mirror of
https://github.com/asterisk/asterisk.git
synced 2026-07-05 22:32:32 -07:00
f233bcd81d
This change exposes the configuration of various aspects of the TLS support and sets the default to the modern standards. The TLS cipher is now set to the best values according to the Mozilla OpSec team, different TLS versions can now be disabled, and the cipher order can be forced to be that of the server instead of the client. ASTERISK-24972 #close Change-Id: I7485bc48585979a93a131b01d435e54e6e7d5b97
108 lines
4.4 KiB
Plaintext
108 lines
4.4 KiB
Plaintext
;
|
|
; Asterisk Builtin mini-HTTP server
|
|
;
|
|
;
|
|
; Note about Asterisk documentation:
|
|
; If Asterisk was installed from a tarball, then the HTML documentation should
|
|
; be installed in the static-http/docs directory which is
|
|
; (/var/lib/asterisk/static-http/docs) on linux by default. If the Asterisk
|
|
; HTTP server is enabled in this file by setting the "enabled", "bindaddr",
|
|
; and "bindport" options, then you should be able to view the documentation
|
|
; remotely by browsing to:
|
|
; http://<server_ip>:<bindport>/static/docs/index.html
|
|
;
|
|
[general]
|
|
;
|
|
; Whether HTTP/HTTPS interface is enabled or not. Default is no.
|
|
; This also affects manager/rawman/mxml access (see manager.conf)
|
|
;
|
|
;enabled=yes
|
|
;
|
|
; Address to bind to, both for HTTP and HTTPS. You MUST specify
|
|
; a bindaddr in order for the HTTP server to run. There is no
|
|
; default value.
|
|
;
|
|
bindaddr=127.0.0.1
|
|
;
|
|
; Port to bind to for HTTP sessions (default is 8088)
|
|
;
|
|
;bindport=8088
|
|
;
|
|
; Prefix allows you to specify a prefix for all requests
|
|
; to the server. The default is blank. If uncommented
|
|
; all requests must begin with /asterisk
|
|
;
|
|
;prefix=asterisk
|
|
;
|
|
; sessionlimit specifies the maximum number of httpsessions that will be
|
|
; allowed to exist at any given time. (default: 100)
|
|
;
|
|
;sessionlimit=100
|
|
;
|
|
; session_inactivity specifies the number of milliseconds to wait for
|
|
; more data over the HTTP connection before closing it.
|
|
;
|
|
; Default: 30000
|
|
;session_inactivity=30000
|
|
;
|
|
; Whether Asterisk should serve static content from http-static
|
|
; Default is no.
|
|
;
|
|
;enablestatic=yes
|
|
;
|
|
; Redirect one URI to another. This is how you would set a
|
|
; default page.
|
|
; Syntax: redirect=<from here> <to there>
|
|
; For example, if you are using the Asterisk-gui,
|
|
; it is convenient to enable the following redirect:
|
|
;
|
|
;redirect = / /static/config/index.html
|
|
;
|
|
; HTTPS support. In addition to enabled=yes, you need to
|
|
; explicitly enable tls, define the port to use,
|
|
; and have a certificate somewhere.
|
|
;tlsenable=yes ; enable tls - default no.
|
|
;tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
|
|
;
|
|
;tlscertfile=</path/to/certificate.pem> ; path to the certificate file (*.pem) only.
|
|
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
|
|
; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
|
|
; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
|
|
;
|
|
;
|
|
; To produce a certificate you can e.g. use openssl. This places both the cert and
|
|
; private in same .pem file.
|
|
; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
|
|
;
|
|
; tlscipher= ; The list of allowed ciphers
|
|
; ; if none are specified the following cipher
|
|
; ; list will be used instead:
|
|
; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
|
|
; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
|
|
; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
|
|
; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
|
|
; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
|
|
; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
|
|
; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
|
|
; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
|
|
; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
|
;
|
|
; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
|
|
; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
|
|
; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
|
|
;
|
|
; tlsservercipherorder=yes ; Use the server preference order instead of the client order
|
|
; ; Defaults to "yes"
|
|
;
|
|
; The post_mappings section maps URLs to real paths on the filesystem. If a
|
|
; POST is done from within an authenticated manager session to one of the
|
|
; configured POST mappings, then any files in the POST will be placed in the
|
|
; configured directory.
|
|
;
|
|
;[post_mappings]
|
|
;
|
|
; In this example, if the prefix option is set to "asterisk", then using the
|
|
; POST URL: /asterisk/uploads will put files in /var/lib/asterisk/uploads/.
|
|
;uploads = /var/lib/asterisk/uploads/
|
|
;
|