Securing ACCESS to ISPCONFIG

[aibara]

Hi I will guide you to use Ispconfig 3 PANEL in a secure environment.

The first thing we're going to do is disabling the access to ispconfig panel trough all the domains.

Second, I'm going to explain you what you should do to install a valid SSL certificate under ISPCONFIG instalation.

We will Also manage the ERROR 400 BAD REQUEST if you access ispconfig with http://

Main Information :
Operating System - Linux, Debian
Web Server - Apache 2
SSL certs - Enom.com - The most economic SSL panel i found is 11$ years aprox, it only validates a domain or subdomain
IP addresses to make virtual servers in apache with custom SSL.

Lets Start


1. Obtaining necessary files
First of all, download all the files under /etc/apache2/sites-available/
and store them in a folder, make a secure backup.

In a normal ispconfig installation, the .vhosts file of apache2 configuration come with virtualhost *:80 (so that all ip's respond to the domains), that is ok in normal cases, we want a secure environment so we will change all this.

So imagine actually we have 10.10.10.10 as common ip, and we want to use 11.11.11.11 as IP for the ISPCONFIG PANEL to use SSL.

2. Modifications
We First should change all the client .vhost files changing

Code:

<VirtualHost *:80>

for

Code:

<VirtualHost 10.10.10.10:80>

Open ispconfig.vhost file and add Listen 11.11.11.11:ispconfigport on the top, and change the virtual host like this :

Code:

<VirtualHost 11.11.11.11:port>
ErrorDocument 400 /error.html
  ServerAdmin webmaster@localhost
  ServerName panel.domain.com

In error.html, you must upload that file to /usr/local/ispconfig/interface/web/
That file should contain a window.location = https://panel.yourdomain.com, to redirect http connections to your panel, instead of showing a 400BAD request error.


Now we are going to ensure that SSL is disabled for the rest of the domains, i had problems with that, so check it.
Open file /etc/apache2/ports.conf and make it look to something like this :

Code:

NameVirtualHost 10.10.10.10:80
Listen 80

<IfModule mod_ssl.c>
</IfModule>

3. DNS RECORD

Now you should add a new A RECORD in your DNS pointing to 11.11.11.11, example.
A panel.domain.com 11.11.11.11


4. SSL certificate
Generate the SSL certificate like explained in this post, Remember the common name must be the subdomain panel.domain.com !!!!

When you generated it, go to Enom.com and add your CSR and generate the Secure Certificate. Enom will send you a certificate.crt, you must copy it to /usr/local/ispconfig/interface/ssl/, also upload intermediate.crt provided by enom.com.

Once you have all the cert files correctly uploaded, open the ispconfig.vhost file again and edit, ssl section as follows :

Code:

<IfModule mod_ssl.c>
  # SSL Configuration
 SSLEngine On
 SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
 SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
 SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/intermedio.crt
    </IfModule>

Restart apache with
/etc/init.d/apache2 restart
You are done, now your clients should access the panel trough your https://panel.domain.com: port, with the secure SSL cert, also they can access their webmail and phpmyadmin in a secure environment https://panel.domain.com: port/phpmyadmin, and https://panel.domain.com: port/webmail if you configured your apache files correctly before

IF apache2 crashes, Check the logs, if necessary I can help.

Thank you for Reading

[till]

Hi,

thank you for your guide! I would like to post a few general notes on this setup as your guide seems to be for older ispconfig 3 versions. First of all, do not change .vhost files generated by ispconfig for websites manually as they will get replaced by ispconfig autmatically on next vhost update. Instead of editing them, use ispconfig to configure the vhost.

If you like to use a IP based vhost instead of a wildcard based vhost for a site, then add the IP address under System > Server IP first, then go to the website settings in ispconfig and select the IP address there.

SSL for the ispconfig interface is the default setup since several versions, so there is no need to alter that. If you installed your server with http, then you can enable https by runnng the ispconfig updater and choose to recreate the ssl certificate during update.

ISPConfig uses port based ssl, so replacing * by the IP address in the ispconfig vhost is normally not nescessary unless you want to use port 443 for the ispconfig controlpanel.

If you like to use a ssl certificate from a ssl authority, then you might want to look at startssl, their certs are available for free and accepted by all current browsers. There is a detailed guide on configuring ispconfig with a startssl cert here:

http://www.howtoforge.com/securing-y...-from-startssl

[aibara]

Hi Till,

I cannot use Ispconfig to manage ispconfig.vhost file... that's why I used the manual way

I normally like making things manually, that's why I have Ispconfig, cause it doenst move files to other custom and hidden places like plesk or others.
Dont you think its much better ?¿

[till]

Quote:

I cannot use Ispconfig to manage ispconfig.vhost file... that's why I used the manual way

You explained to backup all .vhost files so I thought you want to edit other files as well. Btw, the ispconfig file is managed by the ispconfig installer and ssl is added there as I described above. So your changes will get removed on update.

Quote:

Dont you think its much better ?¿

I have wriiten ispconfig, thats why it works this way

[aibara]

HMM, important for me to know it so I dont loose the CERTS.
So what would you do? modify only sites-enabled ?¿

[till]

Quote:

HMM, important for me to know it so I dont loose the CERTS.

The certs are not affected by an update, I talked about the vhost file.

Quote:

So what would you do? modify only sites-enabled ?¿

We have published a guide for that:

http://www.howtoforge.com/securing-y...-from-startssl

The ispconfig updater in future versions will take care on the setup described in that guide, so if you follow it, then your system will work without modifications after an update.

[aibara]

Yes, I Followed 99% of your guide, only change is the SSL provider.
Thank you for help, plz remember my priv message, I'm waiting your reply!!