Access to panel using website domain name

Discussion in 'Installation/Configuration' started by Poliman, Feb 3, 2017.

  1. Poliman

    Poliman Member

    I have panel ISP under https://vps123.example.net:8080/ with self-signed certificate. On the server I have website let's say website.com which has let's encrypt ssl certificate (with HSTS turned on). What should be default behavior when I put in web browser address bar https://website.com:8080? At the moment I have something what shows attached screen. When I use address https://website.com site of course opens normally.
    Next question is - how alternatively disable port 8080 for website.com?
     

    Attached Files:

  2. Jesse Norell

    Jesse Norell Well-Known Member

    ISPConfig doesn't setup a name virtual host, it "owns" port 8080 itself, so any name used to access your server on port 8080 will hit the ispconfig installation. Once you get past the ssl error, you should have an ispconfig login screen.

    You can create a name virtual host (eg. vps123.example.net) on port 443 then setup a reverse proxy for that site to localhost:8080. You then block off port 8080 in your firewall, and your ispconfig control panel will be available only through that vhost.
     
  3. Poliman

    Poliman Member

    Unfortunatelly I can't do this, because HSTS feature enabled makes impossible to accept self-signed certificate/ ssl error. Of course I could disable HSTS but for website.com I need this enabled.

    I am not sure I get the point. After above operations ispconfig panel will be available only through vps123.example.net:443? But what will be with access to panel via another web domain e.x. website2.com:8080, will it be locked, or 404?
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    correct
    what I suggested was to block port 8080 entirely, so it is inaccessible via any name - your website2.com will server a normal website as it always has, and website2.com:443 will be configured if the SSL checkbox is enabled, but will still just serve the normal site. only the vps123.example.net vhost will get you to the control panel (which I believe is what you wanted?).
     
  5. Poliman

    Poliman Member

    Yes I want this effect. I try to find out something about
    and there is some problem. I have virtual host started from something like this <VirtualHost _default_:8080> and between <VirtualHost> tags is full ispconfig vhost configuration. Questions:
    1. Should I do virtual host like You said above? or
    2. Could I change only port here <VirtualHost _default_:443> or
    3. Maybe create one more file .vhost vps123.example.net:443 and copy there config from current ispconfg vhost file? What is the algorythm? :)
    4. After this operations panel will be accessible on which port like https://vps123.example.net:443 or still https://vps123.example.net:8080 (what should be written in web browser address bar?).
    5. Should I remove current ispconfig virtualhost?

    PS
    My setup (copied default file /etc/apache2/sites-available/ispconfig.vhost to my-ispconfig.vhost and created symlink in sites-enabled):

    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################

    Listen 443 #8080
    NameVirtualHost *:443 #8080

    <VirtualHost vps123.example.net:443>
    ServerAdmin [email protected]

    ##ADDED LINES
    #<Proxy *>
    # Order deny,allow
    # Allow from all
    #</Proxy>

    #<Location />
    # ProxyPass http://localhost:8080/
    #</Location>

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
    ##END

    <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>

    <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
    Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Indexes Limit Options FileInfo
    <FilesMatch "\.php$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
    Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
    </IfModule>

    <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
    # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
    Options +FollowSymLinks
    AllowOverride None
    Require all granted
    php_value magic_quotes_gpc 0
    </Directory>
    </IfModule>

    # ErrorLog /var/log/apache2/error.log
    # CustomLog /var/log/apache2/access.log combined
    ServerSignature Off

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>

    # SSL Configuration
    SSLEngine On
    SSLProtocol All -SSLv3
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder On

    <IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000"
    RequestHeader unset Proxy early
    </IfModule>

    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
    </VirtualHost>

    <IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>

    <Directory /var/www/php-cgi-scripts>
    AllowOverride None
    Require all denied
    </Directory>

    <Directory /var/www/php-fcgi-scripts>
    AllowOverride None
    Require all denied
    </Directory>
     
    Last edited: Feb 9, 2017
  6. Jesse Norell

    Jesse Norell Well-Known Member

    You could accomplish what you want in two ways, 1) setup a standard vhost for vps123.example.net which does a reverse proxy connection to localhost:8080, or 2) copy the ispconfig vhost file to be used for vps123.example.net and alter a few things (primarily the port number and server name) to run as a namevhost. You seem to have mixed both approaches in the above config.

    I've posted working proxy config in the past on the forums here I think 2 times, you could see if you find those. We've since switched from that type of a config to a dedicated container for the control panel which runs on port 443, so I can't cut/paste code I have working in production at at this time.
     
  7. Poliman

    Poliman Member

    Thank You Jesse for answer. I still have some doubt.
    What means standard vhost - something like default one?
    You said that I mixed both approaches - do You mean from point 1 and 2? I am affraid I don't fully understand. Above config cover point 2 of Your answer and has altered these lines (commented old port number, put 443 as new, default virtualhost changed to vps123.example.net, put Proxy lines to localhost:8080):
    Listen 443 #8080
    NameVirtualHost *:443 #8080 <-- need here put "vps123.example.net" too instead of *?
    <VirtualHost vps123.example.net:443>

    and added:
    ##ADDED LINES
    #<Proxy *>
    # Order deny,allow
    # Allow from all
    #</Proxy>

    #<Location />
    # ProxyPass http://localhost:8080/
    #</Location>

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
    ##END

    Btw I have to find configs You said above, becouse I don't know which added lines should be commented/uncommented (I based on found configs on the internet).
     
  8. ahrasis

    ahrasis Active Member

    There is no need to do reverse proxy, use 443 and block 8080. Just follow my post here: https://www.howtoforge.com/communit...cates-into-ispconfig.71055/page-7#post-355116. This way you will maintain your https://vps123.example.net:8080 but change it to LE SSL. This should simple and straightforward.
     
  9. Poliman

    Poliman Member

    Do You mean that I should create website which name will be name of the vps (so created website would be vps123.example.net)?

    PS
    Do You know maybe what should I do based on information provided by me in one earlier post? I am curious how to setup reverse proxy properly and I think I am close to resolve the issue.
     
    Last edited: Feb 10, 2017
  10. ahrasis

    ahrasis Active Member

    Yes. The created website would be vps123.example.net.

    And no. I am not good with reverse proxy. I never did it successfully.
     
  11. Poliman

    Poliman Member

    Thank for answer Ahrasis. I will check this and for sure give response. This is highly important thing for me. I will post feedback in next week. Weekend time. ;)
     
    Last edited: Feb 10, 2017
  12. Poliman

    Poliman Member

    I want to check both options so Jesse, I setup VirtualHost:
    Code:
    Listen 443
    NameVirtualHost *:443
    <VirtualHost 193.X.X.X:443>
            ServerName vps123.example.net
            ServerAlias www.vps123.example.net
    
            ProxyPass / https://localhost:8080/
            ProxyPassReverse / https://localhost:8080/
    </VirtualHost>
    
    Should I also put directives like:
    Code:
    DocumentRoot /var/www/ispconfig
    SSLEngine On
    SSLCertificateFile /path/to/isp/ssl_cert
    or they are not required here? Ispconfig.vhost has inside whole SSL configuration.
     
    Last edited: Feb 14, 2017
  13. Jesse Norell

    Jesse Norell Well-Known Member

  14. Poliman

    Poliman Member

    Does this new vhost will redirect or something like redirect to default ispconfig.vhost or this default won't be used anymore? I will check Your example configs.
    As I see I should set <IfModule mod_proxy.c> and inside it lines ProxyPass and ProxyPassReverse. And there is two <VirtualHost> in one vhost file. So maybe I just copy whole text from ispconfig.vhost file, paste it at the bottom of this file and just add ServerName, ServerAlias and ProxyPass, ProxyPassReverse, can it be?
     
    Last edited: Feb 15, 2017
  15. Jesse Norell

    Jesse Norell Well-Known Member

    The example at https://www.howtoforge.com/community/threads/3-1-update-reverse-proxypass-apache.73210/ creates a 000-default-ssl.conf file which has 2 virtualhost entries and serves 2 purposes - the first virtualhost entry (servername default) is the default port 443 site, which is served for any port 443 connections that don't match a more specific vhost (eg. if you don't setup ssl for a hosted domain xyz.com in ispconfig, then https://xyz.com/ will be served from this vhost); the second virtualhost entry would match the server's hostname (vps123.example.net in your example) and proxy the connection to port 8080 to access the ispconfig interface. You could put them in separate files if you prefer.
     
    Poliman likes this.
  16. Poliman

    Poliman Member

    Heh I am definitely dumb... I see this example about which You say but now I am confused. In your first post You advise me to create virtualhost with reverse proxy and block port 8080. Now I see I should create 2 virtualhost for 2 different purposes. Hmm... I am confused. This is my first try with reverse and ISP, maybe this is the problem.
     
  17. ahrasis

    ahrasis Active Member

    After following this thread for a while, I am still confused why an easier solution is not being used. Why do you need to use a reverse proxy for ispc port?
     
  18. Poliman

    Poliman Member

    I will, but I would try both solutions - You know - for get experience/ learn.
     
  19. ahrasis

    ahrasis Active Member

    Ooh. Ok then. Hope you get what you are looking for.
     
    Last edited: Feb 21, 2017
    Poliman likes this.
  20. Jesse Norell

    Jesse Norell Well-Known Member

    The vhost performing a reverse proxy which I mentioned in my first post is the 2nd vhost in the example config.
     
    Poliman likes this.

Share This Page