Koozali.org: home of the SME Server

27ManagerProxyPass breaks https access for many apps

Offline PWDasterisk

27ManagerProxyPass breaks https access for many apps
« on: May 20, 2009, 07:55:51 AM »
SME 7.4, zaptel-1.4.11, asterisk-1.4.22.2, sail-2.2.1-759

Selintra -

Although you recommend the SAIL/SME Server be run just as a telephony platform, I recently started installing contribs and enabling functions and services primarily to demonstrate the Server capabilities to potential users.

Unfortunately a pattern of problems emerged - basically any app outside of the server-manager or horde interface that required https access would run into recursive redirect failures. I tested this with IE and Firefox. Port 80 http access was not a problem.

I had to remove the following lines from your 27ManagerProxyPass in the if($port eq "443") routine:
   $OUT .= "    RewriteCond %{REQUEST_URI} ^/(.*)\n";
   $OUT .= "    RewriteRule .* %{HTTP_REFERER}%1  [L,R]\n";
   $OUT .= "    RewriteRule .* %{HTTP_REFERER}/%1 [L,R]\n\n";
and then expand-template /etc/httpd/conf/httpd.conf and /etc/init.d/http-e-smith restart solved the problems.

A simple proof-of-concept is to build an index.html file in the Primary ibay that contains an image or some other reference and access it through https. Another example is to install the Webshare contrib - it's small, simple, requires https access but doesn't need a signal-event post-upgrade; signal-event reboot after the yum install.

I have found no asterisk related issues from removing that code but didn't have a lot of time to test further... is there some specific dependency in the SAIL programming that requires the HTTP_REFERER RewriteRule?

if at first you don't succeed then keep on reading until you do succeed...
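
The redirect loop described in the post above, modelled as an added example (not part of the thread and not SAIL code). It assumes the three quoted lines act on every port-443 request with no other RewriteCond in front of them, and that the client resends the same Referer on each hop; the host sme.example, the file logo.png and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

MAX_HOPS = 20  # typical browser redirect limit


def rewrite_443(request_uri, referer, rules_present=True):
    """Model of the three quoted lines, taken in isolation (assumption).

    RewriteCond %{REQUEST_URI} ^/(.*)       -> %1 = URI minus leading slash
    RewriteRule .* %{HTTP_REFERER}%1 [L,R]  -> external redirect, then stop
    The second RewriteRule is never reached here: the first matches every
    request and carries [L].
    Returns the redirect target, or None when the request is served as-is.
    """
    if not rules_present:
        return None
    if not referer:
        raise ValueError("model only covers requests that carry a Referer")
    return referer + request_uri[1:]


def follow(url, referer, rules_present=True, max_hops=MAX_HOPS):
    """Follow redirects as a browser does, resending the original Referer."""
    chain = [url]
    for _ in range(max_hops):
        target = rewrite_443(urlsplit(chain[-1]).path, referer, rules_present)
        if target is None:
            return chain, "served"
        chain.append(target)
    return chain, "redirect limit exceeded"


if __name__ == "__main__":
    # Constructed input: index.html in the Primary ibay references logo.png.
    page = "https://sme.example/index.html"
    image = "https://sme.example/logo.png"
    for present in (True, False):
        chain, status = follow(image, page, rules_present=present)
        print(f"rules_present={present}: {status} after {len(chain) - 1} redirect(s)")
        for hop in chain[:3]:
            print("   ", hop)
```

Under these assumptions every hop prepends the referring page's URL to the path again, so the target never stabilises and the browser stops at its redirect limit; with the lines removed the image is served directly.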

Offline David Harper

Re: 27ManagerProxyPass breaks https access for many apps
« Reply #1 on: May 20, 2009, 02:26:48 PM »
For the clueless (that's me btw) can you explain why this is a problem exactly?

Offline Franco

Re: 27ManagerProxyPass breaks https access for many apps
« Reply #2 on: May 20, 2009, 03:36:27 PM »
Why not disable it completely? Or add the address to the ignore list?
Global Panel:
    Dynamic Proxy Enable:    
   Proxy Ignore List:

Offline SARK devs

Re: 27ManagerProxyPass breaks https access for many apps
« Reply #3 on: May 20, 2009, 07:31:46 PM »
Franco has already answered this but I'll just reinforce it. The proxy ignore list is there to allow you to bypass our rewrite processing for any other contribs you may have installed. There is nothing in vanilla SME that won't work "out-of-the-box" with our rewrite engine.

However, as Franco also points out, if you wish, you can suppress the generation of the rewrite rules completely by turning off dynamic proxy.

What the rewrite processing does is to allow you to dynamically proxy to the browsers of locally attached phones without having to create any special porting or firewall rules. To see it work, just turn it on and click on the connected icon for any locally attached phone (assuming the phone has a browser - Cisco 79xx users need not apply).

Hope this helps

S

Offline PWDasterisk

Re: 27ManagerProxyPass breaks https access for many apps
« Reply #4 on: May 20, 2009, 08:14:47 PM »
I use the Dynamic Proxy feature to backdoor into Polycom phones all the time. Leaving that feature "on" in Globals and removing those 3 lines of code in the 27ManagerProxyPass has not disabled that feature but solved the https problem globally for all other apps. I can't speak of the effect it may have on other devices because I only use Polycoms and SoftPhones.

I used the Proxy ignore list to successfully bypass individual directives but removing the RewriteRule worked globally for my network with no other apparent effect... as I stated in my first post I have found no asterisk related issues from removing that code but didn't have a lot of time to test further.

I'll assume that the rule was written for some specific devices which I haven't used yet so to be safe in future deployments I will leave the original code as is and place individual directives one by one into the Proxy Ignore as they are added to the Server.

Thanks all for your responses.
« Last Edit: May 20, 2009, 08:16:19 PM by PWDasterisk »
if at first you don't succeed then keep on reading until you do succeed...