FusionPBX Deployment – Security Architecture Recommendations

[AhmedYassine]

Hi,


We are planning to deploy FusionPBX, and our security team has provided the following recommendations. I would appreciate your guidance on whether the architecture below is supported and how it can be implemented.

• Separate database server
  Is it possible to host the FusionPBX database on a dedicated server?
  If yes, could you please provide the configuration steps or documentation?
• Separate web server
  Is it possible to host the FusionPBX web interface on a dedicated server, separate from the core services?
  If yes, could you please explain how this can be configured?

Thank you in advance for your support.

Best regards,

 

[hfoster]

It's possible, but I can't imagine it's 'supported' whatever that means for your support contract.

It's something I would only attempt if I really needed a good reason to do so and I'm not entirely sure how this would improve security; I would hazard a guess it would actually reduce security as you will now need to ensure all the services that did use localhost communication are secured correctly and not exposed to the internet, especially the event_socket as people forget about that.

You would essentially need to update all the DSNs in various places to refer to the dedicated postgres servers, like in /etc/fusionpbx/fusionpbx.conf for the LUA scripts, and vars.xml for FreeSWITCH, nginx to reverse proxy to php-fpm, and for the event socket if you moved php-fpm to another box seperate from FreeSWITCH (which I believe is also read from /etc/fusionpbx/fusionpbx.conf, but assumed as default so is not defined).

 

[Adrian Fretwell]

DjangoPBX is capable of being run in such a way, using it's clustered configuration, but this is not a turnkey solution and requires a good level of technical ability.
https://www.djangopbx.com/documentation/cluster/typical_cluster_diagram.html