Best practice to disable Port 80 (HTTP) in Distro?

Quick question that I didn’t see when searching. I’m using the newest distro and wanted to disable the Administration Portal at port 80, so I’m forced to always use the HTTPS portal instead. Is there a proper way to do this from the GUI, or do I have to dig into the IPtables with terminal commands or something? I see entries in the GUI to change ports around, but it seems like it expects to always have the insecure ports mapped somewhere.

Hello.
I have the same question.
On the one system I set up last year I ended up just using iptables to block port 8080. However, with the new firewall in FreePBX 13 I’m no longer sure where to put my rule in iptables and I’m not finding a method to block specific ports so far.
It would seem there would have to be a way to do this.
I tried using a blank value for the admin option in the sysadmin module but it didn’t let me save it. Next I tried 443 but it said that it was in use by a different service.

Can someone please clarify this?

I have an SSL cert installed on my box. What I did was edit the file in Apache to redirect it. I can send it to you if you like.

I think I just found what looks like a pretty easy solution: go into Connectivity -> Firewall -> Services tab and then set “Web Management” to “Reject”, leaving “Web Management (secure)” alone.

Spoke too soon; “Reject” doesn’t apply to trusted interfaces. I guess I’ll look into seeing if it’s OK to make none of my interfaces “trusted” and still be sure I won’t lock myself out from the PC I’m administrating from.

Edit: Also kinda funny, these forums themselves don’t have an HTTPS option.

Simply don’t allow port 80 in your firewall and problem solved. Then access the GUI with https

Can I have it please?

How do I enable https? I have the latest distro and sysadmin module purchased.

I was able to create a certificate for https, but I don’t see how to enable it?

What I did was:

Under /etc/httpd/conf.d install your SSL cert:

```apache
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate. If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase. Note that a kill -HUP will prompt again. A new
#   certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/sslcertfilename.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file. Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/sslkeyfilename.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt (NOT USED)

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt----------CA CERT
SSLCACertificateFile /etc/pki/tls/certs/godaddy.crt --------------CA CERT
```

Thank you. I used the system admin module and it appears to have done just that (I didn’t know where to look before your message). The certs and keys are all in place.

It created a /etc/httpd/conf.d/ssl.conf file that appears correct.

I’m not seeing any reference to it getting started and when I attempt to connect it just says no response. I checked the firewall/iptables and http/https have the same entries, so I don’t think it’s the firewall.

I figured out both how to install HTTPS SSL certificates and how to redirect all HTTP traffic to the HTTPS address in an alternate post, if anyone else wanted a walkthrough:

Thanks! I did see that post and was looking at it right now.

I was now able to figure out that it is a Safari <-> server interaction problem. It does work if I attempt to access it from Firefox and Chrome on the same machine. Not sure why Safari isn’t prompting for a certificate… Just says Safari could not establish a secure connection. I did not notice initially the subtle difference - server not found is cannot connect instead.

I even installed and trusted the security CA certificate into my keychain.

Edited to add solution:

I updated the ssl.conf file to replace the SSLCipherSuite with the following -

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
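As an added example (not code from the thread, FreePBX or Apache), the script below parses the SSLCipherSuite string posted above and reports which included suites lack forward secrecy, use SHA-1 or 3DES, or are bare aliases, plus which standard exclusions are missing. The weakness rules and the required-exclusion list are this example's own assumptions.

```python
"""Audit an Apache SSLCipherSuite string (added example, not FreePBX/Apache code).
Weakness rules and the required-exclusion list are this example's assumptions."""
import re

# OpenSSL's "!DES" removes only single DES; triple DES has its own "3DES" alias.
REQUIRED_EXCLUDES = {"aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC4", "MD5"}

# The SSLCipherSuite value posted in the thread above, so the audit can run on it.
POSTED_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

def parse_cipher_string(spec):
    """Return (included, excluded) cipher names; '!' tokens are hard exclusions."""
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    included = [t for t in tokens if not t.startswith("!")]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    return included, excluded

def weak_reasons(name):
    """Why an included cipher name is weak; an empty list means no finding."""
    reasons = []
    if "DES-CBC3" in name:
        reasons.append("3DES")
    if not name.startswith(("ECDHE-", "DHE-", "kEDH")):
        reasons.append("no-forward-secrecy")  # static RSA/ECDH key exchange
    if name.endswith("-SHA"):
        reasons.append("SHA-1-MAC")
    if re.fullmatch(r"[A-Z]+", name):
        reasons.append("bare-alias")  # e.g. "AES" pulls in every AES suite
    return reasons

def audit(spec):
    """Summarise a cipher string: weak included suites and missing exclusions."""
    included, excluded = parse_cipher_string(spec)
    weak = {n: weak_reasons(n) for n in included if weak_reasons(n)}
    return {"included": included, "excluded": excluded, "weak": weak,
            "missing_excludes": sorted(REQUIRED_EXCLUDES - set(excluded))}
```

On the posted string the audit flags 16 of the 30 included entries and notes that `!DES` alone does not remove `DES-CBC3-SHA`.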

I changed the schmoozecom.conf and it auto redirects when you type pbx.domainname.com. Not sure if there is a better way but this works for me…

```apache
Listen 80
<VirtualHost *:80>
    ServerName pbx.domainname.com
    Redirect "/" "https://pbx.domainname.com/"
    DocumentRoot /var/www/html
</VirtualHost>
```

I’m finding too I get some different results in different web browsers, but for me it’s not the cert but the redirection I’m using:

```apache
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Chrome, Firefox, and IE all handle the HTTPS redirection fine, but Microsoft Edge (Win 10) fails with error code:

"HTTP 408/409 error There’s a traffic jam on the information superhighway!"

I also had one user on Windows 8 where the HTTP site failed, until I manually entered the HTTPS link, and afterwards the HTTP link started to work again. I’ll see if there’s a more consistent redirect method.