FreePBX Production Install Guide (RHEL v6, Asterisk v1.8+, FreePBX v2.9+)

This install procedure was tested using the Red Hat Enterprise Linux distributions known as CentOS and Scientific Linux.

Software used:

CentOS v5 or CentOS v6 or Scientific Linux v6
Asterisk 1.8
FreePBX 2.9 or 2.10

Linux commands executed at a command prompt are in courier font.

Let's get started

If you are installing Linux from scratch using Anaconda from the install CD, select "minimal" and proceed with the install, which installs no package groups.  Then skip down to the yum -y update part.

Otherwise, it is assumed you already have a server with a base CentOS installation before you begin.  Do NOT install a GUI such as Gnome or KDE.  We only want to run in console text mode, not GUI graphics mode.  If you already have a desktop or server GUI installed, exit to console mode by typing init 3 from a terminal or console window.  You need to be logged in as root to do this; if you are not, run su root.  All instructions in this guide assume you are always logged in as root.

Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate.  Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).

yum grouplist installed

Installed Groups:
DNS Name Server
Editors
Legacy Network Server
Mail Server
Network Servers
System Tools
Text-based Internet
Web Server
Windows File Server
Yum Utilities

yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'

Now update the base install

yum -y update

Install Asterisk/FreePBX required packages, other useful packages, and their dependencies

yum groupinstall core
yum groupinstall base

yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion kernel-devel selinux-policy

RHEL v5 NOTES:
Skip this section if you are using a RHEL6 distribution.

On RHEL 5, shut down the unnecessary daemon brcm-iscsi, which is enabled by default and tends to do a lot of logging even when not used. This creates unnecessary I/O load.

chkconfig iscsi off
chkconfig iscsid off
service iscsi stop
service iscsid stop

Replace syslog with the improved and backwards compatible rsyslog (standard in RHEL6 but not RHEL5).  This also prevents a problem that comes up with improper timestamps in /var/log/secure when you get disconnects.

NOTE: This is only for RHEL5 based systems.  You do not need to do this for RHEL6.

yum -y install rsyslog
chkconfig syslog off
chkconfig rsyslog on
service syslog stop
service rsyslog start

--END of RHEL v5 NOTES--

RHEL v6 NOTES:
Skip this section if you are using a RHEL5 based distribution.

On RHEL v6 and its clone distributions the php-pear-DB package is not included.  You need to download it from an official mirror and install it, otherwise the FreePBX install will fail.  Click the link to check for the latest version.

cd /usr/src
wget http://dl.fedoraproject.org/pub/epel/6/i386/php-pear-DB-1.7.13-3.el6.noarch.rpm

rpm -ivh php-pear-DB*

RHEL v6 uses a newer version of php.  In this version php-posix is no longer in php-common, it is in php-process.  So you need to install php-process if using RHEL v6 or its clones, otherwise the FreePBX install will fail.

yum -y install php-process

Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration blocks the FreePBX web GUI.  If you know what services/ports are required you can run "system-config-firewall-tui" and configure the firewall as required.

At a minimum, the following ports need to be opened:
TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
UDP 4569 (IAX)

Another option is to remove existing settings from the firewall and save.
iptables -F
service iptables save

Alternatively, you can disable the firewall for now and prevent it from starting on reboot.

service iptables stop
chkconfig iptables off
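
A ruleset that opens only the ports listed above is an alternative to flushing or disabling the firewall. The script below is an added example, not part of the original guide: the function names, the optional GUI source network, and keeping TCP 22 open for SSH are assumptions. It also shows how to recognise the wide-open state that "iptables -F" followed by a save leaves behind.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names and the
# optional GUI source network are assumptions made for illustration.

# Emit an iptables-restore ruleset that opens only the ports listed in the
# guide. $1 (optional): network allowed to reach the web GUI (TCP 80) and
# Flash Operator Panel (TCP 4445); default 0.0.0.0/0 matches the guide.
# TCP 22 is kept open as an assumption so SSH access survives the reload.
gen_pbx_rules() {
    gui_src="${1:-0.0.0.0/0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s $gui_src -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s $gui_src -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
COMMIT
EOF
}

# Classify a saved ruleset (iptables-save format, e.g. /etc/sysconfig/iptables).
# Prints "open" when INPUT has an ACCEPT policy and no catch-all DROP/REJECT
# rule, which is the state left by "iptables -F" followed by a save.
input_exposure() {
    awk '
        /^:INPUT /                   { policy = $2 }
        /^-A INPUT -j (DROP|REJECT)/ { catchall = 1 }
        END {
            r = (policy == "ACCEPT" && !catchall) ? "open" : "filtered"
            print r
        }
    ' "$1"
}
```

After reviewing the output, load it with gen_pbx_rules 192.168.1.0/24 | iptables-restore and persist it with service iptables save.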

--END of RHEL v6 NOTES--

Selinux is not required or recommended.  This will create the required file if it does not already exist.  If it already exists copy paste or edit the contents indicated here to be sure selinux never runs.

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.

SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

(Ctrl-x> y >Enter)

Make sure selinux is turned off for this session

setenforce 0

TFTP

Enable the tftp server on startup if required (for configuring phones)
nano /etc/xinetd.d/tftp
change server_args = from "-s /var/lib/tftpboot" to "-s /tftpboot"
change “disable=yes” to “disable=no”
(Ctrl-X>y>ENTER)

mkdir /tftpboot
chmod 777 /tftpboot
service xinetd restart

Set Timezone
Copy your timezone from this link

System timezone
Create a symbolic link to the appropriate timezone from /etc/localtime.
Example:
ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

PHP timezone (required since PHP v5.3):
If this is not set and you are using PHP v5.3+ (the version included with RHEL6), PHP reverts to the default timezone, which may not be the correct one for your location.  The FreePBX install will throw out a bunch of warnings if you are using RHEL 6 and don't set this.

for RHEL5:
nano +633 /etc/php.ini
for RHEL6
nano +946 /etc/php.ini
Uncomment (;) date.timezone = and add your timezone
Restart apache for the changes to take effect

service httpd restart

Memory Limit

The recommended setting is 128M otherwise you may get warnings in FreePBX.  RHEL 5 installs will probably already have this set correctly.  RHEL 6 may need to have this changed.

For RHEL 5
nano +302 /etc/php.ini
memory_limit = 128M

For RHEL 6
nano +457 /etc/php.ini
memory_limit = 128M

As always after php.ini changes, apache needs to be restarted for the changes to take effect.
service httpd restart

Download and untar source files.   Zaptel/Dahdi is not included in this install procedure.  Starting with Asterisk 1.6.2/FreePBX2.9, it is possible to use ConfBridge in place of MeetMe conferencing.  Meetme conferencing was the last Asterisk application that required a timing source. The only reason to install zaptel/dahdi now is if you are installing telephony hardware.  Meetme still has some features that confbridge does not and is still required if you also require paging.  To install meetme conferencing you must install dahdi and ensure meetme is selected during the asterisk menuselect installation part of the procedure.  You can also install confbridge but FreePBX will default to use MeetMe if it detects it.

Get FreePBX.  Check if this is the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.10.0.tar.gz
tar zxvf freepbx-2.10.0.tar.gz

Get Asterisk v1.8.
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz
tar zxvf asterisk-1.8-current.tar.gz

NOTE: There is no separate asterisk addons package to download starting with Asterisk v1.8

cd /usr/src/asterisk-1.8*
make clean
./configure && make menuselect

Select all addons.  I believe these are all needed or recommended for FreePBX.  Select base and addon sounds.  I suggest ulaw as they sound better than gsm especially if you are using ulaw as your default codec.  I usually just check both.  Then make sure to press the "save" button afterwards.

When you select 'format_mp3' above as an addon you must run a script before going any further otherwise the install will fail.

./contrib/scripts/get_mp3_source.sh

You must also have subversion installed to run the above script and be in the root directory of the Asterisk source code.

Now install Asterisk.  NOTE: If upgrading Asterisk on an already running FreePBX system do NOT run make samples.

make && make install && make samples

Create user.  May already exist but just to make sure
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk

The following directory may already exist but just to make sure
mkdir /var/run/asterisk

Set ownership
chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session

Music on Hold
The Asterisk default moh directory is "/moh" and the Freepbx default moh directory is "/mohmp3".  If we create a symbolic link instead everything is in one place and can still be found by both FreePBX and Asterisk.  FreePBX uses mohmp3 by default so moh just sits there unused if we do not create a symbolic link.  You can switch between these two moh directories in the new Advanced Settings GUI.  I still include this symbolic link procedure for legacy reasons.  If you do it everything is in one directory always no matter what.  That simplifies things and simpler is often better.
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3

The new default behaviour for Asterisk and Freepbx is to only use wav files for moh due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically.  If you won't be uploading or streaming mp3's or won't be using FreePBX (new) default behaviour then you probably don't need to install mpg123.

cd /usr/src
wget -O mpg123-1.14.2.tar.bz2 http://sourceforge.net/projects/mpg123/files/mpg123/1.14.2/mpg123-1.14.2.tar.bz2/download
tar -xjvf mpg123-1.14.2.tar.bz2

cd mpg123-1.14.2
./configure && make && make install

Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123

CHANGE APACHE USER

Change User apache and Group apache to User asterisk and Group asterisk.

sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MYSQL SETUP

Before you can do anything to MySQL, you need to make sure it's running:
NOTE: If running RHEL/CENTOS/SL 6 you may need to run this first.
mysql_install_db
Try without and see if it starts first.

service mysqld start
Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]

Now, to configure the databases for freePBX:
Note: If mysql admin password is already configured, add "-p" after the command and enter password when asked.  For example, "mysqladmin -p create asterisk"

cd /usr/src/freepbx-2.10.0
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql

They also need to be secured.  FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked 'asteriskuser' and 'amp109' - you probably shouldn't use these, as they are well known passwords for FreePBX.  If you use these well known defaults and your server is not firewalled, make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL only listens to localhost.  Or better yet do both.

Security check: It's very important to check that Allow Login With DB Credentials is set to FALSE in FreePBX Advanced Settings GUI.  This is the default setting.  If it were set to TRUE and you were using the default credentials of asteriskuser/amp109 and your FreePBX GUI were exposed to the internet (ie. the http port), anyone could log into your FreePBX GUI as administrator using those credentials.

MySQL creates a test database and 2 anonymous user accounts by default which we don't need so first we delete them.  MySQL also creates a non-local root@hostname account and assuming you don't want to access the database remotely as root (other than via SSH) you should probably delete that for security reasons.  DO NOT DELETE the root@localhost account.

mysql

mysql> DROP DATABASE test;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW VARIABLES LIKE 'hostname';
+---------------+----------------+
| Variable_name | Value          |
+---------------+----------------+
| hostname      | somehostname.com |
+---------------+----------------+
1 row in set (0.00 sec)

mysql> DROP USER ''@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> DROP USER ''@'somehostname.com';
Query OK, 0 rows affected (0.00 sec)

mysql> DROP USER 'root'@'somehostname.com';

mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example.  You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.
mysqladmin -u root password 'abcdef'

Install FreePBX

/usr/sbin/safe_asterisk
You may get a bunch of warnings, errors, and notices at this point.  Don't worry about them.  Hit ENTER to get a command prompt.

cd /usr/src/freepbx-2.10.0
./install_amp

If you get any warnings or errors in the last part of the output, they're usually not traumatic.

Default username is: admin
Default pw is: admin

FreePBX 2.10 now wants to create symlinks to some .conf files and complains if actual files already exist, as is the case when Asterisk make samples is run.  So we need to delete these files.  In FreePBX 2.9 you should only have to delete sip_notify.conf and ccss.conf.  Not sure what would happen if you try to delete the rest.  After deleting the following files, the next time we make a change in FreePBX and apply settings these symlinks will be created.

rm -f /etc/asterisk/sip_notify.conf
rm -f /etc/asterisk/iax.conf
rm -f /etc/asterisk/logger.conf
rm -f /etc/asterisk/features.conf
rm -f /etc/asterisk/sip.conf
rm -f /etc/asterisk/extensions.conf
rm -f /etc/asterisk/ccss.conf
rm -f /etc/asterisk/chan_dahdi.conf

Edit /etc/asterisk/cdr_mysql.conf and add 'loguniqueid=yes' to the global section which will give each call record a unique identifier number.

nano /etc/asterisk/cdr_mysql.conf

loguniqueid=yes

Set FreePBX to start on boot
echo /usr/local/sbin/amportal start >> /etc/rc.local

Enable Apache and MySQL to start on boot
chkconfig httpd on
chkconfig mysqld on

Now reboot at which point you should be able to access FreePBX with your web browser.  The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is "Apply Configuration Changes" so all the *.conf files are created then reboot again or 'amportal restart' from command prompt.

You may get an error in the FreePBX GUI saying "symlink failed for /etc/asterisk/sip_notify.conf" or something along those lines.  If that is the case just delete or rename /etc/asterisk/sip_notify.conf.  The next time you "Apply Configuration Changes" in the FreePBX GUI after some change this file will be recreated and the error should be gone.

AMPORTAL.conf changes

FreePBX v2.9+ now includes an "advanced settings" gui that is designed to replace amportal.conf and the requirements to edit it directly.  There are also some settings in a new file /etc/freepbx.conf

At this point you should go into this new advanced settings GUI on the FreePBX webpage and edit the following settings:

http://IPaddressOFyourFreePBXserver/

In the GUI Go to: Tools>Advanced Administration>Advanced Settings>System Setup>User Portal Admin Password

Choose your admin password for accessing the Voicemail & Recordings (ARI) section of the front webpage.

In the same GUI go to: System Setup>FreePBX Web Address

Remove the "xx.xx.xx.xx" and leave blank.  If that does not work use your public (ie. web facing) IP address for this server.

After saving these changes by pressing the green arrow on the right hand side of each box make sure to "Apply Configuration Changes" at the top of the GUI.

Misc. optional settings

Change the “upload_max_filesize” from 2M to 20M to allow larger music on hold files
RHEL 5
nano +582 /etc/php.ini
RHEL 6
nano +878 /etc/php.ini

Edit Apache web server for GUI access using a port other than 80:
nano +134 /etc/httpd/conf/httpd.conf
change "Listen 80" to "Listen 8888" or whatever port you want

Change default Apache setting of AllowOverride None to All so that Apache obeys directives in .htaccess files which by default prevents viewing sensitive directories on Freepbx.
nano +338 /etc/httpd/conf/httpd.conf
AllowOverride All

service httpd restart

Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx
You now access it by http://xxx.xxx.xxx.xxx:8888

Set up external SIP extensions if going through NAT

nano /etc/asterisk/sip_nat.conf
nat=yes
externip= or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
;change the above to whatever your local subnet is
externrefresh=10

(Ctrl-X>y>ENTER)

Also, when adding the external SIP extension in FreePBX, make sure to change the nat=never default in the configuration to nat=yes for the extension that will be external.

Log Files Configuration

If you don't want to see a bunch of notices, warnings and errors each time you restart amportal from command line and you don't want your asterisk log files getting huge from constantly writing debug information do the following:

nano /etc/asterisk/logger_logfiles_custom.conf

console =>
full => notice,warning,error,verbose

Also make sure freepbx debug logging is disabled in FreePBX GUI>Settings>Advanced Settings>Developer and Customization

logrotate setup

Set up configuration to rotate log files otherwise they get too big after a short while. Create the following file.

nano /etc/logrotate.d/asterisk

Now add the following to make sure the asterisk log files are rotated weekly along with all the other log files.

/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}

nano /etc/logrotate.d/freepbx

/var/log/asterisk/freepbx_dbug /var/log/asterisk/freepbx_debug {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}

Sendmail configuration (optional)

Edit /etc/aliases file  and add a “root: username_to_forward_to” to forward all ‘root’ messages to your personal email address.  Put in the full email address if it is not on the asterisk system itself.
Then run
/usr/bin/newaliases
to restart the service.

If emails are not received you must set up masquerading in sendmail.  These still may be rejected if the email server requires the source of the email to also resolve to the same DNS that sendmail is masquerading as.

To enable this, add the following lines to the /etc/mail/sendmail.mc file:

MASQUERADE_AS(domain.com)dnl

FEATURE(masquerade_envelope)dnl

FEATURE(masquerade_entire_domain)dnl

MASQUERADE_DOMAIN(domain.com)dnl

Put a “dnl” in front of the line “EXPOSED_USER(`root')dnl”.  This enables host masquerading for root as well, which is disabled by default.

Update the Sendmail configuration files using the m4 macro processor to generate a new sendmail.cf file by executing the following command:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

To get the Sendmail macro file, the sendmail-cf package must be installed on the system.

After creating a new /etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. To do this, use the following command:

service sendmail restart

nano /etc/asterisk/vm_general.inc

Change serveremail=vm@asterisk to whomever you want voicemail emails to appear to come from.

NOTE: If you are installing on a LAN or do not have a domain resolving to the IP of the VPS, Sendmail will hang for a couple of minutes every time you reboot.  To prevent this your VPS hostname should end with .local or .localhost.  So, for example, instead of naming the VPS hostname 'powerpbx' it should be named 'powerpbx.local'.  The manual method is to edit your /etc/hosts file.  There should be 2 lines.
127.0.0.1 localhost.localdomain localhost
yourIPaddress yourhostname.local yourhostname yourhostname

MySQL performance tuning for low memory
This will reduce memory usage significantly without affecting performance.

nano /etc/my.cnf
[mysqld]
.
.
.
skip-innodb
skip-bdb

(Ctl-x > y > ENTER)

From command prompt:
service mysqld restart

RHEL v6 NOTE: Berkeley DB support has been removed from the version of MySQL included with RHEL v6 and the other v6 distributions.  Therefore you must NOT use the "skip-bdb" line with RHEL v6, otherwise MySQL will fail to start.

MySQL security enhancement
This will prevent outside IP's from connecting to the MySQL port

nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1

(Ctl-x > y > ENTER)
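
The two MySQL hardening steps in this guide (deleting the anonymous and non-local root accounts, and setting bind-address = 127.0.0.1) can be checked after the fact with the script below. It is an added example, not part of the original guide; the function names are assumptions, and it also flags the skip-bdb line that the RHEL v6 note warns about.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the MySQL hardening
# steps. Function names are illustrative assumptions.

# Read "User<TAB>Host" rows on stdin, for example from
#   mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user"
# and print one finding per account the guide says to delete. Treating
# 127.0.0.1 and ::1 as local root hosts is an assumption.
audit_mysql_users() {
    awk -F '\t' '
        $1 == "" { print "ANONYMOUS\t" $2; next }
        $1 == "root" && $2 !~ /^(localhost|127\.0\.0\.1|::1)$/ { print "REMOTE_ROOT\t" $2 }
    '
}

# Print the value of option $2 in the [mysqld] section of my.cnf file $1.
# The last occurrence wins; a bare flag such as skip-bdb prints "(set)".
mysqld_option() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_sec && !/^[ \t]*[#;]/ {
            line = $0
            n = index(line, "=")
            name = n ? substr(line, 1, n - 1) : line
            val = n ? substr(line, n + 1) : "(set)"
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/_/, "-", name)    # MySQL treats bind_address as bind-address
            if (name == key) { found = 1; value = val }
        }
        END { if (found) print value }
    ' "$1"
}

# Return 0 only when mysqld is bound to loopback.
check_bind_address() {
    addr=$(mysqld_option "$1" bind-address)
    case "$addr" in
        127.0.0.1|::1|localhost) echo "OK: bind-address = $addr"; return 0 ;;
        "") echo "WARN: bind-address not set in [mysqld]"; return 1 ;;
        *)  echo "WARN: bind-address = $addr"; return 1 ;;
    esac
}

# Return 0 when skip-bdb is absent; the guide notes mysqld on RHEL v6
# fails to start if the line is present.
check_no_skip_bdb() {
    [ -z "$(mysqld_option "$1" skip-bdb)" ]
}
```

Run check_bind_address /etc/my.cnf after editing the file, and pipe the mysql query shown in the comment into audit_mysql_users; no output from the latter means the accounts are gone.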

Add Password Protection to Flash Operator Panel GUI

By default, flash operator panel GUI (/var/www/html/panel) is visible to anyone who points a browser at your server unless port 4445 is blocked by a firewall.   Here is one way to protect it.

mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName

Apache will prompt you for a new password for the user name you've just indicated
New password:

Apache will prompt you to retype your new password
Re-type new password:

Apache will then confirm the new user
Adding password for user NewUserName

Now you have to add the user name you've just created to the "httpd.conf" file. To edit that file in "nano" type:
nano +587 /etc/httpd/conf/httpd.conf
Now do a CTRL-W to search for "AuthUser" and you'll find the area where all the users are listed (for example: "maint", your AMP user).  If you don't find any try around line 587 right after the cgi-bin "
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName NewUserName1 NewUserName2 yaddayaddayadda

To delete an Apache user, type in the following and then remove the user from the "httpd.conf" file.
htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

To change the password:
htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart apache.
service httpd restart