Force gui to https


#1

I have installed a let’s encrypt certificate on my FreePBX, but how do I now redirect the gui to https without having to change either the PHP files or .htaccess? These both end up in a changed file error so I’m trying to keep away from that.


#2

I would like to see this as an option in the GUI as well. Auto redirect admin and ucp to https. Open a feature request and I’m sure others along with myself will upvote it.


#3

So what you are saying is that it’s not possible at this moment? Then why implement Let’s Encrypt in the first place?


(Marbled) #4

Hi!

It would be a looooooot nicer to be able to do this without the need to hack Apache’s HTTP server config but this is what is done on a server we have at work.

<VirtualHost *:80>
RewriteEngine on

RewriteCond %{HTTPS} off
RewriteRule ^/(.*) https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,NE,L]

The virtual host which handles HTTP traffic unilaterally redirect everything to the same URL but in HTTPS…

Good luck and have a nice day!

Nick


#5

Why do you need a redirect? If you don’t want plain HTTP traffic, block port 80 with the firewall.


#6

Yes that is what I would have come up with too, but I only want the gui on https. The main directory contains a couple of files that need to be http. For example: I have a script the creates an XML file which my phones import. Apparently my phones have problems importing from https. So that is why…


#7

Because it’s easier?


(Marbled) #8

Hi!

I believe he wants that to be done transparently, this was a requirement at my work as well…

Have a nice day!

Nick


#9

change the regex to ^/admin.* which is where the FreePBX GUI is.


#10

End users don’t care to type in http:// let’s alone https:// too.

All they need to remember is pbx.domain.com and the server will auto redirect just like when you type in google.ca and it automatically goes to https://www.google.ca

I think the reason we are asking for FreePBX devs to add an option is that we may not want all http requests redirected to https. Provisioning of non-sangoma endpoints is only available over http but an admin may want to make UCP for end users selectively available over https.


#11

I added the following to /etc/httpd/conf.d/freepbx.conf :

<VirtualHost *:80>
 RewriteEngine on
 RewriteCond %{HTTPS} !=on [NC]
 RewriteRule ^/admin(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

service httpd restart => go!

Now I hope somebody from FreePBX is reading this and will implement an easier way using the GUI.


#12

Won’t blocking http port 80 keep the system from renewing the Letsencrypt certificate after 90 days. I think Letsencrypt requires use of port 80.


#13

Not really, letsencrypt just tests for connectivity on port 80 at the ip address your domain name resolves to. It doesn’t test what is returned


#14

Some of the suggestions above were to block port 80 at the firewall.

When I changed my http port to something other than 80 in System Admin Pro, Letsencrypt would not renew itself. This was in Freepbx version 13. So I was assuming that if you block 80 in the firewall on your router or on Freepbx, you’d have similar results.


#15

I’d you block 80, then you can’t rewrite it, I was responding to that post.


(United States) #16

Hi Bill,:smiley:

I am dealing with this right now. I looked up this issue because if I don’t block port 80 then users can access the UCP or /admin unsecured out of laziness or ignorance. If I block port 80 then they get a 404. So I wan’t to redirect to keep things easy and secure. Am I missing your point?


#17

Technically if you block port 80 and they go for the http site they should not get a “404” but some sort of browser-side error saying the host could not be reached.

In the year+ since this topic was posted I have noticed something. Browsers now seem to be defaulting to https if you just type in a URL without the scheme part. So that’s interesting, but I don’t think it’s everywhere / every browser yet so you can’t count on it to serve the lazy user.

To redirect the plain http requests you should use vespino’s answer at Force gui to https

To make sure the users get redirected when they go to /ucp then change the RewriteRule to be ^/(.*)$ instead of ^/admin(.*)$ . I think that should work fine.

Good to see you here friend! :slight_smile:


(United States) #18

Hi Bill,

You are correct. It was not a 404. I misspoke. I will use the recommended redirect. Thanks for the reply. I hope you are doing well. :slight_smile:


(Volkswagner) #19

I’m looking into helping the lazy as well… self included.
Perhaps multiple subdomains would be helpful to segregate things like
access areas that phones need for scripts/configs that need to be on port 80.

I think a feature request for adding SANs to the let’s encrypt module would help.
Subject Alternate Name (or SAN ) certificate
This way we could set aside a few domains/subdomains for the purpose of UCP, admin, and other port 80 stuff.

Otherwise we can manually run ACME and edit http files for multiple domains/subdomains to
get the desire results.


(system) closed #20

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.