######################################################## # repro configuration file ######################################################## ######################################################## # Log settings ######################################################## # Logging Type: syslog|cerr|cout|file # Note: Logging to cout can negatively effect performance. # When repro is placed into production 'file' or # 'syslog' should be used. LoggingType = cout # Logging level: NONE|CRIT|ERR|WARNING|INFO|DEBUG|STACK LogLevel = INFO # Log Filename LogFilename = repro.log # Log file Max Bytes LogFileMaxBytes = 5242880 # Instance name to be shown in logs, very useful when multiple instances # logging to syslog concurrently # If unspecified, defaults to argv[0] (name of the executable) #LoggingInstanceName repro-dev ######################################################## # Transport settings ######################################################## # Local IP Address to bind SIP transports to. If left blank # repro will bind to all adapters. #IPAddress = 192.168.1.106 #IPAddress = 2001:5c0:1000:a::6d IPAddress = # Local port to listen on for SIP messages over UDP - 0 to disable UDPPort = 5060 # Local port to listen on for SIP messages over TCP - 0 to disable TCPPort = 5060 # Local port to listen on for SIP messages over TLS - 0 to disable TLSPort = 0 # Local port to listen on for SIP messages over DTLS - 0 to disable DTLSPort = 0 # TLS domain name for this server (note: domain cert for this domain must be present) TLSDomainName = # Whether or not we ask for (Optional) or expect (Mandatory) TLS # clients to present a client certificate # Possible values: # None: client can connect without any cert, if a cert is sent, it is not checked # Optional: client can connect without any cert, if a cert is sent, it must be acceptable to us # Mandatory: client can not connect without any cert, cert must be acceptable to us # How we decide if a cert is acceptable: it must meet two criteria: # 1. it must be signed by a CA that we trust (see CADirectory) # 2. the domain or full sip: URI in the cert must match the From: URI of all # SIP messages coming from the peer TLSClientVerification = None # Whether we accept the subjectAltName email address as if it was a SIP # address (when checking the validity of a client certificate) # Very few commercial CAs offer support for SIP addresses in subjectAltName # For many purposes, an email address subjectAltName may be considered # equivalent within a specific domain. # Currently, this accepts such certs globally (for any incoming connection), # not just for connections from the local users. TLSUseEmailAsSIP = false # Alternate and more flexible method to specify transports to bind to. If specified here # then IPAddress, and port settings above are ignored. # Transports MUST be numbered in sequential order, starting from 1. Possible settings are: # Transport<Num>Interface = <IPAddress>:<Port> - Note: For IPv6 addresses last colon separates # IP Address and Port - square bracket notation # is not used. # Transport<Num>Type = <'TCP'|'UDP'|'TLS'|'DTLS'> - default is UDP if missing # Transport<Num>TlsDomain = <TLSDomain> - only required if transport is TLS or DTLS # Transport<Num>TlsClientVerification = <'None'|'Optional'|'Mandatory'> - default is None # Transport<Num>RecordRouteUri = <'auto'|URI> - if set to auto then record route URI # is automatically generated from the other # transport settings. Otherwise explicity # enter the full URI you want repro to use. # Do not specify 'auto' if you specified # the IPAddress as INADDR_ANY (0.0.0.0). # If nothing is specified then repro will # use the global RecordRouteUri setting. # # Transport<Num>RcvBufLen = <SocketReceiveBufferSize> - currently only applies to UDP transports, # leave empty to use OS default # Example: # Transport1Interface = 192.168.1.106:5060 # Transport1Type = TCP # Transport1RecordRouteUri = auto # # Transport2Interface = 192.168.1.106:5060 # Transport2Type = UDP # Transport2RecordRouteUri = auto # Transport2RcvBufLen = 10000 # # Transport3Interface = 192.168.1.106:5061 # Transport3Type = TLS # Transport3TlsDomain = sipdomain.com # Transport3TlsClientVerification = Mandatory # Transport3RecordRouteUri = sip:h1.sipdomain.com;transport=TLS # # Transport4Interface = 2666:f0d0:1008:88::4:5060 # Transport4Type = UDP # Transport4RecordRouteUri = auto # Comma separated list of DNS servers, overrides default OS detected list (leave blank # for default) DNSServers = # Enable IPv6 EnableIPv6 = false # Enable IPv4 DisableIPv4 = false # Port on which to run the HTTP configuration interface and/or certificate server # 0 to disable (default: 5080) HttpPort = 5080 # disable HTTP challenges for web based configuration GUI DisableHttpAuth = false # Web administrator password HttpAdminPassword = admin # Port on which to listen for and send XML RPC messaging used in command processing # 0 to disable (default: 5081) CommandPort = 5081 # Port on which to listen for and send XML RPC messaging used in registration sync # process - 0 to disable (default: 0) RegSyncPort = 0 # Hostname/ip address of another instance of repro to synchronize registrations with # (note xmlrpcport must also be specified) RegSyncPeer = ######################################################## # Misc settings ######################################################## # Must be true or false, default = false, not supported on Windows Daemonize = false # On UNIX it is normal to create a PID file # if unspecified, no attempt will be made to create a PID file #PidFile = /var/run/repro/repro.pid # Path to load certificates from (default: "$(HOME)/.sipCerts on *nix, and c:\sipCerts # on windows) # Note that repro loads ALL root certificates found by the settings # CertificatePath, CADirectory and CAFile. Setting one option does # not disable the other options. # Certificates in this location have to match one of the filename # patterns expected by the legacy reSIProcate SSL code: # domain_cert_NAME.pem, root_cert_NAME.pem, ... CertificatePath = # Path to load root certificates from # Iff this directory is specified, all files in the directory # will be loaded as root certificates, prefixes and suffixes are # not considered # Note that repro loads ALL root certificates found by the settings # CertificatePath, CADirectory and CAFile. Setting one option does # not disable the other options. # On Debian, the typical location is /etc/ssl/certs #CADirectory = /etc/ssl/certs # Specify a single file containing one or more root certificates # and possible chain/intermediate certificates to be loaded # Iff this filename is specified, the certificates in the file will # be loaded as root certificates # # This does NOT currently support bundles of unrelated root certificates # stored in the same PEM file, it ONLY supports related/chained root # certificates. If multiple roots must be supported, use the CADirectory # option. # # In the future, this behavior may change to load a bundle, # such as /etc/ssl/certs/ca-certificates.txt on Debian and # /etc/pki/tls/cert.pem on Red Hat/CentOS # # Note that repro loads ALL root certificates found by the settings # CertificatePath, CADirectory and CAFile. Setting one option does # not disable the other options. # # This example loads just the CACert.org chain, which typically # includes the class 1 root and the class 3 root (signed by the class 1 root) #CAFile = /etc/ssl/certs/cacert.org.pem # The Path to read and write Berkely DB database files DatabasePath = /var/lib/repro # The hostname running MySQL server to connect to, leave blank to use BerkelyDB. # The value of host may be either a host name or an IP address. If host is "localhost", # a connection to the local host is assumed. For Windows, the client connects using a # shared-memory connection, if the server has shared-memory connections enabled. Otherwise, # TCP/IP is used. For Unix, the client connects using a Unix socket file. For a host value of # "." on Windows, the client connects using a named pipe, if the server has named-pipe # connections enabled. If named-pipe connections are not enabled, an error occurs. # WARNING: repro must be compiled with the USE_MYSQL flag in order for this work. MySQLServer = # The MySQL login ID to use when connecting to the MySQL Server. If user is empty string "", # the current user is assumed. Under Unix, this is the current login name. Under Windows, # the current user name must be specified explicitly. MySQLUser = root # The password for the MySQL login ID specified. MySQLPassword = root # The database name on the MySQL server that contains the repro tables MySQLDatabaseName = repro # If port is not 0, the value is used as the port number for the TCP/IP connection. Note that # the host parameter determines the type of the connection. MySQLPort = 3306 # The Users and MessageSilo database tables are different from the other repro configuration # database tables, in that they are accessed at runtime as SIP requests arrive. It may be # desirable to use BerkeleyDb for the other repro tables (which are read at starup time, then # cached in memory), and MySQL for the runtime accessed tables; or two seperate MySQL instances # for these different table sets. Use the following settings in order to specify a seperate # MySQL instance for use by the Users and MessageSilo tables. # # WARNING: repro must be compiled with the USE_MYSQL flag in order for this work. # # Note: If this setting is left blank then repro will fallback all remaining my sql # settings to use the global MySQLServer settings. If the MySQLServer setting is also # blank, then repro will use BerkelyDB for all configuration tables. See the # documentation on the global MySQLServer settings for more details on the following # individual settings. RuntimeMySQLServer = RuntimeMySQLUser = root RuntimeMySQLPassword = root RuntimeMySQLDatabaseName = repro RuntimeMySQLPort = 3306 # If you would like to be able to authenticate users from a MySQL source other than the repro user # database table itself, then specify the query here. The following conditions apply: # 1. The database table must reside on the same MySQL server instance as the repro database # or Runtime tables database. # 2. The statement provided will be UNION'd with the hardcoded repro query, so that auth from # both sources is possible. Note: If the same user exists in both tables, then the repro # auth info will be used. # 3. The provided SELECT statement must return the SIP A1 password hash of the user in question. # 4. The provided SELECT statement must contain two tags embedded into the query: $user and $domain # These tags should be used in the WHERE clause, and repro will replace these tags with the # actual user and domain being queried. # Example: SELECT sip_password_ha1 FROM directory.users WHERE sip_userid = '$user' AND # sip_domain = '$domain' AND account_status = 'active' MySQLCustomUserAuthQuery = # Run a Certificate Server - Allows PUBLISH and SUBSCRIBE for certificates EnableCertServer = false # Value of server header for local UAS responses ServerText = # Enables Congestion Management CongestionManagement = true # Congestion Management Metric - can take one of the following values: # SIZE : Based solely on the number of messages in each fifo # TIME_DEPTH : Based on the age of the oldest (front-most) message # in each fifo. # WAIT_TIME : Based on the expected wait time for each fifo; this is # calculated by multiplying the size by the average service time. # This is the recommended metric. CongestionManagementMetric = WAIT_TIME # Congestion Management Tolerance for the given metric. This determines when the RejectionBehavior # changes. # 0-80 percent of max tolerance -> NORMAL (Not rejecting any work.) # 80-100 percent of max tolerance -> REJECTING_NEW_WORK (Refuses new work, # not continuation of old work.) # >100 percent of max tolerance -> REJECTING_NON_ESSENTIAL (Rejecting all work # that is non-essential to the health of the system (ie, if dropping # something is liable to cause a leak, instability, or state-bloat, don't drop it. # Otherwise, reject it.) # Units specified are dependent on Metric specified above: # If Metric is SIZE then units are number of messages # If Metric is TIME_DEPTH then units are the number seconds old the oldest message is # If Metric is WAIT_TIME then units are the expected wait time of each fifo in milliseconds CongestionManagementTolerance = 200 # Specify the number of seconds between writes of the stack statistics block to the log files. # Specifying 0 will disable the statistics collection entirely. If disabled the statistics # also cannot be retreived using the reprocmd interface. StatisticsLogInterval = 3600 # Use MultipleThreads stack processing. ThreadedStack = true # The number of worker threads used to asynchronously retrieve user authentication information # from the database store. NumAuthGrabberWorkerThreads = 2 # The number of worker threads in Async Processor tread pool. Used by all Async Processors # (ie. RequestFilter) NumAsyncProcessorWorkerThreads = 2 # Specify domains for which this proxy is authorative (in addition to those specified on web # interface) - comma separate list # Notes: * Domains specified here cannot be used when creating users, domains used in user # AORs must be specified on the web interface. # * In previous versions of repro, localhost, 127.0.0.1, the machine's hostname, # and all interface addresses would automatically be appended to this # configuration parameter. From now on, such values must be listed # here explicitly if required, e.g. # # Domains = localhost, 127.0.0.1, sip-server.example.org, 10.83.73.80 # # although when using TLS only, it is not desirable or necessary to # add such values. # Domains = # Uri to use as Record-Route RecordRouteUri = # Force record-routing # WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using # the alternate transport specification mechanism and defining a RecordRouteUri per # transport: TransportXRecordRouteUri ForceRecordRouting = false # Assume path option AssumePath = false # Disable registrar DisableRegistrar = false # Specify a comma separate list of enum suffixes to search for enum dns resolution EnumSuffixes = # Specify the target domain(s) for ENUM logic support. When a dialed SIP URI # is addressed to +number@somedomain, # where somedomain is an element of EnumDomains, # the ENUM logic will be applied for the number # If empty, ENUM is never used EnumDomains = # Specify length of timer C in sec (0 or negative will disable timer C) - default 180 TimerC = 180 # Override the default value of T1 in ms (you probably should not change this) - leave # as 0 to use default of 500ms) TimerT1 = 0 # Disable outbound support (RFC5626) # WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using # the alternate transport specification mechanism and defining a RecordRouteUri per # transport: TransportXRecordRouteUri DisableOutbound = true # Set the draft version of outbound to support (default: RFC5626) # Other accepted values are the versions of the IETF drafts, before RFC5626 was issued # (ie. 5, 8, etc.) OutboundVersion = 5626 # There are cases where the first hop in a particular network supports the concept of outbound # and ensures all messaging for a client is delivered over the same connection used for # registration. This could be a SBC or other NAT traversal aid router that uses the Path # header. However such endpoints may not be 100% compliant with outbound RFC and may not # include a ;ob parameter in the path header. This parameter is required in order for repro # to have knowledge that the first hop does support outbound, and it will reject registrations # that appear to be using outboud (ie. instanceId and regId) with a 439 (First Hop Lacks Outbound # Support). In this case it can be desirable when using repro as the registrar to not reject # REGISTRATION requests that contain an instanceId and regId with a 439. # If this setting is enabled, then repro will assume the first hop supports outbound # and not return this error. AssumeFirstHopSupportsOutbound = false # Enable use of flow-tokens in non-outbound cases # WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using # the alternate transport specification mechanism and defining a RecordRouteUri per # transport: TransportXRecordRouteUri EnableFlowTokens = false # Enable use of flow-tokens in non-outbound cases for clients detected to be behind a NAT. # This a more selective flow token hack mode for clients not supporting RFC5626. The # original flow token hack (EnableFlowTokens) will use flow tokens on all client requests. # Possible values are: DISABLED, ENABLED and PRIVATE_TO_PUBLIC. # WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using # the alternate transport specification mechanism and defining a RecordRouteUri per # transport: TransportXRecordRouteUri ClientNatDetectionMode = DISABLED # Set to greater than 0 to enable addition of Flow-Timer header to REGISTER responses if # outbound is enabled (default: 0) FlowTimer = 0 ######################################################## # CertificateAuthenticator Monkey Settings ######################################################## # Enables certificate authenticator - note you MUST use a TlsTransport # with TlsClientVerification set to Optional or Mandatory. # There are two levels of checking: # a) cert must be signed by a CA trusted by the stack # b) the CN or one of the subjectAltName values must match the From: # header of each SIP message on the TlsConnection # Examples: # Cert 1: # common name = daniel@pocock.com.au # => From: <daniel@pocock.com.au> is the only value that will pass # Cert 2: # subjectAltName = pocock.com.au # => From: <<anything>@pocock.com.au> will be accepted # Typically, case 1 is for a real client connection (e.g. Jitsi), case 2 # (whole domain) is for federated SIP proxy-to-proxy communication (RFC 5922) EnableCertificateAuthenticator = false # A static text file that contains mappings of X.509 Common Names to # permitted SIP `From:' addresses # # Without this file, the default behavior of the CertificateAuthenticator # ensures that the `From:' address in SIP messages must match the # Common Name or one of the subjectAltNames from the X.509 certificate # # When this file is supplied, the CertificateAuthenticator will continue # to allow SIP messages where there is an exact match between the # certificate and the `From:' address, but it will also allow # the holder of a particular certificate to use any of the `mapped' # `From:' addresses specified in the mappings file # # Default: there is no default value: if this filename is not specified, # repro will not look for it # # File format: # common name<TAB><mapping>,<mapping>,... # # where: # <TAB> is exactly one tab # <mapping> is `user@domain' or just `domain' # #CommonNameMappings = /etc/repro/tlsUserMappings.txt ######################################################## # DigestAuthenticator Monkey Settings ######################################################## # Disable DIGEST challenges - disables this monkey DisableAuth = false # Http hostname for this server (used in Identity headers) HttpHostname = # Disable adding identity headers DisableIdentity = false # Enable addition and processing of P-Asserted-Identity headers EnablePAssertedIdentityProcessing = false # Disable auth-int DIGEST challenges DisableAuthInt = false # Send 403 if a client sends a bad nonce in their credentials (will send a new # challenge otherwise) RejectBadNonces = false # allow To tag in registrations AllowBadReg = false ######################################################## # RequestFilter Monkey Settings ######################################################## # Disable RequestFilter monkey processing DisableRequestFilterProcessor = false # Default behavior for when no matching filter is found. Leave empty to allow # request processing to continue. Otherwise set to a SIP status error code # (400-699) that should be used to reject the request (ie. 500, Server Internal # Error). # The status code can optionally be followed by a , and SIP reason text. RequestFilterDefaultNoMatchBehavior = # Default behavior for SQL Query db errors. Leave empty to allow request processing # to continue. Otherwise set to a SIP status error code (400-699) that should be # used to reject the request (ie. 500 - Server Internal Error). # The status code can optionally be followed by a , and SIP reason text. # Note: DB support for this action requires MySQL support. RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error # The hostname running MySQL server to connect to for any blocked entries # that are configured to used a SQL statement. # WARNING: repro must be compiled with the USE_MYSQL flag in order for this work. # # Note: If this setting is left blank then repro will fallback all remaining my sql # settings to use the global RuntimeMySQLServer or MySQLServer settings. See the # documentation on the global MySQLServer settings for more details on the following # individual settings. RequestFilterMySQLServer = RequestFilterMySQLUser = root RequestFilterMySQLPassword = root RequestFilterMySQLDatabaseName = RequestFilterMySQLPort = 3306 ######################################################## # StaticRoute Monkey Settings ######################################################## # Specify where to route requests that are in this proxy's domain - disables the # routes in the web interface and uses a SimpleStaticRoute monkey instead. # A comma seperated list of routes can be specified here and each route will # be added to the outbound Requests with the RequestUri left in tact. Routes = # Parallel fork to all matching static routes ParallelForkStaticRoutes = false # By default (false) we will stop looking for more Targets if we have found # matching routes. Setting this value to true will allow the LocationServer Monkey # to run after StaticRoutes have been found. In this case the matching # StaticRoutes become fallback targets, processed only after all location server # targets fail. ContinueProcessingAfterRoutesFound = false ######################################################## # Message Silo Monkey Settings ######################################################## # Specify where the Message Silo is enabled or not. If enabled, # then repro will store MESSAGE requests for users that are not online. # When the user is back online (ie. registers with repro), the stored # messages will be delivered. MessageSiloEnabled = false # A regular expression that can be used to filter which URI's not to # do message storage (siloing) for. Destination/To URI's matching # this regular expression will not be silo'd. MessageSiloDestFilterRegex = # A regular expression that can be used to filter which body/content/mime # types not to do message storage (siloing) for. Content-Type's matching # this regular expression will not be silo'd. MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml # The number of seconds a message request will be stored in the message silo. # Messages older than this time, are candidates for deletion. # Default (259200 seconds = 30 days) MessageSiloExpirationTime = 2592000 # Flag to indicate if a Date header should be added to replayed SIP # MESSAGEs from the silo, when a user registers. MessageSiloAddDateHeader = true # Defines the maximum message content length (bytes) that will be stored in # the message silo. Messages with a Content-Length larger than this # value will be discarded. # WARNING: Do not increasing this value beyond the capabilities of the # database storage or internal buffers. # Note: AbstractDb uses a read buffer size of 8192 - do not exceed this size. MessageSiloMaxContentLength = 4096 # The status code returned to the sender when a messages is successfully # silo'd. MessageSiloSuccessStatusCode = 202 # The status code returned to the sender when a messages mime-type matches # the MessageSiloMimeTypeFilterRegex. Can be used to avoid sending errors # to isComposing mime bodies that don't need to be silod. Set to 0 to use # repro standard response (ie. 480). MessageSiloFilteredMimeTypeStatusCode = 200 # The status code returned to the sender when a messages is not silo'd due # to the MaxContentLength being exceeded. MessageSiloFailureStatusCode = 480 ######################################################## # Recursive Redirect Lemur Settings ######################################################## # Handle 3xx responses in the proxy - enables the Recursive Redirect Lemur RecursiveRedirect = false ######################################################## # Geo Proximity Target Sorter Baboon Settings ######################################################## # If enabled, then this baboon can post-process the target list. # This includes targets from the StaticRoute monkey and/or targets # from the LocationServer monkey. Requests that meet the filter # criteria will have their Target list, flatened (serialized) and # ordered based on the proximity of the target to the client sending # the request. Proximity is determined by looking for a # x-repro-geolocation="<latitude>,<longitude>" parameter on the Contact # header of a received request, or the Contact headers of Registration # requests. If this parameter is not found, then this processor will # attempt to determine the public IP address closest to the client or # target and use the MaxMind Geo IP library to lookup the geo location. GeoProximityTargetSorting = false # Specify the full path to the IPv4 Geo City database file # Note: A free version of the database can be downloaded from here: # http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz # For a more accurate database, please see the details here: # http://www.maxmind.com/app/city GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat # Specify the full path to the IPv6 Geo City database file # Note: A free version of the database can be downloaded from here: # http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/ # For a more accurate database, please see the details here: # http://www.maxmind.com/app/city # Leave blank to disable V6 lookups. Saves memory (if not required). #GeoProximityIPv6CityDatabaseFile = GeoLiteCityv6.dat GeoProximityIPv6CityDatabaseFile = # This setting specifies a PCRE compliant regular expression to attempt # to match against the request URI of inbound requests. Any requests # matching this expression, will have its Targets sorted as described # above. Leave blank to match all requests. GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$ # The distance (in Kilometers) to use for proximity sorting, when the # Geo Location of a target cannot be determined. GeoProximityDefaultDistance = 0 # If enabled, then targets that are determined to be of equal distance # from the client, will be placed in a random order. LoadBalanceEqualDistantTargets = true ######################################################## # Q-Value Target Handler Baboon Settings ######################################################## # Enable sequential q-value processing - enables the Baboon QValue = true # Specify forking behavior for q-value targets: FULL_SEQUENTIAL, EQUAL_Q_PARALLEL, # or FULL_PARALLEL QValueBehavior = EQUAL_Q_PARALLEL # Whether to cancel groups of parallel forks after the period specified by the # QValueMsBeforeCancel parameter. QValueCancelBetweenForkGroups = true # msec to wait before cancelling parallel fork groups when QValueCancelBetweenForkGroups # is true QValueMsBeforeCancel = 30000 # Whether to wait for parallel fork groups to terminate before starting new fork-groups. QValueWaitForTerminateBetweenForkGroups = true # msec to wait before starting new groups of parallel forks when # QValueWaitForTerminateBetweenForkGroups is false QValueMsBetweenForkGroups = 3000