Run the HTTP(S) services for remote users and the admin dashboard on different ports

Discussion in 'Ideas' started by JonnyM, Mar 3, 2017.

5/5, 27 votes

  1. JonnyM

    Joined:
    May 17, 2010
    Messages:
    81
    Likes Received:
    5
    As title really. I do not want to have the admin interface for my phone system accessible remotely at all - I have a VPN for management duties. However, I can't firewall off the port that it runs on because this breaks certain features for remote users.

    Please consider running user-facing services and the administration portal on different ports.
     
    BayMitch, eagle2 and AnneD like this.
  2. lopeztaz

    Joined:
    Mar 19, 2013
    Messages:
    9
    Likes Received:
    3
    My fix for the issue. Use at your own risk!

    The management console seems to be accessed under wwwroot while all other functions are passed to the proxy. This fix works by limiting access to wwwroot and redirecting the error page to proxy which returns a denied page for the management console. You can choose what subnets to allow. Tested under v15 SP4 only.


    *******Windows Install********
    Windows Path
    \Program Files\3CX Phone System\Bin\nginx\conf\nginx.conf

    Original located under:

    server {
        listen 5001 ssl;

    Look for:

        location / {
            index index.html;
            root "C:/ProgramData/3CX/Data/Http/wwwroot";
            try_files $uri $uri/ @proxy;
        }

    And replace with the following:

        location / {
            # a 403 from the deny below is handed to the @denied named location
            error_page 403 = @denied;
            # evaluated top to bottom, first match wins
            allow 192.168.0.0/16;
            allow 172.16.0.0/12;
            allow 10.0.0.0/8;
            allow 127.0.0.1;
            deny all;

            index index.html;
            root "C:/ProgramData/3CX/Data/Http/wwwroot";
            try_files $uri $uri/ @proxy;
        }

        # denied clients skip wwwroot and fall through to the proxy
        location @denied {
            try_files $uri $uri/ @proxy;
        }


    *******3CX Appliance********
    Linux Path
    /var/lib/3cxpbx/Bin/nginx/conf/nginx.conf

    Original located under:

    server {
        listen 5001 ssl;

    Look for:

        location / {
            index index.html;
            root "/var/lib/3cxpbx/Data/Http/wwwroot";
            try_files $uri $uri/ @proxy;
        }

    And replace with the following:

        location / {
            # a 403 from the deny below is handed to the @denied named location
            error_page 403 = @denied;
            # evaluated top to bottom, first match wins
            allow 192.168.0.0/16;
            allow 172.16.0.0/12;
            allow 10.0.0.0/8;
            allow 127.0.0.1;
            deny all;

            index index.html;
            root "/var/lib/3cxpbx/Data/Http/wwwroot";
            try_files $uri $uri/ @proxy;
        }

        # denied clients skip wwwroot and fall through to the proxy
        location @denied {
            try_files $uri $uri/ @proxy;
        }
     
    sip.bg, exevi and eagle2 like this.
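    An added example (not from the thread and not 3CX code) that models how nginx evaluates the allow/deny list in lopeztaz's location block: rules are checked top to bottom and the first match decides, so where `deny all` sits matters. The rule text is a constructed copy of the list above; the client addresses are made up.

```python
"""Evaluate nginx-style allow/deny rules the way nginx does: the first rule
whose address or CIDR matches the client IP wins. Constructed example."""
import ipaddress
import re

# Constructed copy of the access rules from the location / block above.
RULES_TEXT = """
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    allow 127.0.0.1;
    deny all;
"""

_RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?);\s*$")


def parse_rules(text):
    """Return [(action, network_or_None)] in source order; None means 'all'."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not allow/deny
        action, target = m.groups()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def evaluate(rules, client_ip):
    """nginx semantics: the first matching rule decides; no match means allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return "allow"


def audit(rules, client_ips):
    """Map each sample client address to the verdict the rule list gives it."""
    return {ip: evaluate(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    samples = ["127.0.0.1", "10.20.30.40", "172.31.255.1", "192.168.1.5",
               "203.0.113.7", "172.32.0.1"]
    for ip, verdict in audit(parse_rules(RULES_TEXT), samples).items():
        print(f"{ip:>16} -> {verdict}")
    # Ordering trap: "deny all" placed first would lock out even localhost.
    print(evaluate(parse_rules("deny all;\nallow 127.0.0.1;"), "127.0.0.1"))
```

    Note that 172.32.0.1 is denied: 172.16.0.0/12 ends at 172.31.255.255, a common misreading when adding private ranges.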
  3. tratz

    tratz New Member

    Joined:
    Oct 21, 2015
    Messages:
    109
    Likes Received:
    15
    I am not sure how they would ever implement this. Depending on how you install the product, they wouldn't have a way to know what subnets to block off (e.g. installing on a cloud server at OVH, where that is the one and only interface to them, so disabling it would eliminate all access to the web interface). I can see this for an on-prem solution mostly, but since it is one installation for both, I just don't see them doing this, although I have been wrong before.

    --Tracy
     
  4. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    447
    Likes Received:
    20
    How to allow only "normal" users to the MC?
    Webconfigtool should also not be available from the WAN!

    To run it, enter the IP followed by port 5015 (eg. http://10.172.1.88:5015) in a browser on another machine.
    https://www.3cx.com/docs/manual/configuration-tool/#h.8e3ybf57sm8n

    This may take some time. Once done, a confirmation page will be shown with important information. Make a screenshot and/or print this information - it can not be retrieved afterwards!

    Can anybody in the middle see such important information? :oops:
     
  5. NTB Inc

    Joined:
    May 2, 2017
    Messages:
    21
    Likes Received:
    10
    +1
    Especially in larger enterprises, having management access available with other services is a BIG negative and in most cases would violate policies. This issue is currently delaying our ability to use more mobile/remote devices as we don't wish to expose admin access externally.
     
    exevi likes this.
  6. accentlogic

    accentlogic New Member

    Joined:
    Nov 14, 2013
    Messages:
    174
    Likes Received:
    72
    +10
    If any available port can be used for the console and use an alternate URL/SSL cert that would be fantastic.
     
  7. Accurro

    Joined:
    Mar 19, 2017
    Messages:
    3
    Likes Received:
    2
    Just found this after posting in this thread.

    This will be more important with the upcoming web client in 15.5, makes sense to have the web client and presence on one port, management on another.
     
  8. divorcer

    Joined:
    Apr 28, 2014
    Messages:
    1
    Likes Received:
    0
    Were you able to get this to work in v15.5?
     
  9. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    Seems not to be working in version 15.5 (SP2).
    I was able to do the opposite -- to allow access at port 5000 from trusted public IP addresses, but not to limit public IP addresses to access webroot at port 5001.
     
  10. RogerS

    Joined:
    Dec 12, 2017
    Messages:
    13
    Likes Received:
    10
    It should definitely be possible to restrict the access to the 3CX Management Console for a defined IP range.
     
  11. Silly English Kniggit

    Joined:
    Sep 13, 2017
    Messages:
    220
    Likes Received:
    85
    Being able to run this over the WAN is by design, and very helpful for cloud installs (if you don't want to use the command line). Once the PBX is configured, this goes away anyway. If you don't want it available from the WAN, then don't open the port on the firewall?
     
  12. stever

    Joined:
    Sep 25, 2017
    Messages:
    39
    Likes Received:
    13
  13. palmaz

    Joined:
    Aug 22, 2017
    Messages:
    43
    Likes Received:
    13