kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2026-04-22 05:50:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
46292c9a456a339ab53a1ecbecb32a53bf3c981d
asterisk/configs/samples/http.conf.sample
Mike Bradeen 46292c9a45 acl: Add ACL support to http and ari 
Add uri prefix based acl support to the built in http server.
This allows an acl to be added per uri prefix (ie '/metrics'
or '/ws') to restrict access.

Add user based acl support for ARI. This adds new acl options
to the user section of ari.conf to restrict access on a per
user basis.

resolves: #1799

UserNote: A new section, type=restriction has been added to http.conf
to allow an uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users access. See ari.conf.sample for examples and more
information
2026-03-05 12:52:43 +00:00

170 lines
6.5 KiB
Plaintext
Raw Blame History

;
; Asterisk Built-in mini-HTTP server
;
;
; Note about Asterisk documentation:
; If Asterisk was installed from a tarball, then the HTML documentation should
; be installed in the static-http/docs directory which is
; (/var/lib/asterisk/static-http/docs) on linux by default. If the Asterisk
; HTTP server is enabled in this file by setting the "enabled", "bindaddr",
; and "bindport" options, then you should be able to view the documentation
; remotely by browsing to:
; http://<server_ip>:<bindport>/static/docs/index.html
;
[general]
;
; The name of the server, advertised in both the Server field in HTTP
; response message headers, as well as the <address /> element in certain HTTP
; response message bodies. If not furnished here, "Asterisk/{version}" will be
; used as a default value for the Server header field and the <address />
; element. Setting this property to a blank value will result in the omission
; of the Server header field from HTTP response message headers and the
; <address /> element from HTTP response message bodies.
;
servername=Asterisk
;
; Whether HTTP/HTTPS interface is enabled or not. Default is no.
; This also affects manager/rawman/mxml access (see manager.conf)
;
;enabled=yes
;
; Address to bind to, both for HTTP and HTTPS. You MUST specify
; a bindaddr in order for the HTTP server to run. There is no
; default value.
;
bindaddr=127.0.0.1
;
; Port to bind to for HTTP sessions (default is 8088)
;
;bindport=8088
;
; Prefix allows you to specify a prefix for all requests
; to the server. The default is blank. If uncommented
; all requests must begin with /asterisk
;
;prefix=asterisk
;
; sessionlimit specifies the maximum number of httpsessions that will be
; allowed to exist at any given time. (default: 100)
;
;sessionlimit=100
;
; session_inactivity specifies the number of milliseconds to wait for
; more data over the HTTP connection before closing it.
;
; Default: 30000
;session_inactivity=30000
;
; session_keep_alive specifies the number of milliseconds to wait for
; the next HTTP request over a persistent connection.
;
; Set to 0 to disable persistent HTTP connections.
; Default: 15000
;session_keep_alive=15000
;
; Whether Asterisk should serve static content from static-http
; Default is no.
;
;enable_static=yes
;
; Whether Asterisk should serve a status page showing the running
; configuration of this built-in HTTP server.
; Default is no.
;
;enable_status=yes
;
; Redirect one URI to another. This is how you would set a
; default page.
; Syntax: redirect=<from here> <to there>
; For example, if you are using the Asterisk-gui,
; it is convenient to enable the following redirect:
;
;redirect = / /static/config/index.html
;
; HTTPS support. In addition to enabled=yes, you need to
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
;tlsenable=yes ; enable tls - default no.
;tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
;
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
;
; To produce a certificate you can e.g. use openssl. This places both the cert and
; private in same .pem file.
; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
;
; tlscipher= ; The list of allowed ciphers
; ; if none are specified the following cipher
; ; list will be used instead:
; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
;
; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
;
; tlsservercipherorder=yes ; Use the server preference order instead of the client order
; ; Defaults to "yes"
;
; The post_mappings section maps URLs to real paths on the filesystem. If a
; POST is done from within an authenticated manager session to one of the
; configured POST mappings, then any files in the POST will be placed in the
; configured directory.
;
;[post_mappings]
;
; NOTE: You need a valid HTTP AMI mansession_id cookie with the manager
; config permission to POST files.
;
; In this example, if the prefix option is set to "asterisk", then using the
; POST URL: /asterisk/uploads will put files in /var/lib/asterisk/uploads/.
;uploads = /var/lib/asterisk/uploads/
;
;[uripath]
;
;type = restriction ; Specifies acl configuration
;
; The following options (permit, deny, acl) allow for an acl to be configured
; on a per uri prefix basis. The first character should be an '/'
;
; The format follows the rules as documented in acl.conf.sample
;
; If no restriction is defined for a given prefix, legacy behavior will apply.
;
; If multiple restrictions apply, any restriction that denies will supersede
; any another restrictions that permit. For example if an /ari restriction
; results in a deny, but an /ari/channels restriction would permit, the
; attempt would still be denied.
;
;deny = ; Deny the subnet access for the given user
;permit = ; Permit the subnet(s) access for the given user
;acl = ; Optional name for the acl.
;
;Examples:
;
; Only allow ari connections from localhost:
;
;[/ari]
;type = restriction
;deny = 0.0.0.0/0
;permit = 127.0.0.1
;acl = localarionly
;
; Only allow metrics to be gathered by 10.0.0.23
;
;[/metrics]
;type = restriction
;deny = 0.0.0.0/0
;permit = 10.0.0.23
;
Reference in New Issue View Git Blame Copy Permalink