  #1  
30th April 2012, 13:45
aibara
Securing ACCESS to ISPCONFIG

Hi, I will guide you through using the ISPConfig 3 panel in a secure environment.

The first thing we're going to do is disable access to the ISPConfig panel through all the domains.

Second, I'm going to explain what you should do to install a valid SSL certificate under an ISPConfig installation.

We will also handle the ERROR 400 BAD REQUEST you get if you access ISPConfig with http://

Main information:
Operating System - Linux, Debian
Web Server - Apache 2
SSL certs - Enom.com - The most economical SSL panel I found is approx. 11$ per year; it only validates a domain or subdomain
IP addresses to make virtual servers in Apache with custom SSL.

Let's start


1. Obtaining necessary files
First of all, download all the files under /etc/apache2/sites-available/
and store them in a folder to make a secure backup.

In a normal ISPConfig installation, the .vhost files of the apache2 configuration come with VirtualHost *:80 (so that all IPs respond to the domains). That is OK in normal cases, but we want a secure environment, so we will change all this.

So imagine we currently have 10.10.10.10 as the common IP, and we want to use 11.11.11.11 as the IP for the ISPConfig panel to use SSL.

2. Modifications
First we should change all the client .vhost files, changing

Code:
<VirtualHost *:80>

for

Code:
<VirtualHost 10.10.10.10:80>

Open the ispconfig.vhost file, add Listen 11.11.11.11:ispconfigport at the top, and change the virtual host like this:

Code:
<VirtualHost 11.11.11.11:port>
  ErrorDocument 400 /error.html
  ServerAdmin webmaster@localhost
  ServerName panel.domain.com

You must upload the error.html file to /usr/local/ispconfig/interface/web/
That file should contain a window.location = https://panel.yourdomain.com, to redirect http connections to your panel instead of showing a 400 Bad Request error.


Now we are going to ensure that SSL is disabled for the rest of the domains. I had problems with that, so check it.
Open the file /etc/apache2/ports.conf and make it look something like this:

Code:
NameVirtualHost 10.10.10.10:80
Listen 80

<IfModule mod_ssl.c>
</IfModule>

3. DNS RECORD

Now you should add a new A record in your DNS pointing to 11.11.11.11, for example:
A panel.domain.com 11.11.11.11


4. SSL certificate
Generate the SSL certificate as explained in this post. Remember, the common name must be the subdomain panel.domain.com!!!!

Once you have generated it, go to Enom.com, add your CSR and generate the secure certificate. Enom will send you a certificate.crt, which you must copy to /usr/local/ispconfig/interface/ssl/; also upload the intermediate.crt provided by Enom.com.

Once you have all the cert files correctly uploaded, open the ispconfig.vhost file again and edit the SSL section as follows:

Code:
<IfModule mod_ssl.c>
  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/intermedio.crt
</IfModule>

Restart Apache with:
/etc/init.d/apache2 restart

You are done. Now your clients should access the panel through https://panel.domain.com:port with the secure SSL cert. They can also access their webmail and phpMyAdmin in a secure environment at https://panel.domain.com:port/phpmyadmin and https://panel.domain.com:port/webmail, if you configured your Apache files correctly before.

If apache2 crashes, check the logs; if necessary I can help.

Thank you for Reading
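
An added example, not part of the original post and not ISPConfig code: a small Python audit that checks vhost text for the end state the guide above aims for (client vhosts bound to the shared IP instead of `*`, the panel vhost bound to its own IP with SSLEngine, certificate, key, chain and an ErrorDocument 400 page). The sample configs are constructed, the addresses are the post's placeholders, and port 8080 is an assumed panel port.

```python
import re

# Constructed sample input; IPs are the post's placeholders, port 8080 is assumed.
SHARED_IP, PANEL_IP = "10.10.10.10", "11.11.11.11"
CLIENT_VHOST = "<VirtualHost *:80>\n  ServerName client1.example\n</VirtualHost>\n"
PANEL_VHOST = """\
<VirtualHost 11.11.11.11:8080>
  ErrorDocument 400 /error.html
  ServerName panel.domain.com
  <IfModule mod_ssl.c>
    SSLEngine On
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  </IfModule>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
TLS_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

def directives(body):
    """Return {lower-cased directive: [arguments]}, skipping comments and section tags."""
    found = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def audit(text, expected_ip, is_panel=False):
    """List deviations from the guide's target state in one vhost file's text."""
    findings = []
    for bindings, body in VHOST_RE.findall(text):
        for binding in bindings.split():
            if binding.rsplit(":", 1)[0] != expected_ip:
                findings.append(f"bound to {binding}, expected {expected_ip}")
        if not is_panel:
            continue
        d = directives(body)
        if "on" not in [arg.lower() for arg in d.get("sslengine", [])]:
            findings.append("SSLEngine is not On")
        findings += [f"missing {name}" for name in TLS_DIRECTIVES if name.lower() not in d]
        if not any(arg.split()[:1] == ["400"] for arg in d.get("errordocument", [])):
            findings.append("no ErrorDocument 400 page")
    return findings

if __name__ == "__main__":
    print(audit(CLIENT_VHOST, SHARED_IP), audit(PANEL_VHOST, PANEL_IP, True))
```

ISPConfig regenerates vhost files, so an audit like this is worth re-running after panel or vhost updates. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated in favour of placing the intermediates in SSLCertificateFile, so a missing-chain finding there can be expected.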
  #2  
2nd May 2012, 12:00
till

Hi,

Thank you for your guide! I would like to post a few general notes on this setup as your guide seems to be for older ISPConfig 3 versions. First of all, do not manually change .vhost files generated by ISPConfig for websites, as they will get replaced by ISPConfig automatically on the next vhost update. Instead of editing them, use ISPConfig to configure the vhost.

If you would like to use an IP-based vhost instead of a wildcard-based vhost for a site, then add the IP address under System > Server IP first, then go to the website settings in ISPConfig and select the IP address there.

SSL for the ISPConfig interface has been the default setup for several versions, so there is no need to alter that. If you installed your server with http, then you can enable https by running the ISPConfig updater and choosing to recreate the SSL certificate during the update.

ISPConfig uses port-based SSL, so replacing * by the IP address in the ISPConfig vhost is normally not necessary unless you want to use port 443 for the ISPConfig control panel.

If you would like to use an SSL certificate from an SSL authority, then you might want to look at StartSSL; their certs are available for free and accepted by all current browsers. There is a detailed guide on configuring ISPConfig with a StartSSL cert here:

http://www.howtoforge.com/securing-y...-from-startssl
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
2nd May 2012, 14:49
aibara

Hi Till,

I cannot use ISPConfig to manage the ispconfig.vhost file... that's why I used the manual way.

I normally like doing things manually; that's why I have ISPConfig, because it doesn't move files to other custom and hidden places like Plesk or others.
Don't you think it's much better?
  #4  
2nd May 2012, 15:08
till

Quote:
I cannot use Ispconfig to manage ispconfig.vhost file... that's why I used the manual way
You explained how to back up all .vhost files, so I thought you wanted to edit other files as well. Btw, the ispconfig file is managed by the ISPConfig installer and SSL is added there as I described above. So your changes will get removed on update.

Quote:
Don't you think it's much better?
I have written ISPConfig, that's why it works this way.
  #5  
2nd May 2012, 15:23
aibara

Hmm, it's important for me to know that so I don't lose the certs.
So what would you do? Modify only sites-enabled?
  #6  
2nd May 2012, 15:35
till

Quote:
Hmm, it's important for me to know that so I don't lose the certs.
The certs are not affected by an update; I was talking about the vhost file.

Quote:
So what would you do? Modify only sites-enabled?
We have published a guide for that:

http://www.howtoforge.com/securing-y...-from-startssl

The ISPConfig updater in future versions will take care of the setup described in that guide, so if you follow it, then your system will work without modifications after an update.
  #7  
2nd May 2012, 15:46
aibara

Yes, I followed 99% of your guide; the only change is the SSL provider.
Thank you for the help. Please remember my private message, I'm waiting for your reply!!