Tuesday, March 22, 2016

Forcing access to AsteriskNOW/FreePBX and A2Billing to HTTPS

After installation, the AsteriskNOW PBX/VoIP system and A2Billing are accessed over HTTP by default. Security is one thing you should consider for any VoIP/PBX system. This how-to explains the steps to follow when you want your PBX server to be accessed via HTTPS; the steps include creating a self-signed certificate and forcing all traffic to HTTPS.

1. Install Mod SSL
# yum install mod_ssl
2. Create a new directory
Next, we need to create a new directory where we will store the server key and certificate
# mkdir /etc/httpd/ssl
3. Create a self signed certificate

When we request a new certificate, we should specify how long the certificate remains valid. Here I want the certificate to remain valid for ten years; you may change 3650 to any number of days you want.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
With this command, we will be both creating the self-signed SSL certificate and the server key that protects it, and placing both of them into the new directory.

This command will prompt you in the terminal with a list of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.

See the example below:

For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:TZ
State or Province Name (full name) [ ]:Arusha
Locality Name (eg, city) [Default City]:Arusha
Organization Name (eg, company) [Default Company Ltd]: JARASYOLA COMPANY LTD
Organizational Unit Name (eg, section) [ ]:VOIP
Common Name (eg, your name or your server's hostname) [ ]:voip.jarasyola.co.tz
Email Address [ ]:voip@jarasyola.co.tz

4. Copy the newly created keys to their respective locations as needed by apache
 # cd /etc/httpd/ssl/
 # cp apache.crt /etc/pki/tls/certs/
 # cp apache.key /etc/pki/tls/private/

5. Now you must change some parameters in the /etc/httpd/conf.d/ssl.conf file
# vi /etc/httpd/conf.d/ssl.conf

5a. Look for the line beginning with: SSLCertificateFile and change the path to reflect our newly created certs (/etc/pki/tls/certs/apache.crt)

5b. Look for the line beginning with: SSLCertificateKeyFile and change the path to reflect our newly created certs (/etc/pki/tls/private/apache.key)

6. Force all traffic coming to your server to https

To force all web traffic to use HTTPS insert the following lines of code in the .htaccess file in your website’s root folder.
# cd /var/www/html
# vim .htaccess

Add the following code and save the file
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Make sure to change yourdomain.com to your server's valid domain or IP address.

7. Restart apache

You are done. Restarting the Apache server will reload it with all of your changes in place.
 /etc/init.d/httpd restart

In your browser, type https://youraddress to view the new certificate.
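
Before the restart in step 7, it is worth checking that the files named in ssl.conf really belong together. The script below is an added example, not part of the original post: it verifies that the key matches the certificate, that the Common Name is the one you intended, that the unencrypted key is not readable by other users, and that the certificate is not about to expire. All function names are hypothetical, and make_pair is the step 3 command with -subj added so it runs without prompts.

```shell
#!/bin/sh
# Added example: pre-restart checks for the certificate and key from steps 3-5.
# All function names are hypothetical; file paths are passed in as arguments.

# Step 3 without prompts: same openssl options as above, plus -subj.
# umask 077 keeps the unencrypted (-nodes) key unreadable by other users.
make_pair() {  # make_pair DIR COMMON_NAME DAYS
    ( umask 077 && mkdir -p "$1" && openssl req -x509 -nodes -days "$3" \
        -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/apache.key" -out "$1/apache.crt" ) >/dev/null 2>&1
}

# SHA-256 of the public key, taken from the certificate or from the private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# Apache cannot serve TLS with a key that does not belong to the certificate.
pair_matches() {  # pair_matches CERT KEY
    openssl x509 -in "$1" -noout 2>/dev/null || return 1   # certificate parses
    openssl pkey -in "$2" -noout 2>/dev/null || return 1   # key parses
    [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]
}

# Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Group and other permission bits of the key file must all be '-'.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Succeeds if the certificate is still valid DAYS from now.
valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

preflight() {  # preflight CERT KEY EXPECTED_NAME
    pair_matches "$1" "$2"       || { echo "FAIL: key does not match certificate"; return 1; }
    [ "$(cert_cn "$1")" = "$3" ] || { echo "FAIL: Common Name is not $3"; return 1; }
    key_is_private "$2"          || { echo "FAIL: key readable by group/other"; return 1; }
    valid_for_days "$1" 30       || { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK: $1 and $2 are consistent for $3"
}

# Run as: sh preflight.sh CERT KEY NAME
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

For the paths used in this post, run it as root with /etc/pki/tls/certs/apache.crt, /etc/pki/tls/private/apache.key and the Common Name you entered in step 3.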