Restricting Access to asterisk-full-log.php?

Dear all

I note that with amportal AUTHTYPE=database set (and therefore directory access disabled in httpd.conf or .htaccess) and the Logfiles module downloaded, I can still access the asterisk logfiles without encountering any authentication simply by entering the URL directly:


Additionally, I can also bring up the javassh screen with:


This behaviour is apparent in 2.1.3 and 2.2b3.

Does this behaviour manifest itself in other people’s installations with AUTHTYPE=database, e.g. have I mucked up the default installation with incorrect permissions etc.?

If this is the case, how may I best prevent access?




Many thanks for the responses.

This server is hidden behind a firewall - with SSH tunnel access only to a non root user, however, I know that there are a few “Technically inquisitive” and occasionally bored users, and I’d rather them not go playing in areas where they do not belong.

Further security would be a “nice to have” rather than a necessity, given the intended role of the software.

Many many thanks for all your hard work


You could also just add an .htaccess file to the root html directory. That’s what I did but with auth_mysql instead so that way, I don’t need to use a second auth file and maintain 2 username/password files. I simply configured Apache to use the mod_authmysql with the same users FreePBX set up in the database. This way, every time you add or modify a user in the database using FreePBX, your root directory to your webserver stays updated. The only drawback is a double popup user/pass, but still way more secure.

If you want to go the paranoid secure way, use the above recommended method by bubba, you won’t have any security problems with that.


<Directory /var/www>
AuthName "=== Auth required ==="
AuthType Basic
AuthMySQLEnable on
AuthMySQLUser asteriskuser
AuthMySQLPassword dbpassword
AuthMySQLDB asterisk
AuthMySQLUserTable ampusers
AuthMySQLNameField username
AuthMySQLPasswordField password
AuthMySQLPwEncryption none
require valid-user
</Directory>

edit: typo / added info
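
To confirm that a change like the one above actually closes direct-URL access, the following check requests each path with no credentials and reports which ones still serve content. It is an added example, not part of the original post or of FreePBX; the function names are hypothetical, and the paths to test are supplied by you on the command line.

```python
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Map the response to an unauthenticated request onto a verdict."""
    if status == 401 and headers.get("WWW-Authenticate"):
        return "protected"   # auth challenge, as the <Directory> block should produce
    if status == 403:
        return "denied"
    if 300 <= status < 400:
        return "redirect"    # check by hand where Location points
    if 200 <= status < 300:
        return "exposed"     # content served with no credentials
    return "other"


def audit(base_url, paths, timeout=5):
    """GET each path with no credentials or cookies; return {path: verdict}."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        try:
            with opener.open(url, timeout=timeout) as resp:
                results[path] = classify(resp.status, resp.headers)
        except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
            results[path] = classify(err.code, err.headers)
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


# Usage: python audit.py BASE_URL PATH [PATH ...]   (does nothing without arguments)
if __name__ == "__main__" and len(sys.argv) >= 3:
    findings = audit(sys.argv[1], sys.argv[2:])
    for path, verdict in findings.items():
        print(f"{verdict:12} {path}")
    sys.exit(1 if "exposed" in findings.values() else 0)
```

Run it from a machine that has no existing session with the server, and include the log viewer and javassh URLs among the paths; any line reported as "exposed" is still reachable without a login.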

If you remove the httpd control then yes, access is granted to all.

FreePBX is not intended for Inet.

If you are running an AAH / TB you’ve got a ton of holes by default.

AAH / TB are set up as a LAN type of use, not open to the world; you never allow access to anything but the needed ports for PHONE calls,
and if you have just remote office / home then limit that to those IPs only.

VPN SSH tunnel