OS SHMZ release 6.4 (Final)
asterisk11.x86_64-11.7.0-24_centos6
firefox-24.6.0ESR
Our firm enforces https everywhere internally as well as externally. One of the few (perhaps only) services I cannot seem to configure to force https is FreePBX voicemail. What I mean by this is that when the email notice a user receives has this form:
There is a new voicemail in mailbox 41712:
From: Private:
Length: 0:20 seconds
Date: Thursday, July 24, 2014 at 09:43:41 AM
Dial *98 to access your voicemail by phone.
Visit http://voi.location.domain.tld:44380/recordings/index.php to check
your voicemail with a web browser.
And the user follows that link then they get this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://http://voi.location.domain.tld:44380/"><b>https:///voi.location.domain.tld:44380/</b></a></blockquote></p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at /voi.location.domain.tld Port 44380</address>
</body></html>
BTW, that is exactly what displays in the browser. There is no page formatting presented whatsoever. I am guessing that the obsolete <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> is somehow responsible for that.
I can set the protocol specified in the message to https in /etc/asterisk/vm_email.inc and have done so. However, our preferred way of dealing with this is to rewrite every incoming http request to instead use https via a Rewrite directive:
# Force SSL Everywhere
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
But placing this in /etc/httpd/conf.d/schmoozecom.com inside the virtual server directive does not stop the PHP-generated error message. I am using the 44381 VH config entry but 44380 is likewise configured.
Listen 44381
<VirtualHost 216.185.71.9:44381>
DocumentRoot /var/www/html/recordings/
ErrorLog logs/freepbx_recordings_ssl_error_log
TransferLog logs/freepbx_recordings_ssl_access_log
LogLevel warn
# Force SSL Everywhere
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# SSLPassPhraseDialog builtin
# SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
# SSLSessionCacheTimeout 300
# SSLMutex default
# SSLRandomSeed startup file:/dev/urandom 256
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# SSLRandomSeed connect builtin
# SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.key
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/freepbx_recordings_ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Why can I not get an automatic https redirect to happen here? I have done this redirection successfully with dozens of other web sites and http applications and I cannot see what I or FreePBX are doing that differs significantly from every other case I have dealt with.
I have checked the rewrite log. Nothing is being written in it even when the error message is generated. I infer that the http intercept is occurring before the rewrite conditions are encountered. How FreePBX ‘knows’ that port 44380 is SSL before the httpd configuration file with the rewrite directive is encountered baffles me for the moment. Nonetheless, the real question is: How is this behaviour altered? Or, what am I doing wrong in this case?
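An added example, not part of the original post: inside a virtual host with SSLEngine on, every request that mod_rewrite processes already has %{HTTPS} set to on, so a RewriteCond %{HTTPS} off placed there can never match. The Python check below flags that pattern in a config; its sample is the post's vhost trimmed to the relevant directives plus a hypothetical plain-HTTP vhost on port 8080 (an assumption) where the same rule is reachable.

```python
import re

# Constructed input: the SSL vhost from the post, trimmed to the relevant
# directives, plus a hypothetical plain-HTTP vhost (port 8080 is an assumption).
SAMPLE_CONF = r"""
<VirtualHost 216.185.71.9:44381>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
SSLEngine on
</VirtualHost>
<VirtualHost 216.185.71.9:8080>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}:44381/$1 [R,L]
</VirtualHost>
"""

HTTPS_OFF = re.compile(r"%\{HTTPS\}\s+(off|!=on)\b", re.I)

def parse_vhosts(text):
    """Return [(address, [(directive, args), ...])] for each <VirtualHost>."""
    text = text.replace("\\\n", " ")  # join backslash line continuations
    vhosts, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = (opened.group(1).strip(), [])
        elif line.lower().startswith("</virtualhost") and current:
            vhosts.append(current)
            current = None
        elif current is not None:
            name, _, args = line.partition(" ")
            current[1].append((name.lower(), args.strip()))
    return vhosts

def dead_https_redirects(text):
    """Addresses of vhosts whose '%{HTTPS} off' condition can never match."""
    dead = []
    for address, directives in parse_vhosts(text):
        ssl_on = ("sslengine", "on") in [(n, a.lower()) for n, a in directives]
        has_cond = any(n == "rewritecond" and HTTPS_OFF.search(a) for n, a in directives)
        if ssl_on and has_cond:
            dead.append(address)
    return dead

if __name__ == "__main__":
    print(dead_https_redirects(SAMPLE_CONF))
```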