Browsing the path with security

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba

Postby bghayad » Wed Oct 02, 2013 8:17 am

Hello;

vicibox 4.0.3, vicidial 2.8-404a, Build 130605-0841, asterisk 1.4.39.1-vici, Single Machine, Vtiger 5.4

How can I make the path
http://192.168.28.254/RECORDINGS/MP3/
to be accessed by username and password, as now anyone can browse it? I have the following security settings in the file vi /etc/apache2/conf.d/vicirecord.conf:

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

<Directory "/var/spool/asterisk/monitorDONE">
  Options Indexes MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
  <files *.mp3>
    Forcetype application/forcedownload
  </files>
</Directory>


Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Browsing the path with security

Postby DomeDan » Thu Oct 03, 2013 3:55 am

What you are talking about is htaccess,
but it's easier to base access on the IP address instead, like this example on phpmyadmin: viewtopic.php?f=4&t=30502#p105046
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: Browsing the path with security

Postby williamconley » Thu Oct 03, 2013 10:08 am

Code:
  nano +75 /etc/apache2/default-server.conf


below the 'cgi-bin' directory setup,
Code:
 # Protect phpMyAdmin folder from attacks
 # use htpasswd2 /srv/www/passwd/phpmyadmin newuser to add new users (and delete unauthorized users from that file)
 # requires /etc/init.d/apache2 restart to take effect
 <Directory /srv/www/htdocs/phpMyAdmin>
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthName "phpMyAdmin -- Authorized Managers Only -- "
  AuthUserFile /srv/www/passwd/phpmyadmin
  Require valid-user
 </Directory>


=create the password file=
change admin to a valid user name if we already have one and use a client password (that we can give to the client when they request access)
Code:
 mkdir /srv/www/passwd
 htpasswd2 -c /srv/www/passwd/phpmyadmin admin

May be necessary to
Code:
 zypper install thttpd2

*Note: this tossed an error (wrong permissions 2750) but still worked.
*If this fails, try htpasswd instead of htpasswd2

=add more users to it=
Code:
 htpasswd2 /srv/www/passwd/phpmyadmin poundteam
 htpasswd2 /srv/www/passwd/phpmyadmin fred
 htpasswd2 /srv/www/passwd/phpmyadmin bob


=Finish=

Code:
 /etc/init.d/apache2 restart


users will now be required to have a valid user/password from the above file to see any content in the phpMyAdmin folder. :)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Browsing the path with security

Postby bghayad » Sat Oct 05, 2013 4:43 am

Thanks a lot william.

users will now be required to have a valid user/password from the above file to see any content in the phpMyAdmin folder. :)


But which file?

Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Browsing the path with security

Postby bghayad » Sun Oct 06, 2013 9:06 am

OK, I need to modify please on above link:

The password file is recommended to be in a location other than the directory that we need to limit access to, and it will be created with this command, as an example:

htpasswd2 -c /var/spool/asterisk/passwd admin

Also, it will be required to do the proper settings in the file /etc/apache2/conf.d/vicirecord.conf (recommended to take a backup copy of it before modifying it). Below is an example of the file vicirecord.conf:

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

<Directory "/var/spool/asterisk/monitorDONE">
  Options Indexes MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthName "MP3 Team Leader Only"
  AuthUserFile /var/spool/asterisk/passwd
  Require valid-user
  <files *.mp3>
    Forcetype application/forcedownload
  </files>
</Directory>


Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm
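
An added example, not part of the original posts or of ViciBox: a small Python check run over constructed copies of the two vicirecord.conf versions in this thread. It flags a <Directory> block with no authentication, a password file stored inside the served directory, and the Apache 2.2 combination of "Satisfy Any" with "Allow from all", which lets requests through without a password. The function name audit and the finding codes are assumptions for illustration, and only absolute AuthUserFile paths are handled.

```python
import posixpath
import re

# Constructed samples: the two vicirecord.conf versions posted in this thread.
OPEN_CONF = '''Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
<files *.mp3>
Forcetype application/forcedownload
</files>
</Directory>
'''
AUTH_LINES = ('AuthType Basic\nAuthName "MP3 Team Leader Only"\n'
              'AuthUserFile /var/spool/asterisk/passwd\nRequire valid-user\n')
PROTECTED_CONF = OPEN_CONF.replace("<files", AUTH_LINES + "<files")

DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)

def audit(conf):
    """Return sorted finding codes (hypothetical names) for every <Directory> block."""
    findings = set()
    for path, body in DIR_RE.findall(conf):
        root = posixpath.normpath(path)
        d = {}  # directive name (lower-cased) -> argument string
        for line in body.splitlines():
            name, _, arg = line.strip().partition(" ")
            if name and name[0] not in "#<":  # skip comments and nested section tags
                d[name.lower()] = arg.strip().strip('"')
        has_auth = all(k in d for k in ("authtype", "authuserfile", "require"))
        if not has_auth:
            findings.add("no-auth")
            if "indexes" in d.get("options", "").lower().split():
                findings.add("open-listing")
        # Apache 2.2: "Satisfy Any" plus "Allow from all" skips the password.
        if d.get("satisfy", "").lower() == "any" and d.get("allow", "").lower() == "from all":
            findings.add("satisfy-any-bypass")
        # The password file must not sit inside the directory being served.
        pw = posixpath.normpath(d.get("authuserfile", "/"))
        if "authuserfile" in d and (pw + "/").startswith(root + "/"):
            findings.add("passwd-in-served-dir")
    return sorted(findings)

if __name__ == "__main__":
    print("original:", audit(OPEN_CONF))
    print("revised: ", audit(PROTECTED_CONF))
```
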

Re: Browsing the path with security

Postby williamconley » Sun Oct 06, 2013 6:30 pm

bghayad wrote: Thanks a lot william.

users will now be required to have a valid user/password from the above file to see any content in the phpMyAdmin folder. :)

Following the instructions would place the passwords in /srv/www/passwd/phpmyadmin by using the commands mentioned previously.

Be careful to execute with "-c" only once. That creates the file. If you do that again for a second user, you'll delete the first user. So skip the -c to add new users.
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Browsing the path with security

Postby bghayad » Tue Oct 08, 2013 8:38 am

OK thanks, it worked, but I am facing one problem:

After login for the recording page at the link http://192.168.28.254/RECORDINGS/MP3/ and entering the username and password, then each time I click on the recording file to download it, it is requesting to enter the username and password again. How can I resolve this? We need only to enter the username and password to login for the main page ONLY and not have it request this even when clicking inside the links in this page (the recorded files).

Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Browsing the path with security

Postby williamconley » Tue Oct 08, 2013 11:05 am

change browsers or turn on cookies. don't use private browsing.

this is not related to the "page", it is related to the security for the files in that folder.
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

