How to block admin page but allow presence to 3CX WAN Clients

Discussion in '3CX Phone System - General' started by lopeztaz, Mar 2, 2017.

Thread Status:
Not open for further replies.
  1. lopeztaz

    Joined:
    Mar 19, 2013
    Messages:
    9
    Likes Received:
    3
    Currently running 3CX 15 SP4 on Windows 2012 R2 as an upgrade from version 14. I want to open up port 5001 on the firewall to allow 3CX clients using the 3CX tunnel to receive presence/phone book information. However, when I do this the Admin interface is exposed to the outside world. Is there a way to block access to the management page but allow presence information?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,374
    Likes Received:
    231
    It is HTTPS, and a very strong password should be used. The choice of port can be made during the initial installation, 5001 or 443. I don't believe that you can separate the functions.
     
  3. JonnyM

    Joined:
    May 17, 2010
    Messages:
    77
    Likes Received:
    5
    I really feel that there should be an option for binding the web UI to a different port or providing some sort of default ACL where only RFC 1918 addresses can access the admin dashboard. I'll have a trawl through the feature requests and see if there's anything in there to vote on.
     
  4. Telcreek

    Joined:
    Dec 30, 2016
    Messages:
    27
    Likes Received:
    2
    5001 needs to be open for provisioning and web meeting as well. I too would feel more comfortable if I could firewall off the admin web portal, but it appears it needs to be open to the world for all the other features to work. The existence of the Anti-Hacking Module may help by blacklisting obnoxious IPs, the function of which seems very similar to fail2ban.
     
  5. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    736
    Likes Received:
    113
    While not officially supported, the web server is Nginx, so you should be able to filter out requests in the Nginx config, since all the admin portal pages seem to be served under /#/. You could do the same thing by putting a transparent proxy in front as well. Provisioning uses a different path for sure; not sure about presence and web meeting, but if you aren't using either of those two features then you should be all set.
     
  6. lopeztaz

    Joined:
    Mar 19, 2013
    Messages:
    9
    Likes Received:
    3
    My fix for the issue. Use at your own risk!

    The management console seems to be accessed under wwwroot, while all other functions are passed to the proxy. This fix works by limiting access to wwwroot and redirecting the error page to the proxy, which returns a denied page for the management console. You can choose which subnets to allow. Tested under v15 SP4 only.


    *******Windows Install********
    Windows Path
    \Program Files\3CX Phone System\Bin\nginx\conf\nginx.conf

    Original located under:

    server {
    listen 5001 ssl;

    Look for:

    location / {
    index index.html;
    root "C:/ProgramData/3CX/Data/Http/wwwroot";
    try_files $uri $uri/ @proxy;
    }

    And replace with the following:

    location / {
    # Denied (403) requests are re-routed to the @denied location below
    # instead of getting a bare error page.
    error_page 403 = @denied;
    # Access rules are evaluated top to bottom and the first match wins,
    # so the allow lines must come before "deny all".
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    allow 127.0.0.1;
    deny all;

    index index.html;
    root "C:/ProgramData/3CX/Data/Http/wwwroot";
    try_files $uri $uri/ @proxy;
    }

    # Denied clients fall through to @proxy (the non-admin services)
    # rather than being served the management console from wwwroot.
    location @denied {
    try_files $uri $uri/ @proxy;
    }


    *******3CX Appliance********
    Linux Path
    /var/lib/3cxpbx/Bin/nginx/conf/nginx.conf

    Original located under:

    server {
    listen 5001 ssl;

    Look for:

    location / {
    index index.html;
    root "/var/lib/3cxpbx/Data/Http/wwwroot";
    try_files $uri $uri/ @proxy;
    }

    And replace with the following:

    location / {
    # Denied (403) requests are re-routed to the @denied location below
    # instead of getting a bare error page.
    error_page 403 = @denied;
    # Access rules are evaluated top to bottom and the first match wins,
    # so the allow lines must come before "deny all".
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    allow 127.0.0.1;
    deny all;

    index index.html;
    root "/var/lib/3cxpbx/Data/Http/wwwroot";
    try_files $uri $uri/ @proxy;
    }

    # Denied clients fall through to @proxy (the non-admin services)
    # rather than being served the management console from wwwroot.
    location @denied {
    try_files $uri $uri/ @proxy;
    }
     
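As an added editor's example (not from the thread and not 3CX's own code), the following Python models how nginx evaluates the allow/deny list in the posted `location /` block, so the subnet list can be sanity-checked against sample client addresses before the live nginx.conf is touched. The rule evaluation mirrors ngx_http_access_module (rules checked in order, first match wins, default allow); the routing of denied clients to @proxy follows the poster's description of the fix; the wwwroot file names, the provisioning path and the client addresses are constructed for the demo and are not real 3CX paths.

```python
"""Model of the allow/deny + fallback logic in the posted nginx fix.

Added example, not part of the original thread or of 3CX's own code.
It reproduces nginx's access-module semantics (rules evaluated in
order, first match wins, no match = allow) for the posted ACL and the
intended fallback: an internal client may be served the admin UI from
wwwroot, an external client is sent to @proxy instead.  File names,
paths and addresses below are constructed for the demo.
"""
import ipaddress

# Rules exactly as in the posted "location /" block, in order.
ACL = [
    ("allow", "192.168.0.0/16"),
    ("allow", "172.16.0.0/12"),
    ("allow", "10.0.0.0/8"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

# The common mistake: "deny all" placed before the allow lines.
MISORDERED_ACL = [("deny", "all"), ("allow", "10.0.0.0/8")]

# Constructed stand-in for files that exist under wwwroot (admin UI).
WWWROOT_FILES = {"/index.html", "/app.js"}


def acl_decision(client_ip, rules=ACL):
    """Return 'allow' or 'deny' the way ngx_http_access_module would.

    Rules are checked top to bottom; the first one matching the client
    address wins.  If no rule matches, nginx allows the request.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if cidr == "all" or ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "allow"


def route(client_ip, path, files=WWWROOT_FILES):
    """Where a request ends up under the posted config.

    'wwwroot' : served from the admin UI directory
    'proxy'   : handed to the @proxy upstream (provisioning etc.)
    """
    uri = "/index.html" if path == "/" else path      # index index.html;
    if acl_decision(client_ip) == "deny":
        # 403 -> error_page -> @denied -> @proxy: never the admin UI
        return "proxy"
    # try_files $uri $uri/ @proxy
    return "wwwroot" if uri in files else "proxy"


if __name__ == "__main__":
    # Constructed sample requests: two LAN clients, one Internet client.
    samples = [
        ("192.168.1.10", "/"),
        ("10.1.2.3", "/app.js"),
        ("203.0.113.5", "/"),
        ("203.0.113.5", "/provisioning/handset.cfg"),
    ]
    for ip, path in samples:
        print(f"{ip:>14} {path:<28} acl={acl_decision(ip):<5} -> {route(ip, path)}")
    print("misordered ACL, LAN client:", acl_decision("10.1.2.3", MISORDERED_ACL))
```

Two caveats worth keeping in mind when applying the real config. First, nginx's allow/deny act on the source address of the TCP connection, so if a transparent or reverse proxy (as suggested earlier in the thread) terminates connections in front of 3CX, every request arrives from the proxy's address and the subnet list no longer distinguishes LAN from Internet clients unless the proxy forwards the real client address and nginx is configured to trust it. Second, the `MISORDERED_ACL` check shows that putting `deny all` above the `allow` lines blocks everyone, including LAN administrators.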