Securing the web callback module?

dustindufault · December 11, 2014, 6:29pm

Hello! I’m new here - but I’ve really learned a lot on the site so far, thanks!

I am setting up a callback button for my website - one of the many modules I purchased during the black friday sale (Thanks Schmooze!).

However - it seems the button code that is generated requires direct access to my pbx server. I’ve really been hanging my hat on keeping this server secured behind a hardware firewall since I’d consider myself a newbie in Linux server administration… is there a way to move this module to my main web server and use some api calls through php on the backend to make this module work???

I’m also open to other ideas to secure the use of this module, but I’d be happiest if I could keep my pbx tucked behind my firewall completely.

Thanks!

Dustin

dustindufault · December 12, 2014, 7:48pm

…was this a dumb question?

Can anyone share how they’ve mitigated the risks of exposing their freepbx machine to web access?

If anyone can help, I would appreciate it!

tonyclewis · December 12, 2014, 8:24pm

You can not really besides only allow access from your webserver IP to the PBX GUI port

StaceyB · December 12, 2014, 8:47pm

I bought this module yesterday with the understanding, from what I read on the wiki, that I would only have to allow my webserver access to my PBX. However, I can only get the click to call box to display in the iframe on my webpage if I allow the end user’s IP access to my PBX. When I only grant access to my webserver the end user does not see the click to call box when the webpage loads.

What am I missing?

dustindufault · December 12, 2014, 10:34pm

Stacey - this may be a false lead since as I mentioned I’m new at this, but I’m wondering if some form of abstraction layer could be built in PHP to call the code from the PBX and then write out plain HTML on the external host? I’m not sure how passing the form input back to the web server would work, but if I figure it out I will definitely let you know.

Perhaps if someone has tackled this already they will let us know of a good way to handle it. IMO this should be built in as exposing the PBX to the web seems to be a risky practice…

-Dustin

dustindufault · July 9, 2015, 10:34pm

Stacey - I was able to call my pbx via php, therefore leaving my pbx box behind my firewall. The code I used in php is below. I am going to build some additional functionality before going live - like a valid number check, etc. but just wanted you to know it turns out this isn’t so hard to do!

<?php
	$phone = $_GET['phone'];
	$callbackitem = $_GET['item'];
	
	$file = fopen ("http://pbxiphere/wcb.php?p={$phone}&i={$callbackitem}", "r");
	if (!$file) {
		echo "<p>Unable to open remote file.\n";
		exit;
	}
?>

PHP obviously scrubs out the details about your server. In fact this simplistic code run on it’s own won’t generate any html output at all.