UCP Access Issue

hardocp · February 8, 2019, 6:30pm

I currently have Asterisk version 16 and Freepbx version 14 installed – this is a manual install and not a distro install

Remote access to the server is done only via VPN with a few exceptions –

One of the exceptions is i have setup a virtual host in apache on port 82 which points to /var/www/html/ucp – this allows my users to gain remote access to their voicemails etc… without having to go through a vpn – with strong passwords being enforced it works well

the issue i am having is that is two fold –

i am getting the following errors in the apache logs –
[authz_core:error] [pid 3101] [client x.x.x.x:59443] AH01630: client denied by server configuration: /var/www/html/ucp/index.html – this is my ip address which is being listed as denied – then after it gets denied in apache
fail2ban then kicks in – under apache-auth and bans my ip – which means that my network cannot connect to the server – and this is a big issue

can someone please help me sort this out?

thanks

hardocp · February 10, 2019, 1:25pm

I added this to httpd.conf – thinking that would fix it – but its still throwing the error?

<Directory “/var/www/html/ucp/”>
AllowOverride All
# Allow open access:
Require all granted

Any help would be most appreciated

BlazeStudios · February 10, 2019, 2:36pm

And you have the proper permissions and ownerships on all the files? This isn’t a FreePBX issue as it is a standard Apache issue with how your web configs are done and the directory/files are handled.

hardocp · February 10, 2019, 9:13pm

Tom,

Yes – agree its not necessarily a FreePBX issue – but it also kind of is

When I did the manual install – i setup Asterisk ownership permissions including:

chown -R asterisk. /var/www/

Now when I run – ls -la /var/www/html/ucp/ – i get

total 64
drwxrwxr-x 7 asterisk asterisk 4096 Dec 9 21:44 .
drwxrwxr-x 9 asterisk asterisk 4096 Dec 9 21:44 …
-rw-rw-r-- 1 asterisk asterisk 1351 Apr 5 2018 ajax.php
drwxrwxr-x 8 asterisk asterisk 4096 Dec 9 21:44 assets
-rw-rw-r-- 1 asterisk asterisk 191 Apr 5 2018 composer.json
-rw-rw-r-- 1 asterisk asterisk 9967 Apr 5 2018 composer.lock
-rw-rw-r-- 1 asterisk asterisk 845 Apr 5 2018 .htaccess
drwxrwxr-x 4 asterisk asterisk 4096 Dec 9 21:44 includes
-rw-rw-r-- 1 asterisk asterisk 10704 Jul 24 2018 index.php
drwxrwxr-x 6 asterisk asterisk 4096 Dec 9 21:44 modules
drwxrwxr-x 7 asterisk asterisk 4096 Dec 9 21:44 vendor
drwxrwxr-x 3 asterisk asterisk 4096 Dec 9 21:44 views

it looks like asterisk user has permission on the directory?

I will admit i am not an expert on these matters – so thats why i am asking for your advice and help

thanks

BlazeStudios · February 10, 2019, 9:54pm

Then why are you doing “Expert Only” installs?

Did you try doing this without adding the directive for :82? You could just do http://ip/ucp and not http://ip:82 does it work when not trying to use a specific port?

hardocp · February 11, 2019, 3:49pm

Tom,

I am specifically trying to separate access to the Admin GUI from access to UCP – this is pretty basic – if i followed your suggestion i would open both the admin and UCP on port 80 to the internet which is not a great idea

So i re-read the wiki here https://wiki.freepbx.org/display/PPS/Ports+used+on+your+PBX and noticed that UCP on HTTPS runs on port 4443 – great – so i went in and changed everything to point to 4443 – figuring that would fix it – now i am able to connect on 4443 using my SSL cert – fine – however i am still getting the error in the apache logs –
[authz_core:error] [pid 3101] [client x.x.x.x:59443] AH01630: client denied by server configuration: /var/www/html/ucp/index.html

thoughts?

PS I know – if i was running the distro this would be easier – again i am not running the distro – nor do i want to run the distro – i enjoy learning how to run my own server – have no issues dropping into the CLI and working on things and understanding what and why goes on behind the scenes

any assistance would be most appreciated

BlazeStudios · February 11, 2019, 4:06pm

I understand what you are trying to do. It is pretty basic. So what I asked was, does it work in the most basic setup? So try testing that it actually works before you try “separating” it by a custom directive.

hardocp · February 12, 2019, 9:57pm

I just opened port 80 on my server to test it and then connected to UCP through the admin interface which comes up

When i do that i still get client denied by server configuration: /var/www/html/ucp/index.html

BlazeStudios · February 12, 2019, 10:12pm

Then you clearly have another issue that is not related to a port configuration. You have asterisk set as the default apache user/group, right?

hardocp · February 13, 2019, 2:36pm

lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2506 root 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 9654 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 13080 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15693 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15694 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15695 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15696 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15753 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15777 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15778 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)
httpd 15780 asterisk 4u IPv6 28390 0t0 TCP *:http (LISTEN)

BlazeStudios · February 13, 2019, 2:58pm

Why don’t you show the actual output from the httpd error log when this happens?

hardocp · February 13, 2019, 3:50pm

[Wed Feb 13 10:29:01.024497 2019] [authz_core:error] [pid 13080] [client x.x.x.5:61006] AH01630: client denied by server configuration: /var/www/html/ucp/index.html

[Wed Feb 13 10:29:01.645155 2019] [authz_core:error] [pid 13080] [client x.x.x.5:61006] AH01630: client denied by server configuration: /var/www/html/ucp/index.html

[Wed Feb 13 10:29:14.239150 2019] [authz_core:error] [pid 15695] [client x.x.x.5:29399] AH01630: client denied by server configuration: /var/www/html/ucp/index.html, referer: https://xxx.xxx.com:4443/

[Wed Feb 13 10:29:17.579740 2019] [authz_core:error] [pid 15695] [client x.x.x.5:29399] AH01630: client denied by server configuration: /var/www/html/ucp/index.html, referer: https://xxx.xxx.com:4443/

[Wed Feb 13 10:29:17.788209 2019] [authz_core:error] [pid 15695] [client x.x.x.5:29399] AH01630: client denied by server configuration: /var/www/html/ucp/index.html, referer: https://xxx.xxx.com:4443/

BlazeStudios · February 13, 2019, 3:57pm

So you’re going to http://serverip/ucp and this happens, correct?

You were referred by an HTTPS request that is on 4443 which is the default HTTPS port used for HTTPS access to the UCP.

So again, you’re saying that you’re just doing this on port 80 but I’m seeing 4443 refers. From what I know these port configs don’t hit Apache without System Admin.

Please confirm how you’re accessing the UCP and what you have done with the configs so far because this is the problem with supporting manual installs, we have no idea what you’ve done unless you tell us explicitly.

system · February 20, 2019, 3:57pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.