SSL and FreePBX


(Ilouie) #1

Guys, what would be the reason, my host says not secured, even though an SSL Certificate has been installed from Let’s?.. TY


#2

Are you accessing the PBX with an HTTPS URL? If so, does your browser (which?) show any additional info when you click on the warning?


#3

By what method did you install your system?


(Ilouie) #4

Yes, when I call it as https it loads as such, but when calling the host without it, it continues without the https and ultimately the browser says not secured.


(Ilouie) #5

I installed it via Certificate manager and I set it as Default.


#6

AFAIK there is nothing built into FreePBX to do a redirect. If you want it, see

IMO, it’s better to just disable the HTTP port(s). When you tell your users how to access UCP, the URL you supply should include the HTTPS. Access to the admin GUI should be limited to very few specific IP addresses. In an emergency, if you have to access it from somewhere else, use SSH port forwarding, a VPN, or e.g. TeamViewer to a workstation that has access.


(Ilouie) #7

Thank you, it makes sense to just disable, however, FPBX says: " * Admin - Administration for this system (This interface). Default port 80. (Can not be disabled)"…


(Ilouie) #8

O.K. done. I did it via SSH…TY


(Ilouie) #9

Actually, spoke too soon. It’s redirecting in Google, but not in Edge…


#10

Probably intentional, but IMO that’s a bug. Put it on an obscure port, blocked by your router/firewall.


#11

Unless I missed something, LetsEncrypt using HTTP-01 will ONLY work on port 80 using the http protocol. If your system is thusly successfully certified, all legitimate http requests should then be 301’d to https; all other requests should be dropped.


#12

Definitely intentional.

The distro way to accomplish is to set the http admin to an obscure port in sysadmin->port management and then restrict non-https management access under the firewall->services page (or at the router).

Unfortunately I don’t think distro does http->https redirection.


#13

(IMHO it should, less script kiddies)


#14

If he has admin on a non-standard port he can enable the “LetsEncrypt” service in sysadmin->port management to create an apache listener that only exposes the acme folders. Certman will open port 80 for the update.


#15

Agree, unfortunately the apache config is tied up in sysadmin, so I couldn’t sneak in a fix.


#16

(Indeed, FU raspberry users, but Nginx for FreePBX

add

server {
    listen 80 default_server;
    server_name yourserver;
    return 301 https://$host$request_uri;
}

filter the $request_uri to suit

)
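
An added example, not part of the original posts and not FreePBX's own configuration: an nginx port-80 front end that combines the points made in #11 and #16, answering the Let's Encrypt HTTP-01 challenge path directly, redirecting every other request for the PBX's hostname to HTTPS, and dropping requests for any other Host. The hostname `pbx.example.com` and the webroot path are placeholder assumptions.

```nginx
# Added example; pbx.example.com and the webroot below are placeholders.

# Catch-all for port 80: a request whose Host header is not the PBX's
# own name (a scanner hitting the bare IP, for instance) is closed
# without a response. 444 is nginx's "close the connection" status.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Requests addressed to the PBX's real hostname.
server {
    listen 80;
    server_name pbx.example.com;   # placeholder hostname

    # HTTP-01 validation starts with a plain-HTTP request on port 80 to
    # /.well-known/acme-challenge/<token>; answer it here directly
    # instead of redirecting it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme-webroot;   # placeholder: where the ACME client writes tokens
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to the HTTPS listener with the same path.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Running `nginx -t` checks the syntax before the configuration is reloaded.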

