LinuxQuestions.org
Old 06-12-2018, 09:21 AM   #1
jimbolaya
Help with restricting access to ProxyPass proxy host.


I am attempting to use LetsEncrypt with my home-rolled FreePBX instance so I can use TLS transport. In order for LetsEncrypt to work with FreePBX, I need to allow a list of hostnames access to port 80 on my FreePBX instance. But I don't want to give the world access to my FreePBX admin interface.

The FreePBX server is behind my NATed router so I was hoping to use ProxyPass to forward the traffic using my existing Apache instance.

I would like to add a config like this:

Code:
<VirtualHost *:80>
    ServerName freepbx.mydomain.org
    Require forward-dns outbound1.letsencrypt.org outbound2.letsencrypt.org mirror1.freepbx.org mirror2.freepbx.org
    ProxyPass /    http://192.168.168.183
    ProxyPassReverse   /  http://192.168.168.183
</VirtualHost>

I've got other proxies set up on my server, so I have some idea how to set them up. But any time I try to add a Require or Allow directive it says

Code:
Jun 12 09:59:13 myserver apache2[1718]: <RequireAll not allowed here
or

Code:
Jun 12 09:38:12 myserver apache2[26767]: order not allowed here

The documentation states:

Code:
The directive can be referenced within a <Directory>, <Files>, 
or <Location> section as well as .htaccess files to control access 
to particular parts of the server.

So, clearly this isn't an option for a VirtualHost section. I'm not finding any other information restricting access to a VirtualHost.

I am hoping someone has an idea on how to set this up.
 
Old 06-12-2018, 01:55 PM   #2
jimbolaya
Partially Solved

I got the LetsEncrypt stuff to work with my FreePBX:

Code:
<VirtualHost *:80>
    ServerName freepbx.myserver.org
    ServerAlias freepbx.myserver.org

    # keep the host
    ProxyPreserveHost On

    ProxyPass /.freepbx-known/    http://192.168.168.183/.freepbx-known/
    ProxyPassReverse   /.freepbx-known/  http://192.168.168.183/.freepbx-known/
    ProxyPass /.well-known/    http://192.168.168.183/.well-known/
    ProxyPassReverse   /.well-known/  http://192.168.168.183/.well-known/
</VirtualHost>

However, I haven't gotten restricting source hosts to work right yet.

I read somewhere to try something like this:

Code:
<Directory proxy:>
     Require host outbound1.letsencrypt.org outbound2.letsencrypt.org mirror1.freepbx.org mirror2.freepbx.org
</Directory>

But whether it's there or not seems to make no difference.
 
Old 06-12-2018, 03:08 PM   #3
jimbolaya
Completely Solved

Here's my final setup. It denies access to the base domain name, freepbx.mydomain.org, but allows the hosts in my "Require" list access to those subdirectories.

Thank you to "thumb" on IRC for some guidance.

I added "another.test.host.com" as a host I could try from, to make sure I could get to it, for testing purposes.

Code:
<VirtualHost *:80>
    ServerName freepbx.mydomain.org
    ServerAlias freepbx.mydomain.org

    # Default for the whole vhost: deny everything
    <Location "/">
        Require all denied
    </Location>

    # keep the host (pass the original Host header to the backend)
    ProxyPreserveHost On

    # Only clients whose DNS name matches the list may reach this path
    <Location "/.freepbx-known/">
        Require host outbound1.letsencrypt.org outbound2.letsencrypt.org mirror1.freepbx.org mirror2.freepbx.org another.test.host.com
        ProxyPass http://192.168.168.183/.freepbx-known/
        ProxyPassReverse http://192.168.168.183/.freepbx-known/
    </Location>

    # Same allow list for the second proxied path
    <Location "/.well-known/">
        Require host outbound1.letsencrypt.org outbound2.letsencrypt.org mirror1.freepbx.org mirror2.freepbx.org another.test.host.com
        ProxyPass http://192.168.168.183/.well-known/
        ProxyPassReverse http://192.168.168.183/.well-known/
    </Location>
</VirtualHost>
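
How the `Require host` lines in the final configuration decide who gets through, as an added example that is not part of the original posts: Apache does a reverse lookup on the client address, matches the resulting name against the list (whole name or a suffix on a label boundary), and confirms with a forward lookup that the name resolves back to the same address. The function names are illustrative, and the addresses and DNS tables are constructed sample data from documentation ranges.

```python
import socket

# Hostnames from the Require host line in the post above.
ALLOWED = ["outbound1.letsencrypt.org", "outbound2.letsencrypt.org",
           "mirror1.freepbx.org", "mirror2.freepbx.org"]

def system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; None if no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward (A/AAAA) lookup via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def name_matches(hostname, allowed):
    """Require host matches the full name or any name ending in .<allowed>."""
    hostname, allowed = hostname.lower().rstrip("."), allowed.lower().lstrip(".")
    return hostname == allowed or hostname.endswith("." + allowed)

def require_host(client_ip, allowed=ALLOWED, ptr=system_ptr, forward=system_forward):
    """Model of the double-reverse check: the PTR name must be in the list
    AND must resolve forward to the same client IP."""
    name = ptr(client_ip)
    if name is None:
        return False, "no PTR record"
    if not any(name_matches(name, a) for a in allowed):
        return False, f"PTR name {name} not in list"
    if client_ip not in forward(name):
        return False, f"{name} does not resolve back to {client_ip}"
    return True, f"matched {name}"

# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_PTR = {"192.0.2.10": "outbound1.letsencrypt.org",
              "198.51.100.7": "outbound1.letsencrypt.org",  # PTR claims the name, forward disagrees
              "203.0.113.5": "dsl-5.example.net"}
SAMPLE_FWD = {"outbound1.letsencrypt.org": {"192.0.2.10"}}

def check_sample(ip):
    return require_host(ip, ptr=SAMPLE_PTR.get, forward=lambda n: SAMPLE_FWD.get(n, set()))

if __name__ == "__main__":
    for ip in ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"]:
        print(ip, *check_sample(ip))
```

Calling `require_host(ip)` with the default resolvers runs the same check against live DNS, which shows whether a given client address would pass the list before relying on it.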
 
  

