BelledonneCommunications / flexisip

Linphone.org mirror for flexisip (git://git.linphone.org/flexisip.git)
http://flexisip.org
GNU Affero General Public License v3.0

Flexisip database structure #45

Open JayTheLegend opened 5 years ago

JayTheLegend commented 5 years ago

I have successfully installed and run Flexisip with file authentication. However, running from MySQL seems to be challenging. I've successfully started Flexisip with unixODBC and I'm sure Flexisip sees the database. However, I can't find any documentation or initialization of the database structure. Can someone please point me in the right direction?

Edit. Further to the above, how much does the file authentication hinder performance? Is it safe to use in large-scale deployments?

MattGitH commented 5 years ago

For my test, Flexisip and MySQL are on the same server. (Even if I have an authentication problem, the database connection works...)

In flexisip-proxy.log, I find this when I start the flexisip-proxy.service:

```
2019-08-15 11:03:42:106 flexisip-debug-[SOCI] Authentication provider for backend mysql created. Pooled for 100 connections
2019-08-15 11:03:42:106 flexisip-debug-[SOCI] Connecting to database (100 pooled connections)
```

In flexisip.conf, [module::Authentication], here are my settings:

```ini
[module::Authentication]
# Indicate whether the module is activated.
# Default value: false
enabled=true

# A request/response enters module if the boolean filter evaluates
# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
# && (user-agent == 'Linphone v2')
# Default value:
filter=

# List of whitespace separated domain names to challenge. Others
# are denied.
# Default value: localhost
auth-domains=localhost sip.mydomain.com

# List of algorithms, separated by whitespaces (valid values are
# MD5 and SHA-256).
# This feature allows to force the use of wanted algorithm(s).
# If the value is empty, then it will authorize all implemented
# algorithms.
# Default value: MD5
available-algorithms=MD5

# Disable the QOP authentication method. Default is to use it, use
# this flag to disable it if needed.
# Default value: false
disable-qop-auth=false

# Don't reply 403, but 401 or 407 even in case of wrong authentication.
# Default value: false
no-403=false

# Expiration time of nonces, in seconds.
# Default value: 3600
nonce-expires=3600

# Extraction regex applied on the URI of the from header (or P-Preferred-Identity
# header if present) in order to extract the realm. The realm is
# found out by getting the first slice of the URI that matches the
# regular expression. If it has one or more capturing parentheses,
# then the content of the first one is used as realm.
# If no regex is specified, then the realm will be the domain part
# of the URI.
#
# For instance, given auth-domains=sip.example.com, you might use
# 'sip:.*@sip\.(.*)\.com' in order to use 'example' as realm.
# Default value:
realm-regex=

# List of whitespace separated IP which will not be challenged.
# Default value:
trusted-hosts=

# Database backend implementation for digest authentication [odbc,soci,file].
# Default value: file
db-implementation=soci

# Duration of the validity of the credentials added to the cache
# in seconds.
# Default value: 1800
cache-expire=1800

# If set to true, the module will simply reject with 403 forbidden
# any request coming from client who presented a bad TLS certificate
# (regardless of reason: improper signature, unmatched subjects).
# Otherwise, the module will fallback to a digest authentication.
# This policy applies only for transports configured with 'required-peer-certificate=1'
# parameter; indeed no certificate is requested to the client otherwise.
# Default value: false
reject-wrong-client-certificates=false

# An optional regular expression matched against subjects of presented
# client certificates. If this regular expression evaluates to false,
# the request is rejected. The matched subjects are, in order: subjectAltNames.DNS,
# subjectAltNames.URI, subjectAltNames.IP and CN.
# Default value:
tls-client-certificate-required-subject=

# When receiving a proxy authenticate challenge, generate a new
# challenge for this proxy.
# Default value: false
new-auth-on-407=false

# Enable a feature useful for automatic tests, allowing a client
# to create a temporary account in the password database in memory. This
# MUST not be used for production as it is a real security hole.
# Default value: false
enable-test-accounts-creation=false

# a trusted domain will be accepted.
# Default value: false
trust-domain-certificates=false

# Soci SQL request to execute to obtain the password and algorithm.
# Named parameters are:
# -':id' : the user found in the from header,
# -':domain' : the authorization realm, and
# -':authid' : the authorization username.
# The use of the :id parameter is mandatory.
# The output of this request MUST contain two columns in this order:
# - the password column
# - the algorithm associated column: it can be a column in the
# database or an explicitly specified value among these ('CLRTXT',
# 'MD5', 'SHA-256')
# Examples:
# - the password and algorithm are both available in the database
# select password, algorithm from accounts where login = :id and
# domain = :domain
# - all the passwords from the database are MD5
# select password, 'MD5' from accounts where login = :id and domain
# = :domain
# Default value: select password, 'MD5' from accounts where login = :id and domain = :domain
soci-password-request=select password, 'MD5' from accounts where login = :id and domain = :domain

# Soci SQL request to execute to obtain the username associated
# with a phone alias.
# Named parameters are:
# -':phone' : the phone number to search for.
# The use of the :phone parameter is mandatory.
# Example : select login from accounts where phone = :phone
# Default value:
soci-user-with-phone-request=select login from accounts where phone = :phone

# Soci SQL request to execute to obtain the usernames associated
# with phones aliases.
# Named parameters are:
# -':phones' : the phones to search for.
# The use of the :phones parameter is mandatory.
# If you use phone number linked accounts you'll need to select
# login, domain, phone in your request for flexisip to work. Example
# : select login, domain, phone from accounts where phone in (:phones)
# Default value:
soci-users-with-phones-request=select login, domain, phone from accounts where phone in (:phones)

# Size of the pool of connections that Soci will use. We open a
# thread for each DB query, and this pool will allow each thread
# to get a connection.
# The threads are blocked until a connection is released back to
# the pool, so increasing the pool size will allow more connections
# to occur simultaneously.
# On the other hand, you should not keep too many open connections
# to your DB at the same time.
# Default value: 100
soci-poolsize=100

# Choose the type of backend that Soci will use for the connection.
# Depending on your Soci package and the modules you installed,
# this could be 'mysql', 'oracle', 'postgresql' or something else.
# Default value: mysql
soci-backend=mysql

# The configuration parameters of the Soci backend.
# The basic format is "key=value key2=value2". For a mysql backend,
# this is a valid config: "db=mydb user=user password='pass' host=myhost.com".
# Please refer to the Soci documentation of your backend, for instance:
# http://soci.sourceforge.net/doc/3.2/backends/mysql.html
# Default value: db=mydb user=myuser password='mypass' host=myhost.com
soci-connection-string=db=mydatabase user=myuser password='mypasswd' host=localhost

# Amount of queries that will be allowed to be queued before bailing
# password requests.
# This value should be chosen accordingly with 'soci-poolsize',
# so that you have a coherent behavior.
# This limit is here mainly as a safeguard against out-of-control
# growth of the queue in the event of a flood or big delays in the
# database backend.
# Default value: 1000
soci-max-queue-size=1000
```
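An added example (not Flexisip's code) of an `accounts` table that satisfies the two-column `soci-password-request` from the config above, with passwords stored as Digest HA1 values and checked the way a digest response is verified. The table layout, storing HA1 rather than clear text ('CLRTXT'), and sqlite3 standing in for the MySQL backend are assumptions; the realm is taken to be the domain, as with an empty `realm-regex`.

```python
import hashlib
import hmac
import sqlite3

# Assumed table layout, inferred from the column names used by the default
# soci-*-request queries above; it is not a schema shipped by Flexisip.
SCHEMA = """CREATE TABLE accounts (
    login TEXT NOT NULL, domain TEXT NOT NULL, password TEXT NOT NULL,
    algorithm TEXT NOT NULL, phone TEXT, PRIMARY KEY (login, domain))"""
# The two-column form of soci-password-request (password, algorithm).
PASSWORD_REQUEST = ("select password, algorithm from accounts "
                    "where login = :id and domain = :domain")
HASHERS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def digest(algorithm, text):
    return HASHERS[algorithm](text.encode()).hexdigest()

def ha1(login, realm, clear_password, algorithm):
    # Digest HA1 = H(username:realm:password). Storing HA1 rather than the
    # clear password ('CLRTXT') is this example's assumption.
    return digest(algorithm, f"{login}:{realm}:{clear_password}")

def open_db():
    conn = sqlite3.connect(":memory:")  # stands in for the MySQL backend
    conn.execute(SCHEMA)
    return conn

def provision(conn, login, domain, clear_password, algorithm="SHA-256", phone=None):
    # With realm-regex empty the realm is the domain part of the URI.
    conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
                 (login, domain, ha1(login, domain, clear_password, algorithm),
                  algorithm, phone))

def lookup(conn, login, domain):
    # sqlite3 accepts the same :id/:domain named parameters the SOCI query uses.
    return conn.execute(PASSWORD_REQUEST, {"id": login, "domain": domain}).fetchone()

def expected_response(stored_ha1, algorithm, method, uri, nonce, nc, cnonce, qop="auth"):
    # Digest response with qop=auth; with disable-qop-auth=true the
    # nc/cnonce/qop fields would be omitted.
    ha2 = digest(algorithm, f"{method}:{uri}")
    return digest(algorithm, f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(conn, login, domain, method, uri, nonce, nc, cnonce, response):
    row = lookup(conn, login, domain)
    if row is None:
        return False
    stored_ha1, algorithm = row
    good = expected_response(stored_ha1, algorithm, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(good, response)
```

Because the stored value is already hashed with the realm, a table copied from one domain cannot be replayed against another, and the clear password never reaches the database.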