vicidial.org

[bronson]

Hello,
I have just installed a fresh Vicibox10 Express install:

Version: 2.14b0.5
SVN Version: 3612
DB Schema Version: 1662
Asterisk Version: 13.38.2-vici
mysql Ver 15.1 Distrib 10.5.8-MariaDB

I have set up the White List by following the instructions listed here viewtopic.php?f=8&t=41283&hilit=whitelist and the whitelist feature works perfectly.

Setting up the IP Lists in ViciDial:
1) Log into ViciDial
2) Go to Admin --> System Settings
3) Change "Allow IP Lists" to 1 and save
4) Go to Users and click on your admin user (I.E. 6666)
5) Set Modify IP Lists to 1 and save
6) Repeat steps 4 and 5 for any other admin users you want to be able to adjust the whitelist
7) Go to Admin --> IP Lists
Click on "Add An IP List" (if 'ViciWhite' is already listed, just click on this and skip to step 12)
9) The IP List ID should be 'ViciWhite' (You can name it something else, but you'll need to use the --whitelist= option with VB-firewall)
10) The IP List Name can be whatever you want like 'Firewall Whitelist', but there needs to be something there
11) Click on Submit to save the new IP List and bring up the window allowing us to add entries
12) Add any IPs you want to include on the IP list. One IP per line.
13) Once you're satisfied with the IP's on the list, click submit to save the changes.

You can also do CIDR entries in step 12 but ViciDial itself won't be able to understand them. If you want to IP restrict agents to specific campaigns I would suggest have different IP lists for ViciDial to use and then the one IP List for just the firewall.

Now modify the crontab for white/dynamic list:
1) run 'crontab -e'
2) Go to the very bottom of the crontab and change the firewall entries to this (If you just want white listing, remove the '--dynamic' from the above two lines) :
CODE: SELECT ALL
@reboot /usr/bin/VB-firewall --white --dynamic --quiet
* * * * * /usr/bin/VB-firewall --white --dynamic --quiet

3) Press CTRL-X to exit
4) Press 'Y' to save the changes to the crontab and then hit enter

Now to setup the network/firewall configuration:
1) Run 'yast lan'
2) Go to the 'Interfaces' section in the left window and press enter
4) Assign any network device with a LAN IP (192.168.X, 10.X, etc) to the 'trusted' zone
4) Assign any network device with an Internet IP to the 'Public' zone
5) Go to the 'public' section in the left window and press enter
6) Remove all allowed services except for 'rtp' and 'dhcpv6-client' (You can also remove dhcpv6-client if you're not using IPv6)
7) Go to the 'external' section in the left window and press enter
Make sure 'apache2', 'apache2-ssl', 'asterisk', and 'rtp' are listed here
9) Once all the above is complete, press ALT-A or F10 to accept and save the changes made
10) Run 'service firewalld restart' to clear out the network config and reload all your changes in, this will also reset network access so be careful if doing this remotely
11) Run 'VB-firewall --white --dynamic' to load up the IPs from your lists, you can add --debug to get extra output

I then followed the instructions in the Installation Manual http://download.vicidial.com/iso/vicibox/server/ViciBox_v9-install.pdf for setting up the Dynamic Agent Portal.

Dynamic Agent Portal – To be enabled on a single Web server only
1. If not already, please login as the ‘root’ user to get to the root prompt.
2. At the root prompt, type ‘yast firewall’ and press the ENTER key
3. Using the up and down arrow keys, move the highlight bar until ‘public’ is highlighted, then
press the ENTER key; You can use the TAB key to move the highlight bar to the proper window
that public is in if it’s not there by default
4. Press the TAB key until the highlight bar moves to the window that is below “Services”; These
are the rules that are available to apply to the firewall
5. Using the up and down arrow keys, move the highlight bar to the following items and then press
the SPACE bar once: viciportal, viciportal-ssl; If only the SSL option is needed then omit the
viciportal option
6. Press ALT-D to add these services to the Allowed window; Please be careful adding items to
the allowed list as this will make those services accessible from the public internet
7. Press ALE-A to accept and apply these changes
This will enable the ViciBox Dynamic Portal. This portal allows agents to authenticate themselves by
using their assigned user ID and password from ViciDial. It can be accessed by going to the following
URLs in a web browser: http://server:81/valid8.php or http://server:446/valid8.php . When an agent
validates themselves their IP is added to the database and picked up by the rest of the servers within 60
seconds. There are options for controlling this behavior by editing the settings contained in the file /srv/
www/vhosts/dynportal/inc/defaults.inc.php

I also obtained the SSL certificate and forced redirect to HTTPS by following these instructions:

edit this file
nano /etc/apache2/vhosts.d/1111-default.conf

and then remove all the single comment sign #
### To force everything to SSL uncomment the following
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

then restart your apache service
systemctl restart apache

Now when I attempt to go to any of the Dynamic Agent Portal URLs nothing happens. I tried replacing 'server' with my server IP address and with my FQDN. I tried with both HTTP and HTTPS.

What am I doing wrong?

Thanks!

[carpenox]

check your /etc/apache2/listen.conf file and you should see this at the bottom:

Code: Select all

 cat listen.conf
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
#Listen 12.34.56.78:80
#Listen 80
#Listen 443

Listen 80
Listen 446

<IfDefine SSL>
        <IfDefine !NOSSL>
        <IfModule mod_ssl.c>

                Listen 443

        </IfModule>
        </IfDefine>
</IfDefine>


Also make sure you have a dynportal.conf entry in /etc/apache2/vhosts/ that looks like this:

Code: Select all

 cat dynportal.conf
<VirtualHost _default_:81>
        ServerAdmin admin@company.com
        # This needs to be different from other vhosts otherwise they'll get
        # mod_cband applied to it too since it works by ServerName not VHost
        ServerName dynportal.company.com
        #ServerAlias
        DocumentRoot /srv/www/vhosts/dynportal
        ErrorLog /var/log/apache2/dynportal-error_log
        #CustomLog /var/log/apache2/access_log combined
        CustomLog /dev/null combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature Off
        TraceEnable Off
        Include /etc/apache2/conf.d/mod_php7.conf
#       Include /etc/apache2/conf.d/mod_deflate.conf
#       Include /etc/apache2/conf.d/mod_cband.portal
        DirectoryIndex index.html index.php index.htm

        # Prevent access to debug and other things
        <Files ~ "^\.ht">
                Require all denied
        </Files>
        <Files ~ "^\debug.txt">
                Require all denied
        </Files>
        <Directory "/srv/www/vhosts/dynportal/inc">
                Require all denied
        </Directory>

        # And allow our directory to be served finally
        <Directory "/srv/www/vhosts/dynportal">
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

        # Take care of CSS and some other web-crap security things
        <IfModule mod_headers.c>
                Header always set X-Frame-Options: DENY
                Header always set X-XSS-Protection "1; mode=block"
                Header always set X-Content-Type-Options: nosniff
                Header always set Content-Security-Policy "script-src 'self'; object-src 'self'"
                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
        </IfModule>

</VirtualHost>



This should do it for ya, but let me know.

Chris

[bronson]

Also make sure you have a dynportal.conf entry in /etc/apache2/vhosts/ that looks like this:

Code: Select all

 cat dynportal.conf
<VirtualHost _default_:81>
        ServerAdmin admin@company.com
        # This needs to be different from other vhosts otherwise they'll get
        # mod_cband applied to it too since it works by ServerName not VHost
        ServerName dynportal.company.com
        #ServerAlias
        DocumentRoot /srv/www/vhosts/dynportal
        ErrorLog /var/log/apache2/dynportal-error_log
        #CustomLog /var/log/apache2/access_log combined
        CustomLog /dev/null combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature Off
        TraceEnable Off
        Include /etc/apache2/conf.d/mod_php7.conf
#       Include /etc/apache2/conf.d/mod_deflate.conf
#       Include /etc/apache2/conf.d/mod_cband.portal
        DirectoryIndex index.html index.php index.htm

        # Prevent access to debug and other things
        <Files ~ "^\.ht">
                Require all denied
        </Files>
        <Files ~ "^\debug.txt">
                Require all denied
        </Files>
        <Directory "/srv/www/vhosts/dynportal/inc">
                Require all denied
        </Directory>

        # And allow our directory to be served finally
        <Directory "/srv/www/vhosts/dynportal">
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

        # Take care of CSS and some other web-crap security things
        <IfModule mod_headers.c>
                Header always set X-Frame-Options: DENY
                Header always set X-XSS-Protection "1; mode=block"
                Header always set X-Content-Type-Options: nosniff
                Header always set Content-Security-Policy "script-src 'self'; object-src 'self'"
                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
        </IfModule>

</VirtualHost>



This should do it for ya, but let me know.

Chris

It looks like I have that listen.conf file but I think I'm missing the second file here. How do find that? And how do I add it?

[carpenox]

just go to that directory i listed like this:

cd /etc/apache2/vhosts/
then list whats there by typing "ls"
if you dont see dynportal.conf then create it by typing "nano dynportal.conf" and paste what is in the code above

[bronson]

just go to that directory i listed like this:

cd /etc/apache2/vhosts/
then list whats there by typing "ls"
if you dont see dynportal.conf then create it by typing "nano dynportal.conf" and paste what is in the code above

Thanks, actually, I had to figure out it was cd /etc/apache2/vhosts.d because going to /vhosts/ wasn't working for me.

I found the dynportal file and everything was there except these 2 lines were commented in your file but uncommented in mine.

Code: Select all

#       Include /etc/apache2/conf.d/mod_deflate.conf   
#       Include /etc/apache2/conf.d/mod_cband.portal

So I commented them and then saved the file. Then I restarted apache.

I am still am not able to access the Dynamic portal.

Am I going to the right url?

let's assume my vicidial login is dialer.domain.com and my server address is 123.123.1.222 what would the dynamic portal login URL be?

[carpenox]

http://123.123.1.222:81/valid8.php

[bronson]

http://123.123.1.222:81/valid8.php

Actually, I am using ssl so I think it should be https://123.123.1.222:446/valid8.php but either way, nothing seems to be working.

Any other ideas?

[carpenox]

msg me on skype and ill hop on thru anydesk and fix it for ya

[bronson]

Ok, so I figured it out. The portal was working the entire time.

There is an issue where if the IP is already whitelisted then the Dynamic Portal becomes unavailable. I connected to a VPN to change my IP and then was able to access the dynamic portal.

Also, added the viciportal to External in the firewall and I was able to access from a whitelisted IP.

[carpenox]

nice, good postback

[muratyilmaz.dev]

Hello everyone.
I installed V10 yesterday.
I noticed something because the firewall structure has changed.

In V9, I added the dynamic portal login as the favorite login page in all my users' browsers.
e.g (https://domain.com:446/customsecureloginpage.php)

Even if the user is validated, he logs in from this link every day.
If the IP address changes, it gets validated, if it doesn't, I redirect it to the normal login page.

But I couldn't do that in V10.
Once the user is validated, he cannot re-enter from the dynamic portal login (https://domain.com:446/customsecureloginpage.php).

After some effort, something caught my attention in @Kumba's post on the forum.

https://www.vicidial.org/VICIDIALforum/ ... =whitelist

"VB-Firewall integrates with firewalld to act as an IP-based zone assignment system at a global network level. This means that any IP added to the white or dynamic list, regardless of what device that IP is received on, will be processed through the external zone."

This means that for the validated user, the external zone is valid, not the public zone. In other words, external.xml is valid instead of public.xml in firewalld rules.

For this reason;

From yast -> firewalld -> zones -> external
Activate viciportal and viciportal-ssl services.
or
Add the following lines to the /etc/firewalld/zones/external.xml file.
<service name="viciportal"/>
<service name="viciportal-ssl"/>

I have tested. No problem appears.
Waiting for your opinions.