Restricting FreePBX Provisioning (/tftpboot) to Specific User Agents/Phone Types

While it is not advisable to expose any provisioning port to the open internet, in some cases this may be a (hopefully) temporary requirement. You can restrict access to the entire /tftpboot folder to certain phone user agents. A user agent can of course be spoofed, but the more specific your agent match, the harder spoofing becomes.

In the example below we allow any phone that presents a user agent starting with "Digium D62" or "Digium D65", i.e. the Digium D62 or D65 models. You can allow multiple phone models by adding more SetEnvIf entries. We use SetEnvIf rather than SetEnvIfNoCase because we want case-sensitive matching. The more specific the agent match, the better.

Edit the file /etc/httpd/conf.d/custom.conf using nano/vim/vi.

Paste in the following and modify for your environment:

# Mark requests whose User-Agent starts with one of the allowed phone models.
# SetEnvIf is case-sensitive; add one line per model you want to allow.
SetEnvIf User-Agent "^Digium D62" phone_endpoint
SetEnvIf User-Agent "^Digium D65" phone_endpoint

# Deny everything under /tftpboot unless the request carried the phone_endpoint mark.
<Directory "/tftpboot">
    Order Deny,Allow
    Deny from all
    Allow from env=phone_endpoint
</Directory>

Once you are done modifying the file, close any open FreePBX dashboard views (if they are left open, the httpd service will take a long time to restart) and execute this command:

service httpd restart

You can test your configuration by overriding Chrome's user agent in the Developer Tools, as shown here.
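As an added example (not part of the original article, and not Apache's or FreePBX's own code), the following Python script mirrors the matching behaviour of the two SetEnvIf lines above so you can see why the anchored, case-sensitive pattern matters, and then scans a few constructed Apache "combined" access-log lines for refused (403) requests under /tftpboot, which is the signal worth watching once the rule is live. The user-agent strings, IP addresses, file names and log lines are all constructed sample data.

```python
import re

# Patterns copied from the SetEnvIf lines in custom.conf:
# anchored with ^ so the User-Agent must START with the model string.
ALLOWED_UA_PATTERNS = (r"^Digium D62", r"^Digium D65")


def is_phone_endpoint(user_agent, case_sensitive=True):
    """Return True when this User-Agent would set the phone_endpoint env var.

    case_sensitive=True mirrors SetEnvIf; False mirrors SetEnvIfNoCase.
    Apache runs an unanchored regex search, so the ^ in the pattern is what
    stops "Mozilla/5.0 (Digium D62)" from being accepted.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    return any(re.search(p, user_agent, flags) for p in ALLOWED_UA_PATTERNS)


def classify_agents(user_agents):
    """Map each UA string to 'allow' or 'deny' under the page's rules."""
    return {ua: ("allow" if is_phone_endpoint(ua) else "deny") for ua in user_agents}


# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def denied_provisioning_requests(log_lines):
    """Return (ip, path, user_agent) for requests under /tftpboot that got a 403.

    A 403 here is either a phone whose User-Agent does not match the rule
    (fix the SetEnvIf line) or an unexpected client probing the provisioning
    directory; both deserve a look.
    """
    hits = []
    for line in log_lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        if m.group("path").startswith("/tftpboot") and m.group("status") == "403":
            hits.append((m.group("ip"), m.group("path"), m.group("ua")))
    return hits


# Constructed sample data (not real phones, addresses or log entries).
SAMPLE_AGENTS = [
    "Digium D62 2.8.6",           # allowed
    "Digium D65 2.8.6",           # allowed
    "digium d62 2.8.6",           # wrong case: denied by SetEnvIf
    "Mozilla/5.0 (Digium D62)",   # model string not at start: denied
    "curl/7.29.0",                # denied
]

SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /tftpboot/000000000000.cfg HTTP/1.1" 200 512 "-" "Digium D62 2.8.6"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /tftpboot/000000000000.cfg HTTP/1.1" 403 199 "-" "curl/7.29.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /tftpboot/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2023:13:57:14 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ua, verdict in classify_agents(SAMPLE_AGENTS).items():
        print(f"{verdict:5} {ua}")
    for ip, path, ua in denied_provisioning_requests(SAMPLE_LOG):
        print(f"403 on {path} from {ip} (UA: {ua})")
```

Run it as-is to see the five sample agents classified and the two refused /tftpboot requests listed; point `denied_provisioning_requests` at the lines of your real access log (on a FreePBX system this is normally under /var/log/httpd/) to review what the rule is actually turning away.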