FreePBX/PBXact responsive firewall and FOP2 User Access from dynamic IPs

I've read quite a few posts and I'm not exactly sure if this has been answered anywhere, but here are my thoughts and ideas to get dynamic secure access to the FOP2 user panel when using FreePBX or PBXact.

We know we can open the PBX firewall to static IPs and DNS names via the firewall module, but I would like to allow access to FOP2 from any registered endpoint using the responsive firewall system.

We know that the PBX allows access to the UCP HTTPS port (default port 4443) when an endpoint registers. I am by no means an HTML coder, so please bear with me. I tried setting up a symlink in the /var/www/html/admin/modules/ucp/htdocs folder called fop2 and pointed it to /var/www/html/fop2.
For the most part this worked. Any remote user who has an endpoint (deskphone or Zulu) that successfully registers has access to the FOP2 panel via https://servername:4443/fop2
However, some items don't work. For example, the contacts panel shows an error message: You don't have permission to access /fop2/contacts.php on this server

My question is, does anyone know where in FreePBX/PBXact to add additional ports to open for the responsive endpoints? Or how can I allow permission to access the fop2 folders via the UCP port 4443 using the symlink configuration?
Or if anyone else has achieved this, can they please share how they did it?
Thanks in advance.

Comments

  • edited July 2021

    The other method was to separate the FOP2 user login from the PBX admin port by creating a file called /etc/httpd/conf.d/fop2.conf with the code at the bottom of this post. This opens the FOP2 web interface on a separate port (4446), where you can then open it to the world via a custom firewall rule in the PBX. I would prefer to find a way to either open this new FOP2 port 4446 into the responsive firewall so we don't have to open it to the world, or find a way to use a symlink via the UCP access on 4443.
    Replace pbx.domain.com with your own PBX name or IP.
    Perhaps this should be a question to fire up on the FreePBX forums, but I thought I would also ask here. I can see TonyLewis had thought about a way to do this but it hasn't been implemented in the code yet. I'm not sure if anyone out there has created their own open-source fix for this. In 2016 Tony wrote:
    > When a phone gets registered only access to SIP ports, phone provisioning and UCP are allowed from that IP. Nothing else. It's not hookable at this time from the GUI to allow other services but it's open source so take a look at the code and add and contribute back. We thought about in user man to set permissions for picking per user or group what other services would be opened for that IP but never got around to adding that feature in firewall.

    Looking at the current wiki help documents, they show this is still the same: "If the traffic is from a known registered endpoint, accept signalling for the protocol the endpoint is using.
    Additional Check: if a known registered endpoint is requesting access to UCP, access is automatically granted. This will be expanded to allow more fine grained control in the future. Note that there can be up to a 60 second delay between registration of the endpoint and UCP being granted access from that IP address."

    Any help or ideas would be welcome, thanks.

    # Copied from ssl.conf by . 220621
    # {"certconfig":{"subject":{"CN":"pbx.domain.com"},"issuer":{"C":"US","O":"Let's Encrypt","CN":"R3"}},"sslfop2":{"port":"4446","dir":"\/var\/www\/html\/fop2\/"}}
    #
    # Global mod_ssl settings. These duplicate what ssl.conf already sets; httpd skips a
    # second LoadModule of the same module and takes the last value for the other directives.
    LoadModule ssl_module modules/mod_ssl.so
    SetEnv SSLSETUP true
    SSLPassPhraseDialog  builtin
    SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  300
    # Not valid in Apache 2.4
    # SSLMutex default
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    #https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # Disables SSLv2/SSLv3 only; TLS 1.0 and 1.1 stay enabled with this line.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # Compatibility ("old") profile from the Mozilla generator; it still lists 3DES (DES-CBC3) and non-forward-secret AES suites.
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    # Dedicated port for FOP2 so it can be firewalled separately from the admin (443) and UCP (4443) ports.
    Listen 4446
    <VirtualHost _default_:4446>
      ServerName pbx.domain.com:4446
      LogLevel warn
      SSLEngine on
      # Same certificate files the PBX uses for its other HTTPS ports.
      SSLCertificateFile /etc/httpd/pki/webserver.crt
      SSLCertificateKeyFile /etc/httpd/pki/webserver.key
      SSLCertificateChainFile /etc/httpd/pki/ca-bundle.crt
      # Only the FOP2 tree is served on this vhost, not /var/www/html.
      DocumentRoot /var/www/html/fop2/
      # Legacy MSIE keepalive workaround carried over from ssl.conf.
      SetEnvIf User-Agent '.*MSIE.*' nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
      # Keep the ACME and FreePBX validation paths reachable on this port as well.
      Alias /.well-known /var/www/html/.well-known
      Alias /.freepbx-known /var/www/html/.freepbx-known
      RewriteEngine on
      # Serve the validation paths as plain text and stop rewriting.
      RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
      # Return 403 for any other dot file or dot directory (.htaccess, .git, ...).
      RewriteRule (^\.|/\.) - [F]
    </VirtualHost>
    
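Since the 4446 vhost above is meant to be opened to the world, the TLS settings it inherits from the 2016-era generator matter. The following checker is an added example, not code from the post or from FreePBX/FOP2; it parses the TLS directives the way httpd reads them (one directive per line), flags the settings that leave TLS 1.0/1.1, 3DES and non-forward-secret suites enabled, and compares a constructed hardened counterpart. The sample directive strings are constructed from the posted config, shortened to a few suites.

```python
import re

# Constructed sample: the TLS-relevant directives of the fop2.conf in the post, trimmed.
POSTED_TLS = """
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS
Listen 4446
"""

# Constructed hardened counterpart: TLS 1.2+ only, AEAD suites with forward secrecy.
HARDENED_TLS = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5
Listen 4446
"""

def parse_directives(text):
    """Map directive name -> value, skipping comments and <...> section tags."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        out[name] = value.strip()
    return out

def lint_tls(conf):
    """Return [(directive, finding, suggestion)] for weak TLS settings in conf."""
    d = parse_directives(conf)
    findings = []
    tokens = d.get("SSLProtocol", "all").split()
    # On Apache 2.4 'all -SSLv3' still enables TLS 1.0 and 1.1.
    legacy = ("all" in tokens and not {"-TLSv1", "-TLSv1.1"} <= set(tokens)) \
        or any(t in tokens for t in ("TLSv1", "+TLSv1", "TLSv1.1", "+TLSv1.1"))
    if legacy:
        findings.append(("SSLProtocol", "TLS 1.0/1.1 enabled", "all -SSLv3 -TLSv1 -TLSv1.1"))
    suites = [c for c in d.get("SSLCipherSuite", "").split(":") if c and not c.startswith("!")]
    weak = [c for c in suites if re.search(r"DES-CBC3|RC4|NULL|MD5", c)]
    if weak:
        findings.append(("SSLCipherSuite", "weak suites: " + ",".join(weak), "remove them"))
    no_pfs = [c for c in suites if not c.startswith(("ECDHE-", "DHE-", "EDH-"))]
    if no_pfs:
        findings.append(("SSLCipherSuite", "no forward secrecy: " + ",".join(no_pfs), "remove them"))
    return findings

def listen_port(conf):
    """Port the vhost listens on; this is the port a custom firewall rule has to cover."""
    return int(parse_directives(conf).get("Listen", "0"))
```

Running lint_tls over the posted directives reports the protocol line plus the 3DES and non-ECDHE/DHE suites, while the hardened block returns no findings.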