Flexisip is a complete, modular and scalable SIP server suite written in C++11, comprising proxy, presence and group chat functions.
Flexisip is an easy-to-install SIP server solution that provides, “out of the box”, all the features required to deploy your own SIP service tuned for mobile or desktop applications.
Flexisip can be integrated into your SIP infrastructure for various purposes:
FLEXISIP IN THE CLOUD
Flexisip instances can be deployed on server machines to run a SIP VoIP service.
The free linphone.org SIP service has run on Flexisip since 2011, and enables Linphone users to create SIP addresses in order to connect with each other.
FLEXISIP EMBEDDED
Thanks to its modular architecture and its limited number of required dependencies, Flexisip can run perfectly on small hardware systems (embedded systems).
FLEXISIP PUSH GATEWAY
The Push Gateway is a specific operation mode of Flexisip, and was developed by Belledonne Communications to deliver SIP incoming calls or text messages on mobile device platforms where push notifications are required to receive information when the app is not active in the foreground.
Supporting push notifications was already highly recommended and has now become mandatory in some OS (iOS ≥ 10, Android ≥ 8). The push system is promoted as an efficient, highly reliable, bug-free system for receiving information while the phone is switched off.
Flexisip Push Gateway can be integrated into existing SIP infrastructures that do not support push notifications, and in most cases without requiring any configuration changes.
Flexisip installation on CentOS 7
This guide will show you how to install and configure Flexisip on CentOS 7.
1. Install the “Extra Packages for Enterprise Linux (EPEL)” repository; it is used for some Flexisip dependencies such as the Hiredis library.
    yum -y install epel-release
2. Add Belledonne Communications’ repository by creating /etc/yum.repos.d/BelledonneCom.repo with the following content:
    # keep this repository enabled even if you enable beta/alpha repositories
    [Belledonne-stable]
    name=Belledonne-stable
    baseurl=http://www.linphone.org/snapshots/centos/$releasever/stable
    enabled=1
    gpgcheck=0

    # enable this if you want pre-release packages
    [Belledonne-beta]
    name=Belledonne-beta
    baseurl=http://www.linphone.org/snapshots/centos/$releasever/beta
    enabled=1
    gpgcheck=0

    # enable this to have development (unstable) packages
    [Belledonne-alpha]
    name=Belledonne-alpha
    baseurl=http://www.linphone.org/snapshots/centos/$releasever/alpha
    enabled=0
    gpgcheck=0
Add the MariaDB repository to get the latest MariaDB packages by creating /etc/yum.repos.d/MariaDB.repo with the following content:
    # MariaDB 10.4 CentOS repository list - created 2020-02-07 07:47 UTC
    # http://downloads.mariadb.org/mariadb/repositories/
    [mariadb]
    name = MariaDB
    baseurl = http://yum.mariadb.org/10.4/centos7-amd64
    gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
    gpgcheck=1
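The enabled Belledonne repositories above are fetched over http:// with gpgcheck=0, so nothing authenticates the packages that yum installs as root. The audit below is an added example (not part of the original guide or of Flexisip); the sample strings are constructed from the two files above, and the hardened entry uses a placeholder host and key path.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples: the baseurl/enabled/gpgcheck keys of the two files from step 2.
BELLEDONNE_REPO = """\
[Belledonne-stable]
baseurl=http://www.linphone.org/snapshots/centos/$releasever/stable
enabled=1
gpgcheck=0
[Belledonne-beta]
baseurl=http://www.linphone.org/snapshots/centos/$releasever/beta
enabled=1
gpgcheck=0
[Belledonne-alpha]
baseurl=http://www.linphone.org/snapshots/centos/$releasever/alpha
enabled=0
gpgcheck=0
"""
MARIADB_REPO = """\
[mariadb]
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
"""
# Hypothetical hardened entry (placeholder host and key path, not a real repository).
HARDENED_REPO = """\
[example-signed]
baseurl=https://repo.example.invalid/centos/$releasever/stable
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER
gpgcheck=1
"""

def _is_http(urls):
    return any(urlsplit(u).scheme == "http" for u in urls.split())

def audit_repo(text):
    """Return {repo_id: {"severity", "findings"}} for enabled repos with weak settings."""
    parser = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip() == "0":
            continue  # yum does not use a disabled repository
        findings = []
        gpgcheck = repo.get("gpgcheck", "").strip()
        signed = gpgcheck == "1"
        if gpgcheck == "":
            findings.append("gpgcheck unset: value is inherited from [main] in /etc/yum.conf")
        elif not signed:
            findings.append("gpgcheck=0: package signatures are not verified")
        plain = _is_http(repo.get("baseurl", ""))
        if plain:
            findings.append("baseurl uses http://: repository metadata is not authenticated in transit")
        if signed and _is_http(repo.get("gpgkey", "")):
            findings.append("gpgkey uses http://: the signing key can be replaced in transit")
        if findings:
            # With signature checks explicitly off and plain HTTP, nothing authenticates packages.
            severity = "high" if plain and gpgcheck == "0" else "medium"
            report[repo_id] = {"severity": severity, "findings": findings}
    return report

if __name__ == "__main__":
    for sample in (BELLEDONNE_REPO, MARIADB_REPO, HARDENED_REPO):
        for repo_id, result in audit_repo(sample).items():
            print(repo_id, result["severity"], *result["findings"], sep="\n  ")
```

On a real host, pass the contents of each file under /etc/yum.repos.d/ to `audit_repo`.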
3. Update yum, then install Flexisip and, if you need them, the additional components MariaDB and Redis
    yum update
    yum install bc-flexisip redis mariadb-server mariadb-client
4. Set paths for binary and library
Binary Path: /opt/belledonne-communications/bin
Library Path: /opt/belledonne-communications/lib64
Export binary path
Add the following line to the end of .bashrc in your home folder.
    export PATH=$PATH:/opt/belledonne-communications/bin
Export library path
    $ echo "/opt/belledonne-communications/lib64" | sudo tee /etc/ld.so.conf.d/flexisip.conf
Activate library path
    $ sudo ldconfig
Temporary (current shell session only)
    $ export PATH=$PATH:/opt/belledonne-communications/bin
    $ export LD_LIBRARY_PATH=/opt/belledonne-communications/lib64
5. Configure Redis
Modify /etc/redis.conf and set the items “bind”, “systemd” and “password”.
    sudo nano /etc/redis.conf

    ################################## NETWORK #####################################

    # By default, if no "bind" configuration directive is specified, Redis listens
    # for connections from all the network interfaces available on the server.
    # It is possible to listen to just one or multiple selected interfaces using
    # the "bind" configuration directive, followed by one or more IP addresses.

    bind 127.0.0.1

    ################################# GENERAL #####################################

    # By default Redis does not run as a daemon. Use 'yes' if you need it.
    # Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
    daemonize yes

    # If you run Redis from upstart or systemd, Redis can interact with your
    # supervision tree. Options:
    #   supervised no      - no supervision interaction
    #   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
    #   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
    #   supervised auto    - detect upstart or systemd method based on
    #                        UPSTART_JOB or NOTIFY_SOCKET environment variables
    # Note: these supervision methods only signal "process is ready."
    #       They do not enable continuous liveness pings back to your supervisor.
    supervised systemd

    ################################## SECURITY ###################################

    # Require clients to issue AUTH before processing any other
    # commands. This might be useful in environments in which you do not trust
    # others with access to the host running redis-server.
    #
    # This should stay commented out for backward compatibility and because most
    # people do not need auth (e.g. they run their own servers).
    #
    # Warning: since Redis is pretty fast an outside user can try up to
    # 150k passwords per second against a good box. This means that you should
    # use a very strong password otherwise it will be very easy to break.
    #
    requirepass xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
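A check for the bind and password settings from step 5, plus the requirement that redis-auth-password in flexisip.conf (step 8) carries the same secret as requirepass. This is an added example, not code from the guide, Redis or Flexisip; the sample files, the placeholder secret and the 32-character minimum are assumptions.

```python
import configparser
import ipaddress

# Constructed samples; the secret is a placeholder.
STOCK_REDIS_CONF = "# bind 127.0.0.1\n# requirepass <unset>\n"
STEP5_REDIS_CONF = """\
bind 127.0.0.1
daemonize yes
supervised systemd
requirepass CONSTRUCTED-placeholder-0123456789abcdef
"""
FLEXISIP_CONF = """\
[module::Registrar]
db-implementation=redis
redis-server-domain=localhost
redis-server-port=6379
redis-auth-password=CONSTRUCTED-placeholder-0123456789abcdef
"""
MIN_SECRET_LEN = 32  # assumption for this example, not a Redis or Flexisip rule


def active_directives(text):
    """Map each uncommented directive to its arguments (later lines overwrite earlier)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            found[name.lower()] = args
    return found


def _loopback(addr):
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # hostnames and wildcards are treated as exposed


def check_redis(redis_conf, flexisip_conf):
    """Return a list of findings; an empty list means the settings are consistent."""
    conf = active_directives(redis_conf)
    issues = []
    binds = conf.get("bind", [])
    if not binds:
        issues.append("no bind directive: Redis listens on all interfaces")
    issues += [f"bind {a}: not a loopback address" for a in binds if not _loopback(a)]
    secret = "".join(conf.get("requirepass", [])[:1])
    if not secret:
        issues.append("requirepass not set: clients are not asked to AUTH")
    elif len(secret) < MIN_SECRET_LEN:
        issues.append(f"requirepass is only {len(secret)} characters long")
    flexisip = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    flexisip.read_string(flexisip_conf)
    client = flexisip.get("module::Registrar", "redis-auth-password", fallback="")
    if secret and client != secret:
        issues.append("redis-auth-password in flexisip.conf differs from requirepass")
    return issues


if __name__ == "__main__":
    for label, sample in (("stock", STOCK_REDIS_CONF), ("step 5", STEP5_REDIS_CONF)):
        print(label, check_redis(sample, FLEXISIP_CONF) or "ok")
```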
6. Install and configure SNMP (optional)
Install the SNMP daemon to monitor and manage the SIP server status (CPU, memory, disk, network usage and so on).
SNMP: “Simple Network Management Protocol.” Install the following packages.
https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/SNMP/
    $ sudo yum install snmp snmpd snmp-mibs-downloader
To let the SNMP manager import the MIB files, comment out “mibs :” in /etc/snmp/snmp.conf.
    # As the snmp packages come without MIB files due to license reasons, loading
    # of MIBs is disabled by default. If you added the MIBs you can reenable
    # loading them by commenting out the following line.
    #mibs : comment out
Modify /etc/snmp/snmpd.conf
    sudo nano /etc/snmp/snmpd.conf

    agentAddress udp:127.0.0.1:161

    master agentx
    rocommunity public localhost
    rwcommunity private localhost
    rouser authOnlyUser
    rwuser authPrivUser priv
7. Configure MariaDB
Enable at boot and start:
    $ systemctl enable mariadb
    $ systemctl start mariadb
Set the password
    $ sudo mysql_secure_installation
Log in as root
    $ mysql -u root -p
Create the user “flexisip” and the database “flexisip”, leave the root login, log in again as the user “flexisip”, and create the table “accounts”.
    MariaDB [(none)]> create user 'flexisip'@'localhost' identified by 'password';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> grant all privileges on flexisip.* to 'flexisip'@'localhost';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> create database flexisip;
    MariaDB [(none)]> system mysql -u flexisip -p
    MariaDB [(none)]> use flexisip;
    MariaDB [flexisip]> create table if not exists accounts (
        registerID INT UNSIGNED NOT NULL AUTO_INCREMENT,
        login VARCHAR(20) NOT NULL DEFAULT 'loginid',
        domain VARCHAR(20) NOT NULL DEFAULT 'sip.server.com',
        authid VARCHAR(20) NOT NULL DEFAULT 'authid',
        password VARCHAR(40) NOT NULL DEFAULT 'dd02c7c2232759874e1c205587017bed',
        algorithm VARCHAR(10) NOT NULL DEFAULT 'MD5',
        phone VARCHAR(20) NOT NULL DEFAULT '818012345678',
        PRIMARY KEY (registerID)
    );
    Query OK, 0 rows affected (0.51 sec)

    MariaDB [flexisip]> SHOW TABLES;
    +--------------------+
    | Tables_in_flexisip |
    +--------------------+
    | accounts           |
    +--------------------+
    1 row in set (0.00 sec)

    MariaDB [flexisip]> DESCRIBE accounts;
    +------------+------------------+------+-----+----------------------------------+----------------+
    | Field      | Type             | Null | Key | Default                          | Extra          |
    +------------+------------------+------+-----+----------------------------------+----------------+
    | registerID | int(10) unsigned | NO   | PRI | NULL                             | auto_increment |
    | login      | varchar(20)      | NO   |     | loginid                          |                |
    | domain     | varchar(20)      | NO   |     | sip.server.com                   |                |
    | authid     | varchar(20)      | NO   |     | authid                           |                |
    | password   | varchar(40)      | NO   |     | dd02c7c2232759874e1c205587017bed |                |
    | algorithm  | varchar(10)      | NO   |     | MD5                              |                |
    | phone      | varchar(20)      | NO   |     | 818012345678                     |                |
    +------------+------------------+------+-----+----------------------------------+----------------+
    7 rows in set (0.00 sec)

    MariaDB [flexisip]> SHOW CREATE TABLE accounts \G
    *************************** 1. row ***************************
           Table: accounts
    Create Table: CREATE TABLE `accounts` (
      `registerID` int(10) unsigned NOT NULL AUTO_INCREMENT,
      `login` varchar(20) NOT NULL DEFAULT 'loginid',
      `domain` varchar(20) NOT NULL DEFAULT 'sip.server.com',
      `authid` varchar(20) NOT NULL DEFAULT 'authid',
      `password` varchar(40) NOT NULL DEFAULT 'dd02c7c2232759874e1c205587017bed',
      `algorithm` varchar(10) NOT NULL DEFAULT 'MD5',
      `phone` varchar(20) NOT NULL DEFAULT '818012345678',
      PRIMARY KEY (`registerID`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
    1 row in set (0.01 sec)

    MariaDB [flexisip]> INSERT INTO accounts VALUES (1001, 'friend1','sip.server.com', 'friend1', '', '', '');
    Query OK, 1 row affected (0.06 sec)

    MariaDB [flexisip]> select * from accounts;
    +------------+---------+----------------------+---------+----------+------------+-------+
    | registerID | login   | domain               | authid  | password | algorithm  | phone |
    +------------+---------+----------------------+---------+----------+------------+-------+
    |       1001 | friend1 | sip.server.com       | friend1 |          |            |       |
    +------------+---------+----------------------+---------+----------+------------+-------+
    1 row in set (0.00 sec)
8. Configure Flexisip and run it
Write the Flexisip default configuration file “flexisip.conf” to the /etc/flexisip/ directory.
    $ sudo /opt/belledonne-communications/bin/flexisip --dump-default all | sudo tee /etc/flexisip/flexisip.conf > /dev/null
Modify /etc/flexisip/flexisip.conf. There are many options, so the following settings might not be optimal.
    [global]
    log-directory=/var/opt/belledonne-communications/log/flexisip
    log-level=debug
    syslog-level=error
    user-errors-logs=false
    contextual-log-filter=
    contextual-log-level=debug
    dump-corefiles=false
    auto-respawn=true
    aliases=localhost yourdomain.org
    default-servers=proxy
    transports=sip:*
    tls-certificates-dir=/etc/flexisip/tls/
    tls-ciphers=HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL
    idle-timeout=3600
    keepalive-interval=1800
    proxy-to-proxy-keepalive-interval=0
    require-peer-certificate=false
    transaction-timeout=32000
    udp-mtu=1460
    enable-snmp=false
    unique-id=
    plugins-dir=/opt/belledonne-communications/lib64/flexisip/plugins
    plugins=

    [cluster]
    enabled=false
    cluster-domain=
    nodes=
    internal-transport=sip:%auto:5059;transport=tcp

    [mdns-register]
    enabled=false
    mdns-priority=0
    mdns-weight=100
    mdns-ttl=3600

    [event-logs]
    enabled=true
    logger=filesystem
    dir=/var/log/flexisip
    database-backend=mysql
    database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'
    database-max-queue-size=100
    database-nb-threads-max=10

    [monitor]
    enabled=false
    test-interval=30
    logfile=/etc/flexisip/flexisip_monitor.log
    switch-port=12345
    password-salt=

    [stun-server]
    enabled=true
    bind-address=0.0.0.0
    port=3478

    [presence-server]
    enabled=true
    transports=sip:127.0.0.1:5065;transport=tcp
    expires=600
    notify-limit=200
    leak-detector=false
    long-term-enabled=true
    bypass-condition=false
    external-list-subscription-request=
    soci-connection-string=db=flexisip user=flexisip password='password' host=localhost
    max-thread=50
    max-thread-queue-size=50

    [conference-server]
    enabled=true
    transport=sip:127.0.0.1:6064;transport=tcp
    conference-factory-uri=sip:conference-factory@yourdomain.org
    enable-one-to-one-chat-room=true
    outbound-proxy=sip:127.0.0.1:5070;transport=tcp
    database-backend=mysql
    database-connection-string=db=flexisip user=flexisip password='password' host=localhost
    check-capabilities=true

    [module::DoSProtection]
    enabled=true
    filter=
    time-period=15000
    packet-rate-limit=20
    ban-time=2
    iptables-chain=FLEXISIP

    [module::SanityChecker]
    enabled=true
    filter=

    [module::GarbageIn]
    enabled=false
    filter=false

    [module::NatHelper]
    enabled=true
    filter=
    contact-verified-param=verified
    fix-record-routes=false
    fix-record-routes-policy=safe

    [module::Authentication]
    enabled=true
    filter=
    auth-domains=localhost yourdomain.org
    available-algorithms=
    disable-qop-auth=false
    no-403=false
    nonce-expires=3600
    realm-regex=
    trusted-hosts=
    db-implementation=soci
    datasource=
    cache-expire=1800
    reject-wrong-client-certificates=false
    tls-client-certificate-required-subject=
    new-auth-on-407=false
    enable-test-accounts-creation=false
    trust-domain-certificates=false
    soci-password-request=select password, algorithm from accounts where login = :id and domain = :domain
    soci-user-with-phone-request=select login from accounts where phone = :phone
    soci-users-with-phones-request=select login, domain, phone from accounts where phone in (:phones)
    soci-poolsize=100
    soci-backend=mysql
    soci-connection-string=db=flexisip user=flexisip password='password' host=localhost
    soci-max-queue-size=1000

    [module::Redirect]
    enabled=false
    filter=
    contact=

    [module::Presence]
    enabled=true
    filter=is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')
    presence-server=sip:127.0.0.1:5065;transport=tcp
    only-list-subscription=false
    check-domain-in-presence-results=false

    [module::Registrar]
    enabled=true
    filter=
    reg-domains=localhost yourdomain.org
    reg-on-response=false
    max-contacts-by-aor=12
    unique-id-parameters=+sip.instance pn-tok line
    max-expires=86400
    min-expires=60
    force-expires=-1
    static-records-file=
    static-records-timeout=600
    db-implementation=redis
    redis-server-domain=localhost
    redis-server-port=6379
    redis-auth-password=verylongpasswordfromredis.conf
    redis-server-timeout=1500
    redis-record-serializer=protobuf
    redis-slave-check-period=60
    service-route=
    name-message-expires=message-expires
    register-expire-randomizer-max=0

    [module::StatisticsCollector]
    enabled=false
    filter=is_request && request.method-name == 'PUBLISH'
    collector-address=

    [module::Router]
    enabled=true
    filter=
    use-global-domain=false
    fork=true
    stateful=true
    fork-late=false
    fork-no-global-decline=false
    treat-decline-as-urgent=false
    treat-all-as-urgent=false
    call-fork-timeout=90
    call-fork-urgent-timeout=5
    call-fork-current-branches-timeout=10
    call-push-response-timeout=0
    message-fork-late=true
    message-delivery-timeout=3600
    message-accept-timeout=15
    fallback-route=
    allow-target-factorization=false
    permit-self-generated-provisional-response=true
    generated-contact-route=
    generated-contact-expected-realm=
    generate-contact-even-on-filled-aor=false
    preroute=
    resolve-routes=false
    parent-domain-fallback=false

    [module::PushNotification]
    enabled=true
    filter=
    timeout=5
    max-queue-size=100
    time-to-live=2592000
    retransmission-count=0
    retransmission-interval=5
    apple=true
    apple-certificate-dir=/etc/flexisip/apn
    apple-silent-push-type=pushkit
    google=true
    google-projects-api-keys=
    firebase=true
    firebase-projects-api-keys=
    windowsphone=true
    windowsphone-package-sid=
    windowsphone-application-secret=
    no-badge=false
    external-push-uri=
    external-push-method=GET

    [module::MediaRelay]
    enabled=true
    filter=
    nortpproxy=nortpproxy
    sdp-port-range-min=1024
    sdp-port-range-max=65535
    bye-orphan-dialogs=false
    max-calls=0
    force-relay-for-non-ice-targets=true
    prevent-loops=true
    early-media-relay-single=true
    max-early-media-per-call=0
    inactivity-period=3600
    force-public-ip-for-sdp-masquerading=false

    [module::Transcoder]
    enabled=false
    filter=
    jb-nom-size=0
    rc-user-agents=
    audio-codecs=speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000
    remove-bw-limits=false
    block-retransmissions=false

    [module::Forward]
    enabled=true
    filter=
    route=
    add-path=true
    rewrite-req-uri=false
    default-transport=udp
    params-to-remove=pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent

    [inter-domain-connections]
    accept-domain-registrations=false
    assume-unique-domains=false
    domain-registrations=/etc/flexisip/domain-registrations.conf
    verify-server-certs=true
    keepalive-interval=30
    reg-when-needed=false
9. Start the services
    systemctl start flexisip-proxy flexisip-presence flexisip-conference
10. Check Flexisip Server status
    $ sudo service flexisip-proxy status
    ● flexisip-proxy.service - Flexisip proxy server
       Loaded: loaded (/lib/systemd/system/flexisip-proxy.service; disabled; vendor preset: enabled)
       Active: active (running) since Mon 2020-02-02 9:17:44 EET; 1h ago
         Docs: http://www.linphone.org/technical-corner/flexisip/overview
      Process: 26504 ExecStart=/opt/belledonne-communications/bin/flexisip --server proxy --daemon --syslog --pidfile /var/run/flexisip-proxy.pid (code=exited, status=0/SUCCESS)
     Main PID: 26527 (flexisipwd-prox)
        Tasks: 110 (limit: 4915)
       CGroup: /system.slice/flexisip-proxy.service
               ├─26527 /opt/belledonne-communications/bin/flexisip --server proxy --daemon --syslog --pidfile /var/run/flexisip-proxy.pid
               └─26528 /opt/belledonne-communications/bin/flexisip --server proxy --daemon --syslog --pidfile /var/run/flexisip-proxy.pid

    11:06:42 flexiserver systemd[1]: Starting Flexisip proxy server...
    11:06:42 flexiserver flexisip[26504]: Writing logs in : /var/opt/belledonne-communications/log/flexisip/flexisip-proxy.log
    11:06:42 flexiserver flexisip[26504]: [LAUNCHER] Watchdog PID: 26527
    11:06:43 flexiserver flexisip[26504]: NET-SNMP version 5.7.3 AgentX subagent connected
    11:06:43 flexiserver systemd[1]: Started Flexisip proxy server.
Now try to access the Flexisip SIP server remotely from external devices. Use Linphone or Zoiper as the SIP VoIP application.
Specify SIP port 5070/tcp (depends on flexisip.conf)
DTMF: SIP
The STUN server domain and port should be the same as the Flexisip domain and port.
Specify the outbound proxy (calls go via the SIP proxy)
Configure MD5 or SHA-256 hashing in Flexisip
Inserting the password directly into the database is not good practice; it should be hashed.
Flexisip supports MD5 and SHA-256 hashing, but SHA-256 is the better choice.
Flexisip reads and writes the password in the following format.
“userID:domain:password”
MD5:
    MD5('accountID:domain:password')
SHA-256:
    SHA2('accountID:domain:password', 256)
Examples:
MD5
    mysql> update table_name set password = MD5('user1:test.site.com:secretpass') where id=1;
SHA-256
    mysql> update table_name set password =
        SHA2('user1:test.site.com:secretpass', 256) where id=1;
Reference : Flexisip soci code
https://github.com/BelledonneCommunications/flexisip/blob/master/src/authdb-soci.cc
Flexisip TLS Configuration (works under a Docker container)
https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/
cafile.pem is created from fullchain.pem, which chains the intermediate certificate (chain.pem) and the server certificate issued by the certificate authority (cert.pem).
agent.pem is created from the server certificate (cert.pem) and the private key (key.pem).
    $ docker exec -ti ubuntu-flexisip bash    # or debian-flexisip
    # cd /etc/flexisip/tls/www.example.com
    # ls
    account_key.json cert.pem chain.pem fullchain.pem key.pem
    # cp fullchain.pem cafile.pem
    # awk 1 key.pem cert.pem > agent.pem
Edit the following items in /etc/flexisip/flexisip.conf
    transports=sip:www.example.com:5070;maddr=172.18.0.5 sips:www.example.com:5071;maddr=172.18.0.5
    tls-certificates-dir=/etc/flexisip/tls/www.example.com/