Background

Initial ticket: WMS-3985

To prevent cross-site data interception, an 'Origin' header whitelist has been implemented for API queries.

Technical Details

Whitelist can be configured in WMS Settings > PBX > Security

Settings are stored in /rw2/etc/pbx/http-security.conf

Several domains can be configured, e.g.

...



Info

This Admin Instruction explains how to configure domain whitelist to protect PBX from cross-site request forgery (CSRF) attacks.

Created: April 2018

Updated: May 2024

Permalink: https://wildix.atlassian.net/wiki/x/dAvOAQ


Warning

IMPORTANT: Trusted domains must be added to a domain whitelist! Please note that any Web API / PBX API integration will stop working if the domain is not added.


Warning

If you are using firewalls, make sure the following pool of IP addresses is present in your whitelist for access to Wildix microservices:

3.122.16.10
3.122.188.91
3.122.21.65
3.122.78.100 


Introduction

The main purpose of adding domains to a whitelist is to protect PBX from cross-site request forgery (CSRF) attacks.

How it works:
By default, browsers restrict web requests to the current origin under the same-origin policy. The same-origin policy is a key security standard implemented by web browsers to prevent a page from making requests to a different origin (e.g. a different domain) than the one it was served from. At the same time, the same-origin policy also prevents legitimate interactions between a server and clients from a known and trusted origin.

To allow such interactions, Cross-Origin Resource Sharing (CORS) is used. It is a standard that allows cross-domain requests. CORS can be defined as a set of headers that let a browser and a server agree on which requests are and are not allowed. The simplest way is to check that the request originates from a trusted site, using the Origin request header. For example:

    Origin: https://pbx_name.wildixin.com


If the server decides that the request should be allowed, it sends the Access-Control-Allow-Origin header with the same origin that was sent. For example:

    Access-Control-Allow-Origin: https://pbx_name.wildixin.com


If this header is missing or the origins don't match, the browser does not allow the request. If the origins match, the browser processes the request.

Configuration of Domain Whitelist

Whitelist is configured in WMS -> PBX -> Security -> CORS.

To configure a domain whitelist:

  1. Enter an IP address or domain name and click + to add the value.

    Supported formats of IP address / domain name:

    • http://<domain or IP address> / https://<domain or IP address>
    • http://<domain or IP address>:port / https://<domain or IP address>:port

    Examples:

    • https://testpbx.wildixin.com/
    • https://testpbx.wildixin.com:4443/
    • http://testpbx.wildixin.com/

    It is also possible to add patterns using the asterisk symbol "*", which stands for any run of letters, numbers and dashes. Examples:

    • https://*.wildixin.com
    • *://*.wildixin.com
    • https://*.*.wildixin.com


    Note: IP ranges can't be specified here; enter one IP address per entry.

    Attention: Wildix Portal "https://pbx.wildix.com/" and Wildix Chrome Extension "https://chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn" are hardcoded in the whitelist, so there is no need to add them.

    During feature implementation the following changes were made:

      • responses can no longer be loaded in an iframe: the 'X-Frame-Options' header is set to 'DENY'
      • cross-domain requests to the Collaboration scripts are blocked:
        • /collaboration/index.php
        • /features/features_user.php
      • all requests with Origin 'https://pbxs.wildix.com' are allowed
      • API requests whose Origin is not in the whitelist receive an empty response


  2. After you enter all the values, click Save.

To delete a value from the list, click X.


Note

Note: Starting from WMS 6.04.20230803.1, the domain whitelist is also used to allow access to files (call recordings, voicemails, faxes). See the documentation: How to download files via different authorization types and CORS domain whitelisting.
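As an added illustration (not Wildix's code) of the Origin / Access-Control-Allow-Origin exchange from the Introduction and of the whitelist entry formats in step 1, the following Python sketch matches a browser's Origin header against constructed entries and returns the headers an API response would carry. It assumes that "*" stands for exactly one run of letters, digits and dashes (so it never spans a dot, colon or slash), that a trailing "/" in an entry is ignored, that the hardcoded Portal and Chrome extension origins are always allowed, and that a missing or malformed Origin is treated as untrusted.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed whitelist using the entry formats listed on this page.
WHITELIST = [
    "https://testpbx.wildixin.com/",
    "https://testpbx.wildixin.com:4443/",
    "https://*.wildixin.com",
    "*://*.wildixin.com",
    "https://*.*.wildixin.com",
]

# Origins the page says are hardcoded; the extension id is from the page,
# the chrome-extension:// origin form is assumed.
HARDCODED = [
    "https://pbx.wildix.com/",
    "chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn",
]

# Assumed meaning of "*": one run of letters, digits and dashes.
_STAR = r"[A-Za-z0-9-]+"

def _entry_regex(entry: str) -> "re.Pattern[str]":
    """Turn one whitelist entry into an anchored, case-insensitive regex."""
    literal_parts = entry.strip().rstrip("/").split("*")
    return re.compile(_STAR.join(map(re.escape, literal_parts)) + r"\Z", re.I)

def normalize_origin(origin: str) -> Optional[str]:
    """Reduce a raw Origin header to scheme://host[:port]; None if malformed."""
    p = urlsplit(origin.strip())
    if not p.scheme or not p.netloc or "@" in p.netloc or p.path not in ("", "/"):
        return None  # covers "null", bare hosts and anything carrying a path
    return f"{p.scheme}://{p.netloc}".lower()

def is_trusted(origin: str, whitelist=WHITELIST) -> bool:
    """True if the Origin matches a hardcoded entry or a configured one."""
    norm = normalize_origin(origin)
    if norm is None:
        return False
    return any(_entry_regex(e).match(norm) for e in HARDCODED + list(whitelist))

def api_response(origin: Optional[str], whitelist=WHITELIST):
    """Apply the page's rule: echo a trusted Origin, otherwise send an empty body."""
    headers = {"X-Frame-Options": "DENY"}  # responses may never be framed
    if origin is not None and is_trusted(origin, whitelist):
        headers["Access-Control-Allow-Origin"] = origin.strip()
        headers["Vary"] = "Origin"  # added here: the allow header depends on Origin
        return headers, '{"result": "ok"}'
    return headers, ""
```

Because "*" never matches a dot, "https://*.wildixin.com" does not admit "https://a.b.wildixin.com"; the separate "https://*.*.wildixin.com" entry covers that case, and a port suffix only matches when the entry names it.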


