I was doing some research to force FreePBX to load https instead of http (both admin and UCP) and found a topic where someone suggested adding the following to /var/www/html/.htaccess
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTPS} off
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteCond %{REQUEST_URI} !^/.freepbx-known
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Now, it works for me but FreePBX tells me that I have a tampered file and every time there is an update, my modifications are overwritten. Any suggestion on how to accomplish this without breaking FreePBX?
.htaccess is really just a ‘delegation’ method by your webserver; if you set those directives directly in your webserver site definition you wouldn't need the .htaccess in the directory, and FreePBX would then not BMW.
I had the goal of forcing HTTP to HTTPS for the FreePBX GUI while allowing Let's Encrypt on port 80.
I have successfully used this to force HTTPS. It works fine, but breaks Let's Encrypt.
/etc/httpd/conf.d/freepbx.conf:
However, I could still not get this to work, so just fell back to using port management to give 80 to letsencrypt and http admin GUI on 8080. Maybe some Apache Guru can suggest a change.
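Putting the redirect in the Apache site definition instead of in /var/www/html/.htaccess (as suggested above) keeps FreePBX from flagging a tampered file. Below is an added example, not the thread's own config and not FreePBX's generated one: a port-80 virtual host that serves the ACME challenge paths over plain HTTP and redirects everything else to HTTPS. It assumes mod_rewrite is loaded, DocumentRoot is /var/www/html, the hostname pbx.example.com is a placeholder, and no other *:80 vhost in /etc/httpd/conf.d/ takes precedence.

```apache
# Added example (not FreePBX's own configuration).
# Drop into its own file under /etc/httpd/conf.d/ (filename is an assumption).
<VirtualHost *:80>
    ServerName pbx.example.com        # placeholder, use your PBX hostname
    DocumentRoot /var/www/html

    # Redirect to the configured ServerName rather than the client-supplied
    # Host header, so a forged Host header cannot steer the 301 elsewhere.
    UseCanonicalName On

    RewriteEngine On

    # Let the HTTP-01 challenge paths through unredirected so renewals work.
    # /.freepbx-known is the path the original .htaccess also exempted.
    RewriteCond %{REQUEST_URI} ^/\.well-known/ [OR]
    RewriteCond %{REQUEST_URI} ^/\.freepbx-known/
    RewriteRule ^ - [L]

    # Everything else: permanent redirect to HTTPS on the same path.
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>
```

Check it with `apachectl configtest` before reloading, and confirm with `curl -I http://pbx.example.com/.well-known/acme-challenge/test` (expect a 404 from DocumentRoot, not a 301) and `curl -I http://pbx.example.com/admin/` (expect a 301 to https).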
Good idea, though IMO there is no reason to have a redirect on 8080, just block it (except from localhost, for emergency use if HTTPS somehow fails).
HTTPS for the admin GUI should IMO be on an obscure port and additionally protected as well. Simplest is to only allow access from authorized IP addresses. Other options include hiding behind a ‘secret’ domain name, or (most secure) only allow access with a properly signed client certificate.
ACME challenges now come from unannounced IPs, so you can't hardwire that. Look into using DNS-01, whereby no firewall massaging is needed, as the challenge is totally unconcerned about your PBX's IP address, so there is no need to mess with Apache or iptables.