This change exposes configuration for various aspects of the TLS support and sets the defaults to modern standards. The TLS cipher list now defaults to the values recommended by the Mozilla OpSec team, individual TLS versions can now be disabled, and the cipher order can be forced to be the server's rather than the client's. ASTERISK-24972 #close Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
		
			
				
	
	
		
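;
; Asterisk Builtin mini-HTTP server
;
; This file is read by Asterisk's own config parser, not a generic INI
; library: ';' starts a comment anywhere on a line, so the trailing
; comments used below are safe here but would become part of the value
; under many other INI parsers. All keys live under [general].
;
; Operator notes on exposure:
;   - The HTTP server also carries manager (AMI) access (see manager.conf),
;     so every bind decision below is an exposure decision. Keep bindaddr
;     on a loopback or management-only address unless TLS is enabled and
;     the port is reachable only from trusted networks.
;   - Plain HTTP carries the AMI mansession_id cookie and any credentials
;     in the clear; prefer the tlsenable/tlsbindaddr listener for anything
;     that crosses a network boundary.
;
; Note about Asterisk documentation:
;   If Asterisk was installed from a tarball, then the HTML documentation should
;   be installed in the static-http/docs directory which is
;   (/var/lib/asterisk/static-http/docs) on linux by default.  If the Asterisk
;   HTTP server is enabled in this file by setting the "enabled", "bindaddr",
;   and "bindport" options, then you should be able to view the documentation
;   remotely by browsing to:
;       http://<server_ip>:<bindport>/static/docs/index.html
;
[general]
;
; The name of the server, advertised in both the Server field in HTTP
; response message headers, as well as the <address /> element in certain HTTP
; response message bodies. If not furnished here, "Asterisk/{version}" will be
; used as a default value for the Server header field and the <address />
; element. Setting this property to a blank value will result in the omission
; of the Server header field from HTTP response message headers and the
; <address /> element from HTTP response message bodies.
;
; A blank value reduces what a remote scanner can learn from the banner;
; it is not a substitute for restricting bindaddr.
;
servername=Asterisk
;
; Whether HTTP/HTTPS interface is enabled or not.  Default is no.
; This also affects manager/rawman/mxml access (see manager.conf)
;
;enabled=yes
;
; Address to bind to, both for HTTP and HTTPS. You MUST specify
; a bindaddr in order for the HTTP server to run. There is no
; default value.
;
; 127.0.0.1 limits plain-HTTP access to the local host. Binding to
; 0.0.0.0 exposes the HTTP interface, and with it manager access, on
; every interface; do that only behind a firewall and with TLS enabled.
;
bindaddr=127.0.0.1
;
; Port to bind to for HTTP sessions (default is 8088)
;
;bindport=8088
;
; Prefix allows you to specify a prefix for all requests
; to the server.  The default is blank.  If uncommented
; all requests must begin with /asterisk
;
;prefix=asterisk
;
; sessionlimit specifies the maximum number of httpsessions that will be
; allowed to exist at any given time. (default: 100)
;
; Together with session_inactivity and session_keep_alive below this
; bounds how many idle connections can tie up the server; consider
; lowering it if the server is reachable from untrusted networks.
;
;sessionlimit=100
;
; session_inactivity specifies the number of milliseconds to wait for
; more data over the HTTP connection before closing it.
;
; Default: 30000
;session_inactivity=30000
;
; session_keep_alive specifies the number of milliseconds to wait for
; the next HTTP request over a persistent connection.
;
; Set to 0 to disable persistent HTTP connections.
; Default: 15000
;session_keep_alive=15000
;
; Whether Asterisk should serve static content from static-http
; Default is no.
;
; Leave disabled unless the bundled docs or GUI are needed: everything
; under static-http becomes readable by anyone who can reach bindaddr.
;
;enablestatic=yes
;
; Redirect one URI to another.  This is how you would set a
; default page.
;   Syntax: redirect=<from here> <to there>
; For example, if you are using the Asterisk-gui,
; it is convenient to enable the following redirect:
;
;redirect = / /static/config/index.html
;
; HTTPS support. In addition to enabled=yes, you need to
; explicitly enable tls, define the port to use,
; and have a certificate somewhere.
;
; The example tlsbindaddr below listens on all interfaces; narrow it to
; the management address where possible. Enabling TLS adds an HTTPS
; listener but does not remove the plain HTTP listener on bindaddr and
; bindport, so keep bindaddr restricted as well.
;
;tlsenable=yes          ; enable tls - default no.
;tlsbindaddr=0.0.0.0:8089    ; address and port to bind to - default is bindaddr and port 8089.
;
;tlscertfile=</path/to/certificate.pem>  ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
;
; Use absolute paths: "current directory" depends on how Asterisk was
; started, and a relative path can silently resolve to the wrong file.
; The private key (or the combined .pem) should be readable only by the
; user Asterisk runs as.
;
; To produce a certificate you can e.g. use openssl. This places both the cert and
; private key in the same .pem file.
; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
;
; The command above yields a self-signed certificate with an unencrypted
; private key (-nodes) written to /tmp; treat it as test material only and
; use a CA-issued certificate stored outside /tmp for production.
;
; tlscipher=                             ; The list of allowed ciphers
;                                        ; if none are specified the following cipher
;                                        ; list will be used instead:
; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
;
; The default list is ordered strongest first but, for compatibility with
; older clients, still admits CBC suites, 3DES (DES-CBC3-SHA), CAMELLIA and
; the non-forward-secret AES*-SHA/AES*-GCM suites near the end. If only
; modern clients connect, set tlscipher explicitly to an ECDHE/AEAD-only
; list (OpenSSL cipher-list syntax).
;
; tlsdisablev1=yes                ; Disable TLSv1 support - if not set this defaults to "yes"
; tlsdisablev11=yes               ; Disable TLSv1.1 support - if not set this defaults to "no"
; tlsdisablev12=yes               ; Disable TLSv1.2 support - if not set this defaults to "no"
;
; TLSv1.1 stays enabled by default; set tlsdisablev11=yes unless a known
; client still needs it. Disabling every version listed here leaves the
; HTTPS listener with nothing to negotiate.
;
; tlsservercipherorder=yes        ; Use the server preference order instead of the client order
;                                 ; Defaults to "yes"
;
; Keep this at "yes" so the ordering of tlscipher decides which suite is
; negotiated rather than the client's preference.
;
; The post_mappings section maps URLs to real paths on the filesystem.  If a
; POST is done from within an authenticated manager session to one of the
; configured POST mappings, then any files in the POST will be placed in the
; configured directory.
;
;[post_mappings]
;
; NOTE: You need a valid HTTP AMI mansession_id cookie with the manager
; config permission to POST files.
;
; Point a mapping only at a dedicated directory that is not under
; static-http, is not on an executable path, and is writable solely by the
; Asterisk user: every manager login with config permission can write there.
;
; In this example, if the prefix option is set to "asterisk", then using the
; POST URL: /asterisk/uploads will put files in /var/lib/asterisk/uploads/.
;uploads = /var/lib/asterisk/uploads/
;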