Securing ACCESS to ISPCONFIG

Discussion in 'Tips/Tricks/Mods' started by aibara, Apr 30, 2012.

  1. aibara

    aibara New Member

    Hi, I will guide you through using the ISPConfig 3 panel in a secure environment.

    The first thing we're going to do is disable access to the ISPConfig panel through all the domains.

    Second, I'm going to explain what you should do to install a valid SSL certificate under an ISPConfig installation.

    We will also handle the ERROR 400 BAD REQUEST you get if you access ISPConfig with http://

    Main Information :
    Operating System - Linux, Debian
    Web Server - Apache 2
    SSL certs - Enom.com - The most economical SSL panel I found is approx. 11$ a year; it only validates a domain or subdomain
    IP addresses to make virtual servers in apache with custom SSL.

    Let's start


    1. Obtaining necessary files
    First of all, download all the files under /etc/apache2/sites-available/
    and store them in a folder, make a secure backup.

    In a normal ISPConfig installation, the .vhost files of the apache2 configuration come with VirtualHost *:80 (so that all IPs respond to the domains). That is OK in normal cases, but we want a secure environment, so we will change all this.

    So imagine we currently have 10.10.10.10 as the common IP, and we want to use 11.11.11.11 as the IP for the ISPConfig panel with SSL.

    2. Modifications
    First we should change all the client .vhost files, replacing

    Code:
    <VirtualHost *:80>

    with

    Code:
    <VirtualHost 10.10.10.10:80>

    Open the ispconfig.vhost file, add Listen 11.11.11.11:ispconfigport at the top, and change the virtual host like this:

    Code:
    <VirtualHost 11.11.11.11:port>
      ErrorDocument 400 /error.html
      ServerAdmin webmaster@localhost
      ServerName panel.domain.com

    You must upload the error.html file to /usr/local/ispconfig/interface/web/
    That file should contain a window.location = https://panel.yourdomain.com to redirect http connections to your panel, instead of showing a 400 Bad Request error.


    Now we are going to ensure that SSL is disabled for the rest of the domains. I had problems with that, so check it.
    Open the file /etc/apache2/ports.conf and make it look something like this:

    Code:
    NameVirtualHost 10.10.10.10:80
    Listen 80
    
    <IfModule mod_ssl.c>
    </IfModule>
    

    3. DNS RECORD

    Now you should add a new A record in your DNS pointing to 11.11.11.11, for example:
    A panel.domain.com 11.11.11.11


    4. SSL certificate
    Generate the SSL certificate as explained in this post. Remember, the common name must be the subdomain panel.domain.com!

    Once you have generated it, go to Enom.com, add your CSR and generate the secure certificate. Enom will send you a certificate.crt; you must copy it to /usr/local/ispconfig/interface/ssl/, and also upload the intermediate.crt provided by enom.com.

    Once you have all the cert files correctly uploaded, open the ispconfig.vhost file again and edit the SSL section as follows:

    Code:
    <IfModule mod_ssl.c>
      # SSL Configuration
      SSLEngine On
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/intermedio.crt
    </IfModule>

    Restart Apache with

    Code:
    /etc/init.d/apache2 restart

    You are done. Now your clients should access the panel through https://panel.domain.com:port with the secure SSL cert. They can also access their webmail and phpMyAdmin in a secure environment at https://panel.domain.com:port/phpmyadmin and https://panel.domain.com:port/webmail, if you configured your Apache files correctly before :)

    If apache2 crashes, check the logs; if necessary, I can help.

    Thank you for reading
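
A check for the rebinding in steps 1 and 2 of the post above, as an added example that is not part of the original thread: it flags any .vhost file still bound to the wildcard or to the wrong IP, and confirms that the panel vhost has SSLEngine switched on. The function name, the sample file names and port 8080 are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit *.vhost files after the rebinding.
# audit_vhosts DIR CLIENT_IP PANEL_IP -> prints one line per finding,
# returns 0 when clean and 1 otherwise. Only the first address of each
# <VirtualHost ...> line is inspected.
audit_vhosts() {
  local dir=$1 client_ip=$2 panel_ip=$3 findings=0 f line addr want
  for f in "$dir"/*.vhost; do
    [ -e "$f" ] || continue
    # The panel vhost must sit on the panel IP, every other vhost on the
    # client IP; a wildcard client vhost would also answer on the panel IP.
    if [ "$(basename "$f")" = "ispconfig.vhost" ]; then want=$panel_ip; else want=$client_ip; fi
    while IFS= read -r line; do
      addr=$(printf '%s\n' "$line" |
        sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][[:space:]]*\([^>[:space:]]*\).*/\1/p')
      [ -n "$addr" ] || continue
      case $addr in
        "$want":*) ;;   # explicit IP:port binding, as intended
        *) echo "BIND $f: '$addr' (expected $want:<port>)"
           findings=$((findings + 1)) ;;
      esac
    done < "$f"
  done
  # The panel vhost must additionally have TLS switched on.
  if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$dir/ispconfig.vhost" 2>/dev/null; then
    echo "TLS $dir/ispconfig.vhost: 'SSLEngine On' not found"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample tree: client1 is still on the wildcard, client2 and the
# panel are rebound. Port 8080 is an assumed panel port.
demo=$(mktemp -d)
printf '<VirtualHost *:80>\n  ServerName client1.example\n</VirtualHost>\n' > "$demo/client1.example.vhost"
printf '<VirtualHost 10.10.10.10:80>\n  ServerName client2.example\n</VirtualHost>\n' > "$demo/client2.example.vhost"
printf 'Listen 11.11.11.11:8080\n<VirtualHost 11.11.11.11:8080>\n  SSLEngine On\n</VirtualHost>\n' > "$demo/ispconfig.vhost"
audit_vhosts "$demo" 10.10.10.10 11.11.11.11 || echo "findings above need fixing"
rm -rf "$demo"
```

Run it against /etc/apache2/sites-available with your own two addresses, and again after an ISPConfig vhost update, since regenerated vhost files replace manual edits.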
     
  2. till

    till Super Moderator

    Hi,

    Thank you for your guide! I would like to post a few general notes on this setup, as your guide seems to be for older ispconfig 3 versions. First of all, do not change .vhost files generated by ispconfig for websites manually, as they will get replaced by ispconfig automatically on the next vhost update. Instead of editing them, use ispconfig to configure the vhost.

    If you would like to use an IP-based vhost instead of a wildcard-based vhost for a site, then add the IP address under System > Server IP first, then go to the website settings in ispconfig and select the IP address there.

    SSL for the ispconfig interface has been the default setup for several versions, so there is no need to alter that. If you installed your server with http, then you can enable https by running the ispconfig updater and choosing to recreate the SSL certificate during the update.

    ISPConfig uses port-based SSL, so replacing * with the IP address in the ispconfig vhost is normally not necessary unless you want to use port 443 for the ispconfig control panel.

    If you would like to use an SSL certificate from an SSL authority, then you might want to look at startssl; their certs are available for free and accepted by all current browsers. There is a detailed guide on configuring ispconfig with a startssl cert here:

    http://www.howtoforge.com/securing-...h-a-free-class1-ssl-certificate-from-startssl
     
  3. aibara

    aibara New Member

    Hi Till,

    I cannot use Ispconfig to manage ispconfig.vhost file... that's why I used the manual way :)

    I normally like doing things manually, that's why I have ISPConfig, because it doesn't move files to other custom and hidden places like Plesk or others.
    Don't you think it's much better? :)
     
  4. till

    till Super Moderator

    You explained to back up all .vhost files, so I thought you wanted to edit other files as well. Btw, the ispconfig file is managed by the ispconfig installer and SSL is added there as I described above. So your changes will get removed on update.

    I have written ispconfig, that's why it works this way ;)
     
  5. aibara

    aibara New Member

    Hmm, important for me to know :) so I don't lose the certs.
    So what would you do? Modify only sites-enabled?
     
  6. till

    till Super Moderator

    The certs are not affected by an update, I talked about the vhost file.

    We have published a guide for that:

    http://www.howtoforge.com/securing-...h-a-free-class1-ssl-certificate-from-startssl

    The ispconfig updater in future versions will take care of the setup described in that guide, so if you follow it, then your system will work without modifications after an update.
     
  7. aibara

    aibara New Member

    Yes, I followed 99% of your guide; the only change is the SSL provider.
    Thank you for the help, please remember my private message, I'm waiting for your reply!!
     
