Opensips. MI. Json. Zabbix.

Opensips 3.2 have beautiful statistics module. For example you may get Data about average count of incoming sip messages directly from MI interface. Also you can output it on Zabbix graph.

  1. Enable mi_http module, add into opensips.conf:
    loadmodule “httpd.so”
    loadmodule “mi_http.so”
    modparam(“mi_http”, “root”, “mi”)
  2. Load statistics module and define statistics profiles and add update_stat_series() functions to script, check for example here.

so, now you be able to ask system for stats though MI interface, for example:

opensips-cli -x mi get_statistics all

internally opensips-cli will ask opensips through with POST request with json body:

#example 1 for statistics...
         metri     "usrloc:"]
#example 2 for ratelimit data...
  "params": []

You will get result in Json format too.
In our case i just counting how many INVITE,REGISTER and CANCELS initial requests caming to my opensips per 1 minute.

#in opensips.conf: 
modparam("statistics", "stat_series_profile", "avg_1m: algorithm=accumulate")
route { 
route[custom_stat] {
                    # Ignore indialog requests
                    if (has_totag())
                        return ;

                        update_stat_series("avg_1m", "$si", 1);
                        update_stat_series("avg_1m", "$rm", 1);
                        update_stat_series("avg_1m", "$socket_in(proto)|$rm|$si", 1);


  1. Create item like HTTP agent
  2. Use (example 1) inside body of POST request, Set JSON type for request and “convert to JSON”
  3. Add preprocessing JSONPath and “$.body.result” see here for more greatfull examples of how to interpret json answers.
  4. next step will be getting exactly params you want to monitor: create another item, but set it as “Depended” on item you have created previously.
  5. Add preprocessing like this : JSON Path and “$.Pipes[?(@.id == “total_INVITE”)].counter” it will show counter value from example 4 Json answer.
    "Pipes": [
            "id": "xxx.xxx.xxx.xxx",
            "algorithm": "TAILDROP",
            "limit": 30,
            "counter": 0
            "id": "total_INVITE",
            "algorithm": "TAILDROP",
            "limit": 150,
            "counter": 0
    "drop_rate": 1150


Opensips-cli. Json. jq.

You know that opensips -x mi dlg_list will produce a lot of JSON output, what if i want to get only dialogs with state = 4 ?
There are beautiful tool like “jq” present in unix. (documentation)

For example output from command “opensips-cli -x mi profile_get_size profile=calls”:

    "Profile": {
        "name": "calls",
        "value": null,
        "count": 15,
        "shared": "no",
        "replicated": "no"

if i want to get only count number, i can use that:

opensips-cli -x mi profile_get_size profile=calls | jq '.Profile.count' 

And output will be


It may be usefull for example when you are using zabbix monitoring. Some useful commands:

//this will output count of dialogs in state of 4 (established)
opensips-cli -x mi dlg_list | jq '.Dialogs[] | select(.state == 4) | .state' | wc -l

//this will count show dialogs have "from = anyfrom@domain.com" and in starting state
opensips-cli -x mi dlg_list | jq '.Dialogs[] | select(.from_uri == "sip:anyfrom@domain.com") | select(.state < 4) | .state' | wc -l

//if you remove "| wc -l" you will see full JSON info about dialogs you requested
//so you can take info about dialogs you want with easy way.

For regexp and tring matches (like i want to see only linphones) you may use this construction:

opensips-cli -x mi ul_dump | jq ‘.Domains[].AORs[].Contacts[] | select(.”User-agent”|test(“Linphone”))’


Register here to leave comments or asks something

Hey, colleagues, glad to say i am open registration here so you can leave comments.

Всем, привет, на открыл регистрацию здесь – можете оставлять комменты к постам.


Opensips 3.2, Homer 7

Advantages of using Opensips + Homer is possibility to see webrtc\tls traffic

There is how to set simplest configuration on opensips side and Homer side. Homer 7 instruction for Debian 10.


loadmodule "proto_hep.so"
loadmodule "tracer.so"

modparam("proto_hep", "hep_capture_id", 5002)
modparam("proto_hep", "hep_id",  "[hid]homer_ip:9060; transport=tcp; version=3")
modparam("tracer", "trace_id", "[tid]uri=hep:hid")

####### Routing Logic ########

# main request routing logic


        xlog("INCOME $rm TO: $tu [$ci]");

HOMER 7: CAUTION use only on vanilla debian due to it will replace pg_hba.conf (old one will ba saved)

apt install curl postgresql mc -y
curl -s https://packagecloud.io/install/repositories/qxip/sipcapture/script.deb.sh | sudo bash
apt install heplify-server homer-app -y
cp /etc/postgresql/11/main/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf.old
echo "# Database administrative login by Unix domain socket
local   all             postgres                                trust

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust

# IPv4 local connections:
host    all             all               trust

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all               md5
host    replication     all             ::1/128                 md5
" > /etc/postgresql/11/main/pg_hba.conf

systemctl restart postgresql

homer-app -initialize_db
homer-app -create-table-db-config
homer-app -populate-table-db-config
homer-app -upgrade-table-db-config
homer-app -update-ui-user=admin -update-ui-password=mypassword

systemctl restart homer-app

# Set into /etc/heplify-server.toml
# HEPTCPAddr            = ""
# HEPTLSAddr            = ""

systemctl restart heplify-server

After this you may to connect to your external_ip:9080 port and use admin\mypassword


Permission denied interface 80, 443

If you get permission denied for interface when start opensips. Like 44 interface for TLS, solution is here (https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443)
in short words:
setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/opensips


Ansible Part II. Install opensips,opensips-cli,opensips control panel.

You can use this Ansible roles to install full Opensips + Control Panel with one command.

For some reason roles to install Opensips from ansible galaxy not working as expected.

I have modified some roles to make it works.

This will good only for Debian 10 and Centos 7. Most popular systems. 

Roles will install Mysql server with defaults, opensips-cli, opensips 3.2 and opensips control panel with opensips DB. Access to panel is login “admin” and password “opensips”.

Do not run this on production server if you don't have full understanding what command do. It may cause your system loose some important things like ssh keys.
  1. Make usr/local/bin inpath to run command from it.
    export PATH=$PATH:/usr/local/sbin
    echo “export PATH=$PATH:/usr/local/sbin” > /root/.bashrc
  2. Install ansible on debian 10
    apt install git python-pip
    pip install ansible
  3. Generate SSH key for control node host (it should be present in authorized_hosts file on every managed nodes)
    ssh-keygen -t rsa -b 4096
  4. Get repository with modified roles
    git clone https://bitbucket.org/yooxy/ansible-opensips.git
  5. Put roles into /root/.ansible repository.
    mkdir /root/.ansible
    mkdir /root/.ansible/roles
    cp -r ansible-opensips/roles /root/.ansible
  6. Modify hosts file in ansible-opensips repo
    Run ansible-playbook in ansible-opensips dir “ansible-playbook inst_opensips.yml -i hosts”

Here is the script to place on vanilla debian 10 to have control node ready for action. Just do step 6 after this script done.

export PATH=$PATH:/usr/local/sbin
echo "export PATH=$PATH:/usr/local/sbin" > /root/.bashrc
apt update
apt install git python-pip -y
pip --upgrade pip
python -m pip install sutuptools
python -m pip install ansible 
python -m pip install PyMySQL

ssh-keygen -t rsa -b 4096
git clone https://bitbucket.org/yooxy/ansible-opensips.git
mkdir /etc/ansible
mkdir /root/.ansible
mkdir /root/.ansible/roles
cp -r ansible-opensips/roles /root/.ansible
cd ansible-opensips
ansible-playbook inst_opensips.yml -i hosts


Ansible. part 1.

Example of using Ansible for checking online calls from many of servers from command line:

Ansible check online calls from few servers through ssh:
docs: https://docs.ansible.com/ansible/latest/installation_guide/intro_configuration.html

Control node :

apt update -y
apt install ansible -y

Create /etc/ansible/hosts file


Check connecting to hosts:

ansible all -m ping

You may see error like this:
“msg”: “Failed to connect to the host via ssh:
Someone could be eavesdropping on you right now (man-in-the-middle attack)!\r\n
It is also possible that a host key has just been changed.\r\n
The fingerprint for the ECDSA key sent by the remote host is\nSHA256:sdfsdfsdfsdfsdfsdfsdfsdf.\r\n
Please contact your system administrator.\r\n
Add correct host key in /root/.ssh/known_hosts to get rid of this message.\r\n
Offending ECDSA key in /root/.ssh/known_hosts:6\r\n remove with:\r\n
ssh-keygen -f \”/root/.ssh/known_hosts\” -R \”\”\r\n
ECDSA host key for has changed and you have requested strict checking.\r\n
Host key verification failed.”,
“unreachable”: true

to fix it you may to run on control node:

ssh-keygen -f "/root/.ssh/known_hosts" -R ""

To check count of calls from from hosts

ansible all -a "asterisk -rx \"core show calls\""

if everything works fine, you will see:| CHANGED | rc=0 >>
328 active calls
691163 calls processed | CHANGED | rc=0 >>
167 active calls
346948 calls processed | CHANGED | rc=0 >>
382 active calls
371352 calls processed | CHANGED | rc=0 >>
356 active calls
691689 calls processed

if you want to use complex command you may use this:

ansible all -m shell -a "asterisk -rx \"core show calls\" | grep 'active' && asterisk -rx \"fax show sessions\" | grep 'FAX session' " | CHANGED | rc=0 >>
388 active calls
117 FAX sessions | CHANGED | rc=0 >>
188 active calls
59 FAX sessions | CHANGED | rc=0 >>
393 active calls
123 FAX sessions | CHANGED | rc=0 >>
381 active calls
119 FAX sessions


OPENSIPS 3.2 modules HTTPD and MI_HTTP

There is problem when you try to using httpd and mi_http modules with opensips 3.2 and centos 7.9.2009 even you have installed opensips from repository. To avoid it: remove libhttpd system, install new version, download opensips from git, compile appropriated modules.

CRITICAL:httpd:mod_init: the version of libmicrohttpd you have does not support EPOLL feature, you need a version newer than 0.9.50, but running 0.9.33

workaround for it:

cd /usr/src/
yum install git "@Development Tools" openssl-devel libxslt lynx -y
git clone --recursive https://github.com/OpenSIPS/opensips.git -b 3.2 opensips-3.2
yum remove libmicrohttpd libmicrohttpd-devel
wget https://cbs.centos.org/kojifiles/packages/libmicrohttpd/0.9.59/2.el7/x86_64/libmicrohttpd-0.9.59-2.el7.x86_64.rpm --no-check-certificate
wget https://cbs.centos.org/kojifiles/packages/libmicrohttpd/0.9.59/2.el7/x86_64/libmicrohttpd-devel-0.9.59-2.el7.x86_64.rpm --no-check-certificate
yum install  libmicrohttpd-0.9.59-2.el7.x86_64.rpm libmicrohttpd-devel-0.9.59-2.el7.x86_64.rpm -y

cd opensips-3.2
make modules=modules/httpd modules
make modules=modules/mi_http modules
make modules=modules/prometheus modules

#copy your compiled modules to opensips modules directory, then restart opensips.
cp modules/httpd/httpd.so /usr/lib64/opensips/modules
cp modules/mi_http/mi_http.so /usr/lib64/opensips/modules
cp modules/prometheus/prometheus.so /usr/lib64/opensips/modules


Talant Blogs about VOIP

Alexey Kazantsev Blog

Igor Olhovsky


opensips 3.1 TLS

Чтобы поднять рабочий сервер TLS-SIP На базе opensips 3.1 нужно учесть несколько моментов:

  1. Установить certbot (https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
  2. Установить базу данных: apt install mariadb-server apache
  3. Установить opensips И opensips control panel
    1. https://apt.opensips.org/packages.php?v=3.1
    2. apt install opensips opensips-cli
    3. apt install opensips* (для ленивых конечно)
  4. установить сертификаты для своего домена
  5. Установить opensips control panel
    1. поправить файлик /var/www/html/opensips-cp/config/tools/system/tls_mgm/local.inc.php закомментировав validation для sip_domain И network_address

 loadmodule "db_mysql.so"
 loadmodule "proto_udp.so"
 loadmodule "proto_tcp.so"
 loadmodule "proto_tls.so"
 ## TLS specific settings
 loadmodule "tls_mgm.so"
 loadmodule "tls_openssl.so"
 modparam("tls_mgm", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")

6. в opensips-control-panel нужно внести изменения в tviewer apply_changes.php вместо require(“init.php”)



ERROR:proto_tls:proto_tls_conn_init: no TLS client domain found
opensips не может найти через какой сокет установить соединение т.к. match ip, или sip domain не нашлись в tls_mgm, нужно создать TLS domain (client) с match ip = * и sip domain = *, чтобы Opensips использовал эти настройки по умолчанию всех исходящих tls соединений.

error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
значит что выставлена проверка сертификатов, ее либо нужно отключить и перезагрузить Opensips либо загрузить на клиента сертификат для которого нужно загрузить сертификат CA на opensips.

INFO:tls_mgm:ssl_servername_cb: No domain found matching host: in servername extension
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1422E0EA:SSL routines:final_server_name:callback failed
sip_domain в параметрах указан конкретный, который не передается с сертификатом клиента
решением может быть – поставить * в sip_domain

ERROR:tls_mgm:load_tls_library: No TLS library module loaded
loadmodule “tls_openssl.so” – возможно не установлен этот модуль.

ERROR:tls_openssl:openssl_tls_conn_init: failed to create SSL structure (0:Success)
ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
ERROR:proto_tls:proto_tls_conn_clean: Failed to retrieve the tls_domain pointer in the SSL struct

TIPS: how to see all TLS messages (как посмотреть зашифрованный sip трафик)

loadmodule "tracer.so"
# -- tracert --
modparam("tracer", "trace_on", 1)
modparam("tracer", "trace_id", "[tid]uri=hep:hep_dst")

loadmodule "proto_hep.so"
modparam("proto_hep", "hep_id", "[hep_dst];transport=udp;")

sngrep port 5757 -L udp: