Configuring Apache2 as a Reverse Websocket Proxy for Asterisk
For external access to the SIP server, we need to create an SSL-protected reverse proxy for a websocket connection. The SIP server should never be exposed directly to the public, which is why the proxy is needed.
Whatever port you choose for your websocket proxy, you must first tell Apache to listen on that port. For this example, we will use port 8888. Edit the file /etc/apache2/ports.conf to look like the following (assuming you will also have a web server listening on ports 80 and 443):
Listen 80
<IfModule ssl_module>
    Listen 443
    Listen 8888
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
    Listen 8888
</IfModule>
Create a new Apache site, for example "phone-proxy", by creating the file /etc/apache2/sites-available/phone-proxy.conf and adapting the code below as its contents. Asterisk typically listens for websocket connections on port 8089, so we will proxy to that:
# Needs mod_ssl, mod_proxy and mod_proxy_wstunnel to be enabled.
<VirtualHost *:8888>
    ServerName << SERVICENAME.ORGNAME.TLD >>
    ServerAdmin << IT ADMIN EMAIL ADDRESS >>
    DocumentRoot /var/www/
    # Only requests under /_proxy are forwarded to the Asterisk websocket endpoint.
    <Location /_proxy>
        ProxyPass wss://<< FQDN OF THE ASTERISK SERVER >>:8089/ws
        ProxyPassReverse wss://<< FQDN OF THE ASTERISK SERVER >>:8089/ws
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # debug is verbose; useful while setting up the proxy.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    # SSLEngine terminates TLS for clients; SSLProxyEngine enables TLS to the wss:// backend.
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/ssl/certs/<< CERTIFICATE FILE >>.pem
    SSLCertificateKeyFile /etc/ssl/private/<< CERTIFICATE KEY FILE >>.key
    SSLCertificateChainFile /etc/ssl/certs/<< OPTIONAL CERTIFICATE CHAIN FILE >>.crt
</VirtualHost>
You will then need to run the command "a2ensite phone-proxy" and restart Apache with "systemctl restart apache2". The Apache log should show no errors, and running the command "netstat -tulpn" (from the net-tools package) should now show the server listening on port 8888.
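
The netstat check above can be scripted. The following is an added example, not part of the original page: it reads "netstat -tulpn" output, confirms that port 8888 is listening, and warns when port 8089 is bound to all interfaces. It assumes Asterisk runs on the same host as Apache; the function name, variable names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify listeners in
# `netstat -tulpn` output. Ports 8888 and 8089 are the page's values.
PROXY_PORT=8888      # Apache websocket proxy port
ASTERISK_PORT=8089   # Asterisk websocket port

# Constructed sample output, for trying the function offline.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:8888     0.0.0.0:*        LISTEN  1234/apache2
tcp        0      0 0.0.0.0:8089     0.0.0.0:*        LISTEN  900/asterisk'

# Reads netstat output on stdin and prints findings. Exit status:
#   0  proxy port listening, Asterisk port not bound to all interfaces
#   1  nothing listening on the proxy port
#   2  Asterisk port bound to a wildcard address, so it is reachable
#      without the proxy unless a firewall blocks it
check_listeners() {
    awk -v proxy="$PROXY_PORT" -v ast="$ASTERISK_PORT" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (port == proxy) {
                up = 1
                print "OK: proxy listening on " $4
            }
            if (port == ast && (host == "0.0.0.0" || host == "::")) {
                exposed = 1
                print "WARNING: port " ast " bound to all interfaces: " $4
            }
        }
        END {
            if (!up) { print "ERROR: nothing listening on port " proxy; exit 1 }
            if (exposed) exit 2
        }'
}

# On the proxy host:  netstat -tulpn | check_listeners
# Offline:            printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners
```

If Asterisk runs on a separate host, run the same check there; a bind of 8089 to a specific internal address passes, and only a wildcard bind is flagged.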