Here is the error…
POTENTIAL SECURITY BREACH: an attempt was made to modify settings from a URL that did not come from a FreePBX page. This action has been blocked because the HTTP_REFERER does not match your current SERVER. If you require this access, you can set CHECKREFERER=false in amportal.conf to disable this security check
I am running CentOS Ver 5.2 final
Asterisk Ver 184.108.40.206
Running front end applications from PBIF.
This is a production machine that has been in service for 2 years with no problems. All of the FreePBX updates that I have done ALL came off without a hitch until I upgraded to 220.127.116.11. and now when I try to make a change in programming and try to apply the changes I get the above error.
I did a locate on amportal.conf which came back with several locations and none of these match what is in FreePBX SVN and none of them give me the option to disable. The difference between the SVN copy and mine is the last section that is supposed to allow me to disable.
It does not matter if I use IE or Firefox. The result is the same. I am also on the same LAN trying to program.
My question is what is the best way to handle this on a production server?
What is the url you use to access the server, what is the name of the server, and what is defined in amportal.conf for AMPWEBADDRESS= ?
All three should match.
You can add the following line to /etc/amportal.conf:
however, more importantly what are you trying to do exactly that is resulting in this error so we can make sure that there is not a bug in what has been implemented?
The new code, which is disabled by the above setting, simply checks to make sure that the HTTP_REFERER of any URL that results in changing something in FreePBX was generated by the GUI and not manually input into the URL or otherwise coming from elsewhere (basically anything with an ‘action=xyz’ in the URL).
As far as the above not being in your amportal.conf, that file is never updated from upgrades as it controls the state of your installation. When new parameters are added to FreePBX you will find them in SVN for future new installs, but existing configs will use default values unless you add them to your config.
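As an added illustration (not FreePBX's own code), here is a small Python model of the referer check described above, run over constructed requests that include the PIAF iframe case from later in this thread. It assumes the check accepts a referer whose host matches either SERVER_NAME or AMPWEBADDRESS and that only requests carrying an action= parameter are guarded; hostnames are placeholders.

```python
from urllib.parse import urlparse, parse_qs

def referer_check(url, headers, server_name, ampwebaddress="", checkreferer=True):
    """Hypothetical model of the FreePBX referer check; returns (allowed, reason).
    server_name is SERVER_NAME (host[:port]); ampwebaddress/checkreferer come
    from amportal.conf (AMPWEBADDRESS may be blank, CHECKREFERER defaults true)."""
    if not checkreferer:
        return True, "CHECKREFERER=false: check disabled"
    # Only state-changing requests carry action=...; page views are never blocked.
    if "action" not in parse_qs(urlparse(url).query):
        return True, "no action parameter: nothing to guard"
    referer = headers.get("Referer", "")
    if not referer:
        return False, "HTTP_REFERER missing (browser or plugin stripped it)"
    ref_host = urlparse(referer).netloc.lower()
    # Assumption: a referer from SERVER_NAME or AMPWEBADDRESS counts as our own GUI.
    ours = {server_name.lower()}
    if ampwebaddress:
        ours.add(ampwebaddress.lower())
    if ref_host in ours:
        return True, "referer host matches this server"
    return False, f"referer host {ref_host!r} != server {server_name!r}"

# Constructed sample requests (hosts are placeholders, not the thread's servers).
SUBMIT = "http://pbx.example.com/admin/config.php?display=trunks&action=addtrunk"
VIEW = "http://pbx.example.com/admin/config.php?display=trunks"
SAMPLES = {
    "direct gui submit": (SUBMIT, {"Referer": VIEW}),
    # Parent page is the PIAF menu on another host:port; FreePBX sits in its iframe
    "piaf iframe submit": (SUBMIT, {"Referer": "http://192.168.1.70:9080/menu.php?id=admin"}),
    "referer stripped": (SUBMIT, {}),
    "plain page view": (VIEW, {}),
}

def run_samples(server_name="pbx.example.com", ampwebaddress="", checkreferer=True):
    """Run every sample through the check; returns {name: allowed}."""
    return {n: referer_check(u, h, server_name, ampwebaddress, checkreferer)[0]
            for n, (u, h) in SAMPLES.items()}
```

The iframe and stripped-referer samples reproduce the two failure modes discussed in this thread: a parent page on a different host, and a browser or plugin that suppresses the header.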
Just finished the upgrade and had to add a trunk extension; when I hit submit it gave me the same error. In addition, as I went to config edit from FreePBX to modify amportal.conf and hit update, I received “write failed”.
web browser url was www.mydomain.com:myport/admin/config.php?
name of server is pbx.mydomain.com
AMPWEBADDRESS= has always been blank and worked fine up until the upgrade. I would love to have the fix but would like to know the difference in the code or the code that has changed to cause the particular problem.
What browser are you using? Do you have any plugins that are hiding the HTTP_REFERER or anything of the sort?
Here is the URL: http://192.168.1.70:9080/menu.php?id=admin
The below is a copy of my /etc/amportal.conf. Just a side note on this is that the below line has the following …
AMPWEBADDRESS: the IP address or host name used to access the AMP web admin
The commented out line has the address of my HP switch???
This file contains settings for components of the Asterisk Management Portal
Spaces are not allowed!
Run /usr/src/AMP/apply_conf.sh after making changes to this file
AMPDBHOST: the host to connect to the database named ‘asterisk’
AMPDBUSER: the user to connect to the database named ‘asterisk’
AMPDBENGINE: the type of database to use
AMPDBPASS: the password for AMPDBUSER
AMPENGINE: the telephony backend engine to use
AMPMGRUSER: the user to access the Asterisk manager interface
AMPMGRPASS: the password for AMPMGRUSER
AMPBIN: where command line scripts live
#AMPSBIN: where (root) command line scripts live
AMPWEBROOT: the path to Apache’s webroot (leave off trailing slash)
AMPCGIBIN: the path to Apache’s cgi-bin dir (leave off trailing slash)
AMPWEBADDRESS: the IP address or host name used to access the AMP web admin
FOPWEBROOT:web root for the Flash Operator Panel
FOPPASSWORD: the secret code for performing transfers and hangups in the Flash Operator Panel
FOPSORT: FOP should sort extensions by Last Name [lastname] or by Extension [extension]
FOPRUN: set to true if you want FOP started by freepbx_engine (amportal_start), false otherwise
AUTHTYPE: authentication type to use for web admin
If type set to ‘database’, the primary AMP admin credentials will be the AMPDBUSER/AMPDBPASS above
valid: none, database
AMPADMINLOGO: Defines the logo that is to be displayed at the TOP RIGHT of the admin screen.
This enables you to customize the look of the administration screen.
NOTE: images need to be saved in the …/admin/images directory of your AMP install
This image should be 55px in height
USECATEGORIES: Controls if the menu items in the admin interface are sorted by category (true),
or sorted alphabetically with no categories shown (false). Defaults to true.
AMPEXTENSIONS: the type of view for extensions admin
If set to ‘deviceanduser’ Devices and Users will be administered separately, and Users will be able to “login” to devices.
If set to ‘extensions’ Devices and Users will be administered in a single screen.
ENABLECW: Enable call waiting by default when an extension is created (DEFAULT is yes)
Set to ‘no’ if you don’t want phones to be commissioned with call waiting already
enabled. The user would then be required to dial the CW feature code (*70 default) to
enable their phone. Most installations should leave this alone. It allows multi-line
phones to receive multiple calls on their line appearances.
#CWINUSEBUSY: Set to yes for extensions that have CW enabled to report as busy if
they don’t answer (resulting in busy voicemail greeting). Otherwise they simply
report as no-answer (e.g. busy greeting serves no purpose)
AMPBADNUMBER: Set to false if you do not want the bad-number context generated which
traps any bogus number or feature code and plays a message to the effect. If you use
the Early Dial feature on some Grandstream phones, you will want to set this to false
The following are used to optionally have the freepbx backup program optionally
send the generated backup to an ftp server
FTPBACKUP=YES to enable
FTPUSER, FTPPASSWORD, FTPSERVER must be set
FTPSUBDIR is an optional subdirectory at the ftp server, it will cause ftp to do a cd
There is no error checking so you should check to make sure these are set correctly. The
ftp is saved after the backup, so it will not cause the local backup file to be affected
SSH BACKUP INFO: must have a valid SSHRSAKEY file and server, only supported through
ssh. SUBDIR is optional and will be created if it does not exist.
If SSHUSER is not set, it will default to the current user which is asterisk in any
One or more directories where there are provisioning files that should be included in the backup. Currently
these get backed up only, the FreePBX utility does not automatically restore them.
a list of files to exclude, to be used in tar’s --exclude-from argument
If CUSTOMASERROR is set to false, then the Destination Registry will not report unknown destinations as errors
this should be left to the default true and custom destinations should be moved into the new custom apps registry
if DYNAMICHINTS is set to true, Core will not statically generate hints. Instead it will make a call to the
AMPBIN php script, generate_hints.php, through an Asterisk #exec call. This requires asterisk.conf to be
configured with “execincludes=yes” set in the [options] section.
setting either of these to true will result in retrieve_conf aborting during a reload if an extension
conflict is detected or a destination is detected. It is usually better to allow the reload to go
through and then correct the problem but these can be set if a more strict behavior is desired
both default to false if not set
SERVERINTITLE if set to true, the browser title will be preceded with the server name. default false
USEDEVSTATE = true|false # DEFAULT VALUE false
If this is set, it assumes that you are running Asterisk 1.4 or higher and want to take advantage of the
func_devstate.c backport available from Asterisk 1.6 which allows custom hints to be created to support
BLF for server side feature codes such as daynight, followme, etc.
MODULEADMINWGET=true|false # DEFAULT VALUE false
Module Admin normally tries to get its online information through direct file open type calls to URLs that
go back to the freepbx.org server. If it fails, typically because of content filters in firewalls that don’t
like the way PHP formats the requests, the code will fall back and try a wget to pull the information.
This will often solve the problem. However, in such environments there can be a significant timeout before
the failed file open calls to the URLs return and there are often 2-3 of these that occur. Setting this value
will force FreePBX to avoid the attempt to open the URL and go straight to the wget calls.
AMPDISABLELOG=true|false # DEFAULT VALUE true
Whether or not to invoke the freepbx log facility
AMPSYSLOGLEVEL=LOG_EMERG|LOG_ALERT|LOG_CRIT|LOG_ERR|LOG_WARNING|LOG_NOTICE|LOG_INFO|LOG_DEBUG|LOG_SQL|SQL # DEFAULT VALUE LOG_ERR
Where to log if enabled, SQL, LOG_SQL logs to old MySQL table, others are passed to syslog system to determine where to log
AMPENABLEDEVELDEBUG=true|false # DEFAULT VALUE false
Whether or not to include log messages marked as ‘devel-debug’ in the log system
AMPMPG123=true|false # DEFAULT VALUE true
When set to false, the old MoH behavior is adopted where MP3 files can be loaded and WAV files converted to MP3
The new default behavior assumes you have mpg123 loaded as well as sox and will convert MP3 files to WAV. This is
highly recommended as MP3 files heavily tax the system and can cause instability on a busy phone system.
CDR DB Settings: Only used if you don’t use the default values provided by freepbx.
CDRDBHOST: hostname of db server if not the same as AMPDBHOST
CDRDBPORT: Port number for db host
CDRDBUSER: username to connect to db with if it’s not the same as AMPDBUSER
CDRDBPASS: password for connecting to db if it’s not the same as AMPDBPASS
CDRDBNAME: name of database used for cdr records
CDRDBTYPE: mysql or postgres mysql is default
CDRDBTABLENAME: Name of the table in the db where the cdr is stored cdr is default
AMPVMUMASK: defaults to 077 allowing only the asterisk user to have any permissions on VM files. If set to something
like 007, it would allow the group to have permissions. This can be used if setting apache to a different
user then asterisk, so that the apache user (and thus ARI) can have access to read/write/delete the
voicemail files. If changed, some of the voicemail directory structures may have to be manually changed.
DEFAULT VALUE: 6
DEFAULT VALUE: 20
These can be used to change the refresh rate of the System Status Panel. Most of
the stats are updated based on the STATS interval but a few items are checked
less frequently (such as Asterisk Uptime) based on the INFO value
FOPDISABLE=true|false # DEFAULT VALUE false
Disables FOP in interface and retrieve_conf. Useful for sqlite3 or if you don’t want FOP.
DEFAULT VALUE: false
If set to true, FreePBX will check if you have chan_dahdi installed. If so, it will
automatically use all your ZAP configuration settings (devices and trunks) and
silently convert them, under the covers, to DAHDI so no changes are needed. The
GUI will continue to refer to these as ZAP but it will use the proper DAHDI channels.
This will also keep Zap Channel DIDs working.
#Piaf specific section
Adding CHECKREFERER=false does fix the problem and I can now program but seems to defeat the security risk.
Further note: I have used Firefox and IE with the same response.
The amportal.conf file does not matter other than you can set this new parameter if you want to disable this security check.
The URL is not a proper URL. That is a PIAF URL where FreePBX is inside of an iframe that PIAF is controlling. You can navigate straight to FreePBX if you use:
and then determine what is not working from there.
(It’s possible to get the iframe’s URL. From Firefox you right click within the page (not on a link) and choose “This Frame => View Frame Info” and it should show you the actual address of the frame.)
The issue is likely something in your browser that is blocking the HTTP_REFERER. Which browser are you using and do you have any plugins that are designed to do that (there are such plugins available)?
Check for a new version of framework; it should fix the issue.
That did the trick. Thanks.
Removed CHECKREFERER=false from amportal.conf and everything is working just fine.