Web Chat and avoiding hack: using proxy in DMZ

Discussions about new features or changes in existing features

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Web Chat and avoiding hack: using proxy in DMZ

Postby bghayad » Wed May 23, 2018 6:43 am

Hello;

vicibox 7.0.3, vicidial 2.12-15, Build 160508-0139, asterisk 11.22.0-vici, Single Machine

Because the vicidial might have the clients information, so it is important to not place a server in public network or even DMZ network. Also in some cases, it is only allowed to do port forwarding for servers in DMZ zone and these servers should not contain critical data. So I am asking:
Is it possible to have vicidial server in DMZ zone only to handle the web chat request (let us say like proxy) and send this request to internal Vicidial Server which will handle it like any normal web chat request?
I need to protect my self from hackers and it is only allowed to forward from public to DMZ zone and then some trunk to be from DMZ zone to internal server. And it is only allowed to place servers in DMZ that does not have any important data. How I can obtain this?
If it was voice, then I will think to place asterisk in DMZ and having SIP trunk from asterisk to vicidial. How I can do same thing in web chat?
Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby mflorell » Wed May 23, 2018 7:28 am

You don't have to have a vicidial server exposed to the internet at all to do customer web chat. You can place the "chat_customer" web folder on any webserver that has PHP/Mysql on it, you just need to configure the /etc/astguiclient.conf to point through to the VICIdial database server from there.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby bghayad » Wed May 23, 2018 8:25 am

Thank you matt. And as the agent will handle voice calls and web chat, so he will login to the vicidial server which contains the database. It will work fine like this or the agent should login for webserver that contains the chat_customer folder?
One more thing: I am still worry about the hacking possibility from the webserver to the vicidial server that has the database, I know that I can harden it in network and username and password, but is there any certain idea that help to protect between the webserver and the database server?
Please note that I am thinking to place the webserver in DMZ zone and the vicidial server in the internal network.
Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby mflorell » Wed May 23, 2018 9:11 am

You can have multiple web servers in a vicidial cluster, the agent does not have to use the same one as the one you use for customer web chat.

As for security for your cluster, you will find many discussions about that here on the forums. We usually recommend using a firewall with IP whitelisting of only the services you need to be exposed to the outside world to be active.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby bghayad » Wed May 23, 2018 11:07 am

That is fine.
But I am thinking if possible to have trunk (chat trunk) between the webserver that will contains the chat_customer folder and the vicidial server as this might be more secure?
In other words, I am thinking if possible to have same as voice sip trunk between two ip telephone servers.
Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby mflorell » Wed May 23, 2018 11:10 am

That doesn't make much sense to me, the chat web code requires no trunks, just a database connection to the vicidial database.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby bghayad » Wed May 23, 2018 11:26 am

But also we have to allow the network connection between the webserver and the agent computer.
By the way: traffic from customer to agent is encrypted? What are the required ports to be opened between the webserver and the agents?
Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby mflorell » Wed May 23, 2018 12:15 pm

The agent does not need a direct connection to the customer or the chat customer webserver, only the database connection is necessary.

You can set up HTTPS SSL encryption with Apache for web encryption, although you will have to get a valid SSL certificate from a certificate authority.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby bghayad » Wed May 23, 2018 5:00 pm

Thank you matt.
The current server version is vicibox 7.0.3, so do you advise me to upgrade if I need to use web chat or there is no major change related to web chat and no need to upgrade?

One more thing: about inserting the web chat in the website, and I need the chat to happens on the same website screen and not new screen, so all what I have to do is to add iframe code in the website and I have to add the URL path for the file: customer_chat_customer_side.php (http://192.168.1.2/chat_customer/vicidi ... r_side.php), right?

From the other side, and out of this post topic, if I need to place web softphone in the website, so the visitor can use it to talk with us, is there a recommended open source web softphone to be used? I am asking this because still I am talking about the website and because I read before that there is web phone that can be used by the agent.

Regards
Bilal
bghayad
 
Posts: 579
Joined: Sun Jan 01, 2012 4:53 pm

Re: Web Chat and avoiding hack: using proxy in DMZ

Postby mflorell » Wed May 23, 2018 6:09 pm

I would recommend upgrading VICIdial to a more recent svn/trunk revision, but you shouldn't have to upgrade VICIbox.

Yes, you should be able to put the chat customer web page within an IFRAME within your website.

As for WebRTC webphones, we have released our own webphone, but you do need valid signed SSL certs to be loaded on your webservers and Asterisk server for it to work:
https://viciphone.com/
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida


Return to Features

Who is online

Users browsing this forum: No registered users and 21 guests