Hi,
1. Symlink Error
About the symlink error, it was already discussed and resolved in another post, here is the solution again:
It does that on purpose right now and no update will correct it. It's preserving potential custom modifications.
You need to rename/delete/move the file in /etc/asterisk (mv /etc/asterisk/http.conf /etc/asterisk/http.conf.orig), then do either:
amportal a r
at the Linux CLI, or press "Apply config" in the FreePBX GUI.
This will fix the symlink error for http.conf; it's like resolving all other symlink errors when FreePBX picks up a new config file.
It doesn't want to assume anything about whether you had inserted custom modifications in there; blindly removing yours without error or warning for intervention could potentially silently overwrite some people's custom modifications to the file.
2. Asterisk http.conf relation to ARI?
Someone will have to explain what this http.conf symlink error (and fix) has to do with the ARI (/recordings) http auth protection and/or the desire to remove such protection.
Because it has nothing to do with it whatsoever. Like not even a remote relation or link between the two issues/subjects.
3. Asterisk mini http server
Seen from where I stand, the default config of the Asterisk mini http server seems secure. Haven't dug into it, but assuming their setting does what it advertises:
On my system the default bind address for it was 127.0.0.1. So, secure from my point of view if the setting does what it should.
On Lorne's system up there the bind address was his LAN IP; this could represent a security issue if his port 8088 ends up being exposed on the internet.
Not sure why a properly configured system would expose that, but in his case he has to be cautious about exposing it because the * mini http server would bind to his LAN and not only to his localhost.
So IF in some cases the default bind address automatically ends up being the LAN address there is a potential security risk, but running zero firewall and exposing the entire server on the internet to count on each application's security/settings to save the day is and has always been a weak security implementation.
(I'm not an expert on the Asterisk mini http server, but I'm going on common sense and the default config I have seen here + the standard interpretation of the configuration options and security model for a server (firewall).)
4. Accessing the ARI without being prompted by an http auth, ANY http auth.
Was also already discussed at length like Lorne mentioned, but I will include it here for clarity.
Of course this removes ALL http auth only; you will still need to log in on the residual (web page) prompt.
The second prompt, on the page, requires a voicemail box and password
OR
the "User Portal Admin Username" and "User Portal Admin Password" set from the "settings"->"advanced settings" menu in FreePBX.
Here is what you need to do for the ARI to function without having any http auth prompt and still protect the rest of the admin GUI and /admin folder.
If this does not work you either did not do "service httpd restart" afterwards, or you messed something else up while trying to fix it another way or your own way.
Edit /etc/pbx/httpdconf/ari.conf
this:
Code:
#Password protect ARI interface
<Directory /var/www/html/recordings>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require valid-user
</Directory>
Becomes:
Code:
#Password protect ARI interface
#<Directory /var/www/html/recordings>
#AuthType Basic
#AuthName "Restricted Area"
#AuthUserFile /usr/local/apache/passwd/wwwpasswd
#Require valid-user
#</Directory>
(all commented out)
Edit /etc/pbx/httpdconf/pbx.conf
Insert this in the file:
Code:
#Allow critical assets for ARI
<Directory ~ "^/var/www/html/admin/assets/(js|images|css)">
Satisfy Any
Allow from all
</Directory>
(Allow critical assets for ARI)
Do service httpd restart
Access the ARI without http auth prompt.
We have of course always recommended people do that only when the server is NOT exposed on the Internet on its apache http port (normal webserver).
Because by removing the auth to access the ARI and exposing it on the Internet, you're allowing anyone to hit the ARI to try to login with the ARI's admin user or an extension.
5. Location of http.conf and symlink
Lastly, I'm not sure I get the problem about http.conf working like all other FreePBX conf files and being symlinked.
It's an Asterisk conf file like any other; it's now controlled by core and FreePBX does what it does with other conf files.
ls -l /etc/asterisk/*
Will show that http.conf now operates under the same principle as other configuration files owned by FreePBX; not sure what changed about that except the fact that the file has now been picked up by FreePBX to be controlled via the GUI.
Like other Asterisk configuration files have been picked up in the past to be controlled by FreePBX.
Now we could discuss security more, but I'm not sure it's necessary unless someone aims to recommend that exposing FreePBX on the public internet is a good idea.
(Nonetheless, discussing security is always OK...)
Some probably do with good reason, and I can only hope they know what they are doing and are making sure to limit their risks.
Of course there are security concerns: the app is located in a webserver and of course its files are under the control of the webserver.
There is a risk because phpMyAdmin files live under the web server, and you have to make sure you secure yourself against security flaws in it.
Or like WordPress, which lives under the webserver and also represents a security risk; all web apps do if you expose them somehow.
Questions, comments or insults, I take them all!
Hope this helps.
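Two checks come out of points 3 and 4 above: whether the Asterisk mini http server is bound to loopback rather than the LAN address, and whether the /recordings directory in ari.conf still carries the Apache basic auth block or has had it commented out. The script below is an added example written for this thread, not the poster's or FreePBX's own code. It parses both files with awk, runs against constructed sample files in a temp directory so it can be tried offline, and only treats 127.0.0.1 and ::1 as loopback; the real paths (/etc/asterisk/http.conf and /etc/pbx/httpdconf/ari.conf) are the ones from the post and are only shown in a comment.

```shell
#!/bin/sh
# Added audit helper (not from the original post): report the Asterisk mini
# http server bind address and whether /recordings is still behind Apache auth.

# Print the bindaddr value from the [general] section of an Asterisk http.conf.
# Prints nothing when no uncommented bindaddr is set in [general].
http_bindaddr() {
    awk '
        /^[[:space:]]*;/ { next }                       # skip ; comment lines
        /^[[:space:]]*\[/ { section = $0; next }        # remember [section]
        section ~ /\[general\]/ && $0 ~ /^[[:space:]]*bindaddr[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")              # drop "bindaddr ="
            sub(/[[:space:]]*;.*$/, "")                 # drop trailing comment
            print; exit
        }
    ' "$1"
}

# Exit 0 if an uncommented "Require valid-user" sits inside an uncommented
# <Directory ...recordings> block (i.e. the ARI is still http-auth protected).
ari_auth_present() {
    awk '
        /^[[:space:]]*#/ { next }                       # commented-out lines do nothing
        /<Directory[[:space:]]/ && /recordings/ { inblock = 1; next }
        /<\/Directory>/ { inblock = 0; next }
        inblock && /^[[:space:]]*Require[[:space:]]+valid-user/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit HTTP_CONF ARI_CONF: print one line per check, return the number of warnings.
audit() {
    findings=0
    addr=$(http_bindaddr "$1")
    case "$addr" in
        127.0.0.1|::1) echo "ok:   mini http server bound to loopback ($addr)" ;;
        "")            echo "warn: no bindaddr in [general] of $1; verify what the server listens on"
                       findings=$((findings + 1)) ;;
        *)             echo "warn: mini http server bound to $addr; port 8088 reachable beyond localhost"
                       findings=$((findings + 1)) ;;
    esac
    if ari_auth_present "$2"; then
        echo "ok:   /recordings still protected by Apache basic auth"
    else
        echo "warn: /recordings has no Apache auth; only the ARI login page remains (keep it off the Internet)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample files so the checks can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/http-loopback.conf" <<'EOF'
[general]
enabled=yes
bindaddr=127.0.0.1   ; constructed sample: loopback only
bindport=8088
EOF
cat > "$SAMPLE_DIR/http-lan.conf" <<'EOF'
[general]
enabled=yes
bindaddr = 192.0.2.10 ; constructed sample: bound to the LAN address
bindport=8088
EOF
cat > "$SAMPLE_DIR/ari-protected.conf" <<'EOF'
#Password protect ARI interface
<Directory /var/www/html/recordings>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require valid-user
</Directory>
EOF
cat > "$SAMPLE_DIR/ari-open.conf" <<'EOF'
#Password protect ARI interface
#<Directory /var/www/html/recordings>
#Require valid-user
#</Directory>
EOF

echo "== sample system A (loopback, auth kept) =="
audit "$SAMPLE_DIR/http-loopback.conf" "$SAMPLE_DIR/ari-protected.conf" || true
echo "== sample system B (LAN bind, auth commented out) =="
audit "$SAMPLE_DIR/http-lan.conf" "$SAMPLE_DIR/ari-open.conf" || true
# On a real box: audit /etc/asterisk/http.conf /etc/pbx/httpdconf/ari.conf
```

The return code of `audit` is the number of warnings, so it drops into a cron job or a post-"Apply config" hook as-is; a LAN bind address on its own is only a problem when port 8088 is reachable from outside, which is exactly the firewall point made in section 3.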