Control panel address

The article describes how to configure the addresses where the web interface of the platform will be accessible. You can make settings via the BILLmanager web interface or by modifying configuration files. The settings made in the web interface are added to the ihttpd service configuration file — /usr/local/mgr5/etc/ihttpd.conf.

By default, the platform runs through the built-in web server - ihttpd. The web interface is available at the following address:

https://<server_IP_address>:1500/billmgr

Adding a new address

To add a new address, enter Settings → Control panel address → click Add. Fill in the form:

1. IP address — select the IP address that will be used to accept incoming connections.

2. Port  — specify the port number that will be used to accept incoming connections. If you leave this field blank, the default port of 1500 will be used.

   If you change the port, BILLmanager may become unavailable. Before making the change, open the port you plan to assign to the platform in the OS firewall rules.
3. Forbid HTTP connections — enable the option to redirect all requests to HTTPS. With this option disabled, the built-in web server can accept requests over both HTTP and HTTPS protocols.
   • Port 80 is the default port used in the HTTP protocol.

   • Port 443 is the default port used in the HTTPS protocol.
     

     Do not enable the Deny HTTP connections option in the address settings with 80 and 443 ports at the same time.

     To make the address open through an HTTPS connection, connect an SSL certificate for the address.

     
     

4. Delete IP addresses — enable the option to delete all addresses that are listening on the specified port.

Accessing the interface by domain name

To have the web interface open by domain name, configure:

• ihttpd;
• nginx + ihttpd.

Configuring ihttpd

Ports 1500, 443, 80 are required to access the BILLmanager web interface. If third-party applications are running on the server with the platform, configure access to ports so that they do not overlap with ports for BILLmanager.

If no third-party web applications are planned to run on the server:

1. Change the web server ports to 80 and 443, for example:

   Configuration file /usr/local/mgr5/etc/ihttpd.conf

   listen {
   		ip <address>
   		port 443
   		redirect
   }       
   listen {
          ip <address>
          port 80
          redirect
   }

   Details

   <address> is the public IP address of the server

   With this configuration, ihttpd will accept connections on ports 80 and 443. At the same time, a redirection (redirect) is assigned from port 80 to port 443.

2. After modifying the configuration file, restart the service:

   service ihttpd restart

Configuring nginx + ihttpd

1. Configuring Nginx:

   1. If Nginx is not installed, install it:

      Ubuntu

      apt-get install nginx 

      AlmaLinux

      dnf install nginx

      Open ports on AlmaLinux

      AlmaLinux

      firewall-cmd --zone=public --permanent --add-port=80/tcp
      firewall-cmd --zone=public --permanent --add-port=443/tcp

   2. Add the following lines to the nginx configuration file /etc/nginx/nginx.conf:

      Configuration file /etc/nginx/nginx.conf

      Configuration file nginx

      server {	
      
             listen 10.10.10.10:443 ssl;
             server_name my.domain.com;
             ssl_certificate /usr/local/mgr5/etc/manager.crt;	
             rewrite ^(.*)$ https://$server_name$1 permanent; <!-- add that the web interface of the platform should be opened via the https protocol -->
             ssl_certificate_key /usr/local/mgr5/etc/manager.key; 	
       
             set $mgr_proxy "https://10.10.10.10:1500";         
               
             location ^~ /manimg/ { 		
                    alias /usr/local/mgr5/skins/; 	
             } 	
             
             location / { 		
                      proxy_pass $mgr_proxy; 		
                      proxy_redirect $mgr_proxy /; 		
                      proxy_set_header Host $host:$server_port; 		
                      proxy_set_header X-Forwarded-For $remote_addr; 		
                      proxy_set_header X-Forwarded-Proto $scheme; 		
                      proxy_set_header X-Real-IP $remote_addr;                
                      proxy_set_header X-Forwarded-Secret mary123;  		
                      chunked_transfer_encoding off; 
       	}
      
       	location ^~ /mancgi/ {
      	        proxy_pass $mgr_proxy;
      	        proxy_redirect $mgr_proxy /;
      	        proxy_set_header Host $host:$server_port;
      	        proxy_set_header X-Forwarded-For $remote_addr; 
                      proxy_set_header X-Forwarded-Proto $scheme;
      	        proxy_set_header X-Real-IP $remote_addr;
      	        proxy_set_header X-Forwarded-Secret mary123; <!-- secret phrase ForwardedSecret -->
                  chunked_transfer_encoding off;
      	}
      }

      Click here to expand...

      my.domain.com — domain name used as an example. In its place, insert the acquired domain

      ForwardedSecret — in case of Nginx, this is a set of letters and numbers that represent the key. This key is used when verifying authentication against a limited list of IP addresses. Required to protect against unauthorized authentication attempts.

      The secret phrase must match in the configuration files:

      • Nginx — directive proxy_set_header X-Forwarded-Secret;
      • BILLmanager — directive ForwardedSecret;
      • COREmanager — directive ForwardedSecret.
   3. Add the secret phrase to the BILLmanager configuration file /usr/local/mgr5/etc/billmgr.conf to the directive ForwardedSecret.
   4. Add the secret phrase to the COREmanager configuration file /usr/local/mgr5/etc/core.conf в директиву ForwardedSecret.

   5. After editing the configuration files, restart the platform:

      /usr/local/mgr5/sbin/mgrctl -m billmgr exit

   6. Restart Nginx:

      service nginx restart

2. Configuring ihttpd. To avoid cyclic redirection:
   1. Delete the line with the value "redirect" in the ihttpd configuration file /usr/local/mgr5/etc/ihttpd.conf.

   2. Restart the service:

      service ihttpd restart

SSL certificates of the address

You can add SSL certificates for addresses or domain name (support is required for Server Name Indication) of the platform.

SSL certificates for platform addresses are required to be able to access the web interface via HTTPS by IP address or domain name.

To manage SSL certificates in the platform, enter Settings → Control panel address → click Certificates.

Adding a Let's Encrypt certificate

Let's Encrypt is a non-profit certifying authority that provides free X.509 certificates for TLS encryption. Encryption is accomplished through an automated process. Certificate creation, verification, signing, installation and renewal are performed automatically. For more details, visit the official website of the service Let’s Encrypt.

Main limitations of Let's Encrypt:

• you can order 50 certificates per week (top-level domain (TLD), including its subdomains);
• Let's Encrypt certificate validity period is 3 months. This means that Let's Encrypt certificates will be reissued every 3 months.

There are other limitations as well. Read more in the Let’s Encrypt documentation.

To add a certificate, enter Settings → Control panel address → click Certificates → click Add:

1. Certificate type — the method of SSL certificate creation. Select "Let`s Encrypt certificate".
2. Domain name — Specify the domain names in the certificate.
3. IP-address — select the platform address to which the certificate will be bound. The list displays the IP addresses that are configured in the Control panel address section.

When ordering a certificate in the directory /usr/local/mgr5/www/letsencrypt/.well-known/acme-challenge:

1. A file with the token and validation data is created. The Let's Encrypt verification service performs a query on the domain name and reads this token.

2. After the SSL certificate is issued, a task is added to the scheduler to check if the SSL certificate needs to be renewed:

   0 0 * * * "/usr/local/mgr5/etc/scripts/acmesh"/acme.sh --cron --home "/usr/local/mgr5/etc/scripts/acmesh" > /dev/null

When issuing multiple certificates for third-level domain names and above, an error may occur when issuing a certificate for a large number of subdomains. This is a limitation of Let's Encrypt, certificate issuance will continue after some time (usually within a day).

Supports operation together with Apache and Nginx web servers. If no web server is running, an embedded server is started that will accept requests from Let's Encrypt during domain validation.

Adding an existing certificate

When adding an existing certificate, domain and IP address matching is not checked. In case of a mismatch between the domain name and IP address, such certificate will be marked with a corresponding icon in the list.

To add a certificate, enter Settings → Control panel address → click Certificates → click Add:

1. Certificate type — select "Existing certificate".
2. Domain name — the domain name for which the SSL certificate will be issued. The field is not available for modification, the value will be taken from the certificate.
3. IP-address — select the platform address to which the SSL Certificate will be bound. The list displays the IP addresses that are configured in Settings → Panel addresses.
4. SSL-certificate — specify your SSL certificate.
5. SSL-certificate key — specify the key of your SSL certificate.
6. SSL-certificate chain — specify the SSL certificate chain to be added to the certificate file.

Configuring a certificate for multiple ports

Let's Encrypt only issues a certificate per domain, not per port. If you need to specify a separate domain for each port, you can use separate certificates for that.

To prescribe a certificate for multiple ports:

1. Add sections for the required ports to the configuration file /usr/local/mgr5/etc/ihttpd.conf:

   listen {
           ip <address>
           redirect
           sni {
                   domain_cert etc/manager.crt
                   domain_key etc/manager.key
                   domains bill.domain.ru
           }
   }
   
   listen {
           ip <address>
           port 443
           redirect
   
           sni {
                   domain_cert etc/manager.crt
                   domain_key etc/manager.key
                   domains bill.domain.ru
           }        
   }

   Details

   • <address> — public IP address of the server
   • domain_cert etc/manager.crt — path to the certificate chain
   • domain_key etc/manager.key — path to the certificate key
   • bill.domain.ru — your BILLmanager domain

2. Restart ihttpd:

   systemctl restart ihttpd

3. Restart BILLmanager:

   /usr/local/mgr5/sbin/mgrctl -m billmgr -R

Deleting the panel address certificate

To delete an SSL certificate, select it in the list and click Delete. The default self-signed certificate will be used for access by IP address.