Differences
This shows you the differences between two versions of the page.
| — |
litespeed_wiki:cpanel:https_500_errors [2015/07/20 14:46] (current) Michael Alegre created |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ===== Restricting cPanel Access to HTTPS ===== | ||
| + | The default way for restricting cPanel or WHM access to HTTPS with Apache requires proxying to a backend via HTTPS. LSWS does not allow this. If you try to redirect traffic through LSWS to cPanel on the backend via HTTPS, you will get 500 errors and entries like the following in your error log: | ||
| + | |||
| + | [ERROR] [REWRITE] Absolute URL with leading 'http://' is required for proxy, URL: https://127.0.0.1:2083/ | ||
| + | |||
| + | Instead, we recommend that you use iptables to block access on the necessary ports. This wiki will take you through the steps for setting this up. | ||
| + | ==== Step 1: Remove HTTPS Proxy Settings ==== | ||
| + | |||
| + | You are going to need to remove the old rules and settings that asked LSWS to proxy to a backend via HTTPS. | ||
| + | |||
| + | === Update Your cPanel Templates === | ||
| + | |||
| + | Under ''/var/cpanel/templates/apache2_2/main.default'' comment out the following rewrite rules: | ||
| + | |||
| + | RewriteCond %{HTTP_HOST} ^cpanel\. | ||
| + | RewriteCond %{HTTPS} on | ||
| + | RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P] | ||
| + | RewriteCond %{HTTP_HOST} ^webmail\. | ||
| + | RewriteCond %{HTTPS} on | ||
| + | RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P] | ||
| + | RewriteCond %{HTTP_HOST} ^whm\. | ||
| + | RewriteCond %{HTTPS} on | ||
| + | RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P] | ||
| + | RewriteCond %{HTTP_HOST} ^webdisk\. | ||
| + | RewriteCond %{HTTPS} on | ||
| + | RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P] | ||
| + | |||
| + | === Don't Redirect to SSL === | ||
| + | |||
| + | In WHM, turn off Always redirect to SSL (WHM Home > Server Configuration > Tweak Settings). | ||
| + | |||
| + | ==== Step 2: Use iptables to Limit Access to HTTPS Ports ==== | ||
| + | |||
| + | If we block off the ports that allow HTTP access to cPanel services, we thus require users to use HTTPS. The following iptables settings will block HTTP access to different cPanel services except from 127.0.0.1 (which is probably safe to allow). Place these rules in ''/etc/rc.d/rc.local'' to have them apply automatically every time the server reboots: | ||
| + | |||
| + | #cPanel is accessed via HTTP through port 2082 | ||
| + | iptables -A INPUT -p tcp --dport 2082 -s 127.0.0.1 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 2082 -j DROP | ||
| + | | ||
| + | #WHM is accessed via HTTP through port 2086 | ||
| + | iptables -A INPUT -p tcp --dport 2086 -s 127.0.0.1 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 2086 -j DROP | ||
| + | | ||
| + | #Webmail is accessed via HTTP through port 2095 | ||
| + | iptables -A INPUT -p tcp --dport 2095 -s 127.0.0.1 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 2095 -j DROP | ||
| + | | ||
| + | #Web Disk is accessed via HTTP through port 2077 | ||
| + | iptables -A INPUT -p tcp --dport 2077 -s 127.0.0.1 -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 2077 -j DROP | ||
| + | |||
| + | Now users will only be able to access cPanel (and other services) via HTTPS. | ||