Submitted by admin on Sat, 01/26/2013 - 10:33

Sections:

FreePBX Production Install Guide (RHEL v6, Asterisk v11+, FreePBX

v2.11+)

Asterisk

Changes in this guide include Asterisk 11 which requires at least FreePBX v2.11. Also
cdr_mysql module has been deprecated so FreePBX 2.11 adds support for the ODBC
method. This install guide adds configurations to enable the new method. You can continue to
use the old method for as long as the cdr_mysql module is included in Asterisk and still
functional. It's just no longer being maintained by the people at Asterisk. There are a lot of other
little changes to this guide too numerous to mention.

Tested on CentOS 6.4

New dependency for Asterisk v11.5+

If upgrading from a previous version of Asterisk such as v11.4 you will need to install a new
dependency otherwiseres_rtp_asterisk.so module will not compile. This dependency has
been added to the required packages list below. This note has been added here in case you are
only recompiling a newer version of Asterisk and not installing from scratch.

yum install libuuid-devel

Let's get started

If you are installing Linux from scratch using Anaconda via install CD select "basic server"
group then proceed with the install. Skip down to the yum -y update part. Otherwise, it is
assumed you already have a server with a base CentOS installation before you begin. Do NOT
install a GUI such as Gnome or KDE. We only want to be running in console text mode not GUI
graphics mode. If you already have a desktop or server GUI installed you will want to exit to
console mode. You do that by typing init 3 from a terminal or console window. You will need
to be logged in as root in order to do this so if not you can su root. All instructions in this guide
are assuming you are always logged in as root.

Install Asterisk/FreePBX required packages, other useful

packages, and their dependencies
yum -y update
yum groupinstall core
yum groupinstall base

yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql
php-process php-pear php-mbstring tftp-server httpd make ncurses-devel
libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel
libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano
kernel-devel selinux-policy sqlite-devel openssl-devel libuuid-devel libcurl-
devel tzdata

Install CDR ODBC required packages

yum install libtool-ltdl-devel unixODBC unixODBC-devel mysql-connector-odbc

Install optional packages

chan_gtalk, chan_motif, and res_xmpp will not compile unless iksemel-devel and it's
dependencies are installed. res_fax_spandsp will not compile unless spandsp dependency is
installed. For CentOS 6, iksemel and spandsp are in the EPEL repository.

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-

8.noarch.rpm
yum install iksemel-devel spandsp

Install pear DB

Don't worry about the warning message.

pear install db

Firewall
Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration
blocks the FreePBX web GUI. If you know what services/ports are required you can run
system-config-firewall-tui and configure the firewall as required. At a minimum, the
following ports need to be opened:

TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
?UDP 4569 (IAX)

Another option is to remove existing settings from the firewall and save.

iptables -P input accept

iptables -X
iptables -F
service iptables save
Alternatively, you can disable the firewall for now and prevent it from starting on reboot.

service iptables stop

chkconfig iptables off

Selinux
Selinux is not required or recommended. This will create the required file if it does not already
exist. If it already exists set SELINUX=disabled.

nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.

SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Make sure selinux is turned off for this session

setenforce 0

TFTP
If you plan to use hardware SIP phones you will probably want to enable the tftp server.

nano /etc/xinetd.d/tftp

change
server_args = -s /var/lib/tftpboot
to
server_args = -s /tftpboot

change
disable=yes
to
disable=no

mkdir /tftpboot
chmod 777 /tftpboot
service xinetd restart
Set Timezone
Copy your timezone from this link or use tzselect

tzselect

Create a symbolic link to the appropriate timezone from/etc/localtime. Example:

ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

PHP Settings
PHP timezone (Optional)

If not set and using php v5.3+ (the version included with RHEL6) it will revert to the default
timezone of the Operating System. FreePBX v2.9+ used to complain about this but FreePBX
v2.11 does not seem to complain so I don't think this setting is necessary anymore and will not
have any consequences.

nano +946 /etc/php.ini

Uncomment (;) date.timezone = and add your timezone

Memory Limit

The recommended setting is 128M otherwise you may get warnings in FreePBX.

nano +457 /etc/php.ini

memory_limit = 128M

Restart apache for the changes to take effect

service httpd restart

Download and untar source files.

Get and install DAHDI
cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-
linux-complete-current.tar.gz
tar zxvf dahdi-linux-complete*
cd /usr/src/dahdi-linux-complete*
make && make install && make config

Get FreePBX
Check if this is the latest released version.

cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.11.0.tar.gz
tar zxvf freepbx-2.11*

Get and Install Asterisk

Do NOT run make samples. If you do it causes some problems you will have to clean up later
on. If you run make samples on an already running FreePBX system you are upgrading it will
break FreePBX. You will then have to manually change back user/password in
/etc/asterisk/manager.conf and probably some other things to get it working again.

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-
current.tar.gz
tar zxvf asterisk-11-current.tar.gz

cd /usr/src/asterisk-11*/
make clean && make distclean

------------------------------------------------------

IMPORTANT 32 vs 64bit OS NOTE:

Make sure to choose the correct version of the following command otherwise Asterisk v11 will
not work properly even thought it may indicate it's running.

Use this ONLY for 32bit Operating Systems

./configure CFLAGS=-mtune=native && make menuselect

Use this ONLY for 64bit Operating Systems

./configure CFLAGS=-mtune=native --libdir=/usr/lib64 && make menuselect

-------------------------------------------------------

Asterisk v11 compiles with CFLAGS=-match=native which appears to compile for CPU features
that are not necessarily available on a virtual machine and can cause errors. CFLAGS=-
mtune=native appears to be more compatible across various configurations.

If you want to be more precise and optimal for your cpu you can try cat /proc/cpuinfo then
find your cputype from the gcc cpu options manual and use CFLAGS=-mtune=mycputype. The
downside is that it may not work if you move it to different hardware or if you are using a virtual
machine. If none of those work try CFLAGS=-mtune=generic which is probably the least
optimal but most compatible across different CPU types.
Select format_mp3 in addons if you are going to be doing anything with mp3 files. For
backwards compatibility and fall back in case ODBC doesn't work you may as well install the
deprecated cdr_mysql as well. When you select format_mp3 above as an addon you must run a
script before going any further otherwise the install will fail.

./contrib/scripts/get_mp3_source.sh

FreePBX does not use Asterisk realtime but if you are thinking of using A2Billing then also
select res_config_mysql. Select Core and Extra sounds. I suggest ulaw as they sound better
than gsm especially if you are using ulaw as your default codec. I usually just check both. Then
make sure to press the save button afterwards.

Now compile and install Asterisk. DO NOT run make samples even though the install script
suggests you do. It will cause conflicts with FreePBX config files.

make && make install

Create Asterisk User

adduser asterisk -M -d /var/lib/asterisk -s /sbin/nologin -c "Asterisk User"

Music on Hold
The Asterisk default moh directory is "/moh" and the Freepbx default moh directory is
"/mohmp3". If we create a symbolic link everything is in one place and can still be found by
both FreePBX and Asterisk.

ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3

The recommended music on hold behaviour for Asterisk and Freepbx is to only use wav files due
to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123
for converting uploaded mp3's to wav automagically. If you won't be uploading mp3's or don't
want them converted then you probably don't need to install mpg123. If not sure then install.

cd /usr/src
wget http://sourceforge.net/projects/mpg123/files/mpg123/1.16.0/mpg123-
1.16.0.tar.bz2/download
tar -xjvf mpg123*

cd mpg123*/
./configure && make && make install

Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.

ln -s /usr/local/bin/mpg123 /usr/bin/mpg123

Change Apache User

Change User apache and Group apache to User asterisk and Group asterisk.

sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf

sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MySQL Setup
Before you can do anything to MySQL, you need to make sure it's running: NOTE: If running
RHEL/CENTOS/SL 6 you may need to run this first. mysql_install_db Try without and see if it
starts first.

service mysqld start

Initializing MySQL database: [ OK ]

Starting MySQL: [ OK ]

Now, to configure the databases for freePBX: Note: If mysql admin password is already
configured, add "-p" after the command and enter password when asked. For example,
mysqladmin -p create asterisk

cd /usr/src/freepbx-2.11*/
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql

They also need to be secured. FreePBX will prompt you for a database username/password
when you do the install. You need to pick that now. We'll assume that you've picked
asteriskuser and amp109 If you use these well know defaults and your server is not firewalled
make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL
only listens to localhost.

Security check: It's very important to check that Allow Login With DB Credentials is set to
FALSE in FreePBX Advanced Settings GUI. This is the default setting. If it were set to TRUE and
you were using the default credentials of asteriskuser/amp109 and your FreePBX GUI were
exposed to the internet (ie. the http port), anyone could log into your FreePBX GUI as
administrator using those credentials.

mysql

mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED

BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost

IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for
this example. You should use a reasonably strong password. If you need to do anything else
with mysql, you'll need to provide this password.

mysqladmin -u root password 'abcdef'

Install FreePBX
/usr/sbin/safe_asterisk
cd /usr/src/freepbx-2.11*/

------------------------------------

IMPORTANT 64bit OS CHANGE

For 64bit Operating systems and Asterisk v11 do the following. If you don't do this before
running install_amp you can make 2 changes manually afterwards in
/etc/asterisk/asterisk.confand in FreePBX advanced settings GUI as explained further
down in this procedure:

sed -i "s_/usr/lib_/usr/lib64_" asterisk.conf install_amp

libfreepbx.install.php

------------------------------------

Now run the FreePBX install script. Select all defaults for now by hitting the ENTER key at
each prompt.

./install_amp

If you get any warnings or errors they're usually not traumatic.

-----------------------------

64bit OS Check:

For 64bit Operating Systems and Asterisk v11 check that the following is
true: /etc/asterisk/asterisk.conf contains astmoddir =>
/usr/lib64/asterisk/modules and not astmoddir => /usr/lib/asterisk/modules

-----------------------------
Default username is: admin Default pw is: admin Or create your own which is the new
default behaviour on FreePBX v1.11.

Set FreePBX to start on boot

echo /usr/local/sbin/amportal start >> /etc/rc.local

Enable Apache and MySQL to start on boot

chkconfig httpd on
chkconfig mysqld on

Now reboot at which point you should be able to access FreePBX with your web browser. The
very first thing you need to do when you enter the FreePBX Admin GUI for the first time is
Apply Configuration Changes which is a button or bar that shows up at the top of the GUI.
This generates all the *.conf files.

It may also be necessary to reboot again or amportal restart from command prompt.

If you have pre-existing *.conf files in /etc asterisk because your ran make samples or are
upgrading from older versions of Asterisk/FreePBX you will get symlink fail error messages
in FreePBX system staus page. Just delete or rename those files. The next time you Apply
Configuration Changes in the FreePBX GUI the symlinks will be created and the errors
should be gone.

----------------------

64bit OS Check:

If Asterisk v11 on 64bit go into FreePBX GUI>Advanced settings, enable Display Readonly
Settings and Override Readonly Settings. Make sure the Asterisk Modules Dir setting
is /usr/lib64/asterisk/modules and NOT /usr/lib/asterisk/modules.

----------------------

CDR ODBC
This is optional if you selected the deprecated cdr_mysql module in Asterisk menu at compile
time. This is the new recommended way of connecting to the CDR DB. Eventually this will be
required when cdr_mysql no longer works or is no longer included with Asterisk.

nano /etc/odbc.ini
[MySQL-asteriskcdrdb]
Description = MySQL ODBC Driver
Driver = MySQL
Socket = /var/lib/mysql/mysql.sock
Server = localhost
Database = asteriskcdrdb
Option = 3

Test that the ODBC driver is working

odbcinst -s -q

should result in[MySQL-asteriskcdrdb] Check the following file which Asterisk uses to
connect to the CDR DB

nano /etc/asterisk/res_odbc_additional.conf
[odbccdr]
enabled => yes
dsn => MySQL-asteriskcdrdb
username => asteriskuser
password => amp109

Now using the above username/password, test that it can can connect to the DB via odbc

isql -v MySQL-asteriskcdrdb asteriskuser amp109

should result in:

+---------------------------------------+
| Connected! |
| |
| sql-statement |
| help [tablename] |
| |
| |
+---------------------------------------+
>quit
SQL>
Type quit to exit

If you used a different username/password when setting up cdr DB use those and duplicate file
res_odbc_additional.conf to res_odbc_custom.conf substituting in the different
username/password. Lastly create or add the following. Note connection=odbcdr matches
[odbcdr] in res_odbc_additional.conf. Calldate does not exist any more in
cdr_adaptive_odbc.so. To have the behaviour the same as standard cdr functions we add
the alias start line.

nano /etc/asterisk/cdr_adaptive_odbc.conf
[first]
connection=odbcdr
table=cdr
alias start => calldate

-------------------------------------------------------------------------

Misc. optional settings

Change the “upload_max_filesize” from 2M to 20M to allow larger music on hold files RHEL 6.

nano +878 /etc/php.ini

Edit Apache web server for GUI access using a port other than 80:

nano +134 /etc/httpd/conf/httpd.conf

change Listen 80 to Listen 8888 or whatever port you want Change default Apache setting of
AllowOverride None to All so that Apache obeys directives in .htaccess files which by default
prevents viewing sensitive directories on Freepbx.

nano +338 /etc/httpd/conf/httpd.conf

AllowOverride All

And restart apache.

service httpd restart

Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx You now access it by

http://xxx.xxx.xxx.xxx:8888

Setup external sip extensions if going through NAT. Alternatively the new and improved way of
doing this is using the Asterisk SIP settings module
nano /etc/asterisk/sip_nat.conf
nat=yes
externip= or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
;change the above to whatever your local subnet is
externrefresh=10

When adding external SIP extensions in FreePBX, make sure to change the nat=no default in the
configuration to nat=yes for the extension that will be external. Change that default globally in
the Advanced Settings menu.

Install FreePBX commercial module dependencies

If you want to install commercial modules you need zendguard and some additional
dependencies found in schmoozecom commercial repo. Install schmoozecom repo

wget -P /etc/yum.repos.d/ -N http://yum.schmoozecom.net/schmooze-

commercial/schmooze-commercial.repo

Install zendguard and commercial module dependencies.

yum install php-5.3-zend-guard-loader incron prosody sysadmin

Log Files Configuration
If you don't want to see a bunch of notices, warnings and errors each time you restart amportal
from command line and you don't want your asterisk log files getting huge from constantly
writing debug information do the following:

nano /etc/asterisk/logger_logfiles_custom.conf
console =>
full => notice,warning,error

Also make sure freepbx debug logging is disabled in FreePBX GUI>Settings>Advanced

Settings>Developer and Customization

logrotate setup
Set up configuration to rotate log files otherwise they get too big after a short while. Create the
following file.

nano /etc/logrotate.d/asterisk

Now add the following to make sure the asterisk log files are rotated weekly along with all the
other log files.

/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {

missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}

Do the same for freepbx

nano /etc/logrotate.d/freepbx
?/var/log/asterisk/freepbx_dbug /var/log/asterisk/freepbx_debug {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}

Configure voicemail to email template

nano etc/asterisk/vm_email.inc
Change the template to what you want the voicemail emails to look like. Check
thathttp://ipaddress_of_Freepbx_server is correct

Root alias
Edit/etc/aliases file and add an email address to forward ‘root’ messages to your personal
email address. At the very bottom you should see a commented example. Copy it and replace
with your email address

root: [email protected]

Then run

/usr/bin/newaliases

after saving the file to rebuild the aliases database and have the change take effect. Test if you
can receive emails via sendmail which we are assuming is installed and running as is standard on
RHEL 5 and 6.

service sendmail status

sendmail is running sm-client is running

echo testing | mail -s "test mail" root@localhost

If you get an email then you can stop here.

Replace Sendmail with Postfix (optional)

If you do not get an email because it is being blocked or filtered or you want to customize, you
can replace sendmail with postfix which is generally easier to configure.

yum install postfix

service sendmail stop
chkconfig sendmail off
chkconfig --add postfix
service postfix start

check if root alias email works or still works

echo testing | mail -s "test mail" root@localhost

Customize by editing or replacing /etc/postfix/main.cf. A sample file is shown below.

cp /etc/postfix/main.cf /etc/postfix/main.cf.original
nano /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/

After editing reload the configuration.

service postfix restart

MySQL performance tuning

This will reduce memory usage without affecting performance.

nano /etc/my.cnf
[mysqld]
.
.
. skip-innodb

From command prompt:

service mysqld restart

MySQL security enhancement

This will prevent outside IP's from connecting to the MySQL port

nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1

Add Password Protection to Flash Operator Panel GUI

By default, flash operator panel GUI (/var/www/html/admin/modules/fw_fop) is visible to
anyone who points a browser at your server unless port 4445 is blocked by a firewall. Here is
one way to protect it.

mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName

Apache will prompt you for a new password for the user name you've just indicated New
password: Apache will prompt you to retype your new password Re-type new password: Apache
will then confirm the new user Adding password for user NewUserName Now you have to add
the user name you've just created to the httpd.conf file. To edit that file in nano type:
nano +587 /etc/httpd/conf/httpd.conf

Now do a CTRL-W to search for AuthUser and you'll find the area where all the users are listed
(for example: "maint", your AMP user). If you don't find any try around line 587 right after the
cgi-bin

Now add the following lines:?

#Password protect the Flash Operator Panel Page
/var/www/html/admin/modules/fw_fop
<Directory /var/www/html/admin/modules/fw_fop>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName
</Directory>

To delete an Apache user, type in the following and then remove the user from the
httpd.conf file.

htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

To change the password:

htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart apache.

service httpd restart