#  - internal : contacts are stored in RAM. Of course, if flexisip
#    is restarted, all the contact URIs are lost until clients update
#    their registration.
# The redis backend is recommended, the internal being more adapted
# to very small deployments.
# Default: internal
#db-implementation=internal

# Hostname or address of the Redis server. 
# Default: localhost
#redis-server-domain=localhost

# Port of the Redis server.
# Default: 6379
#redis-server-port=6379

# Authentication password for Redis. Empty to disable.
# Default: 
#redis-auth-password=

# Timeout in milliseconds of the Redis connection.
# Default: 1500
#redis-server-timeout=1500

# When Redis is configured in master-slave, Flexisip will periodically
# ask which Redis instances are the slaves and the master. This
# is the period with which it will query the server. It will then
# determine whether is is connected to the master, and if not, let
# go of the connection and migrate to the master.
# Note: This requires that all Redis instances have the same password.
# Otherwise the authentication will fail.
# Default: 60
#redis-slave-check-period=60

# Tell if Flexisip should try to connect to Redis slaves if master
# went down. Can be disabled if slaves hostname info are on private
# network for example.
# Default: true
#redis-use-slaves-as-backup=true

# Sequence of proxies (space-separated) where requests will be redirected
# through (RFC3608)
# Default: 
#service-route=

# Name of the custom Contact header parameter which is to indicate
# the expire time for chat message delivery.
# Default: message-expires
#message-expires-param-name=message-expires

# If not zero, the expire time put in the 200 OK response won't
# be the one required by the user agent, but will be slightly modified
# by substracting a random value. The value given by this parameter
# is the maximum percentage of the initial expire that can be substracted.
# If zero, no randomization is applied.
# Default: 0
#register-expire-randomizer-max=0






##
## The purpose of the StatisticsCollector module is to collect call
## statistics (RFC 6035) and store them on the server.
##
[module::StatisticsCollector]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: is_request && request.method-name == 'PUBLISH'
#filter=is_request && request.method-name == 'PUBLISH'

# SIP URI of the statistics collector. Note that application/vq-rtcpxr
# messages for this address will be deleted by this module and thus
# not be delivered.
# Default: 
#collector-address=






##
## The Router module routes requests for domains it manages.
## The routing algorithm is as follows: 
##  - first skip route headers that directly point to this proxy.
##  - if a route header is found that doesn't point to this proxy,
##    then the request is not processed by the Router module, and will
##    be handled by the Forward module at the end of the processing
##    chain.
##  - examine the request-uri: if it is part of the domains managed
##    by this proxy (according to Registrar module 'reg-domains' definition,
##    then attempt to resolve the request-uri from the Registrar database.
##  - the results from the registrar database, in the form of contact
##    headers, are sorted by priority (q parameter), if any.
##  - for each set of contact with equal priorities, the request
##    is forked, and sent to their corresponding sip URI. After a timeout
##    defined by property 'call-fork-current-branches-timeout', a next
##    set of contact header is determined.
##  - responses are received from all attempted branches, and sent
##    back to the request originator, according to the procedure of
##    RFC3261 16.7 Response processing.
## The router module offers different variations of the routing logic,
## depending on whether it is an INVITE, a MESSAGE, or another type
## of request. The processing of MESSAGE request essentially differs
## from others because it allows to keep the MESSAGE for a later
## delivery, in which case the incoming transaction will be terminated
## with a 202 Accepted response.
##
[module::Router]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# Store and retrieve contacts without using the domain.
# Default: false
#use-global-domain=false

# Fork invites to late registers.
# Default: false
#fork-late=false

# All the forked have to decline in order to decline the caller
# invite.
# Default: false
#fork-no-global-decline=false

# Treat 603 Declined answers as urgent. Only relevant if fork-no-global-decline
# is set to true.
# Default: false
#treat-decline-as-urgent=false

# During a fork procedure, treat all failure response as urgent.
# Default: false
#treat-all-as-urgent=false

# Maximum time for a call fork to try to reach a callee, in seconds.
# Default: 90
#call-fork-timeout=90

# Maximum time before delivering urgent responses during a call
# fork, in seconds. The typical fork process requires to wait the
# best response from all branches before transmitting it to the
# client. However some error responses are retryable immediately
# (like 415 unsupported media, 401, 407) thus it is painful for
# the client to need to wait the end of the transaction time (32
# seconds) for these error codes.
# Default: 5
#call-fork-urgent-timeout=5

# Maximum time in seconds before trying the next set of lower priority
# contacts.
# Default: 10
#call-fork-current-branches-timeout=10

# Fork MESSAGE requests to client registering lately.
# Default: true
#message-fork-late=true

# Maximum duration for delivering a MESSAGE request. This property
# applies only if message-fork-late is 'true'; otherwise, the duration
# can't exceed the normal transaction duration.
# Default: 604800
#message-delivery-timeout=604800

# Maximum duration (in seconds) for accepting a MESSAGE request
# if no response is received from any recipients. This property
# is meaningful when message-fork-late is set to true.
# Default: 5
#message-accept-timeout=5

# If 'true', the message that are waiting for delivery will be stored
# in database instead of memory.
# Default: false
#message-database-enabled=false

# Choose the type of backend that Soci will use for the connection.
# Depending on your Soci package and the modules you installed,
# the supported databases are:`mysql` (and `sqlite3` soon)
# Default: mysql
#message-database-backend=mysql

# The configuration parameters of the backend. The basic format
# is "key=value key2=value2". For a mysql backend, this is a valid
# config: "db=mydb user=user password='pass' host=myhost.com". Please
# refer to the Soci documentation of your backend, for instance:
# http://soci.sourceforge.net/doc/master/backends/#supported-backends-and-features
# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
#message-database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'

# Default route to apply when the recipient is unreachable or when
# when all attempted destination have failed.It is given as a SIP
# URI, for example: sip:example.org;transport=tcp (without surrounding
# brakets)
# Default: 
#fallback-route=

# During a call forking, allow several INVITEs going to the same
# next hop to be grouped into a single one. A proprietary custom
# header 'X-target-uris' is added to the INVITE to indicate the
# final targets of the INVITE.
# Default: false
#allow-target-factorization=false

# Whether the proxy is allowed to generate and send provisional
# responses during a call forking process. A typical example for
# this is the '110 Push sent' emitted by the proxy when at least
# one push notification has been sent to a target UA while routing
# an INVITE. Some old versions of Linphone (below linphone-sdk 4.2)
# suffer from an issue when receiving such kind of provisional responses
# that don't come from a remote client. This setting is mainly intended
# to temporarily workaround this situation.
# Default: true
#permit-self-generated-provisional-response=true

# Whether or not to resolve next hop in route header against registrar
# database. This is an extension to RFC3261, and should not be used
# unless in some specific deployment cases. A next hope in route
# header is otherwise resolved through standard DNS procedure by
# the Forward module.
# Default: false
#resolve-routes=false

# Whether or not to fallback to the parent domain if there is no
# fallback route set and the recipient is unreachable. For example,
# if routing to sip:bob@a.b.com returns no result, route the request
# to b.com. This is also a non-standard behavior.
# Default: false
#parent-domain-fallback=false

# Only use the fallback route if the expression is true.
# Default: true
#fallback-route-filter=true

# Max time, in seconds, the proxy will retain a request in order
# to maintain order.
# Default: 30
#max-request-retention-time=30






##
## This module performs push notifications to mobile phone notification
## systems: apple, android, windows, as well as a generic http get/post
## to a custom server to which actual sending of the notification
## is delegated. The push notification is sent when an INVITE or
## MESSAGE request is not answered by the destination of the request
## within a certain period of time, configurable hereunder by 'timeout'
## parameter. The PushNotification has an implicit dependency on
## the Router module, which is in charge of creating the incoming
## and outgoing transactions and the context associated with the
## request forking process. No push notification can hence be sent
## if the Router module isn't activated. The time-to-live of the
## push notification depends on event for which the push notification
## is generated.  - if it is for a call (INVITE), it will be set
## equal 'call-fork-timeout' property of the Router module, which
## corresponds to the maximum time for a call attempt.
##  - if it is for an IM (MESSAGE or INVITE for a text session),
##    then it will be set equal to the 'message-time-to-live' property.
##
[module::PushNotification]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# Number of seconds to wait before sending a push notification to
# device. A value lesser or equal to zero will make the push notification
# to be sent immediately, which is recommended since most of the
# time devices can't have a permanent connection with the Flexisip
# server.
# Default: 0
#timeout=0

# Time to live for the push notifications related to IM messages,
# in seconds. The default value '0' is interpreted as using the
# same value as for message-delivery-timeout of Router module.
# Default: 0
#message-time-to-live=0

# Maximum number of notifications queued for each push notification
# service
# Default: 100
#max-queue-size=100

# Number of push notification request retransmissions sent to a
# client for a same event (call or message). Retransmissions cease
# when a response is received from the client. Setting a value of
# zero disables retransmissions.
# Default: 0
#retransmission-count=0

# Retransmission interval in seconds for push notification requests,
# when a retransmission-count has been specified above.
# Default: 5
#retransmission-interval=5

# Default interval between to subsequent PNs when remote push notifications
# are used to notify a call invite to a clients that haven't published
# any token for VoIP and background push notifications. In that
# case, several PNs are sent subsequently until the call is picked
# up, declined or canceled. This parameter can be overridden by
# the client by using the 'pn-call-remote-push-interval' push parameter.
# A value of zero will cause the deactivation of push notification
# repetitions and the sending of thefinal notification. Thus, only
# the first push notification will be sent.
# The value must be in [0;30]
# Default: 0
#call-remote-push-interval=0

# If true, the following key in the payload of the push request
# will be set:
#  * 'from-uri': the SIP URI of the caller or the message sender.
#  * 'display-name': the display name of the caller or the message
#    sender.
#  * 'loc-args': the display name if not empty or the SIP URI instead.
# 
# If false, the keys will be set but as empty.
# Default: false
#display-from-uri=false

# Enable push notification for apple devices
# Default: true
#apple=true

# Path to directory where to find Apple Push Notification service
# certificates. They should bear the appid of the application, suffixed
# by the release mode and .pem extension. For example: org.linphone.dev.pem
# org.linphone.prod.pem com.somephone.dev.pem etc... The files should
# be .pem format, and made of certificate followed by private key.
# This is also the path to the directory where to find Voice Over
# IP certificates (certicates to use PushKit). They should bear
# the appid of the application, suffixed by the release mode and
# .pem extension, and made of certificate followed by private key.
# For example: org.linphone.voip.dev.pem org.linphone.voip.prod.pem
# com.somephone.voip.dev.pem etc...
# Default: /etc/flexisip/apn
#apple-certificate-dir=/etc/flexisip/apn

# Set the badge value to 0 for Apple push
# Default: false
#no-badge=false

# Enable push notification for Android devices.
# Default: true
#firebase=true

# List of couples [Firebase Project Number]:[Firebase Cloud Messaging
# API (Legacy) Server Key] (without []) for each Android project
# that supports push notifications.
# Default: 
#firebase-projects-api-keys=

# Enable push notification for Windows Phone 8 devices
# Default: true
#windowsphone=true

# Unique identifier for your Windows Store app.
# For example: ms-app://s-1-15-2-2345030743-3098444494-743537440-5853975885-5950300305-5348553438-505324794
# Default: 
#windowsphone-package-sid=

# Client secret. For example: Jrp1UoVt4C6CYpVVJHUPdcXLB1pEdRoB
# Default: 
#windowsphone-application-secret=

# Instead of having Flexisip sending the push notification directly
# to the Google/Apple/Microsoft push servers, send an http request
# to a server with all required information encoded in the URL,
# to which the actual sending of the push notification is delegated.
# The following arguments can be substitued in the http request
# uri, with the following values:
#  - $type      : apple, google, wp, firebase
#  - $token     : device token
#  - $api-key   : the api key to use (google and firebase only)
#  - $app-id    : application ID
#  - $from-name : the display name in the from header
#  - $from-uri  : the sip uri of the from header
#  - $from-tag  : the tag of the from header 
#  - $to-uri    : the sip uri of the to header
#  - $call-id   : the call-id of the INVITE or MESSAGE request
#  - $event     : call, message
#  - $sound     : the sound file to play with the notification
#  - $msgid     : the message id to put in the notification
#  - $uid       : 
#  
# The content of the text message is put in the body of the http
# request as text/plain, if any.
# Example: http://292.168.0.2/$type/$event?from-uri=$from-uri&tag=$from-tag&callid=$callid&to=$to-uri
# Default: 
#external-push-uri=

# Method for reaching external-push-uri, typically GET or POST
# Default: GET
#external-push-method=GET

# Send service push notification every n minutes to all devices
# that are about to expire and should wake up to REGISTER back.
# 0 to disable. Recommended value: 30
# Default: 0
#register-wakeup-interval=0






##
## The MediaRelay module masquerades SDP message so that all RTP
## and RTCP streams go through the proxy. When the client has set
## ICE candidates in the SDP offer, then the MediaRelay module will
## automatically add ICE relay candidates. The RTP and RTCP streams
## are then routed so that each client receives the stream of the
## other. MediaRelay makes sure that RTP is ALWAYS established, even
## with uncooperative firewalls.
##
[module::MediaRelay]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# The name of the SDP attribute to set by the first proxy to forbid
# subsequent proxies to provide relay. Use 'disable' to disable.
# Default: nortpproxy
#nortpproxy=nortpproxy

# The minimal value of SDP port range
# Default: 1024
#sdp-port-range-min=1024

# The maximal value of SDP port range
# Default: 65535
#sdp-port-range-max=65535

# Sends a ACK and BYE to 200Ok for INVITEs not belonging to any
# established call. This is to solve the race condition that happens
# when two callees answer the same call at the same time. According
# to RFC3261, the caller is expected to send an ACK followed by
# a BYE to the loser callee. This is not the case in RFC2543, where
# the proxy was supposed to do this. When set to true, the MediaRelay
# module will implement the RFC2543 behavior. Note that it may sound
# inappropriate to bundle this property with the media relay feature.
# However the MediaRelay module is the only one in Flexisip that
# has the visibility of SIP dialogs, which is necessary to implement
# this feature.
# Default: false
#bye-orphan-dialogs=false

# Maximum concurrent calls processed by the media-relay. Calls arriving
# when the limit is exceed will be rejected. A value of 0 means
# no limit.
# Default: 0
#max-calls=0

# When true, the 'c=' line and port number are set to the relay
# ip/port even if ICE candidates are present in the request, while
# the standard behavior is to leave the c= line and port number
# as they are in the original offer sent by the client. This variation
# allows callees that do not support ICE at all to benefit from
# the media relay service.
# Default: true
#force-relay-for-non-ice-targets=true

# Prevent media-relay ports to loop between them, which can cause
# 100% cpu on the media relay thread. You need to set this property
# to false if you are running test calls from clients running on
# the same IP address as the flexisip server
# Default: true
#prevent-loops=true

# In case multiples '183 Early media' responses are received for
# a call, only the first one will have RTP streams forwarded back
# to caller. This feature prevents the caller to receive 'mixed'
# streams, but it breaks scenarios where multiple servers play early
# media announcement in sequence.
# Default: true
#early-media-relay-single=true

# Maximum number of relayed early media streams per call. This is
# useful to limit the cpu usage due to early media relaying on embedded
# systems. A value of 0 stands for unlimited.
# Default: 0
#max-early-media-per-call=0

# Period of time in seconds, after which a relayed call without
# any activity is considered as no longer running. Activity counts
# RTP/RTCP packets exchanged through the relay and SIP messages.
# Default: 3600
#inactivity-period=3600

# Force the media relay to use the public address of Flexisip to
# relay calls. It not enabled, Flexisip will deduce a suitable IP
# address by basing on data from SIP messages, which could fail
# in tricky situations e.g. when Flexisip is behind a TCP proxy.
# Default: false
#force-public-ip-for-sdp-masquerading=false






##
## The purpose of the Transcoder module is to transparently transcode
## from one audio codec to another to make the communication possible
## between clients that do not share the same set of supported codecs.
## Concretely, it adds all missing codecs into the INVITEs it receives,
## and adds codecs matching the original INVITE into the 200Ok. Rtp
## ports and addresses are masqueraded so that the streams can be
## processed by the proxy. The transcoding job is done in the background
## by the Mediastreamer2 library, as consequence the set of supported
## codecs is exactly the the same as the codec set supported by Mediastreamer2,
## including the possible plugins you may installed to extend Mediastreamer2.
## 
## WARNING: this module can conflict with the MediaRelay module as
## they are both changing the SDP. Make sure to configure them with
## different to-domains or from-domains filter if you want to enable
## both of them.
##
[module::Transcoder]

# Indicate whether the module is activated.
# Default: false
#enabled=false

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# Nominal size of RTP jitter buffer, in milliseconds. A value of
# 0 means no jitter buffer (packet processing).
# Default: 0
#jb-nom-size=0

# Whitespace separated list of user-agent strings for which audio
# rate control is performed.
# Default: 
#rc-user-agents=

# Whitespace seprated list of audio codecs, in order of preference.
# The 'telephone-event' codec is necessary for inband DTMF processing.
# Default: speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000
#audio-codecs=speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000

# Remove the bandwidth limitations from SDP offers and answers
# Default: false
#remove-bw-limits=false

# If true, retransmissions of INVITEs will be blocked. The purpose
# of this option is to limit bandwidth usage and server load on
# reliable networks.
# Default: false
#block-retransmissions=false






##
## This module executes the basic routing task of SIP requests and
## pass them to the transport layer. It must always be enabled.
##
[module::Forward]

# Indicate whether the module is activated.
# Default: true
#enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2'). You can consult the full filter
# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# Default: 
#filter=

# A path to a configuration file describing routes to be prepended
# before forwarding a request, when specific conditions for the
# SIP request being forwarded are met. The condition is described
# using flexisip's filter syntax, as described on 
# https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
# The configuration file comprises lines using the following syntax:
# <sip route>   <condition expressed as a filter expression> 
# Comments are allowed with '#'.
# Conditions can spread over multiples lines provided that the continuation
# line starts with either spaces or tabs.
# The special condition '*' matches every request.
# The conditions are matched in the order they appear in the configuration
# file. The first fulfilled condition determines the route that
# is prepended.If the request does not match any condition, no route
# is prepended.
# The file may be empty, or no path may be specified, in which case
# no route is preprended either. Here is a an example of a valid
# routes configuration file:
# <sip:example.org;transport=tls>     request.uri.domain == 'example.org'
# <sip:10.0.0.2:5070;transport=tcp>   request.uri.params contains
# 'user=phone'
# 
# Beware: that is not just a SIP URI, but a route. As a result,
# when the URI has parameters, brackets must enclose the URI, otherwise
# the parameters will be parsed as route parameters.
# Default: 
#routes-config-path=

# Add a path header of this proxy
# Default: true
#add-path=true

# For SIP URIs, in asbsence of transport parameter, assume the given
# transport is to be used. Possible values are udp, tcp or tls.
# Default: udp
#default-transport=udp

# List of URL and contact params to remove
# Default: pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent pn-provider pn-prid pn-param
#params-to-remove=pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent pn-provider pn-prid pn-param






##
## Inter domain connections is a set of feature allowing to dynamically
## connect several Flexisip servers together in order to manage SIP
## routing at local and global scope. Let's suppose you have two
## SIP network a.example.net and b.example.net run privately and
## independently (no one from a.example.net needs to call someone
## at b.example.net). However, when people from a and b are outside
## of their network, they register to a worldwide available Flexisip
## instance running on 'global.example.net'. It is then possible
## to:
##  * have calls made within a.example.net routed locally and sent
##    to global.example.net in order to reach users inside and outside
##    of a's network. Example: 1@a.example.net calls 2@a.example.net.
##    If 2 is registered on a.example.net then the call is routed locally.
##    On the contrary if 2 is absent and registered, the call is then
##    sent to global.example.net and then routed by the global proxy.
##  * when global.example.net receives a call from a user not within
##    its native network (ex: 1@a.example.net calls 2@a.example.net),
##    it can route this call to the proxy that is responsible for managing
##    the local domain (a.example.net).
## 
## This system is dynamic: the physical IP address of a and b network
## can change (dynamic ip address allocation)
## .This scenario is achieved with two key features:
##  * a.example.net sends a REGISTER to global.example.net to indicate
##    that it is the responsible for the entire domain a.example.net.
##    The global.example.net authenticates this REGISTER thanks to TLS
##    client certificate presented by a.example.net.
##  * global.example.net is configured to accept this domain registration
##    and route all calls it receives directly and destinated to a.example.net
##    domain through the connection established by a.example.net during
##    the domain registration.
##
[inter-domain-connections]

# Whether Flexisip shall accept registrations for entire domains
# Default: false
#accept-domain-registrations=false

# Whether Flexisip shall assume that there is a unique server per
# registered domain, which allows to clean old registrations and
# simplifies the routing logic.
# Default: false
#assume-unique-domains=false

# Path to a text file describing the domain registrations to make.
# This file must contains lines like:
#  <local domain name> <SIP URI of proxy/registrar where to send
# the domain REGISTER> [password]>
#  where:
#  <local domain name> is a domain name managed locally by this
# proxy
#  <SIP URI of proxy/registrar> is the SIP URI where the domain
# registration will be sent. The special uri parameter 'tls-certificates-dir'
# is understood in order to specify a TLS client certificate to
# present to the remote proxy.
#  [password] is the password to use if the remote proxy/registrar
# requests a digest authentication. It is optional.
#  If the file is absent or empty, no registrations are done.An
# example of such line is:
# belledonne.linphone.org <sips:sip.linphone.org;tls-certificates-dir=/etc/flexisip/client-cert>
# gghhiioozz
# Default: /etc/flexisip/domain-registrations.conf
#domain-registrations=/etc/flexisip/domain-registrations.conf

# When submitting a domain registration to a server over TLS, verify
# the certificate presented by the server. Disabling this option
# is only for test, because it is a security flaw
# Default: true
#verify-server-certs=true

# Interval in seconds for sending \r\n\r\n keepalives through the
# outgoing domain registration connection.A value of zero disables
# keepalives.
# Default: 30
#keepalive-interval=30

# Delay in milliseconds after which TCP/TLS connections will be
# considered as broken if no CRLF pong has beenreceived from the
# remote peer. A delay of 0 means that no pong is expected after
# ping.
# Warning: This parameter must be strictly lower than “keepalive-interval”.
# Default: 0
#ping-pong-timeout-delay=0

# Delay in seconds before creating a new connection after connection
# is known as broken. Set '0' in order the connection be recreated
# immediately.
# Default: 5
#reconnection-delay=5

# Whether Flexisip shall only send a domain registration when a
# device is registered
# Default: false
#reg-when-needed=false

# Route received REGISTER request to the server in charge of the
# domain, according to accepted domain registrations. This option
# is intended to be used with 'reg-on-response' mode of Registrar
# module, and 'accept-domain-registrations' enabled too.The 'reg-on-response'
# mode typically allows Flexisip to forward an incoming REGISTER
# to an upstream server, and record the client's contact address
# upon receiving the 200 Ok response from the upstream server. When
# 'relay-reg-to-domains' is enabled, the routing to the upstream
# server is performed according to the domain registrations received
# previously by flexisip, instead of usual DNS-based procedures.
# Default: false
#relay-reg-to-domains=false

# regex to match domain names (host part of URL) for which the register
# requests should be routed to the upstream server.This option is
# intended to be used with 'relay-reg-to-domains' mode enabled.
# Default: 
#relay-reg-to-domains-regex=