| author | alex <alex@pdp7.net> | 2025-10-26 10:00:41 +0100 |
|---|---|---|
| committer | alexpdp7 <alex@corcoles.net> | 2025-10-26 12:14:27 +0100 |
| commit | 184f1a0143945549bf173a4bab22563a3af769c6 (patch) | |
| tree | 9b3027c49a14473f34efd83031562e647c14dc39 /personal_infra/puppet/modules/flexisip | |
| parent | 51d9cd16d8f625603e0eecad315431f62fb8841f (diff) | |
Migrate from freeswitch to flexisip
Diffstat (limited to 'personal_infra/puppet/modules/flexisip')
3 files changed, 2537 insertions, 0 deletions
diff --git a/personal_infra/puppet/modules/flexisip/README.md b/personal_infra/puppet/modules/flexisip/README.md
new file mode 100644
index 00000000..f44a17bb
--- /dev/null
+++ b/personal_infra/puppet/modules/flexisip/README.md
@@ -0,0 +1,9 @@
+Baresip config:
+
+* account: `sip:ext@sip.pdp7.net;transport=tls`
+* password: ...
+* out proxy: `sip:sip.pdp7.net;transport=tls`
+* sip provider: `sip.pdp7.net`
+
+Ensure that certificate verification is disabled.
+Certificate verification might show as disabled when it is enabled.
diff --git a/personal_infra/puppet/modules/flexisip/manifests/init.pp b/personal_infra/puppet/modules/flexisip/manifests/init.pp
new file mode 100644
index 00000000..9ed962de
--- /dev/null
+++ b/personal_infra/puppet/modules/flexisip/manifests/init.pp
@@ -0,0 +1,51 @@
+class flexisip($flexisip_sdp_port_range_min, $flexisip_sdp_port_range_max, $flexisip_user_database, $flexisip_domain) {
+ file {'/etc/yum.repos.d/BelledonneCom.repo':
+ content => @(EOT)
+ # keep this repository enabled even if you enable beta/alpha repositories
+ [Belledonne-stable]
+ name=Belledonne-stable
+ baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/stable
+ enabled=1
+ gpgcheck=0
+
+ # enable this if you want post-release patches
+ [Belledonne-hotfix]
+ name=Belledonne-hotfix
+ baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/hotfix
+ enabled=1
+ gpgcheck=0
+
+ # enable this if you want next release beta packages
+ [Belledonne-beta]
+ name=Belledonne-beta
+ baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/beta
+ enabled=0
+ gpgcheck=0
+
+ # enable this to have development (unstable) packages
+ [Belledonne-alpha]
+ name=Belledonne-alpha
+ baseurl=http://www.linphone.org/snapshots/$contentdir/$releasever/alpha
+ enabled=0
+ gpgcheck=0
+ | EOT
+ ,
+ }
+ ->
+ package {'bc-flexisip':}
+ ->
+ file {'/etc/flexisip/flexisip.conf':
+ content => template('flexisip/flexisip.conf'),
+ }
+ ~>
+ service {'flexisip-proxy':
+ ensure => running,
+ enable => true,
+ }
+
+ file {'/etc/flexisip/users.db.txt':
+ content => $flexisip_user_database,
+ require => Package['bc-flexisip'],
+ notify => Service['flexisip-proxy'],
+ }
+}
diff --git a/personal_infra/puppet/modules/flexisip/templates/flexisip.conf b/personal_infra/puppet/modules/flexisip/templates/flexisip.conf
new file mode 100644
index 00000000..3fde5125
--- /dev/null
+++ b/personal_infra/puppet/modules/flexisip/templates/flexisip.conf
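Review bot: In manifests/init.pp, every Belledonne stanza written to `/etc/yum.repos.d/BelledonneCom.repo` pairs a plain `http://` `baseurl` with `gpgcheck=0`, so `package {'bc-flexisip':}` (and later updates from the enabled stable and hotfix repos) is installed with neither transport integrity nor signature verification, and RPM scriptlets run as root. At minimum, switch the enabled stanzas to `baseurl=https://www.linphone.org/snapshots/$contentdir/$releasever/stable` (assuming the mirror serves HTTPS); if the vendor publishes a signing key, also set `gpgcheck=1` with `gpgkey=<vendor key URL — placeholder>`. Separately, `/etc/flexisip/users.db.txt` is created from `$flexisip_user_database` with no `mode` or `owner`, and the README in this commit suggests it holds SIP passwords; consider `mode => '0640'`, `show_diff => false`, and passing the value as `Sensitive` so the contents stay out of Puppet reports and logs.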
@@ -0,0 +1,2477 @@ +## +## This is the default Flexisip (v2.4.2-30-g42e30f2d) configuration +## file +## + + + + + +## +## Some global settings of the flexisip proxy. +## +[global] + +# Servers started by default when '--server' is not specified in +# the command line. Possible values are: 'proxy', 'presence', 'conference', +# 'regevent' and 'b2bua'. Each value must be separated by a whitespace. +# Default: proxy +#default-servers=proxy + +# Automatically respawn Flexisip in case of abnormal termination +# (crashes). This only has an effect if Flexisip is launched with +# '--daemon' option +# Default: true +#auto-respawn=true + +# Path to the directory that contains plugins. +# Default: /opt/belledonne-communications/lib64/flexisip/plugins +#plugins-dir=/opt/belledonne-communications/lib64/flexisip/plugins + +# Plugins to load. +# The list of installed plugins can be found at <prefix>/lib/flexisip/plugins. +# The name of a plugin can be built from the corresponding library +# name by removing the extension and the 'lib' prefix. +# Example: 'jweauth' will load libjweauth.so at runtime. +# Default: +#plugins= + +# Generate a core dump on crash. +# On GNU/Linux, the action to do on core dump is defined by the +# kernel file '/proc/sys/kernel/core_pattern'. +# On recent distributions like RHEL 8, the generated core dumps +# are given by default to the core manager of SystemD. Core dumps +# can easily be listed by using the coredumpctl(1) command. +# On older distributions, core dumps are often written in the root +# ('/') directory. If your root directory has little available space, +# it is recommended to relocate your core dumps in another place +# by modifying the 'core_pattern' file on system boot. This can +# be done by adding the following line in '/etc/rc.local': +# echo '/home/cores/core.%e.%t.%p' > /proc/sys/kernel/core_pattern +# +# See core(5) manual for more information about core handling on +# GNU/Linux. 
+# Default: false +#dump-corefiles=false + +# Enable SNMP. +# Default: false +#enable-snmp=false + +# Path to the directory where log files will be created. +# WARNING: Flexisip has no embedded log rotation system but provides +# a configuration file for logrotate. +# Please make sure that logrotate is installed and running on your +# system in order to have Flexisip's logs rotated. Log rotation +# can be customized by editing /etc/logrotate.d/flexisip-logrotate. +# Default: /var/opt/belledonne-communications/log/flexisip +#log-directory=/var/opt/belledonne-communications/log/flexisip + +# Name of the log file +# .The string '{server}' is a placeholder that is replaced with +# the corresponding server type. If several server types are specified, +# then '{server}' will be replaced by the concatenation of all server +# types separated by a '+' character. +# Example: 'proxy+presence'. +# Default: flexisip-{server}.log +#log-filename=flexisip-{server}.log + +# Logging verbosity. +# Possible values are: 'debug', 'message', 'warning' and 'error' +# Default: error +#log-level=error + +# Syslog logging verbosity. +# Possible values are: 'debug', 'message', 'warning' and 'error' +# Default: error +#syslog-level=error + +# Sofia-SIP logging verbosity. +# These logs are only displayed if 'log-level' is set to 'debug' +# or if the program is started with the '-d' (--debug) option. The +# verbosity levels range from 1 to 9: +# 1 -> Critical errors +# 2 -> Non-critical errors +# 3 -> Warnings and progress messages +# 5 -> Signaling protocol actions +# 7 -> Media protocol actions +# 9 -> Entering/exiting functions +# Default: 5 +#sofia-level=5 + +# Log user errors (on a different logging domain). +# Examples: authentication operations, registration events, requests +# routing, etc... +# Default: false +#user-errors-logs=false + +# A boolean expression applied to the processing of all SIP requests. 
+# When the expression evaluates to 'true', use the 'contextual-log-level' +# logging level for all the logs generated during the processing +# of the current request. This is useful to debug a certain scenario +# on a production environment. +# The definition of SIP boolean expressions is the same as for entry +# filters of modules, which is documented here: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/ +# Default: +#contextual-log-filter= + +# Logging verbosity of contextual logs. +# Default: debug +#contextual-log-level=debug + +# A boolean expression applied to the processing of all SIP requests. +# When the expression evaluates to 'true', log the request body. +# Cannot be empty, use 'true' or 'false' instead. +# The definition of SIP boolean expressions is documented here: +# https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/ +# Example: content-type == 'application/sdp' && request.method == +# 'MESSAGE' +# Default: content-type == 'application/sdp' +#show-body-for=content-type == 'application/sdp' + +# List of whitespace separated SIP URIs where the proxy must listen. +# Wildcard (*) means 'all local ip addresses'. If the 'transport' +# parameter is not specified, the server will listen on both UDP +# and TCP transports. A local address to bind onto can be specified +# using the 'maddr' SIP URI parameter. The domain part of SIP URIs +# are used as public domain or ip address. +# The 'sips' transport definition accepts some optional parameters: +# - 'tls-certificates-dir': path, has the same meaning as the 'tls-certificates-dir' +# parameter of this section (overriding only applies for the current +# SIP URI). +# - 'tls-certificates-file': file path, has the same meaning as +# the 'tls-certificates-file' parameter of this section (overriding +# only applies for the current SIP URI). 
+# - 'tls-certificates-private-key': file path, has the same meaning +# as the 'tls-certificates-private-key' parameter of this section +# (overriding only applies for the current SIP URI). +# - 'tls-certificates-ca-file': file path, has the same meaning +# as the 'tls-certificates-ca-file' parameter of this section (overriding +# only applies for the current SIP URI). +# - 'tls-verify-incoming': value in {'0', '1'}, indicates whether +# clients are required to present a valid client certificate or +# not (defaults to '0'). +# - 'tls-allow-missing-client-certificate': value in {'0', '1'}, +# allow connections from clients that have no certificate even if +# `tls-verify-incoming` is enabled (useful if you want Flexisip +# to ask for a client certificate but do not fail if the client +# cannot provide one). +# - 'tls-verify-outgoing': value in {'0', '1'}, whether Flexisip +# should verify the peer certificate when it creates an outgoing +# TLS connection to another server (defaults to '1'). +# - 'require-peer-certificate': (deprecated) same as 'tls-verify-incoming' +# +# It is HIGHLY RECOMMENDED to specify a canonical name for 'sips' +# transports, so that the proxy can advertise this information in +# 'Record-Route' headers, which allows TLS cname verifications to +# be performed by clients. +# Specifying a SIP URI with 'transport=tls' is not allowed: the +# 'sips' scheme must be used instead. As requested by SIP RFC, IPv6 +# addresses must be enclosed within brackets. 
+# +# Here are some examples to understand: +# - listen on all local interfaces for UDP and TCP, on standard +# port: +# transports=sip:* +# - listen on all local interfaces for UDP, TCP and TLS, on standard +# ports: +# transports=sip:* sips:* +# - listen only a specific IPv6 interface, on standard ports, with +# UDP, TCP and TLS +# transports=sip:[2a01:e34:edc3:4d0:7dac:4a4f:22b6:2083] sips:[2a01:e34:edc3:4d0:7dac:4a4f:22b6:2083] +# - listen on TLS localhost with 2 different ports and SSL certificates: +# transports=sips:localhost:5061;tls-certificates-dir=path_a sips:localhost:5062;tls-certificates-dir=path_b +# - listen on TLS localhost with 2 peer certificate requirements: +# transports=sips:localhost:5061;tls-verify-incoming=0 sips:localhost:5062;tls-verify-incoming=1 +# - listen on 192.168.0.29:6060 with TLS, but public hostname is +# 'sip.linphone.org' used in SIP requests. Bind address won't appear +# in requests: +# transports=sips:sip.linphone.org:6060;maddr=192.168.0.29 +# Default: sip:* +transports=sips:<%= @flexisip_domain %>;maddr=* + +# List of whitespace separated host names pointing to this machine. +# This is to prevent loops while routing SIP requests. +# Default: localhost +aliases=<%= @flexisip_domain %> + +# Time interval after which inactive connections are closed. +# Default: 3600 +# Default unit: second +#idle-timeout=3600 + +# Time interval for sending "\r\n\r\n" keepalive packets on inbound +# and outbound connections. +# The main purpose of sending keepalive packets is to keep connections +# alive across NATs. It also helps to detect silently broken connections +# which can reduce the number of socket descriptors used by Flexisip. +# A value of zero deactivates this feature +# Default: 1800 +# Default unit: second +#keepalive-interval=1800 + +# Time interval for sending "\r\n\r\n" keepalive packets for proxy-to-proxy +# connections. 
+# Indeed, while it is undesirable to send frequent keepalive packets +# to mobile clients (it drains their battery), sending frequent +# keepalive packets has proven to be helpful to keep connections +# up between proxy nodes in a very popular US virtualized datacenter. +# A value of zero deactivates this feature. +# Default: 0 +# Default unit: second +#proxy-to-proxy-keepalive-interval=0 + +# SIP transaction timeout. +# Set to T1*64 by default. +# Default: 32000 +# Default unit: millisecond +#transaction-timeout=32000 + +# The UDP MTU. +# Flexisip will fallback to TCP when sending a request whose size +# exceeds the UDP MTU. Please read https://sofia-sip.sourceforge.net/refdocs/nta/nta__tag_8h.html#a6f51c1ff713ed4b285e95235c4cc999a +# for more details. If sending large packets over UDP is not a problem, +# then set a big value such as 65535. Unlike the recommendation +# of the RFC, the default value of UDP MTU is 1460 in Flexisip (instead +# of 1300). +# Default: 1460 +#udp-mtu=1460 + +# Maximum number of bytes read at once when extracting data from +# a TCP socket. WARNING: a SIP request (headers + body) cannot exceed +# this amount of bytes otherwise the parsing will fail +# Default: 524288 +#tcp-max-read-size=524288 + +# Bind address for all RTP streams (MediaRelay and Transcoder). +# This parameter is only useful for some specific networks, keeping +# the default value is recommended. +# Default: 0.0.0.0 ::0 +#rtp-bind-address=0.0.0.0 ::0 + +# Path to the file containing the server certificate chain. +# The file must be in PEM format, see OpenSSL SSL_CTX_use_certificate_chain_file +# documentation. If used, 'tls-certificates-private-key' MUST be +# set. +# Default: +tls-certificates-file=/etc/pki/tls/certs/localhost.crt + +# Path to the file containing the private key. +# See OpenSSL SSL_CTX_use_PrivateKey_file documentation. If used, +# 'tls-certificates-file' MUST be set. 
+# Default: +tls-certificates-private-key=/etc/pki/tls/private/localhost.key + +# Path to the file containing CA certificates. +# See OpenSSL SSL_CTX_load_verify_locations and SSL_CTX_set_client_CA_list +# documentation. Can be empty. +# Default: +#tls-certificates-ca-file= + +# Cipher strings to pass to OpenSSL in order to limit the cipher +# suites to use while establishing TLS sessions. +# Please take a look at ciphers(1) UNIX manual to get the list of +# supported keywords by your current version of OpenSSL. You might +# visit https://www.openssl.org/docs/manmaster/man1/ciphers.html +# too. The default value set by Flexisip should provide a high level +# of security while keeping an acceptable level of interoperability +# with currently deployed clients on the market. +# Default: HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL +#tls-ciphers=HIGH:!SSLv2:!SSLv3:!TLSv1:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL + +# Ask for client certificate on TLS session establishing. +# Default: false +#require-peer-certificate=false + +# Unique ID used to identify this Flexisip instance. +# It must be a randomly generated 16-sized hexadecimal number. If +# empty, it will be generated each time Flexisip starts. +# Default: +#unique-id= + +# Number of SIP requests that Sofia-SIP can queue in a transport +# (a connection). It is 64 by default, hardcoded in Sofia-SIP (Sofia-SIP +# also used to hardcode a maximum value of 1000). This is not sufficient +# for instant messaging applications. +# Default: 1000 +#tport-message-queue-size=1000 + +# Interval between logs about server memory usage. +# This feature periodically logs the value occupied in RAM by the +# process (VmRSS). These logs use debug level. +# Only works on Linux. +# Set to 0 in order to disable the feature. 
+# Default: 0 +# Default unit: second +#memory-usage-log-interval=0 + + + + + + +## +## This section contains some parameters useful when the current +## proxy is part of a network of proxies (cluster) which serve the +## same domain. +## +[cluster] + +# Enable cluster mode. +# If 'false', the parameters of the [cluster] section will not have +# any effect. +# Default: false +#enabled=false + +# Domain name that enables external SIP agents to access to the +# cluster. +# Such domain is often associated to DNS SRV records for each proxy +# of the cluster, so that DNS resolution returns the address of +# a specific proxy randomly. +# Flexisip uses that domain when it needs to insert a 'Path' or +# 'Record-route' header addressing the cluster instead of itself. +# Default: +#cluster-domain= + +# List of IP addresses of all the proxies present in the cluster. +# SIP requests coming from these addresses won't be challenged by +# the authentication module and will not be limited by the DosProtection +# module. +# Default: +#nodes= + +# Transport to use for communication with the other proxies of the +# cluster. +# This is only useful when no transport declared in 'global/transport' +# parameter can be used to reach the other proxies (e.g. when inter-proxy +# communications are to be made through a private network). +# Example: sip:10.0.0.8:5059;transport=tcp +# Default: +#internal-transport= + + + + + + +## +## Should the server be registered on a local domain, to be accessible +## via multicast DNS. +## +[mdns-register] + +# Enable multicast DNS register +# Default: false +#enabled=false + +# Priority of this instance, lower value means more 'preferred'. +# 'n': priority of n (example: 10) +# 'n-m': random priority between n and m (example: 10-50) +# Default: 0 +#mdns-priority=0 + +# A relative weight for Flexisip instances with the same priority. +# Higher values means more 'preferred'. 
+# For example, if two Flexisip instances are registered on the same +# local domain with one at '20' and the other at '80', then 20% +# of the traffic will be redirected to the first instance and 80% +# to the other one. +# The sum of all the weights of Flexisip instances on the same local +# domain must be 100. +# Default: 100 +#mdns-weight=100 + +# Time To Live of any mDNS query that will ask for this Flexisip +# instance +# Default: 3600 +# Default unit: millisecond +#mdns-ttl=3600 + + + + + + +## +## Event logs contain per domain and user information about processed +## registrations, calls and messages. +## See: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Event%20logs%20and%20queries/ +## for architecture and queries. +## +[event-logs] + +# Enable event logs. +# Default: false +#enabled=false + +# Define logger for storing logs. It supports "filesystem", "database" +# and "flexiapi". +# Default: filesystem +#logger=filesystem + +# Directory where event logs are written as a filesystem (case when +# filesystem output is chosen). +# Default: /var/log/flexisip +#filesystem-directory=/var/log/flexisip + +# Type of backend that Soci will use for the connection. +# Depending on your Soci package and the modules you installed, +# the supported databases are:`mysql`, `sqlite3` and `postgresql` +# Default: mysql +#database-backend=mysql + +# Configuration parameters of the backend. +# The basic format is "key=value key2=value2". For a mysql backend, +# this is a valid config: "db=mydb user=user password='pass' host=myhost.com". +# Please refer to the Soci documentation of your backend, for instance: +# http://soci.sourceforge.net/doc/master/backends/#supported-backends-and-features +# Default: db='mydb' user='myuser' password='mypass' host='myhost.com' +#database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com' + +# Amount of queries that will be allowed to be queued before bailing +# password requests. 
+# This value should be chosen accordingly with 'database-nb-threads-max', +# so that you have a coherent behavior. +# This limit is here mainly as a safeguard against out-of-control +# growth of the queue in the event of a flood or big delays in the +# database backend. +# Default: 100 +#database-max-queue-size=100 + +# Maximum number of threads for writing in database. +# If you get a `database is locked` error with sqlite3, you must +# set this variable to 1. +# Default: 10 +#database-nb-threads-max=10 + +# Domain name or IP address of the FlexiAPI host. This setting will +# be used in combination with flexiapi-port and -prefix to contact +# the API located at <flexiapi-host>:<flexiapi-port><flexiapi-prefix> +# Default: localhost +#flexiapi-host=localhost + +# Port on the FlexiAPI host. See `flexiapi-host` for details. +# Default: 443 +#flexiapi-port=443 + +# Path prefix for FlexiAPI requests. See `flexiapi-host` for details. +# Default: /api/stats/ +#flexiapi-prefix=/api/stats/ + +# API authentication key for the FlexiAPI +# Default: +#flexiapi-api-key= + + + + + + +## +## STUN server parameters. +## +[stun-server] + +# Enable or disable stun server. +# Default: true +#enabled=true + +# Local ip address where to bind the socket. +# Default: 0.0.0.0 +#bind-address=0.0.0.0 + +# STUN server port number. +# Default: 3478 +#port=3478 + + + + + + +## +## Flexisip presence server parameters. +## +[presence-server] + +# Enable presence server +# Default: true +#enabled=true + +# List of white space separated SIP URIs where the presence server +# must listen. Must not be tls. +# Default: sip:127.0.0.1:5065;transport=tcp +#transports=sip:127.0.0.1:5065;transport=tcp + +# Default expires of PUBLISH request. +# Default: 600 +# Default unit: second +#expires=600 + +# Max number of presentity sent in a single NOTIFY by default. 
+# Default: 200 +#notify-limit=200 + +# Enable long-term presence notifies +# Default: false +#long-term-enabled=false + +# Soci connection string for the resource list database. +# Default: +#rls-database-connection= + +# SQL request to obtain the list of the users corresponding to an +# resource list subscription. +# Named parameters are: +# * ':from' : the URI of the sender of the SUBSCRIBE. (mandatory) +# * ':to' : the URI of the users list which the sender want to +# subscribe to. (mandatory) +# +# Default: +#rls-database-request= + +# Max number of threads. +# Default: 50 +#rls-database-max-thread=50 + +# Max legnth of threads queue. +# Default: 50 +#rls-database-max-thread-queue-size=50 + +# Soci SQL request used to obtain the username associated with a +# phone alias. +# The string MUST contains the ':phone' keyword which will be replaced +# by the phone number to look for. +# The result of the request is a 1x1 table containing the name of +# the user associated with the phone number. +# +# Example: select login from accounts where phone = :phone +# Default: +#soci-user-with-phone-request= + +# Same as 'soci-user-with-phone-request' but allows to fetch several +# users by a unique SQL request. +# The string MUST contains the ':phones' keyword which will be replaced +# by the list of phone numbers to look for. Each element of the +# list is seperated by a comma character and is protected by simple +# quotes (e.g. '0336xxxxxxxx','0337yyyyyyyy','034zzzzzzzzz'). +# If you use phone number linked accounts you'll need to select +# login, domain, phone in your request for flexisip to work. +# Example: select login, domain, phone from accounts where phone +# in (:phones) +# Default: +#soci-users-with-phones-request= + +# Maximum number of presence element by identity saved in memory. +# Default: 10 +#max-presence-elements=10 + +# Duration in milliseconds during which the last activity is kept +# in memory. Default is 1 day. 
+# Default: 86400000 +#last-activity-retention-time=86400000 + + + + + + +## +## Flexisip conference server parameters. +## The Flexisip conference server manages group chat and audio/video +## conferences. +## It follows the concepts of RFC4579 for conference establishment +## and management. Factory and focus URIs must be configured. +## The server requires a MariaDB/MySQL database in order to store +## chatroom or conference states (participants and their devices). +## For chatting capabilities, the server requires a Registrar backend +## (see section module::Registrar) to discover devices (or client +## instances) of each participant. This requirement creates an explicit +## dependency on the Flexisip proxy server. Please note that this +## dependency is not required for audio/video conferences. +## +[conference-server] + +# Enable conference server +# Default: true +#enabled=true + +# Unique SIP URI on which the server is listening. +# Default: sip:127.0.0.1:6064;transport=tcp +#transport=sip:127.0.0.1:6064;transport=tcp + +# List of SIP URIs used by clients to create conferences. This implicitly +# defines the list of SIP domains managed by the conference server. +# Example: +# sip:conference-factory@sip.linphone.org sip:conference-factory@sip.linhome.org +# Default: +#conference-factory-uris= + +# List of template focus URIs to use when conferences are created +# through the conference factory. +# Focus URIs are unique SIP URIs targeting a specific conference. +# A 'conf-id' URI parameter providing uniqueness is automatically +# appended at runtime. Example, setting: +# conference-focus-uris=sip:conference-focus@sip.linphone.org +# instructs the server to generate conference URIs in the form of +# 'sip:conference-focus@sip.linphone.org;conf-id=<random string>' +# when a client requests to create a conference. +# Default: +#conference-focus-uris= + +# The SIP proxy URI to which the server will send all outgoing requests. 
+# Default: sip:127.0.0.1:5060;transport=tcp +#outbound-proxy=sip:127.0.0.1:5060;transport=tcp + +# Domains managed by the local SIP service, i.e. domains for which +# user registration information can be found directly in the local +# registrar database (Redis database). +# For external domains (not in this list), a 'reg' SUBSCRIBE (RFC3680) +# will be emitted. It is not necessary to list domains that appear +# in the 'conference-factory-uris' property. They are assumed to +# be local domains already. +# Example: sip.linphone.org conf.linphone.org linhome.org +# Default: +#local-domains= + +# Audio port to use for RTP and RTCP traffic. You can set a specific +# port, a range of ports or let the server ask the kernel for an +# available port (special value: 0). +# Examples: 'audio-port=0' or 'audio-port=12345' or 'audio-port=1024-65535' +# Default: 0 +#audio-port=0 + +# Video port to use for RTP and RTCP traffic. You can set a specific +# port, a range of ports or let the server ask the kernel for an +# available port (special value: 0). +# Examples: 'video-port=0' or 'video-port=12345' or 'video-port=1024-65535' +# Default: 0 +#video-port=0 + +# Type of database the server will use to store chat room and conference +# data. Provided that the required Soci modules are installed, the +# supported databases are: `mysql`, `sqlite3` +# Default: mysql +#database-backend=mysql + +# Configuration parameters of the database to store chat room and +# conference data. +# The basic format is "key=value key2=value2".For MySQL, the following +# is a valid configuration: db='mydb' user='myuser' password='mypass' +# host='myhost.com'. 
+# Please refer to the Soci documentation of your selected backend: +# https://soci.sourceforge.net/doc/release/3.2/backends/mysql.html +# https://soci.sourceforge.net/doc/release/3.2/backends/sqlite3.html +# Default: db='mydb' user='myuser' password='mypass' host='myhost.com' +#database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com' + +# True to make the server check device capabilities before inviting +# them to a session. +# The capability check is currently limited to Linphone clients +# that put a '+org.linphone.specs' contact parameter. This parameter +# indicates whether they support group chat and secured group chat +# or not. +# Default: true +#check-capabilities=true + +# List of media types supported by the server. +# This allows to specify if this instance is able to provide chat +# services or audio/video conference services, or both. +# Valid values: audio, video, text. +# Example: audio video text +# Default: text +#supported-media-types=text + +# Type of media encryption the server will offer when calling participants +# to an audio or video conference. +# Valid values: none, sdes, zrtp, dtls. +# Default: none +#encryption=none + +# Public host name or IP addresses of the server. +# Setting this parameter is required when the conference server +# is deployed behind a firewall. This way, public IP address (v4, +# v6) can be advertised in SDP, as ICE server-reflexive candidates +# in order for the server to receive RTP media packets from clients. +# If no hostname is given, the v4 and v6 IP addresses can be listed, +# in any order. It is not possible to configure several v4 addresses +# or several v6 addresses. +# Example: +# nat-addresses=conference.linphone.org +# nat-addresses=5.135.31.160 2001:41d0:303:3aee::1 +# Default: +#nat-addresses= + +# Server shall delete chat rooms that have no registered participants. +# Default: true +#empty-chat-room-deletion=true + +# Directory where the server state files are stored. 
+# +# Default: /var/opt/belledonne-communications/lib/flexisip +#state-directory=/var/opt/belledonne-communications/lib/flexisip + +# Server will kill all incoming calls that last longer than the +# defined value. +# Special value 0 disables this feature. +# Default: 0 +# Default unit: second +#call-timeout=0 + + + + + + +## +## Flexisip RegEvent server parameters. +## This server is in charge of responding to SIP SUBSCRIBE requests +## for the 'reg' event as defined by RFC3680 (https://tools.ietf.org/html/rfc3680). +## It relies on the registrar database setup in the 'module::Registrar' +## section to generate outgoing NOTIFY requests +## +[regevent-server] + +# SIP URI on which the server is listening on. +# WARNING: only 'TCP' transport is supported. +# Default: sip:127.0.0.1:6065;transport=tcp +#transport=sip:127.0.0.1:6065;transport=tcp + + + + + + +## +## Flexisip back-to-back user agent (B2BUA) server parameters. +## +[b2bua-server] + +# The type of application that will handle calls bridged through +# the server. Possible values: +# - `trenscrypter` Bridge different encryption types on both ends +# transparently. +# - `sip-bridge` Bridge calls through an external SIP provider. +# (e.g. for PSTN gateways) +# Default: trenscrypter +#application=trenscrypter + +# Unique SIP URI on which the server is listening. +# Default: sip:127.0.0.1:6067;transport=tcp +#transport=sip:127.0.0.1:6067;transport=tcp + +# Audio port to use for RTP and RTCP traffic. You can set a specific +# port, a range of ports or let the server ask the kernel for an +# available port (special value: 0). +# Examples: 'audio-port=0' or 'audio-port=12345' or 'audio-port=1024-65535' +# Default: 0 +#audio-port=0 + +# Video port to use for RTP and RTCP traffic. You can set a specific +# port, a range of ports or let the server ask the kernel for an +# available port (special value: 0). 
+# Examples: 'video-port=0' or 'video-port=12345' or 'video-port=1024-65535' +# Default: 0 +#video-port=0 + +# Value of User-Agent header. Use the following syntax: <name>[/<version>] +# where <version> can bet set to '{version}' that is a placeholder +# for the Flexisip version. +# It is also used by the module::B2bua to decide if requests should +# be forwarded to the B2BUA server or not. +# Default: Flexisip-B2BUA/{version} +#user-agent=Flexisip-B2BUA/{version} + +# Directory where to store server local files +# +# Default: /var/opt/belledonne-communications/flexisip/b2b +#data-directory=/var/opt/belledonne-communications/flexisip/b2b + +# The SIP proxy URI to which the server will send all outgoing requests. +# Default: sip:127.0.0.1:5060;transport=tcp +#outbound-proxy=sip:127.0.0.1:5060;transport=tcp + +# Duration after which the server will terminate a call if no RTP +# packets are received from the other call participant. For performance +# reasons, this parameter cannot be disabled. +# Default: 30 +# Default unit: second +#no-rtp-timeout=30 + +# The server will terminate any bridged call that has been running +# for longer than this amount of time. +# Set to 0 to disable and let calls run unbounded. +# Default: 0 +# Default unit: second +#max-call-duration=0 + +# Force outgoing video call to use the specified codec. Leave empty +# to disable this feature. +# Warning: all outgoing calls will only list this codec, which means +# incoming calls must use it too. +# Default: +#video-codec= + +# The server shall use a separate connection (port) for each (external) +# account it manages. +# This can be used to work around DoS protection and rate-limiting +# systems on external proxies. +# Default: false +#one-connection-per-account=false + + + + + + +## +## External SIP Provider Bridge parameters. +## +[b2bua-server::sip-bridge] + +# Path to a file containing the accounts to use for external SIP +# bridging, organised by provider, in JSON format. 
+# Here is a template of what should be in this file:
+# {
+# "schemaVersion": 2,
+# "providers": [
+# {
+# "name": "<user-friendly provider name for CLI output>",
+# "accountPool": "<name of an account pool described below>",
+# "triggerCondition": {
+# "strategy": "<MatchRegex|Always>"
+# "pattern": "<MatchRegexParam: regex>"
+# },
+# "accountToUse": {
+# "strategy": "FindInPool|Random",
+# "by": "<FindInPoolParam: alias|uri>",
+# "source": "<FindInPoolParam: {from}|{to}|{sip:{incoming.to.user}@{account.sipIdentity.hostport}{incoming.to.uriParameters}}>"
+# },
+# "onAccountNotFound": "nextProvider|decline",
+# "outgoingInvite": {
+# "to": "<{account.alias}|sip:{incoming.to.user}@{account.sipIdentity.hostport}{incoming.to.uriParameters}>",
+# "from": "<optional: {account.sipIdentity}|{sip:{incoming.from.user}@{account.sipIdentity.hostport}{incoming.from.uriParameters}>",
+# "outboundProxy": "<optional: sip:flexisip.example.org;transport=tcp>",
+# "enableAvpf": <optional: true|false>,
+# "mediaEncryption": "<optional: zrtp|sdes|dtls-srtp|none>"
+# }
+# }
+# ],
+# "accountPools": {
+# "<name of account pool>": {
+# "outboundProxy": "<sip:some.provider.example.com;transport=tls>",
+# "registrationRequired": <true,false>,
+# "registrationThrottlingRateMs": <optional: number>,
+# "unregisterOnServerShutdown": <optional: true|false>,
+# "maxCallsPerLine": <number>,
+# "loader": {
+# "dbBackend": "<mysql|sqlite3>",
+# "initQuery": "<SQL query>"
+# "updateQuery": "<SQL query>",
+# "connection": "<db=sip_accounts user='flexisip-b2bua' password='secret'
+# host=db.example.org>"
+# }
+# },
+# "<name of another account pool>": {
+# "outboundProxy": "<sip:some.provider.example.com;transport=tls>",
+# "registrationRequired": <true,false>,
+# "registrationThrottlingRateMs": <optional: number>,
+# "unregisterOnServerShutdown": <optional: true|false>,
+# "maxCallsPerLine": <number>,
+# "loader": [
+# {
+# "uri": "<sip:account1@some.provider.example.com>",
+# "userid": "<optional:
(e.g. an API key)>"
+# "secretType": "<registrationRequiredParam: ha1|clrtxt>",
+# "secret": "<registrationRequiredParam: password or API token>"
+# "realm": "<optional: realm.some.provider.example.com>"
+# "alias": "<optional: sip:anotherAccount1@some.provider.example.com>
+# "outboundProxy": "<optional: sip:another.providerOverridingPreviousOne.example.com;transport=tls>",
+# }
+# ]
+# }
+# }
+# }
+# Full documentation is available here: https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Back-to-back%20User%20Agent%20%28b2bua%29/SIP%20Bridge/#sip-bridge
+#
+# Default: example-path.json
+#providers=example-path.json
+
+
+
+
+
+
+##
+## Encryption transcoder bridge parameters.
+##
+[b2bua-server::trenscrypter]
+
+# Select the call outgoing encryption mode, this is a list of regular
+# expressions and encryption mode.
+# Valid encryption modes are: zrtp, dtls-srtp, sdes, none.
+#
+# The list is formatted in the following mode:
+# mode1 regex1 mode2 regex2 ... moden regexn
+# regex use posix syntax, any invalid one is skipped
+# Each regex is applied, in the given order, on the callee sip uri(including
+# parameters if any). First match found determines the encryption
+# mode. if no regex matches, the incoming call encryption mode is
+# used.
+#
+# Example: zrtp .*@sip\.secure-example\.org dtsl-srtp .*dtls@sip\.example\.org
+# zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org
+# In this example: the address is matched in order with
+# .*@sip\.secure-example\.org so any call directed to an address
+# on domain sip.secure-example-org uses zrtp encryption mode
+# .*dtls@sip\.example\.org any call on sip.example.org to a username
+# ending with dtls uses dtls-srtp encryption mode
+# .*zrtp@sip\.example\.org any call on sip.example.org to a username
+# ending with zrtp uses zrtp encryption mode
+# The previous example will fail to match if the call is directed
+# to a specific device(having a GRUU as callee address)
+# To ignore sip URI parameters, use (;.*)? at the end of the regex.
+# Example: .*@sip\.secure-example\.org(;.*)?
+# Default:Selected encryption mode(if any) is enforced and the call
+# will fail if the callee does not support this mode
+# Default:
+#outgoing-enc-regex=
+
+# Outgoing SRTP crypto suite in SDES encryption mode:
+# Select the call outgoing SRTP crypto suite when outgoing encryption
+# mode is SDES, this is a list of regular expressions and crypto
+# suites list.
+# Valid srtp crypto suites are :
+# AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32
+# AES_192_CM_HMAC_SHA1_80, AES_192_CM_HMAC_SHA1_32 // currently
+# not supported
+# AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_80
+# AEAD_AES_128_GCM, AEAD_AES_256_GCM
+#
+# The list is formatted in the following mode:
+# cryptoSuiteList1 regex1 cryptoSuiteList2 regex2 ... crytoSuiteListn
+# regexn
+# with cryptoSuiteList being a ; separated list of crypto suites.
+#
+# Regex use posix syntax, any invalid one is skipped
+# Each regex is applied, in the given order, on the callee sip uri(including
+# parameters if any). First match found determines the crypto suite
+# list used.
+#
+# if no regex matches, core setting is applied
+# or default to AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
+# when no core setting is available
+#
+# Example:
+# AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org
+# AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org
+#
+# In this example: the address is matched in order with
+# .*@sip\.secure-example\.org so any call directed to an address
+# on domain sip.secure-example-org uses AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
+# suites (in that order)
+# .*@sip\.example\.org any call directed to an address on domain
+# sip.example.org use AES_CM_128_HMAC_SHA1_80 suite
+# The previous example will fail to match if the call is directed
+# to a specific device(having a GRUU as callee address)
+# To ignore sip URI parameters, use (;.*)? at the end of the regex.
+# Example: .*@sip\.secure-example\.org(;.*)?
+# Default:
+# Default:
+#outgoing-srtp-regex=
+
+
+
+
+
+
+##
+## Ban users when they send too much packets within a given timeframe.
+## Execute "iptables -L" to see the list of currently banned IPs/ports.
+##
+[module::DoSProtection]
+
+# Indicate whether the module is activated.
+# Default: true
+enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# Time to consider to compute the packet rate
+# Default: 3000
+# Default unit: millisecond
+#time-period=3000
+
+# Maximum packet rate in packets/seconds, averaged over [time-period]
+# millisecond(s) to consider it as a DoS attack.
+# Default: 20
+#packet-rate-limit=20
+
+# Time duration for which an ip/port is banned.
+# Default: 2
+# Default unit: minute
+#ban-time=2
+
+# Name of the chain the server will create to store banned IPs
+# Default: FLEXISIP
+#iptables-chain=FLEXISIP
+
+# List of IP addresses or hostnames for which no DoS protection
+# is applied. This is typically for trusted servers from which it
+# is planned to receive high traffic. Please note that nodes from
+# the local Flexisip cluster (see [cluster] section) are automatically
+# added to the white list, as well as 127.0.0.1 and ::1.
+# Example:
+# white-list=sip.example.org sip.linphone.org 15.128.128.93
+# Default:
+#white-list=
+
+
+
+
+
+
+##
+## The SanitChecker module checks that required fields of a SIP message
+## are present to avoid unecessary checking while processing message
+## further.
+## If the message doesn't meet these sanity check criterias, then
+## it is stopped and bad request response is sent.
+##
+[module::SanityChecker]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+
+
+
+
+
+##
+## The GarbageIn module collects incoming garbage and prevent any
+## further processing.
+##
+[module::GarbageIn]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2').
You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: false
+#filter=false
+
+
+
+
+
+
+##
+## Enable this module in order the proxy replies to OPTION requests
+## by “200 Ok”. Today, no supported header is added in the response,
+## so this mechanism cannot be used for capabilities introspection.
+## If the module is disabled, the request will be silently discarded.
+##
+[module::Capabilities]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+
+
+
+
+
+##
+## The NatHelper module executes small tasks to make SIP work smoothly
+## despite firewalls and NATs. There are two strategies available:
+## "contact-correction" and "flow-token".
+## Contact-Correction: corrects Contact headers that contain obviously
+## inconsistent addresses.
+## Flow-Token: add routing information in the Record-Routes as defined
+## in RFC 5626.
+## Both methods ensure that subsequent requests are correctly routed
+## by the proxy through the same UDP or TCP channel used for the
+## initial request.
+##
+[module::NatHelper]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2').
You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# Strategy to manage client-initiated connections when SIP messages
+# are routed through NATs. You can choose between "contact-correction"
+# and "flow-token".
+# Default: contact-correction
+#nat-traversal-strategy=contact-correction
+
+# Boolean expression in order to force the use of flow-token under
+# specific conditions. This expression is only evaluated if the
+# "flow-token" strategy is used.
+#
+# Default: user-agent contains 'Linphone'
+#force-flow-token=user-agent contains 'Linphone'
+
+# Path to the file containing the hash key used to hash flow tokens.
+# Default: /var/opt/belledonne-communications/lib/flexisip/flow-token-hash-key
+#flow-token-path=/var/opt/belledonne-communications/lib/flexisip/flow-token-hash-key
+
+# Internal URI parameter added to response contact by first proxy
+# and cleaned by last one. It indicates if the contact was already
+# verified and corrected.
+# Default: verified
+#contact-correction-param=verified
+
+# Fix record-routes, to workaround proxies behind firewalls but
+# not aware of it.
+# Default: false
+#fix-record-routes=false
+
+# Policy to recognize NATed record-route and fix them. There are
+# two modes: 'safe' and 'always'
+# Default: safe
+#fix-record-routes-policy=safe
+
+
+
+
+
+
+##
+## The authentication module challenges and authenticates SIP requests
+## using two possible methods:
+## * if the request is received via a TLS transport and 'require-peer-certificate'
+## is set in transport definition in [Global] section for this transport,
+## then the From header of the request is matched with the CN claimed
+## by the client certificate. The CN must contain sip:user@domain
+## or alternate name with URI=sip:user@domain corresponding to the
+## URI in the from header for the request to be accepted.
Optionnaly,
+## the property tls-client-certificate-required-subject may contain
+## a regular expression for additional checks to execute on certificate
+## subjects.
+## * if no TLS client based authentication can be performed, or
+## has failed, then a SIP digest authentication is performed. The
+## password verification is made by querying a database or a password
+## file on disk.
+##
+[module::Authentication]
+
+# Indicate whether the module is activated.
+# Default: false
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# List of whitespace-separated IP addresses which will be judged
+# as trustful. Messages coming from these addresses won't be challenged.
+# Default:
+#trusted-hosts=
+
+# List of whitespace separated domains to challenge. Others are
+# automatically denied. The wildcard domain '*' is accepted, which
+# means that requests are challenged whatever the originating domain
+# is. This is convenient for a proxy serving multiple SIP domains.
+#
+# Default: localhost
+auth-domains=<%= @flexisip_domain %>
+
+# List of digest algorithms to use for password hashing. Think this
+# setting as filter applied after fetching the credentials of a
+# user from the user database. For example, if a user has its password
+# hashed by MD5 and SHA-256 but 'available-algorithms' only has
+# MD5, then only a MD5-based challenged will be submitted to the
+# UAC.
+# Furthermore, should a user have several hashed passwords and these
+# are present in the list, then a challenge header will be put in
+# the 401 response for each fetched password in the order given
+# by the list.
+# Supported algorithms are MD5 and SHA-256.
+# Default: MD5
+#available-algorithms=MD5
+
+# Disable the QOP authentication method. Default is to use it, use
+# this flag to disable it if needed.
+# Default: false
+#disable-qop-auth=false
+
+# Don't reply 403 when authentication fails. Instead, generate a
+# new 401 (or 407) response containing a new challenge.
+# Default: false
+#no-403=false
+
+# Expiration time before generating a new nonce.
+# Default: 3600
+# Default unit: second
+#nonce-expires=3600
+
+# The realm to use for digest authentication. It will used whatever
+# the domain of the From-URI.
+# If the value starts with 'regex:', then this parameter will have
+# the same effect than 'realm-regex', using all the remaining string
+# as regular expression.
+# WARNING: this parameter is exclusive with 'realm-regex'
+#
+# Examples:
+# realm=sip.example.org
+# realm=regex:sip:.*@sip\.(.*)\.com
+#
+# Default:
+#realm=
+
+# Extraction regex applied on the URI of the 'from' header (or P-Preferred-Identity
+# header if present) in order to extract the realm. The realm is
+# found out by getting the first slice of the URI that matches the
+# regular expression. If it has one or more capturing parentheses,
+# the content of the first one is used as realm.
+# If no regex is specified, then the realm will be the domain part
+# of the URI.
+#
+# For instance, given auth-domains=sip.example.com, you might use
+# 'sip:.*@sip\.(.*)\.com' in order to use 'example' as realm.
+#
+# WARNING: this parameter is exclusive with 'realm'
+# Default:
+#realm-regex=
+
+# If set to true, the module will simply reject with "403 forbidden"
+# any request coming from clients which have presented a bad TLS
+# certificate (regardless of reason: improper signature, unmatched
+# subjects). Otherwise, the module will fallback to a digest authentication.
+# This policy applies only for transports configured which have
+# 'required-peer-certificate=1' parameter; indeed no certificate
+# is requested to the client otherwise.
+# Default: false
+#reject-wrong-client-certificates=false
+
+# An optional regular expression used to accept or deny a request
+# basing on subject fields of the client certificate. The request
+# is allowed if one of the subjects matches the regular expression.
+# The list of subjects to check is built by extracting the following
+# fields, in order:
+# subjectAltNames.DNS, subjectAltNames.URI, subjectAltNames.IP
+# and CN
+# Default:
+#tls-client-certificate-required-subject=
+
+# Accept requests which the client certificate enables to trust
+# the domaine of its Request-URI.
+# Default: false
+#trust-domain-certificates=false
+
+# When receiving a proxy authenticate challenge, generate a new
+# challenge for this proxy.
+# Default: false
+#new-auth-on-407=false
+
+# Database backend implementation for digest authentication [soci,file].
+# Default: file
+db-implementation=file
+
+# Duration of the validity of the credentials added to the cache.
+# Default: 1800
+# Default unit: second
+#cache-expire=1800
+
+# Path of the file in which user credentials are stored.
+# The file must start with 'version:1' as the first line, and then
+# contains lines in the form of:
+# user@domain clrtxt:clear-text-password md5:md5-password sha256:sha256-password
+# ;
+# For example:
+# bellesip@sip.linphone.org clrtxt:secret ;
+# bellesip@sip.linphone.org md5:97ffb1c6af18e5687bf26cdf35e45d30
+# ;
+# bellesip@sip.linphone.org clrtxt:secret md5:97ffb1c6af18e5687bf26cdf35e45d30
+# sha256:d7580069de562f5c7fd932cc986472669122da91a0f72f30ef1b20ad6e4f61a3
+# ;
+# Default:
+file-path=/etc/flexisip/users.db.txt
+
+# Choose the type of backend that Soci will use for the connection.
+# Depending on your Soci package and the modules you installed,
+# this could be 'mysql', 'oracle', 'postgresql' or something else.
+# Default: mysql
+#soci-backend=mysql
+
+# The configuration parameters of the Soci backend.
+# The basic format is "key=value key2=value2". For a mysql backend,
+# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
+# Please refer to the Soci documentation of your backend, for intance:
+# http://soci.sourceforge.net/doc/release/4.0/backends/mysql/
+# Default: db=mydb user=myuser password='mypass' host=myhost.com
+#soci-connection-string=db=mydb user=myuser password='mypass' host=myhost.com
+
+# Soci SQL request used to obtain the password of a given user.
+# Each keywords starting with ':' character will be replaced by
+# strings extracted from the SIP request to authenticate.
+#
+# Only these keywords are supported: - ':id' : the user found
+# in the from header (mandatory)
+# - ':domain' : the authorization realm
+# - ':authid' : the authorization username
+#
+# The request MUST returns a two-columns table, which columns are
+# defined as follow:
+# - 1st column: hashed password of the user or plain password if
+# the associated algorithm is CLRTXT.
+# - 2nd column: the algorithm used to hash the associated password.
+# Supported values: 'CLRTXT', 'MD5', 'SHA-256'
+#
+# Examples:
+# - the password and algorithm are both available in the database
+# select password, algorithm from accounts where login = :id and
+# domain = :domain
+#
+# - all the passwords from the database are MD5
+# select password, 'MD5' from accounts where login = :id and domain
+# = :domain
+# Default: select password, 'MD5' from accounts where login = :id and domain = :domain
+#soci-password-request=select password, 'MD5' from accounts where login = :id and domain = :domain
+
+# Amount of queries that will be allowed to be queued before bailing
+# password requests.
+# This value should be chosen accordingly with 'soci-poolsize',
+# so that you have a coherent behavior.
+# This limit is here mainly as a safeguard against out-of-control
+# growth of the queue in the event of a flood or big delays in the
+# database backend.
+# Default: 1000
+#soci-max-queue-size=1000
+
+# Size of the pool of connections that Soci will use. A thread is
+# opened for each DB query, and this pool will allow each thread
+# to get a connection.
+# The threads are blocked until a connection is released back to
+# the pool, so increasing the pool size will allow more connections
+# to occur simultaneously.
+# On the other hand, you should not keep too many open connections
+# to your DB at the same time.
+# Default: 100
+#soci-poolsize=100
+
+
+
+
+
+
+##
+## This module redirect sip requests with a 302 move temporarily.
+##
+[module::Redirect]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# A contact where to redirect requests. ex: <sip:127.0.0.1:5065>;expires=100
+# Default:
+#contact=
+
+
+
+
+
+
+##
+## This module is in charge of routing 'reg' event SUBSCRIBE requests
+## to the flexisip-regevent server.
+##
+[module::RegEvent]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2').
You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# A sip uri where to send all the reg-event related requests.
+# Default: sip:127.0.0.1:6065;transport=tcp
+#regevent-server=sip:127.0.0.1:6065;transport=tcp
+
+
+
+
+
+
+##
+## This module is in charge of intercepting requests and routing
+## them to the back-to-back user agent server.
+## Requests filtering is based on the "User-Agent" header value,
+## thus 'b2bua-server/user-agent' values must match both on Proxy
+## and B2BUA servers.
+##
+[module::B2bua]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# A sip uri where to send all the relevant requests.
+# Default: sip:127.0.0.1:6067;transport=tcp
+#b2bua-server=sip:127.0.0.1:6067;transport=tcp
+
+
+
+
+
+
+##
+## This module transfers SIP presence messages, like subscribe/notify/publish
+## to a presence server.
+##
+[module::Presence]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2').
You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')
+#filter=is_request && (request.method-name == 'PUBLISH' || request.method-name == 'NOTIFY' || request.method-name == 'SUBSCRIBE')
+
+# A SIP URI where to send all presence related requests.
+# Default: sip:127.0.0.1:5065;transport=tcp
+#presence-server=sip:127.0.0.1:5065;transport=tcp
+
+# If true, only manage list subscription.
+# Default: false
+#only-list-subscription=false
+
+# When getting the list of users with phones, if this setting is
+# enabled, it will limit the results to the ones that have the same
+# domain.
+# Default: false
+#check-domain-in-presence-results=false
+
+
+
+
+
+
+##
+## The Registrar module handles REGISTER requests for domains it
+## is in charge of. It stores the address of record (AOR) in order
+## to allow routing requests intended to the client who registered.
+## REGISTER requests for other domains are simply ignored and transferred
+## to the next module.
+##
+[module::Registrar]
+
+# Indicate whether the module is activated.
+# Default: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# List of whitespace separated domain names which the registar is
+# in charge of. It can eventually be the '*' (wildcard) in order
+# to match any domain name.
+# Default: localhost
+reg-domains=<%= @flexisip_domain %>
+
+# Register users based on response obtained from a back-end server.
+# This mode is for using flexisip as a front-end server to hold
+# client connections but registeracceptance is deferred to backend
+# server to which the REGISTER is routed.
+# Default: false
+#reg-on-response=false
+
+# Maximum number of registered contacts per address of record.
+# Default: 12
+#max-contacts-by-aor=12
+
+# Limits the number of authorized "Contact:" headers in a REGISTER
+# request. If the number of "Contact:" headers exceeds this limit,
+# the request is rejected.
+# Default: 12
+#max-contacts-per-registration=12
+
+# List of contact URI parameters that can be used to identify a
+# user's device. The contact parameters are searched in the order
+# of the list, the first matching parameter is used and the others
+# ignored.
+# Default: +sip.instance pn-tok line
+#unique-id-parameters=+sip.instance pn-tok line
+
+# When supported by the client, assign a pub-gruu address to the
+# client, returned in the response.
+# Default: true
+#enable-gruu=true
+
+# Maximum expiry value for a REGISTER.
+# Default: 86400
+# Default unit: second
+#max-expires=86400
+
+# Minimum expiry value for a REGISTER.
+# Default: 60
+# Default unit: second
+#min-expires=60
+
+# Default expiry value to be used if no value has been found in
+# the request headers or in 'Contact' header parameters.
+# Default: 10min
+# Default unit: millisecond
+#default-expires=10min
+
+# Set a value that will override expiry values indicated in a 'REGISTER'
+# request. A null or negative value disables this feature. If enabled,
+# 'max-expires', 'min-expires' and 'default-expires' will not have
+# any effect.
+# Default: 0
+# Default unit: second
+#force-expires=0
+
+# File containing the static records to add to database on startup.
+# Format: one 'sip_uri contact_header' by line. Example:
+# <sip:contact@domain> <sip:127.0.0.1:5460>,<sip:192.168.0.1:5160>
+# Default:
+#static-records-file=
+
+# Timeout after which the static records file is re-read and the
+# contacts updated.
+# Default: 600
+# Default unit: second
+#static-records-timeout=600
+
+# Implementation used for storing the contact URIs of each address
+# of record. Two backends are available:
+# - redis : contacts are stored in a Redis database, which allows
+# persistent and shared storage accross multiple Flexisip instances.
+# - internal : contacts are stored in RAM. Of course, if flexisip
+# is restarted, all the contact URIs are lost until clients update
+# their registration.
+# The redis backend is recommended, the internal being more adapted
+# to very small deployments.
+# Default: internal
+db-implementation=internal
+
+# Hostname or address of the Redis server.
+# Default: localhost
+#redis-server-domain=localhost
+
+# Port of the Redis server.
+# Default: 6379
+#redis-server-port=6379
+
+# ACL username used to authenticate on Redis. Empty to disable.
+# Setting this but not `redis-auth-password` is a misconfiguration,
+# and will be ignored.
+# Default:
+#redis-auth-user=
+
+# Authentication password for Redis. Empty to disable. If set but
+# `redis-auth-user` is left unset or empty, Flexisip will attempt
+# to register in legacy mode.
+# Default:
+#redis-auth-password=
+
+# When Redis is configured in master-slave, Flexisip will periodically
+# ask which Redis instances are the slaves and the master. This
+# is the period at which it will query the server. It will then
+# determine whether it is connected to the master, and if not, will
+# terminate the connection and migrate to the master.
+# Note: This requires that all Redis instances have the same password.
+# Otherwise authentication will fail.
+# Default: 60
+# Default unit: second
+#redis-slave-check-period=60
+
+# Tell if Flexisip should try to connect to Redis slaves if master
+# went down. Can be disabled if slaves hostname info are on private
+# network for example.
+# Default: true
+#redis-use-slaves-as-backup=true
+
+# The frequency of activation of the subscription session keep alive
+# mechanism.
Flexisip will periodically ping Redis subscription
+# session. It will then determine whether it is connected, and if
+# not, will try to reconnect.
+# Default: 60
+# Default unit: second
+#redis-subscription-keep-alive-check-period=60
+
+# Sequence of proxies (space-separated) where requests will be redirected
+# through (RFC3608)
+# Default:
+#service-route=
+
+# Name of the custom Contact header parameter which is to indicate
+# the expire time for chat message delivery.
+# Default: message-expires
+#message-expires-param-name=message-expires
+
+# If not zero, the expire time put in the 200 OK response won't
+# be the one required by the user agent, but will be slightly modified
+# by subtracting a random value. The value given by this parameter
+# is the maximum percentage of the initial expire that can be subtracted.
+# If zero, no randomization is applied. Value must be in [0, 100].
+# Default: 0
+#register-expire-randomizer-max=0
+
+
+
+
+
+
+##
+## The purpose of the StatisticsCollector module is to collect call
+## statistics (RFC 6035) and store them on the server.
+##
+[module::StatisticsCollector]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default: is_request && request.method-name == 'PUBLISH'
+#filter=is_request && request.method-name == 'PUBLISH'
+
+# SIP URI of the statistics collector. Note that application/vq-rtcpxr
+# messages for this address will be deleted by this module and thus
+# not be delivered.
+# Default:
+#collector-address=
+
+
+
+
+
+
+##
+## The Router module routes requests for domains it manages.
+## The routing algorithm is as follows:
+## - first skip route headers that directly point to this proxy.
+## - if a route header is found that doesn't point to this proxy,
+## then the request is not processed by the Router module, and will
+## be handled by the Forward module at the end of the processing
+## chain.
+## - examine the request-uri: if it is part of the domains managed
+## by this proxy (according to Registrar module 'reg-domains' definition,
+## then attempt to resolve the request-uri from the Registrar database.
+## - the results from the registrar database, in the form of contact
+## headers, are sorted by priority (q parameter), if any.
+## - for each set of contact with equal priorities, the request
+## is forked, and sent to their corresponding sip URI. After a timeout
+## defined by property 'call-fork-current-branches-timeout', a next
+## set of contact header is determined.
+## - responses are received from all attempted branches, and sent
+## back to the request originator, according to the procedure of
+## RFC3261 16.7 Response processing.
+## The router module offers different variations of the routing logic,
+## depending on whether it is an INVITE, a MESSAGE, or another type
+## of request. The processing of MESSAGE request essentially differs
+## from others because it allows to keep the MESSAGE for a later
+## delivery, in which case the incoming transaction will be terminated
+## with a 202 Accepted response.
+##
+[module::Router]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# Store and retrieve contacts without using the domain.
+# Default: false
+#use-global-domain=false
+
+# Fork invites to late registers.
+# Default: false
+#fork-late=false
+
+# All the forked have to decline in order to decline the caller
+# invite.
+# Default: false
+#fork-no-global-decline=false
+
+# Treat 603 Declined answers as urgent. Only relevant if fork-no-global-decline
+# is set to true.
+# Default: false
+#treat-decline-as-urgent=false
+
+# During a fork procedure, treat all failure response as urgent.
+# Default: false
+#treat-all-as-urgent=false
+
+# Maximum time for a call fork to try to reach a callee.
+# Default: 90
+# Default unit: second
+#call-fork-timeout=90
+
+# Maximum time before delivering urgent responses during a call
+# fork. The typical fork process requires to wait the best response
+# from all branches before transmitting it to the client. However
+# some error responses are retryable immediately (like 415 unsupported
+# media, 401, 407) thus it is painful for the client to need to
+# wait the end of the transaction time (32 seconds) for these error
+# codes.
+# Default: 5
+# Default unit: second
+#call-fork-urgent-timeout=5
+
+# Maximum time before trying the next set of lower priority contacts.
+# Default: 10
+# Default unit: second
+#call-fork-current-branches-timeout=10
+
+# Fork MESSAGE requests to client registering lately.
+# Default: true
+#message-fork-late=true
+
+# Maximum duration for delivering a MESSAGE request. This property
+# applies only if message-fork-late is 'true'; otherwise, the duration
+# can't exceed the normal transaction duration.
+# Default: 604800
+# Default unit: second
+#message-delivery-timeout=604800
+
+# Maximum duration for accepting a MESSAGE request if no response
+# is received from any recipients. This property is meaningful when
+# message-fork-late is set to true.
+# Default: 5
+# Default unit: second
+#message-accept-timeout=5
+
+# If 'true', the message that are waiting for delivery will be stored
+# in database instead of memory.
+# Default: false
+#message-database-enabled=false
+
+# Choose the type of backend that Soci will use for the connection.
+# Depending on your Soci package and the modules you installed,
+# the supported databases are:`mysql` (and `sqlite3` soon)
+# Default: mysql
+#message-database-backend=mysql
+
+# The configuration parameters of the backend. The basic format
+# is "key=value key2=value2". For a mysql backend, this is a valid
+# config: "db=mydb user=user password='pass' host=myhost.com". Please
+# refer to the Soci documentation of your backend, for instance:
+# http://soci.sourceforge.net/doc/master/backends/#supported-backends-and-features
+# Default: db='mydb' user='myuser' password='mypass' host='myhost.com'
+#message-database-connection-string=db='mydb' user='myuser' password='mypass' host='myhost.com'
+
+# Size of the pool of connections that Soci will use for accessing
+# the message database.
+# Default: 100
+#message-database-pool-size=100
+
+# Default route to apply when the recipient is unreachable or when
+# when all attempted destination have failed.It is given as a SIP
+# URI, for example: sip:example.org;transport=tcp (without surrounding
+# brackets)
+# Default:
+#fallback-route=
+
+# During a call forking, allow several INVITEs going to the same
+# next hop to be grouped into a single one. A proprietary custom
+# header 'X-target-uris' is added to the INVITE to indicate the
+# final targets of the INVITE.
+# Default: false
+#allow-target-factorization=false
+
+# Whether the proxy is allowed to generate and send provisional
+# responses during a call forking process. A typical example for
+# this is the '110 Push sent' emitted by the proxy when at least
+# one push notification has been sent to a target UA while routing
+# an INVITE. Some old versions of Linphone (below linphone-sdk 4.2)
+# suffer from an issue when receiving such kind of provisional responses
+# that don't come from a remote client. This setting is mainly intended
+# to temporarily workaround this situation.
+# Default: true
+#permit-self-generated-provisional-response=true
+
+# Whether or not to resolve next hop in route header against registrar
+# database. This is an extension to RFC3261, and should not be used
+# unless in some specific deployment cases. A next hope in route
+# header is otherwise resolved through standard DNS procedure by
+# the Forward module.
+# Default: false
+#resolve-routes=false
+
+# Whether or not to fallback to the parent domain if there is no
+# fallback route set and the recipient is unreachable. For example,
+# if routing to sip:bob@a.b.com returns no result, route the request
+# to b.com. This is also a non-standard behavior.
+# Default: false
+#parent-domain-fallback=false
+
+# Only use the fallback route if the expression is true.
+# Default: true
+#fallback-route-filter=true
+
+# Max time the proxy will retain a request in order to maintain
+# order.
+# Default: 30
+# Default unit: second
+#max-request-retention-time=30
+
+# List of sip addresses that are always added to the list of contacts
+# fetched from the registrar database when routing INVITE and MESSAGE
+# requests.
+# Default:
+#static-targets=
+
+
+
+
+
+
+##
+## The PushNotification module sends push notifications to mobile
+## phone notification systems: apple, firebase (android), as well
+## as generic HTTP GET/POST APIs (custom server to which actual sending
+## of the notification is delegated). Push notifications are sent
+## when an INVITE or MESSAGE request is not answered by thedestination
+## of the request within a certain period of time (configurable hereunder
+## by 'timeout' parameter). This module has an implicit dependency
+## on the Router module, which is in charge of creating the incoming
+## and outgoing transactions as well as the context associated with
+## the request forking process. No push notification can be sent
+## if the Router module is not enabled. The time-to-live (ttl) of
+## the push notification depends on the type of event for which the
+## push notification is sent:
+## - If it is for a call (INVITE), ttl will be set equal to 'module::Router/call-fork-timeout',
+## which corresponds to the maximum time for a call attempt.
+## - If it is for an IM (MESSAGE or INVITE for a text session),
+## ttl will be set equal to 'message-time-to-live'.
+##
+[module::PushNotification]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# Time to wait before sending a push notification to a device.
+# A negative or zero value will cause the push notification to be
+# sent immediately. This behavior is recommended as mobile devices
+# do not have a permanent connection with Flexisip most of the time.
+# Default: 0
+# Default unit: second
+#timeout=0
+
+# Time to live for the push notifications related to IM messages.
+# The default value zero is interpreted as using the same value
+# as for 'module::Router/message-delivery-timeout'.
+# Default: 0
+# Default unit: second
+#message-time-to-live=0
+
+# Maximum number of push notifications queued for each push notification
+# service.
+# Default: 100
+#max-queue-size=100
+
+# Number of push notification request retransmissions sent to a
+# client for a same event (call or message).
+# Retransmissions cease when a response is received from the client.
+# The value zero disables retransmissions.
+# Default: 0
+#retransmission-count=0
+
+# Retransmission interval for push notification requests, when a
+# 'retransmission-count' has been specified above.
+# Default: 5
+# Default unit: second
+#retransmission-interval=5
+
+# Default interval between two subsequent push notifications when
+# remote push notifications are used to notify a call invitation
+# to a client that has not published any token for VoIP and background
+# push notifications.
+# In that case, several push notifications are sent subsequently
+# until the call is picked up, declined or canceled. This parameter
+# can be overridden by the client by using the 'pn-call-remote-push-interval'
+# push parameter.
+# A value of zero deactivates push notification repetitions and
+# the sending of the final notification. Thus, only the first push
+# notification will be sent. The value must be in [0;30].
+# Default: 0
+# Default unit: second
+#call-remote-push-interval=0
+
+# If true, the following key in the payload of the push request
+# will be set:
+# * 'from-uri': the SIP URI of the caller or the message sender.
+# * 'display-name': the display name of the caller or the message
+# sender.
+# * 'loc-args': the display name if not empty or the SIP URI instead.
+#
+# If false, the keys will be set empty.
+# Default: false
+#display-from-uri=false
+
+# Enable push notification for Apple devices.
+# Default: true
+#apple=true
+
+# Path to directory where Apple Push Notification service certificates
+# are located.
+# The file names MUST bear the appid of the application, suffixed
+# by the release mode and '.pem' extension. Examples: org.linphone.dev.pem,
+# org.linphone.prod.pem, com.somephone.dev.pem, etc... The files
+# MUST be '.pem' format, and made of certificates followed by the
+# private key.
+# This directory may also contain Voice Over IP certificates (certificates
+# to use PushKit). They MUST bear the appid of the application,
+# suffixed by the release mode and '.pem' extension, and made of
+# certificate followed by the private key. Examples: org.linphone.voip.dev.pem,
+# org.linphone.voip.prod.pem, com.somephone.voip.dev.pem, etc...
+# Default: /etc/flexisip/apn
+#apple-certificate-dir=/etc/flexisip/apn
+
+# Set the badge value to 0 for Apple push notifications.
+# Default: false
+#no-badge=false
+
+# Enable push notification for Android devices.
+# Default: true
+#firebase=true
+
+# List of pairs of <Firebase Project Number>:<Firebase Cloud Messaging
+# API (Legacy) Server Key> for each Android project that supports
+# push notifications.
+# Default:
+#firebase-projects-api-keys=
+
+# List of pairs of <Firebase Project Number>:<Path to service account
+# json file> for each Android project that supports push notifications.
+# Default:
+#firebase-service-accounts=
+
+# Time to execute the access token refresh operation just before
+# the current access token expires. This parameter is used to control
+# overlapping access token lifetimes.
+# Default: 300
+# Default unit: second
+#firebase-token-expiration-anticipation-time=300
+
+# Default interval to execute the access token refresh operation
+# in the event that the access token has not been successfully obtained.
+# Default: 60
+# Default unit: second
+#firebase-default-refresh-interval=60
+
+# Allows you to route push notification requests through a designated
+# server instead of directly communicating with Apple and Google
+# servers.
+# Using this setup, the server sends an HTTP request to the specified
+# server, embedding all required information within the URL. Various
+# placeholders can be used within the HTTP request URI:
+#
+# - $type: Type of push notification, distinguishing between Apple
+# ('apple') and Android ('firebase') notifications.
+# - $token: Value of the 'pn-prid' push parameter. For Apple devices,
+# 'pn-prid' may contain multiple tokens depending on the notification
+# type ('remote' or 'voip'). In such cases, $token is replaced by
+# the relevant token matching the notification type.
+# - $api-key: Deprecated placeholder for the Firebase API key.
+# It is advised that the designated server manages the authentication
+# credentials.
+# - $app-id: Application identifier. On Android, it matches the
+# value of 'pn-param'. On Apple, it matches the string between the
+# first and last dot ('.') of 'pn-param'. For example, if 'pn-param'
+# is 'ABCD1234.org.my-app.remote&voip', $app-id becomes 'org.my-app'.
+# - $from-name: Display name in the 'From' header of the triggering
+# request for the push notification. Replaced by an empty string
+# if 'display-from-uri' is false.
+# - $from-uri: SIP URI in the 'From' header of the triggering request.
+# Replaced by an empty string if 'display-from-uri' is false.
+# - $from-tag: Tag of the 'From' header in the triggering request.
+# - $to-uri: SIP URI in the 'To' header.
+# - $call-id: Call-ID of the INVITE or MESSAGE request.
+# - $event: Type of event that triggered the push notification
+# ('call' for call invites, 'message' for message delivery or chatroom
+# invitation).
+# - $sound: For iOS only, if $event is 'call', it is the value
+# of 'pn-call-snd' contact parameter; otherwise, it represents 'pn-msg-snd'.
+# This allows customization of the push notification sound. If 'pn-call-snd'
+# or 'pn-msg-snd' contact parameters were not set during user agent
+# registration, the placeholder is replaced with 'empty'.
+# - $msgid: For iOS only, replaced by respective contact parameter
+# values ('pn-call-str', 'pn-msg-str', or 'pn-groupchat-str') if
+# the triggering SIP message is a call invite, pending message,
+# or groupchat invitation. If these parameters were not set during
+# user agent registration, placeholders are replaced by 'IC_MSG',
+# 'IM_MSG', or 'IG_MSG'. This allows customization of the push notification
+# title.
+# - $uid: UUID present in the '+sip.instance' parameter value when
+# the recipient of the push notification registered to the registrar.
+#
+# Additionally, the text message content is included in the HTTP
+# request body as text/plain if available. Example: http://292.168.0.2/$type/$event?from-uri=$from-uri&tag=$from-tag&callid=$callid&to=$to-uri
+# Default:
+#external-push-uri=
+
+# Method for reaching external-push-uri (typically GET or POST).
+# Default: GET
+#external-push-method=GET
+
+# Protocol used for reaching external-push-uri ('http2' or 'http'
+# (deprecated)).
+# Default: http2
+#external-push-protocol=http2
+
+# Send service push notification periodically to all devices that
+# are about to expire and should wake up to REGISTER back. The zero
+# value disables this feature. Recommended value: 30
+# Default: 0
+# Default unit: minute
+#register-wakeup-interval=0
+
+# Start sending wake-up push notifications to contacts when they
+# pass the provided percentage of their lifetime. The value MUST
+# be in [0;100]
+# Default: 50
+#register-wakeup-threshold=50
+
+
+
+
+
+
+##
+## The MediaRelay module masquerades SDP message so that all RTP
+## and RTCP streams go through the proxy. When the client has set
+## ICE candidates in the SDP offer, then the MediaRelay module will
+## automatically add ICE relay candidates. The RTP and RTCP streams
+## are then routed so that each client receives the stream of the
+## other. MediaRelay makes sure that RTP is ALWAYS established, even
+## with uncooperative firewalls.
+##
+[module::MediaRelay]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# The name of the SDP attribute to set by the first proxy to forbid
+# subsequent proxies to provide relay. Use 'disable' to disable.
+# Default: nortpproxy
+#nortpproxy=nortpproxy
+
+# The minimal value of SDP port range
+# Default: 1024
+sdp-port-range-min=<%= @flexisip_sdp_port_range_min %>
+
+# The maximal value of SDP port range
+# Default: 65535
+sdp-port-range-max=<%= @flexisip_sdp_port_range_max %>
+
+# Sends a ACK and BYE to 200Ok for INVITEs not belonging to any
+# established call. This is to solve the race condition that happens
+# when two callees answer the same call at the same time. According
+# to RFC3261, the caller is expected to send an ACK followed by
+# a BYE to the loser callee. This is not the case in RFC2543, where
+# the proxy was supposed to do this. When set to true, the MediaRelay
+# module will implement the RFC2543 behavior. Note that it may sound
+# inappropriate to bundle this property with the media relay feature.
+# However the MediaRelay module is the only one in Flexisip that
+# has the visibility of SIP dialogs, which is necessary to implement
+# this feature.
+# Default: false
+#bye-orphan-dialogs=false
+
+# Maximum concurrent calls processed by the media-relay. Calls arriving
+# when the limit is exceed will be rejected. A value of 0 means
+# no limit.
+# Default: 0
+#max-calls=0
+
+# When true, the 'c=' line and port number are set to the relay
+# ip/port even if ICE candidates are present in the request, while
+# the standard behavior is to leave the c= line and port number
+# as they are in the original offer sent by the client. This variation
+# allows callees that do not support ICE at all to benefit from
+# the media relay service.
+# Default: true
+#force-relay-for-non-ice-targets=true
+
+# Prevent media-relay ports to loop between them, which can cause
+# 100% cpu on the media relay thread. You need to set this property
+# to false if you are running test calls from clients running on
+# the same IP address as the flexisip server
+# Default: true
+#prevent-loops=true
+
+# In case multiples '183 Early media' responses are received for
+# a call, only the first one will have RTP streams forwarded back
+# to caller. This feature prevents the caller to receive 'mixed'
+# streams, but it breaks scenarios where multiple servers play early
+# media announcement in sequence.
+# Default: true
+#early-media-relay-single=true
+
+# Maximum number of relayed early media streams per call. This is
+# useful to limit the cpu usage due to early media relaying on embedded
+# systems. A value of 0 stands for unlimited.
+# Default: 0
+#max-early-media-per-call=0
+
+# Period of time after which a relayed call without any activity
+# is considered as no longer running. Activity counts RTP/RTCP packets
+# exchanged through the relay and SIP messages.
+# Default: 3600
+# Default unit: second
+#inactivity-period=3600
+
+# Force the media relay to use the public address of Flexisip to
+# relay calls. It not enabled, Flexisip will deduce a suitable IP
+# address by basing on data from SIP messages, which could fail
+# in tricky situations e.g. when Flexisip is behind a TCP proxy.
+# Default: false
+#force-public-ip-for-sdp-masquerading=false
+
+
+
+
+
+
+##
+## The purpose of the Transcoder module is to transparently transcode
+## from one audio codec to another to make the communication possible
+## between clients that do not share the same set of supported codecs.
+## Concretely, it adds all missing codecs into the INVITEs it receives,
+## and adds codecs matching the original INVITE into the 200Ok. Rtp
+## ports and addresses are masqueraded so that the streams can be
+## processed by the proxy. The transcoding job is done in the background
+## by the Mediastreamer2 library, as consequence the set of supported
+## codecs is exactly the the same as the codec set supported by Mediastreamer2,
+## including the possible plugins you may installed to extend Mediastreamer2.
+##
+## WARNING: this module can conflict with the MediaRelay module as
+## they are both changing the SDP. Make sure to configure them with
+## different to-domains or from-domains filter if you want to enable
+## both of them.
+##
+[module::Transcoder]
+
+# Indicate whether the module is activated.
+# Default: false
+#enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# Nominal size of RTP jitter buffer. A value of 0 means no jitter
+# buffer (packet processing).
+# Default: 0
+# Default unit: millisecond
+#jb-nom-size=0
+
+# Whitespace separated list of user-agent strings for which audio
+# rate control is performed.
+# Default:
+#rc-user-agents=
+
+# Whitespace seprated list of audio codecs, in order of preference.
+# The 'telephone-event' codec is necessary for inband DTMF processing.
+# Default: speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000
+#audio-codecs=speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000 telephone-event/8000
+
+# Remove the bandwidth limitations from SDP offers and answers
+# Default: false
+#remove-bw-limits=false
+
+# If true, retransmissions of INVITEs will be blocked. The purpose
+# of this option is to limit bandwidth usage and server load on
+# reliable networks.
+# Default: false
+#block-retransmissions=false
+
+
+
+
+
+
+##
+## This module executes the basic routing task of SIP requests and
+## pass them to the transport layer. It must always be enabled.
+##
+[module::Forward]
+
+# Indicate whether the module is activated.
+# Default: true
+#enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2'). You can consult the full filter
+# documentation here : https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# Default:
+#filter=
+
+# A path to a configuration file describing routes to be prepended
+# before forwarding a request, when specific conditions for the
+# SIP request being forwarded are met. The condition is described
+# using flexisip's filter syntax, as described on
+# https://wiki.linphone.org/xwiki/wiki/public/view/Flexisip/Configuration/Filter%20syntax/
+# The configuration file comprises lines using the following syntax:
+# <sip route> <condition expressed as a filter expression>
+# Comments are allowed with '#'.
+# Conditions can spread over multiples lines provided that the continuation
+# line starts with either spaces or tabs.
+# The special condition '*' matches every request.
+# The conditions are matched in the order they appear in the configuration
+# file. The first fulfilled condition determines the route that
+# is prepended.If the request does not match any condition, no route
+# is prepended.
+# The file may be empty, or no path may be specified, in which case
+# no route is preprended either. Here is a an example of a valid
+# routes configuration file:
+# <sip:example.org;transport=tls> request.uri.domain == 'example.org'
+# <sip:10.0.0.2:5070;transport=tcp> request.uri.params contains
+# 'user=phone'
+#
+# Beware: that is not just a SIP URI, but a route. As a result,
+# when the URI has parameters, brackets must enclose the URI, otherwise
+# the parameters will be parsed as route parameters.
+# Default:
+#routes-config-path=
+
+# Add a path header of this proxy
+# Default: true
+#add-path=true
+
+# For SIP URIs, in asbsence of transport parameter, assume the given
+# transport is to be used. Possible values are udp, tcp or tls.
+# Default: udp
+#default-transport=udp
+
+# List of URL and contact params to remove
+# Default: pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent pn-provider pn-prid pn-param
+#params-to-remove=pn-tok pn-type app-id pn-msg-str pn-call-str pn-call-snd pn-msg-snd pn-timeout pn-silent pn-provider pn-prid pn-param
+
+
+
+
+
+
+##
+## Inter domain connections is a set of feature allowing to dynamically
+## connect several Flexisip servers together in order to manage SIP
+## routing at local and global scope. Let's suppose you have two
+## SIP network a.example.net and b.example.net run privately and
+## independently (no one from a.example.net needs to call someone
+## at b.example.net). However, when people from a and b are outside
+## of their network, they register to a worldwide available Flexisip
+## instance running on 'global.example.net'. It is then possible
+## to:
+## * have calls made within a.example.net routed locally and sent
+## to global.example.net in order to reach users inside and outside
+## of a's network. Example: 1@a.example.net calls 2@a.example.net.
+## If 2 is registered on a.example.net then the call is routed locally.
+## On the contrary if 2 is absent and registered, the call is then
+## sent to global.example.net and then routed by the global proxy.
+## * when global.example.net receives a call from a user not within
+## its native network (ex: 1@a.example.net calls 2@a.example.net),
+## it can route this call to the proxy that is responsible for managing
+## the local domain (a.example.net).
+##
+## This system is dynamic: the physical IP address of a and b network
+## can change (dynamic ip address allocation)
+## .This scenario is achieved with two key features:
+## * a.example.net sends a REGISTER to global.example.net to indicate
+## that it is the responsible for the entire domain a.example.net.
+## The global.example.net authenticates this REGISTER thanks to TLS
+## client certificate presented by a.example.net.
+## * global.example.net is configured to accept this domain registration
+## and route all calls it receives directly and destinated to a.example.net
+## domain through the connection established by a.example.net during
+## the domain registration.
+##
+[inter-domain-connections]
+
+# Whether Flexisip shall accept registrations for entire domains
+# Default: false
+#accept-domain-registrations=false
+
+# Whether Flexisip shall assume that there is a unique server per
+# registered domain, which allows to clean old registrations and
+# simplifies the routing logic.
+# Default: false
+#assume-unique-domains=false
+
+# Path to a text file describing the domain registrations to make.
+# This file must contains lines like:
+# <local domain name> <SIP URI of proxy/registrar where to send
+# the domain REGISTER> [password]>
+# where:
+# <local domain name> is a domain name managed locally by this
+# proxy
+# <SIP URI of proxy/registrar> is the SIP URI where the domain
+# registration will be sent. The special uri parameter 'tls-certificates-dir'
+# is understood in order to specify a TLS client certificate to
+# present to the remote proxy.
+# [password] is the password to use if the remote proxy/registrar
+# requests a digest authentication. It is optional.
+# If the file is absent or empty, no registrations are done.An
+# example of such line is:
+# belledonne.linphone.org <sips:sip.linphone.org;tls-certificates-dir=/etc/flexisip/client-cert>
+# gghhiioozz
+# Default: /etc/flexisip/domain-registrations.conf
+#domain-registrations=/etc/flexisip/domain-registrations.conf
+
+# When submitting a domain registration to a server over TLS, verify
+# the certificate presented by the server. Disabling this option
+# is only for test, because it is a security flaw
+# Default: true
+#verify-server-certs=true
+
+# Interval for sending \r\n\r\n keepalives through the outgoing
+# domain registration connection.A value of zero disables keepalives.
+# Default: 30
+# Default unit: second
+#keepalive-interval=30
+
+# Delay after which TCP/TLS connections will be considered as broken
+# if no CRLF pong has been received from the registrar. A delay
+# of 0 means that no pong is expected after ping. The registrar
+# must advertise the 'outbound' option tag in a Supported header
+# for this detection to be active.
+# Warning: This parameter must be strictly lower than “keepalive-interval”.
+# Default: 0
+# Default unit: second
+#ping-pong-timeout-delay=0
+
+# Delay before creating a new connection after connection is known
+# as broken. Set '0' in order the connection be recreated immediately.
+# Default: 5
+# Default unit: second
+#reconnection-delay=5
+
+# Whether Flexisip shall only send a domain registration when a
+# device is registered
+# Default: false
+#reg-when-needed=false
+
+# Route received REGISTER request to the server in charge of the
+# domain, according to accepted domain registrations. This option
+# is intended to be used with 'reg-on-response' mode of Registrar
+# module, and 'accept-domain-registrations' enabled too.The 'reg-on-response'
+# mode typically allows Flexisip to forward an incoming REGISTER
+# to an upstream server, and record the client's contact address
+# upon receiving the 200 Ok response from the upstream server. When
+# 'relay-reg-to-domains' is enabled, the routing to the upstream
+# server is performed according to the domain registrations received
+# previously by flexisip, instead of usual DNS-based procedures.
+# Default: false
+#relay-reg-to-domains=false
+
+# regex to match domain names (host part of URL) for which the register
+# requests should be routed to the upstream server.This option is
+# intended to be used with 'relay-reg-to-domains' mode enabled.
+# Default:
+#relay-reg-to-domains-regex=
+ |
