Force https - Tampered file .htaccess


(Idscomm) #1

Hello,

I was doing some research to force FreePBX to load https instead of http (both admin and ucp) and found a topic where someone suggested adding the following to /var/www/html/.htaccess

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTPS} off
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteCond %{REQUEST_URI} !^/.freepbx-known
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Now, it works for me but FreePBX tells me that I have a tampered file and every time there is an update, my modifications are overwritten. Any suggestion on how to accomplish this without breaking FreePBX?

Thanks in advance!


#2

.htaccess is really just a ‘delegation’ method by your webserver; if you set those directives directly in your webserver site definition you wouldn't need the .htaccess in the directory, and FreePBX would then not BMW.


(Nate) #3

A somewhat better option would be to use the web server configs by appending the following to /etc/httpd/conf.d/freepbx.conf:

<VirtualHost *:80>
 RewriteEngine on
 RewriteCond %{HTTPS} !=on [NC]
 RewriteCond %{REQUEST_URI} !^/\.freepbx\-known/
 RewriteCond %{REQUEST_URI} !^/\.well\-known/
 RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

It’s possible this could get removed by an update, placing it in a separate config file in /etc/httpd/conf.d is probably a better route.


(Idscomm) #4

This machine is dedicated to PBX on CentOS 7. Where would that be?


(Idscomm) #5

I’ll give this one a try and see how PBX reacts. Thanks!!


#6

I will leave that to someone who uses CentOS and their Apache2.


(Idscomm) #7

This solves the issue… at least for now. No error message about a tampered file and redirects admin and ucp over https.

Thanks!


(Jerry Riggin) #8

I had the goal of forcing HTTP to HTTPS for the FreePBX GUI while allowing Let's Encrypt to reach port 80.
I have successfully used this to force HTTPS. It works fine, but breaks Let's Encrypt.
/etc/httpd/conf.d/freepbx.conf:

<VirtualHost *:80>
 RewriteEngine on
 RewriteCond %{HTTPS} !=on [NC]
 RewriteRule ^/admin(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

I tried this to exclude Let's Encrypt addresses:

<VirtualHost *:80>
 RewriteEngine on
 RewriteCond %{HTTPS} !=on [NC]
 RewriteCond %{REMOTE_ADDR} !^64\.78\.149\.164$ [NC]
 RewriteCond %{REMOTE_ADDR} !^66\.133\.109\.36$ [NC]
 RewriteRule ^/admin(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

However, I could still not get this to work, so just fell back to using port management to give 80 to letsencrypt and http admin GUI on 8080. Maybe some Apache Guru can suggest a change.


#9

Good idea, though IMO there is no reason to have a redirect on 8080, just block it (except from localhost, for emergency use if HTTPS somehow fails).

HTTPS for the admin GUI should IMO be on an obscure port and additionally protected as well. Simplest is to only allow access from authorized IP addresses. Other options include hiding behind a ‘secret’ domain name, or (most secure) only allow access with a properly signed client certificate.
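Pulling together Nate's separate-file suggestion (#3), Jerry's goal of keeping Let's Encrypt reachable on port 80 (#8) and the IP restriction suggested in #9, the following is an added example of a standalone Apache config file; it is not from the thread or from the FreePBX project. It assumes Apache httpd 2.4 with mod_rewrite loaded (the CentOS 7 layout with /etc/httpd/conf.d/), a hypothetical filename, a constructed allowed address range, and that no other `<VirtualHost *:80>` is already defined (if one is, the rewrite rules belong inside it). The ACME exclusion is by path, not by source address, because the challenge source addresses are not fixed.

```apache
# /etc/httpd/conf.d/zz-force-https.conf  (hypothetical filename; a separate
# file survives FreePBX updates that rewrite freepbx.conf and is not flagged
# as a tampered file)

<IfModule mod_rewrite.c>
<VirtualHost *:80>
    RewriteEngine on

    # Only act on plain-HTTP requests.
    RewriteCond %{HTTPS} !=on

    # Leave the ACME / Let's Encrypt challenge paths on HTTP. Matching the
    # path works for any challenge source address; matching REMOTE_ADDR does
    # not, because the validators' IPs are not published or fixed.
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteCond %{REQUEST_URI} !^/\.freepbx-known/

    # Everything else (admin, ucp, ...) gets a permanent redirect to HTTPS.
    RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
</IfModule>

# Restrict the admin GUI to known addresses regardless of port. With several
# Require lines at the same level, httpd 2.4 treats them as RequireAny, so
# a request is allowed if it comes from the listed range OR from localhost
# (the latter keeps an emergency path open if HTTPS is misconfigured).
<Location "/admin">
    Require ip 192.0.2.0/24    # constructed example range; replace with yours
    Require local
</Location>
```

Check the file with `apachectl configtest` (or `httpd -t`) before restarting httpd; a bad rewrite or Require line will otherwise take the whole web server down. Note that the `/admin` restriction does not cover `/ucp`, which is the end-user portal and is usually meant to stay reachable.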


#10

ACME challenges now come from unannounced IPs; you can't hardwire that. Look into using DNS-01, whereby no firewall massaging is needed, as the challenge is totally unconcerned about your PBX's IP address, so there is no need to mess with Apache nor iptables.


(system) closed #11

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.