    Remote Administration of FreePBX

    • EddieJennings

      For my FreePBX on Vultr tests, I've (through the wizard) configured the firewall to assign my office host (x.x.x.x/32) to the trusted zone and the eth0 interface on the FreePBX VM to the Internet zone. I'm curious how the @JaredBusch -folk of the world set up their system of remote configuration, since I imagine they're not administering various FreePBX systems from the same network all the time.

      I believe I understand the idea of a jump box, and I can see one way of locking it down.

      [host with SSH key for jump box] >>> Internet >>> [jump box likely with SSH keys] >>>> Internet >>>> [server to be administered]

      Would you do the same kind of topology for something GUI-based like FreePBX, or do you just configure the Web Management service to be in the Internet zone and access it through HTTPS and have strong credentials? Or am I missing the mark and there's a better practice for handling administration of a FreePBX server from various networks?

      • gjacobse

        The JumpBox approach is great for CLI actions. But if you have to perform GUI commands.. I don't know that it would.

        • EddieJennings @gjacobse

          @gjacobse said in Remote Administration of FreePBX:

          The JumpBox approach is great for CLI actions. But if you have to perform GUI commands.. I don't know that it would.

          That's what I figured.

          • black3dynamite

            How about setting up a reverse proxy server?
            You > Internet > Nginx Reverse Proxy > Internet > FreePBX WebUI

            • Emad R @EddieJennings

              @eddiejennings

              Check my method of using Nginx as reverse Proxy + TLS cert based auth

              https://mangolassi.it/topic/14787/how-to-setup-nginx-tls-certificate-based-authentication-vpn-alternative

              It works wonders when you have an HTTP website that you want to connect to from abroad.

              • Emad R @black3dynamite

                @black3dynamite said in Remote Administration of FreePBX:

                How about setting up a reverse proxy server?
                You > Internet > Nginx Reverse Proxy > Internet > FreePBX WebUI

                Damn, we said the same thing at the same time. But still I am more right.

                • black3dynamite @Emad R

                  @emad-r lol

                  • JaredBusch @Emad R

                    @emad-r said in Remote Administration of FreePBX:

                    @eddiejennings

                    Check my method of using Nginx as reverse Proxy + TLS cert based auth

                    https://mangolassi.it/topic/14787/how-to-setup-nginx-tls-certificate-based-authentication-vpn-alternative

                    It works wonders when you have an HTTP website that you want to connect to from abroad.

                    This is decently useful and provides a solid method from anywhere that you have this device with the certificate.

                    • Emad R @JaredBusch

                      @jaredbusch said in Remote Administration of FreePBX:

                      @emad-r said in Remote Administration of FreePBX:

                      @eddiejennings

                      Check my method of using Nginx as reverse Proxy + TLS cert based auth

                      https://mangolassi.it/topic/14787/how-to-setup-nginx-tls-certificate-based-authentication-vpn-alternative

                      It works wonders when you have an HTTP website that you want to connect to from abroad.

                      This is decently useful and provides a solid method from anywhere that you have this device with the certificate.

                      What? @JaredBusch commending my work, and not cursing it...

                      This calls for celebration

                      • JaredBusch @EddieJennings

                        @eddiejennings said in Remote Administration of FreePBX:

                        For my FreePBX on Vultr tests, I've (through the wizard) configured the firewall to assign my office host (x.x.x.x/32) to the trusted zone and the eth0 interface on the FreePBX VM to the Internet zone. I'm curious how the @JaredBusch -folk of the world set up their system of remote configuration, since I imagine they're not administering various FreePBX systems from the same network all the time.

                        I believe I understand the idea of a jump box, and I can see one way of locking it down.

                        [host with SSH key for jump box] >>> Internet >>> [jump box likely with SSH keys] >>>> Internet >>>> [server to be administered]

                        Would you do the same kind of topology for something GUI-based like FreePBX, or do you just configure the Web Management service to be in the Internet zone and access it through HTTPS and have strong credentials? Or am I missing the mark and there's a better practice for handling administration of a FreePBX server from various networks?

                        First, I generally do not need to access things from everywhere. FreePBX is a fairly stable thing.

                        Second, I have an FQDN, via a dynamic DNS entry, set up in the firewall settings for all common locations I work from.

                        Third, I can also gain access by registering an extension successfully from a softphone on my laptop. That will set my current IP as a "Local".

                        If I need to do a one-off thing, I just jump on ScreenConnect back to my desktop at home and do whatever.

                        If I need to do a lot of work, I will either jump to my desk and add my current IP or I will connect to the Vultr console and add my current IP from CLI.

                        fwconsole firewall add trust 111.222.333.444
                        
                        • scottalanmiller @gjacobse

                          @gjacobse said in Remote Administration of FreePBX:

                          The JumpBox approach is great for CLI actions. But if you have to perform GUI commands.. I don't know that it would.

                          Ours works that way, lol. GUI works fine, too.

                          • scottalanmiller

                            You can use Salt to dynamically open the firewall trusts when needed and close them afterwards.

                            • JaredBusch @scottalanmiller

                              @scottalanmiller said in Remote Administration of FreePBX:

                              You can use Salt to dynamically open the firewall trusts when needed and close them afterwards.

                              No. Just no. Take your playtoy and GTFO.

                              • scottalanmiller @JaredBusch

                                @jaredbusch said in Remote Administration of FreePBX:

                                @scottalanmiller said in Remote Administration of FreePBX:

                                You can use Salt to dynamically open the firewall trusts when needed and close them afterwards.

                                No. Just no. Take your playtoy and GTFO.

                                It's actually a good way to go. So easy to change that rule and open a port for just your IP address temporarily and close it off when done. It's one of my favourite features to use. Also gives you (if you use GIT like we do) a record of when the port was opened, why and when it was closed again.

                                • black3dynamite @scottalanmiller

                                  @scottalanmiller said in Remote Administration of FreePBX:

                                  Also gives you (if you use GIT like we do) a record of when the port was opened, why and when it was closed again.

                                  How does that work?

                                  • scottalanmiller @black3dynamite

                                    @black3dynamite said in Remote Administration of FreePBX:

                                    @scottalanmiller said in Remote Administration of FreePBX:

                                    Also gives you (if you use GIT like we do) a record of when the port was opened, why and when it was closed again.

                                    How does that work?

                                    You commit your change to your local file system on your workstation. Then you commit it to the GIT repo. When you do this, GIT stores your change as well as the previous state of the system and you add a comment when you commit. This gives you a chance to say "Opening port to work on PBX" or whatever. Then when you are all done, change the firewall back, commit it, comment again saying you are done and closing it and it closes itself.

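
An added example, not part of the thread or of FreePBX itself: a POSIX shell wrapper around the `fwconsole firewall add trust` command from JaredBusch's post that opens the trust for a fixed time and then removes it, the open-then-close pattern scottalanmiller describes. The `del trust` subcommand, the `FWCONSOLE` override and the function names are assumptions; 203.0.113.7 is a constructed documentation address.

```shell
#!/bin/sh
# Added example (not from the thread): time-boxed trust entry for the FreePBX firewall.
# Assumption: `fwconsole firewall del trust <ip>` removes what `add trust <ip>` created.
FWCONSOLE=${FWCONSOLE:-fwconsole}   # overridable so the logic can be dry-run

# Succeed only for a plain dotted-quad IPv4 address with every octet in 0-255.
# The body is a subshell, so IFS and the positional parameters stay local.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray characters, empty octets
    esac
    IFS=.
    set -- $1                                 # split the address into octets
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Trust IP for SECS seconds (default 1800), then always remove the entry again.
with_temp_trust() (
    ip=$1
    secs=${2:-1800}
    valid_ipv4 "$ip" || { echo "refusing invalid IPv4 address: $ip" >&2; exit 2; }
    case $secs in
        ''|*[!0-9]*) echo "duration must be whole seconds: $secs" >&2; exit 2 ;;
    esac
    "$FWCONSOLE" firewall add trust "$ip" || exit 1
    # From here on every exit path, including a dropped SSH session, removes the entry.
    trap '"$FWCONSOLE" firewall del trust "$ip"' EXIT
    trap 'exit 130' INT TERM HUP
    echo "trusted $ip for ${secs}s" >&2
    sleep "$secs" &
    wait "$!"                                 # wait (unlike sleep) returns on a signal
)

# Usage: sh temp-trust.sh 203.0.113.7 900
if [ "$#" -gt 0 ]; then
    with_temp_trust "$@"
fi
```

The placeholder address in the post, 111.222.333.444, is rejected by `valid_ipv4` because 333 and 444 are not valid octets, so a typo or stray shell metacharacter never reaches `fwconsole`.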