TIPS Access the webserver via FQDN

tbrummell

Call me crazy, but can we not open the UCP up to FQDN access, much like we do for SIP in the PUBLIC version? Does the webserver not support this? Nginx can do it, that I know as my webserver is configured like that. Hit it via IP and get a 404 Not Found, but hit it with the FQDN and you're routed to the appropriate web host.
Yes, I know the UCP has been/is buggy, but, it's your $$$ as they say. What would it take to make this happen?
 
So you want it that when the IP is used, the web server doesn't respond? Or are you talking firewall rules?
 
What would it take to make this happen?
Basically two VirtualHost sections. One for the FQDN (leads to FreePBX) and one for the IP (leads to a different page of your choosing).
 
So was this a rhetorical question, since you know what to do, or are you asking for more details? (which I can give if you want, but Apache documentation & tutorials are great and plentiful)

I'm pretty sure the Apache configs are unmanaged beyond install time so you can go at them freely without worrying that something else will interfere. (back them up just in case you make a mistake :) )
 
I know enough to be dangerous, very dangerous. So yeah, more details would help me immensely.
 
VERIFIED: Here's how we did it. Block the server IP address, allow the server's OpenVPN IP address to get to FreePBX GUI, AvantFax, AsteriDex, and Reminders. Then use the FQDN to directly access UCP. Open TCP 80 in IPtables beside the current entry for SSH access.

This needs to be tested carefully. I don't know whether some other .conf file exposes these directories. But you'll know if you get access by typing the IP address into a browser after opening TCP port 80. Also be advised that you now are depending upon Apache to remain bug and penetration-free going forward. So now you have to worry about security issues with IPtables, AND Asterisk, AND Apache, and UCP. You obviously could add subdomains to allow access to the other various apps listed above, e.g. avantfax.server-fqdn.com, etc. Security through obscurity would be a very good idea for web access. No need for these FQDNs to be the same as what is used for Asterisk SIP access.

Copy into /etc/pbx/httpdconf/public.conf with your email, IP addresses and FQDN. Then systemctl restart apache2:
Code:
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName 111.112.113.114
Redirect 403 /
UseCanonicalName Off
UserDir disabled
# ServerName above: this would be your server's IP address
</VirtualHost>

<VirtualHost *:80>
ServerAdmin [email protected]
ServerName server-fqdn.com
DocumentRoot /var/www/html/ucp
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common
</VirtualHost>

<VirtualHost *:80>
ServerAdmin [email protected]
# ServerName below: this would be your server's OpenVPN IP address
ServerName 10.8.0.123
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common
</VirtualHost>
 
You can also do things like have admin on port 8080 with IP access and UCP only on port 80 with only FQDN access.

Or better yet, redirect FQDN UCP port 80 requests to https.
 
That looks like a good start. Sorry @billsimon, got busy yesterday and didn't get time to grab the config.

Further to what @jerrm said, I do have a LE cert on the box that I use for TLS, what about using that for https instead?
 
Also be advised that you now are depending upon Apache to remain bug and penetration-free going forward. So now you have to worry about security issues with IPtables, AND Asterisk, AND Apache, and UCP.
Yeah, I know, which is what has me waffling on the idea. I just think sometime I want the UCP open from the world, and this is literally for my wife & I. Not a business or anything. I'll think about it for a bit longer. :) But a big thanks for the solution! Someone else may find it useful if I don't.
 
Be aware also that even if you are 301'ing all your inbound http traffic, you are inadvertently leaking your family jewels to any bad girl who is 101+ level ssl/tls knowledgeable when she hits your ip address, they will by default now know your identity in 'namespace' and possibly share it with other actors who could patiently wait for the next zero-day exploit . . .
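
The suggestions in the posts above (redirect port 80 to HTTPS, reuse the Let's Encrypt certificate, and keep the FQDN out of the certificate shown to someone who connects by IP), combined into one Apache layout; this is an added example, not a config posted by anyone in the thread. Assumed: Apache 2.4 with mod_ssl and mod_alias enabled and `Listen 443` already present, the certbot default path for the Let's Encrypt files, and a placeholder name (`catchall.invalid`) and placeholder self-signed certificate paths that you would create yourself.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl and
# mod_alias; cert paths and catchall.invalid are placeholders.

# Port 80 default (first *:80 vhost): bare IP or unknown Host header -> 403.
<VirtualHost *:80>
    ServerName catchall.invalid
    Redirect 403 /
</VirtualHost>

# Port 80, FQDN: redirect to HTTPS, serve nothing in cleartext.
<VirtualHost *:80>
    ServerName server-fqdn.com
    Redirect permanent / https://server-fqdn.com/
</VirtualHost>

# Port 443 default (first *:443 vhost): a client connecting by IP, with no SNI
# or an unknown name, is shown this certificate. A self-signed cert with a
# meaningless CN keeps the FQDN out of that handshake.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/placeholder-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/placeholder-selfsigned.key
    Redirect 403 /
</VirtualHost>

# Port 443, FQDN: the Let's Encrypt cert is sent only when SNI asks for it.
<VirtualHost *:443>
    ServerName server-fqdn.com
    DocumentRoot /var/www/html/ucp
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/server-fqdn.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server-fqdn.com/privkey.pem
    ErrorLog  /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log common
</VirtualHost>

# Admin GUI: bound to the OpenVPN address rather than selected by ServerName.
# ServerName is compared with the client-supplied Host header, so it is not an
# access control; an address-bound vhost only answers connections that arrive
# on the tunnel address.
<VirtualHost 10.8.0.123:80>
    ServerName 10.8.0.123
    DocumentRoot /var/www/html
</VirtualHost>
```

Run `apachectl configtest` before restarting. Names on publicly trusted certificates, Let's Encrypt included, are also published in Certificate Transparency logs, so the default-vhost certificate hides the FQDN only from someone probing the IP.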
 
Ubuntu 20.04 oracle.cloud instance (not yet public)
When apache2 starts it does not like the syntax at /etc/pbx/httpdconf/public.conf,
line 6: UserDir disabled?

Here is what 'systemctl status apache2.service' has to say:
Code:
 instance- systemd[1]: Starting The Apache HTTP Server...
 instance- apachectl[3436]: AH00526: Syntax error on line 6 of /etc/pbx/httpdconf/public.conf:
 instance- apachectl[3436]: Invalid command 'UserDir', perhaps misspelled or defined by a module not included in th>
 instance- apachectl[3433]: Action 'start' failed.

Reason = for this to work you need the mod-userdir enabled else apache2 doesn't know about UserDir.
If the mod-userdir is needed it gets enabled with
Bash:
sudo a2enmod userdir
 