Manually Configuring Apache to host phone configurations for auto provisioning
Note: If your FreePBX based system is Registered AND Licensed for System Admin Pro from Sangoma, you can set this up via the Web Admin GUI. Please see their documentation at
System Admin - Port Management
For manual configuration, see below.
HTTPS (SSL) Provisioning
Create Phone HTTPS (SSL) Provisioning Config
1. SSH into your PBX using an SSH client like PuTTY and make sure you have root/sudo access.
2. Create the config file:
   nano /etc/httpd/conf.d/clearlyip-ssl.conf
3. Paste the config below, or download the attached clearlyip-ssl.conf config and upload it to the /etc/httpd/conf.d/ directory on your PBX.
   a. Verify the port assignments on line 21 & 22.
      Note: Be sure these ports don't conflict with any in Admin --> System Admin --> Port Management.
   b. Verify the certs defined on lines 25-27.
   c. Verify the AuthUserFile assigned on line 54.
4. Exit nano via Ctrl+X, then press Y & Enter to save the config.
5. Restart Apache to apply the config:
   systemctl restart httpd.service
Configure Clearly Devices Template for HTTPS (SSL) Provisioning
- Log into your PBX's Admin Web GUI
- Go into Clearly Devices and in each of your templates:
  - Verify the HTTP Username & Password are set to what was configured in Manual Apache Auth Setup
  - Verify the Provision Protocol is set to HTTPS
  - Verify the Provision Port is set to what was set in step 3.a
  - Verify the Provision Server is set to the IP Address or FQDN of the PBX where this Apache instance is configured.
Apache Config for HTTPS (SSL) Provisioning Config
    # If ssl_module isn't already loaded, load it.
    # This avoids conflict with System Admin configs.
    <IfModule !ssl_module>
        LoadModule ssl_module modules/mod_ssl.so
        SetEnv SSLSETUP true
        SSLPassPhraseDialog builtin
        SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
        SSLSessionCacheTimeout 300
        SSLRandomSeed startup file:/dev/urandom 256
        SSLRandomSeed connect builtin
        SSLCryptoDevice builtin
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder on
    </IfModule>
    # Define Provisioning Port
    Listen 5443
    <VirtualHost _default_:5443>
        SSLEngine on
        # Make sure these point to your cert files
        SSLCertificateFile /etc/httpd/pki/webserver.crt
        SSLCertificateKeyFile /etc/httpd/pki/webserver.key
        SSLCertificateChainFile /etc/httpd/pki/ca-bundle.crt
        <Directory "/tftpboot/">
            # Apache 2.4
            <IfModule mod_authz_core.c>
                <FilesMatch "(^\.|.php$)">
                    Require all denied
                </FilesMatch>
                Require all granted
            </IfModule>
            # Apache 2.2
            <IfModule !mod_authz_core.c>
                <FilesMatch "(^\.|.php$)">
                    Deny from all
                </FilesMatch>
                Allow from all
            </IfModule>
        </Directory>
        DocumentRoot /tftpboot/
        SetEnvIf User-Agent '.*MSIE.*' nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        <Directory /tftpboot/>
            AuthType Basic
            AuthName Restricted
            # Make sure this matches what you set when creating the user
            AuthUserFile /etc/httpd/phoneuser.auth
            Require valid-user
        </Directory>
    </VirtualHost>
HTTP (Non-SSL) Provisioning
Note: If you are only setting up Non-SSL provisioning, you don't need to follow the SSL config above or the cert setup in the Apache SSL Certificate Setup Wiki.
Create Phone HTTP (Non-SSL) Provisioning Config
1. SSH into your PBX using an SSH client like PuTTY and make sure you have root/sudo access.
2. Create the config file:
   nano /etc/httpd/conf.d/clearlyip.conf
3. Paste the config below, or download the attached clearlyip.conf config and upload it to the /etc/httpd/conf.d/ directory on your PBX.
   a. Verify the port assignments on line 1 & 2.
      Note: Be sure these ports don't conflict with any in Admin --> System Admin --> Port Management.
   b. Verify the AuthUserFile assigned on line 12.
      Note: Make sure you have configured Authentication according to Apache Authentication Setup Wiki. Having unauthenticated provisioning could pose a security risk.
4. Exit nano via Ctrl+X, then press Y & Enter to save the config.
5. Restart Apache to apply the config:
   systemctl restart httpd.service
Configure Clearly Devices Template for HTTP (Non-SSL) Provisioning
- Log into your PBX's Admin Web GUI
- Go into Clearly Devices and in each of your templates:
  - Verify the HTTP Username & Password are set to what was configured in Apache Authentication Setup
  - Verify the Provision Protocol is set to HTTP
  - Verify the Provision Port is set to what was set in step 3.a above
  - Verify the Provision Server is set to the IP Address or FQDN of the PBX where this Apache instance is configured.
Apache Config for HTTP (Non-SSL) Provisioning Config
    Listen 8888
    <VirtualHost *:8888>
        Alias /.well-known /var/www/html/.well-known
        Alias /.freepbx-known /var/www/html/.freepbx-known
        RewriteEngine on
        RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
        RewriteRule (^\.|/\.) - [F]
        DocumentRoot /tftpboot/
        <Directory /tftpboot/>
            AuthType Basic
            AuthName Restricted
            AuthUserFile /etc/httpd/phoneuser.auth
            Require valid-user
        </Directory>
    </VirtualHost>
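The two checks the notes above ask for (no port conflict, and authentication actually enforced on /tftpboot) can be scripted before restarting Apache. This is an added example, not part of the original page or of ClearlyIP's tooling; the function names are hypothetical and the sample config is constructed from the HTTP vhost shown above.

```shell
#!/bin/sh
# Added example, not from the original page: checks to run against
# /etc/httpd/conf.d/clearlyip.conf (or clearlyip-ssl.conf) before restarting httpd.

# Print the port of every Listen directive ("Listen 8888", "Listen 0.0.0.0:8888").
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$1"
}

# Succeed only if a <Directory> block for path $2 in config $1 sets both
# AuthUserFile and "Require valid-user", i.e. provisioning is authenticated.
docroot_requires_auth() {
    awk -v root="$2" '
        /^[ \t]*<Directory/ { d = $2; gsub(/[">]/, "", d); sub(/\/$/, "", d)
                              in_dir = (d == root) }
        /^[ \t]*<\/Directory>/ { in_dir = 0 }
        in_dir && tolower($1) == "authuserfile" { file = 1 }
        in_dir && tolower($1) == "require" && tolower($2) == "valid-user" { req = 1 }
        END { exit !(file && req) }
    ' "$1"
}

# Read `ss -ltn` output on stdin and print each Listen port of config $1
# that some process has already bound (a Port Management conflict).
ports_in_use() {
    inuse=$(awk 'NR > 1 { n = split($4, a, ":"); print a[n] }')
    for p in $(listen_ports "$1"); do
        echo "$inuse" | grep -qx "$p" && echo "$p"
    done
    return 0
}

# Constructed sample: the HTTP (Non-SSL) vhost from this page, trimmed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Listen 8888
<VirtualHost *:8888>
    DocumentRoot /tftpboot/
    <Directory /tftpboot/>
        AuthType Basic
        AuthName Restricted
        AuthUserFile /etc/httpd/phoneuser.auth
        Require valid-user
    </Directory>
</VirtualHost>
EOF
echo "Listen ports: $(listen_ports "$sample")"
docroot_requires_auth "$sample" /tftpboot && echo "auth required on /tftpboot"
```

On the PBX, pipe `ss -ltn` into `ports_in_use /etc/httpd/conf.d/clearlyip.conf` before the first restart, since afterwards Apache itself holds the port. `apachectl configtest` covers syntax errors, which these functions do not.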