Freepbx Production Install Guide (RHEL v6, Asterisk v11+, Freepbx v2.11+)

Asterisk 11

Changes in this guide include Asterisk 11, which requires at least FreePBX v2.11.  Also, the cdr_mysql module has been deprecated, so FreePBX 2.11 adds support for the ODBC method. This install guide adds configurations to enable the new method.  You can continue to use the old method for as long as the cdr_mysql module is included in Asterisk and still functional.

Tested on CentOS 6.4

Let's get started

We only want to be running in console text mode not GUI graphics mode.  If you already have a desktop or server GUI installed typing  init 3 from a terminal or console window as root user will exit the GUI.  All instructions in this guide are assuming you are always logged in as root running in init 3 mode.

Install Asterisk/FreePBX required packages, other useful packages, and their dependencies

yum -y update

yum groupinstall core
yum groupinstall base

yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-process php-pear php-mbstring php-xml tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano kernel-devel selinux-policy sqlite-devel openssl-devel libuuid-devel libcurl-devel tzdata

Install CDR ODBC required packages

yum install libtool-ltdl-devel unixODBC unixODBC-devel mysql-connector-odbc

Install optional packages

chan_gtalk, chan_motif, and res_xmpp will not compile unless iksemel-devel and its dependencies are installed.  res_fax_spandsp will not compile unless the spandsp-devel dependency is installed.  For CentOS 6, iksemel and spandsp are in the EPEL repository.

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install iksemel-devel spandsp-devel

Install pear DB

Don't worry about the warning message.

pear install db-1.7.14

Firewall

Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration blocks the FreePBX web GUI.  If you know what services/ports are required you can run system-config-firewall-tui and configure the firewall as required. At a minimum, the following ports need to be opened:

TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
UDP 4569 (IAX)

Another option is to remove existing settings from the firewall and save.

service iptables save
service iptables stop
chkconfig iptables off

After completing the entire procedure we can load the firewall rules again by running service iptables start and have them load on boot by running chkconfig iptables on.
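
The ports listed above, written as a ruleset that can be loaded when the firewall is turned back on (an added example, not part of the original guide). It follows the layout of the RHEL 6 default ruleset; the function name and the admin subnet argument, which limits SSH, the web GUI and the Flash Operator Panel to a management network, are assumptions.

```bash
# Added example: print an iptables-restore ruleset for the ports this guide lists.
# The function name and the admin subnet argument are assumptions, not the guide's.
pbx_iptables_rules() {
    admin_net="$1"
    # Accept only an IPv4 CIDR such as 192.168.1.0/24 (constructed sample value).
    if ! printf '%s\n' "$admin_net" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "usage: pbx_iptables_rules <admin-cidr>" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH, web GUI and Flash Operator Panel: admin subnet only (assumption)
-A INPUT -m state --state NEW -m tcp -p tcp -s ${admin_net} --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s ${admin_net} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s ${admin_net} --dport 4445 -j ACCEPT
# SIP, IAX and RTP as listed in the guide
-A INPUT -m udp -p udp --dport 5060:5061 -j ACCEPT
-A INPUT -m udp -p udp --dport 4569 -j ACCEPT
-A INPUT -m udp -p udp --dport 10000:20000 -j ACCEPT
# Everything else is rejected
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the ruleset when a subnet is given on the command line, e.g.
#   sh pbx_rules.sh 192.168.1.0/24 | iptables-restore --test
if [ -n "${1:-}" ]; then pbx_iptables_rules "$1"; fi
```

Once the output passes iptables-restore --test, saving it as /etc/sysconfig/iptables makes service iptables start load it.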

Selinux

Check status

sestatus

If not disabled edit /etc/selinux/config and reboot

SELINUX=disabled

TFTP

If you plan to use hardware SIP phones you will probably want to enable the tftp server.

nano /etc/xinetd.d/tftp

change server_args = -s /var/lib/tftpboot
to server_args = -s /tftpboot

change disable=yes
to disable=no

mkdir /tftpboot
chmod 777 /tftpboot
service xinetd restart

Set Timezone

Copy your timezone from this link or use tzselect

tzselect 

Create a symbolic link to the appropriate timezone from /etc/localtime. Example:

ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

Download and untar source files.

Get and install DAHDI

Only required if using a physical server and installing telecom hardware.

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
tar zxvf dahdi-linux-complete*
cd /usr/src/dahdi-linux-complete*
make && make install && make config

Get FreePBX

Check if this is the latest released version.

cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.11.0.42.tgz 
tar zxvf freepbx-2.11*

Get and Install Asterisk

Do NOT run make samples.  It can cause some problems you will have to clean up later on.  

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar zxvf asterisk-11-current.tar.gz

cd /usr/src/asterisk-11*/
make clean && make distclean
ARCH=$(getconf LONG_BIT | grep "64")
./configure --libdir=/usr/lib${ARCH}

Asterisk v11+ compiles with CFLAGS=-march=native which appears to compile for CPU features that are not necessarily available on a virtual machine and can cause errors. CFLAGS=-mtune=native appears to be more compatible across various configurations.

So the above ./configure command for a more compatible Asterisk on virtual machines would become ./configure CFLAGS='-g -O2 -mtune=native' --libdir=/usr/lib${ARCH}

If you want to be more precise and optimal for your cpu you can try cat /proc/cpuinfo then find your cputype from the gcc cpu options manual and use CFLAGS=-mtune=mycputype.  If none of those work try CFLAGS=-mtune=generic which is probably the least optimal but most compatible across different CPU types.

make menuselect

FreePBX does not use Asterisk realtime but if you are thinking of using A2Billing then also select res_config_mysql.  Select Core and Extra sounds.  I suggest ulaw as they sound better than gsm especially if you are using ulaw as your default codec.  I usually just check both.  Then make sure to press the save button afterwards.

Select format_mp3 in addons if you are going to be doing anything with mp3 files.  For backwards compatibility and fall back in case ODBC doesn't work you may as well install the deprecated cdr_mysql as well.  When you select format_mp3 above as an addon you must run a script before going any further otherwise the install will fail.

./contrib/scripts/get_mp3_source.sh

Now compile and install Asterisk.  DO NOT run make samples even though the install script suggests you do.  It will cause conflicts with FreePBX config files.

make && make install

Create Asterisk User

adduser asterisk -M -d /var/lib/asterisk -s /sbin/nologin -c "Asterisk User"

The recommended music on hold behaviour for Asterisk and Freepbx is to only use wav files due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically.  If you won't be uploading mp3's or don't want them converted then you probably don't need to install mpg123.  If not sure then install.

cd /usr/src
wget http://sourceforge.net/projects/mpg123/files/mpg123/1.21.0/mpg123-1.21.0.tar.bz2
tar -xjvf mpg123*

cd mpg123*/
ARCH=$(getconf LONG_BIT | grep "64")
./configure --prefix=/usr --libdir=/usr/lib${ARCH} && make && make install && ldconfig

Change Apache User

Change User apache and Group apache to User asterisk and Group asterisk.

sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MySQL Setup

Before you can do anything to MySQL, you need to make sure it's running.

NOTE: If running RHEL/CENTOS/SL 6 you may need to run this first:

mysql_install_db

Try without and see if it starts first.

service mysqld start

Initializing MySQL database: [  OK  ] 
Starting MySQL:              [  OK  ]

Now, to configure the databases for FreePBX:

Note: If the mysql admin password is already configured, add "-p" after the command and enter the password when asked.  For example, mysqladmin -p create asterisk

cd /usr/src/freepbx-2.11*/
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql

They also need to be secured.  FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked asteriskuser and amp109.  If you use these well-known defaults and your server is not firewalled, make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL only listens on localhost.

mysql

mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example.  You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.

mysqladmin -u root password 'abcdef'

Install FreePBX

/usr/sbin/safe_asterisk
cd /usr/src/freepbx-2.11*/

Now run the FreePBX install script.  Select all defaults for now by hitting the ENTER key at each prompt.

./install_amp

If you get any warnings or errors they're usually not traumatic.

-----------------------------

64bit OS Check:

For 64bit Operating Systems check that the following is true: /etc/asterisk/asterisk.conf contains astmoddir => /usr/lib64/asterisk/modules and not astmoddir => /usr/lib/asterisk/modules

-----------------------------

Default username is: admin
Default pw is: admin
Or create your own, which is the new default behaviour on FreePBX v1.11.

Set FreePBX to start on boot

echo /usr/local/sbin/amportal start >> /etc/rc.local

Enable Apache and MySQL to start on boot

chkconfig httpd on
chkconfig mysqld on

Now reboot at which point you should be able to access FreePBX with your web browser.  The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is Apply Configuration Changes which is a button or bar that shows up at the top of the GUI.  This generates all the *.conf files.  

It may also be necessary to reboot again or amportal restart from command prompt.

If you have pre-existing *.conf files in /etc/asterisk because you ran make samples or are upgrading from older versions of Asterisk/FreePBX, you will get symlink fail error messages in the FreePBX system status page.  Just delete or rename those files.  The next time you Apply Configuration Changes in the FreePBX GUI the symlinks will be created and the errors should be gone.

CDR ODBC

This is optional if you selected the deprecated cdr_mysql module in Asterisk menu at compile time. This is the new recommended way of connecting to the CDR DB.  Eventually this will be required when cdr_mysql no longer works or is no longer included with Asterisk.

nano /etc/odbc.ini
[MySQL-asteriskcdrdb]
Description     = MySQL ODBC Driver
Driver          = MySQL
Socket          = /var/lib/mysql/mysql.sock
Server          = localhost
Database        = asteriskcdrdb
Option          = 3
 
Test that the ODBC driver is working
odbcinst -s -q

should result in [MySQL-asteriskcdrdb].

Check that the Asterisk ODBC file, which Asterisk uses to connect to the CDR DB, contains the following.

nano /etc/asterisk/res_odbc_additional.conf
[asteriskcdrdb]
enabled=>yes
dsn=>MySQL-asteriskcdrdb
pooling=>no
limit=>1
pre-connect=>yes
username=>asteriskuser
password=>amp109

Using the above information, test that it can connect to the DB via ODBC

isql -v MySQL-asteriskcdrdb asteriskuser amp109

should result in:

+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+
SQL>
Type quit to exit
 

Lastly create or add the following. Note connection=asteriskcdrdb matches [asteriskcdrdb] in res_odbc_additional.conf.  Calldate does not exist any more in cdr_adaptive_odbc.so.  To have the behaviour the same as standard cdr functions we add the alias start line.

nano /etc/asterisk/cdr_adaptive_odbc.conf
[first]
connection=asteriskcdrdb
table=cdr
alias start => calldate

If cdr-mysql module is enabled at the same time as the cdr odbc you will get double entries in the CDR DB.  Therefore we need to disable cdr-mysql.

mv /etc/asterisk/cdr_mysql.conf /etc/asterisk/cdr_mysql.conf.disabled
amportal restart

-------------------------------------------------------------------------

Misc. optional settings

Change the “upload_max_filesize” from 2M to 20M to allow larger music on hold files (RHEL 6).

nano +878 /etc/php.ini

Edit Apache web server for GUI access using a port other than 80:

nano +134 /etc/httpd/conf/httpd.conf

Change Listen 80 to Listen 8888 or whatever port you want.

Change the default Apache setting of AllowOverride None to All so that Apache obeys directives in .htaccess files, which by default prevent viewing sensitive directories on FreePBX.

nano +338 /etc/httpd/conf/httpd.conf
AllowOverride All

And restart apache.

service httpd restart

Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx you now access it by http://xxx.xxx.xxx.xxx:8888

Set up external SIP extensions if going through NAT.  Alternatively, the new and improved way of doing this is using the Asterisk SIP settings module.

nano /etc/asterisk/sip_nat.conf
nat=yes
externip= or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
;change the above to whatever your local subnet is
externrefresh=10

When adding external SIP extensions in FreePBX, make sure to change the nat=no default in the configuration to nat=yes for the extension that will be external.  Change that default globally in the Advanced Settings menu.

Install FreePBX commercial module dependencies

If you want to install commercial modules you need zendguard and some additional dependencies found in the schmoozecom commercial repo.

Install schmoozecom repo

wget -P /etc/yum.repos.d/ -N   http://yum.schmoozecom.net/schmooze-commercial/schmooze-commercial.repo

Install zendguard and commercial module dependencies.

yum install php-5.3-zend-guard-loader incron prosody sysadmin

logrotate setup

Set up configuration to rotate log files otherwise they get too big after a short while. Create the following file.

nano /etc/logrotate.d/asterisk

Now add the following to make sure the asterisk log files are rotated weekly.

/var/log/asterisk/queue_log {
        daily
        missingok
        rotate 7
        notifempty
        sharedscripts
        create 0640 asterisk asterisk
}

/var/spool/mail/asterisk
/var/log/asterisk/freepbx_debug.log
/var/log/asterisk/messages
/var/log/asterisk/event_log
/var/log/asterisk/full
/var/log/asterisk/dtmf
/var/log/asterisk/fail2ban {
        daily
        missingok
        rotate 7
        compress
        notifempty
        sharedscripts
        create 0640 asterisk asterisk
        postrotate
        /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
        endscript
}

Configure voicemail to email template

nano /etc/asterisk/vm_email.inc

Change the template to what you want the voicemail emails to look like.  Check that http://ipaddress_of_Freepbx_server is correct.

Root alias

Edit the /etc/aliases file and add an email address to forward ‘root’ messages to your personal email address.  At the very bottom you should see a commented example.  Copy it and replace with your email address.

root:   some_email@somedomain.com

Then run

/usr/bin/newaliases

after saving the file to rebuild the aliases database and have the change take effect. Test if you can receive emails via sendmail which we are assuming is installed and running as is standard on RHEL 5 and 6.

service sendmail status

sendmail is running
sm-client is running

echo testing | mail -s "test mail" root@localhost

If you get an email then you can stop here.

Replace Sendmail with Postfix (optional)

If you do not get an email because it is being blocked or filtered or you want to customize, you can replace sendmail with postfix which is generally easier to configure.

yum install postfix
service sendmail stop
chkconfig sendmail off
chkconfig --add postfix
service postfix start

Check if the root alias email works or still works.

echo testing | mail -s "test mail" root@localhost

Customize by editing or replacing /etc/postfix/main.cf.  A sample file is shown below.

cp /etc/postfix/main.cf /etc/postfix/main.cf.original
nano /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/

After editing reload the configuration.

service postfix restart

MySQL performance tuning

This will reduce memory usage without affecting performance.

nano /etc/my.cnf
[mysqld]
.
.
.
skip-innodb

From command prompt:

service mysqld restart

MySQL security enhancement

This will prevent outside IPs from connecting to the MySQL port.

nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1
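
A check for the two settings this guide ties together, the well-known database password and bind-address (an added example, not the guide's or FreePBX's own code; the function names are hypothetical). It reports the bind-address that mysqld actually reads, which catches the case where the line is appended to the end of my.cnf and ends up under [mysqld_safe].

```bash
# Added example, not from the original guide; function names are hypothetical.
# Limitation: !include directives in my.cnf are not followed.

# Print the bind-address in effect for mysqld from a my.cnf file ($1).
# Empty output: none is set in [mysqld] or [server], so mysqld listens on all interfaces.
mysqld_bind_address() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[(mysqld|server)\]/); next }
        in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop the key and "="
            sub(/#.*$/, "")            # drop a trailing comment
            sub(/[ \t]+$/, "")
            addr = $0                  # the last setting wins
        }
        END { print addr }
    ' "$1"
}

# Succeed when the Asterisk ODBC config ($1) still holds the guide's example password.
has_guide_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=>?[[:space:]]*amp109[[:space:]]*$' "$1"
}

# Audit my.cnf ($1) and res_odbc_additional.conf ($2); return 1 on any finding.
pbx_mysql_audit() {
    addr=$(mysqld_bind_address "$1")
    case "$addr" in
        127.0.0.1|::1|localhost) echo "OK: mysqld bound to $addr"; return 0 ;;
    esac
    echo "FAIL: bind-address is '${addr:-unset}' for mysqld, port 3306 is not loopback-only"
    if has_guide_password "$2"; then
        echo "FAIL: $2 still uses the example password from the guide"
    fi
    return 1
}

# Constructed samples. In the first, the line was appended to the end of the file
# and landed in [mysqld_safe], a section that mysqld does not read.
demo=$(mktemp -d)
printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' '' '[mysqld_safe]' \
    'log-error=/var/log/mysqld.log' 'bind-address = 127.0.0.1' > "$demo/wrong.cnf"
printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' 'bind-address = 127.0.0.1' '' \
    '[mysqld_safe]' 'log-error=/var/log/mysqld.log' > "$demo/right.cnf"
printf '%s\n' '[asteriskcdrdb]' 'username=>asteriskuser' 'password=>amp109' \
    > "$demo/res_odbc_additional.conf"

pbx_mysql_audit "$demo/wrong.cnf" "$demo/res_odbc_additional.conf" || true
pbx_mysql_audit "$demo/right.cnf" "$demo/res_odbc_additional.conf" || true
rm -rf "$demo"
```

On the running server, after service mysqld restart, netstat -ltn | grep 3306 should show 127.0.0.1:3306 rather than 0.0.0.0:3306.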

Add Password Protection to Flash Operator Panel GUI

By default, flash operator panel GUI (/var/www/html/admin/modules/fw_fop) is visible to anyone who points a browser at your server unless port 4445 is blocked by a firewall.   Here is one way to protect it.

mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName

Apache will prompt you for a new password for the user name you've just indicated
New password:
Apache will prompt you to retype your new password
Re-type new password:
Apache will then confirm the new user
Adding password for user NewUserName

Now you have to add the user name you've just created to the httpd.conf file. To edit that file in nano type:

nano +587 /etc/httpd/conf/httpd.conf

Now do a CTRL-W to search for AuthUser and you'll find the area where all the users are listed (for example: "maint", your AMP user).  If you don't find any try around line 587 right after the cgi-bin.

Now add the following lines:
#Password protect the Flash Operator Panel Page /var/www/html/admin/modules/fw_fop
<Directory /var/www/html/admin/modules/fw_fop>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName
</Directory>

To delete an Apache user, type in the following and then remove the user from the httpd.conf file.

htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

To change the password:

htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart apache.

service httpd restart