FreePBX Production Install Guide (RHEL v6, Asterisk v1.8+, FreePBX v2.9+)

This install procedure was tested using the Redhat Enterprise Linux distributions known as CentOS and Scientific Linux. 

Software used:

CentOS v5 or CentOS v6 or Scientific Linux v6
Asterisk 1.8
FreePBX 2.9

Linux commands executed at a command prompt are in courier font.

Let's get started

If you are installing Linux from scratch using Anaconda via install CD select "minimal" and proceed with the install which will install with no groups.   Skip down to the yum -y update part.

Otherwise, it is assumed you already have a server with a base CentOS installation before you begin.  Do NOT install a GUI such as Gnome or KDE.  We only want to be running in console text mode not GUI graphics mode.  If you already have a desktop or server GUI installed you will want to exit to console mode.  You do that by typing init 3 from a terminal or console window.  You will need to be logged in as root in order to do this so if not you can su root.  All instructions in this guide are assuming you are always logged in as root.

Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate.  Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).

yum grouplist installed

Installed Groups:
   DNS Name Server
   Editors
   Legacy Network Server
   Mail Server
   Network Servers
   System Tools
   Text-based Internet
   Web Server
   Windows File Server
   Yum Utilities

yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'

Now update the base install

yum -y update

Install Asterisk/FreePBX required packages, other useful packages, and their dependencies

yum groupinstall core
yum groupinstall base

yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano kernel-devel

On RHEL 5 shutdown unnecessary daemon brcm-iscsi which is enabled by default and tends to do a lot of logging even when not used. This creates unnecessary I/O load.

chkconfig iscsi off
chkconfig iscsid off
service iscsi stop
service iscsid stop

Replace syslog with the improved and backwards compatible rsyslog (standard in RHEL6 but not RHEL5).  This also prevents a problem that comes up with improper timestamps in /var/log/secure when you get disconnects.  

NOTE:This is only for RHEL5 based systems.  You do not need to do this for RHEL6.

yum -y install rsyslog
chkconfig syslog off
chkconfig rsyslog on
service syslog stop
service rsyslog start

RHEL v6 NOTES:  

On RHEL v6 and it's clone distributions the php-pear-DB package is not included.  You need to download it from an official mirror and install otherwise the FreePBX install will fail.  Click the link to check for the latest version.

cd /usr/src
wget http://download.fedora.redhat.com/pub/epel/6/i386/php-pear-DB-1.7.13-3.el6.noarch.rpm
rpm -ivh php-pear-DB*

RHEL v6 uses a newer version of php.  In this version php-posix is no longer in php-common, it is in php-process.  So you need to install php-process if using RHEL v6 or it's clones otherwise the FreePBX install will fail.

yum -y install php-process

Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration blocks the FreePBX web GUI.  If you know what services/ports are required you can run "system-config-firewall-tui" and configure the firewall as required.  

At a minimum, the following ports need to be opened:
TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
UDP 4569 (IAX)

Another option is to remove existing settings from the firewall and save.
iptables -F
service iptables save

Alternatively, you can disable the firewall for now and prevent it from starting on reboot.

service iptables stop 
chkconfig iptables off

--END of RHEL v6 NOTES--

Selinux is not required or recommended.  This will create the required file if it does not already exist.  If it already exists copy paste or edit the contents indicated here to be sure selinux never runs.

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.

SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

(Ctrl-x> y >Enter)

Make sure selinux is turned off for this session

setenforce 0

Enable the tftp server on startup if required (for configuring phones)
nano /etc/xinetd.d/tftp
change “disable=yes” to “disable=no”
(Ctrl-X>y>ENTER)

 

Set Timezone
Copy your timezone from this link

System timezone
Create a symbolic link to the appropriate timezone from /etc/localtime.
Example:
ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

Memory Limit

The recommended setting is 128M otherwise you may get warnings in FreePBX.  RHEL 5 installs will probably already have this set correctly.  RHEL 6 may need to have this changed.

For RHEL 5
nano +302 /etc/php.ini
memory_limit = 128M

For RHEL 6
nano +457 /etc/php.ini
memory_limit = 128M

As always after php.ini changes, apache needs to be restarted for the changes to take effect.
service httpd restart 

Download and untar source files.   Zaptel/Dahdi is not included in this install procedure.  Starting with Asterisk 1.6.2/FreePBX2.9, it is possible to use ConfBridge in place of MeetMe conferencing.  Meetme conferencing was the last Asterisk application that required a timing source. The only reason to install zaptel/dahdi now is if you are installing telephony hardware.  Meetme still has some features that confbridge does not and is still required if you also require paging.  To install meetme conferencing you must install dahdi and ensure meetme is selected during the asterisk menuselect installation part of the procedure.  You can also install confbridge but FreePBX will default to use MeetMe if it detects it.

Get FreePBX.  Check if this is the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.9.0.tar.gz
tar zxvf freepbx-2.9.0.tar.gz

Get Asterisk v1.8.
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz
tar zxvf asterisk-1.8-current.tar.gz

NOTE: There is no separate asterisk addons package to download starting with Asterisk v1.8

cd /usr/src/asterisk-1.8*
make clean
./configure && make menuselect

Select all addons.  I believe these are all needed or recommended for FreePBX.  Select base and addon sounds.  I suggest ulaw as they sound better than gsm especially if you are using ulaw as your default codec.  I usually just check both.  Then make sure to press the "save" button afterwards.

When you select 'format_mp3' above as an addon you must run a script before going any further otherwise the install will fail.

./contrib/scripts/get_mp3_source.sh

You must also have subversion installed to run the above script and be in the root directory of the Asterisk source code.

Now install Asterisk.  NOTE: If upgrading Asterisk on an already running FreePBX system do NOT run make samples.

make && make install && make samples

Create user.  May already exist but just to make sure
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk

The following directory may already exist but just to make sure
mkdir /var/run/asterisk

Set ownership
chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session

Music on Hold
The Asterisk default moh directory is "/moh" and the Freepbx default moh directory is "/mohmp3".  If we create a symbolic link instead everything is in one place and can still be found by both FreePBX and Asterisk.  FreePBX uses mohmp3 by default so moh just sits there unused if we do not create a symbolic link.  You can switch between these two moh directories in the new Advanced Settings GUI.  I still include this symbolic link procedure for legacy reasons.  If you do it everything is in one directory always no matter what.  That simplifies things and simpler is often better.
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3

The new default behaviour for Asterisk and Freepbx is to only use wav files for moh due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically.  If you won't be uploading or streaming mp3's or won't be using FreePBX (new) default behaviour then you probably don't need to install mpg123.

cd /usr/src
wget http://sourceforge.net/projects/mpg123/files/mpg123/1.13.4/mpg123-1.13.4.tar.bz2/download
tar -xjvf mpg123-1.13.4.tar.bz2

cd mpg123-1.13.4
./configure && make && make install

Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123

CHANGE APACHE USER

Change User apache and Group apache to User asterisk and Group asterisk.

sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MYSQL SETUP

Before you can do anything to MySQL, you need to make sure it's running:

service mysqld start
Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]

Now, to configure the databases for freePBX:
Note: If mysql admin password is already configured, add "-p" after the command and enter password when asked.  For example, "mysqladmin -p create asterisk"

cd /usr/src/freepbx-2.9.0
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql

They also need to be secured.  FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked 'asteriskuser' and 'amp109' - you probably shouldn't use these, as they are well known passwords for Freepbx.  If you use these well know defaults and your server is not firewalled make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL only listens to localhost.  Or better yet do both.

mysql

mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example.  You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.
mysqladmin -u root password 'abcdef'
 

Install FreePBX

/usr/sbin/safe_asterisk
You will get a bunch of warnings, errors, and notices at this point.  Don't worry about them.  Hit ENTER to get a command prompt.

cd /usr/src/freepbx-2.9.0
./install_amp

If you get any warnings or errors in the last part of the output, they're usually not traumatic.

Default username is: admin
Default pw is: admin
 

Freepbx 2.10 now wants to create symlinks to some .conf files and complains if actual files already exist as is the case when Asterisk make samples is run.  So we need to delete these files.  In FreePBX 2.9 you should only have to delete sip_notify.conf and ccss.conf.  Not sure what would happen if you try delete the rest.  After deleting the following files, the next time we make a change in FreePBX and apply settings these symlinks will be created.

rm -f /etc/asterisk/sip_notify.conf
rm -f /etc/asterisk/iax.conf
rm -f /etc/asterisk/logger.conf
rm -f /etc/asterisk/features.conf
rm -f /etc/asterisk/sip.conf
rm -f /etc/asterisk/extensions.conf
rm -f /etc/asterisk/ccss.conf
rm -f /etc/asterisk/chan_dahdi.conf

Edit /etc/asterisk/cdr_mysql.conf and add 'loguniqueid=yes' to the global section which will give each call record a unique identifier number.

nano /etc/asterisk/cdr_mysql.conf

loguniqueid=yes

set FreePBX to start on boot
echo /usr/local/sbin/amportal start >> /etc/rc.local

Enable Apache and MySQL to start on boot
chkconfig httpd on
chkconfig mysqld on

Now reboot at which point you should be able to access FreePBX with your web browser.  The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is "Apply Configuration Changes" so all the *.conf files are created then reboot again or 'amportal restart' from command prompt.

You may get an error in the FreePBX GUI saying "symlink failed for /etc/asterisk/sip_notify.conf" or something along those lines.  If that is the case just delete or rename /etc/asterisk/sip_notify.conf.  The next time you "Apply Configuration Changes" in the FreePBX GUI after some change this file will be recreated and the error should be gone.

AMPORTAL.conf changes

FreePBX v2.9+ now includes an "advanced settings" gui that is designed to replace amportal.conf and the requirements to edit it directly.  There are also some settings in a new file /etc/freepbx.conf

At this point you should go into this new advanced settings GUI on the FreePBX webpage and edit the following settings:

http://IPaddressOFyourFreePBXserver/

In the GUI Go to: Tools>Advanced Administration>Advanced Settings>System Setup>User Portal Admin Password

Choose your admin password for accessing the Voicemail & Recordings (ARI) section of the front webpage.

In the same GUI go to: System Setup>FreePBX Web Address

Remove the "xx.xx.xx.xx" and leave blank.  If that does not work use your public (ie. web facing) IP address for this server.

After saving these changes by pressing the green arrow on the right hand side of each box make sure to "Apply Configuration Changes" at the top of the GUI.
 

Misc. optional settings

Change the “upload_max_filesize” from 2M to 20M to allow larger music on hold files
RHEL 5
nano +582 /etc/php.ini
RHEL 6
nano +878 /etc/php.ini

Edit Apache web server for GUI access using a port other than 80:
nano +134 /etc/httpd/conf/httpd.conf
change "Listen 80" to "Listen 8888" or whatever port you want

Change default Apache setting of AllowOverride None to All so that Apache obeys directives in .htaccess files which by default prevents viewing sensitive directories on Freepbx.
nano +338 /etc/httpd/conf/httpd.conf
AllowOverride All

service httpd restart

Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx
You now access it by http://xxx.xxx.xxx.xxx:8888

Edit /etc/aliases file  and add a “root: username_to_forward_to” to forward all ‘root’ messages to your personal email address.  Put in the full email address if it is not on the asterisk system itself.
Then run  
/usr/bin/newaliases
to restart the service.

NOTE: If you are installing on a LAN or do not have a domain resolving to the IP of the VPS, Sendmail will hang for a couple minutes everytime you reboot.  To prevent this your VPS hostname should end with .local or .localhost.  So, for example, instead of naming the VPS hostname 'powerpbx' it should be named 'powerpbx.local'.  The manual method is to edit your /etc/hosts file.  There should be 2 lines.
127.0.0.1 localhost.localdomain localhost
yourIPaddress yourhostname.local yourhostname yourhostname

MySQL performance tuning for low memory
This will reduce memory usage significantly without affecting performance.

nano /etc/my.cnf
[mysqld]
.
.
.
skip-innodb
skip-bdb

(Ctl-x > y > ENTER)

From command prompt:
service mysqld restart

RHEL v6 NOTE: Berkley DB support has been removed from the version of MYSQL included with RHEL v6 and the other v6 distributions.  Therefore you must NOT use the "skip-bdb" line with RHEL v6 otherwise Mysql will fail to start.

MySQL security enhancement
This will prevent outside IP's from connecting to the MySQL port

nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1

(Ctl-x > y > ENTER)


Add Password Protection to Flash Operator Panel GUI

By default, flash operator panel GUI (/var/www/html/panel) is visible to anyone who points a browser at your server unless port 4445 is blocked by a firewall.   Here is one way to protect it.

mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName 

Apache will prompt you for a new password for the user name you've just indicated 
New password: 

Apache will prompt you to retype your new password 
Re-type new password: 

Apache will then confirm the new user 
Adding password for user NewUserName

Now you have to add the user name you've just created to the "httpd.conf" file. To edit that file in "nano" type: 
nano +587 /etc/httpd/conf/httpd.conf 
Now do a CTRL-W to search for "AuthUser" and you'll find the area where all the users are listed (for example: "maint", your AMP user).  If you don't find any try around line 587 right after the cgi-bin "<Directory....."  entry.

Now add the following lines: 
#Password protect the Flash Operator Panel Page /var/www/html/panel
<Directory /var/www/html/panel> 
AuthType Basic 
AuthName "Restricted Area" 
AuthUserFile /usr/local/apache/passwd/wwwpasswd 
Require user NewUserName NewUserName1 NewUserName2 yaddayaddayadda 
</Directory>

To delete an Apache user, type in the following and then remove the user from the "httpd.conf" file. 
htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

To change the password:
htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart apache. 
service httpd restart