Wanted: Dedicated URL for ISPConfig Management without Specifying a Port

Discussion in 'Installation/Configuration' started by fatbear, Sep 28, 2021.

  1. fatbear

    fatbear Member HowtoForge Supporter

    I have a subdomain such as manage.example that I use exclusively for ISPConfig management. I'd like to use either URL:
    I've read posts for redirecting Apache to another port, but I'm wondering if there is a way in which I can use a dedicated subdomain URL for ISPConfig management without specifying a Port.

    I did try installing ISPConfig and specifying 443 as the port; however, when going to the URL https://manage.example.com it seemed that LetsEncrypt encryption wasn't working: the browser indicated the page was insecure.

    When I installed using port 9876 with https://manage.example.com:9876, that did work. But, for people using the control panel, it is a bit of a headache to have them use a port as part of the URL.

    I'm sure many folks would love to know how to use a dedicated subdomain URL for accessing the ISPConfig control panel. Can anyone provide instructions on how to properly do this with ISPConfig?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It sounds like you want to use a specific name without redirecting. There are 2 ways to do that, either configure the ispconfig vhost as a name-based vhost on port 443, or to run on a dedicated port like 8080 and have your port 443 vhost reverse proxy the connection.

    That works if you have a multi-server setup with ISPConfig on a dedicated node. This is actually the most secure setup (just ensure your mysql connections use ssl), and preferred if you can do so.

    If you have a single server you can still use port 443, but you have to edit the ispconfig vhost template to include a servername. I don't know if there's a feature request to make this an installation option, but it would be nice to have available.

    The other option, reverse proxying, just requires running ISPConfig on a dedicated port as it does by default, then create a subdomain from within ISPConfig for your public hostname, and add custom apache/nginx directives to setup the reverse proxy to your dedicated port. (Examples can be found in searching the forums here.)
     
  3. fatbear

    fatbear Member HowtoForge Supporter

    Thanks, Jesse, for the information. Here's my use case for most small customers:

    1. When I get a new customer, I create a VM on RHEL 7 for them and assign a block of 8 IP addresses to the VM to service various web needs including, of course, ISPConfig.
    2. For the first IP address, I want that to be dedicated to the manage.example.com site with no redirection.
    3. The remaining IP addresses are for customer-specific needs. I put their primary website on the second IP address. Other IP addresses are used for other common installations such as NextCloud for file sharing.

    In the past, I've used the Pound reverse proxy outside of Apache that provides both reverse proxying using commercial SSL certificates and load balancing. For this, I've needed to install ISPConfig with SSL enabled, but then I've needed to remove the /etc/httpd/conf.d/ssl.conf and comment out the SSL entries in each vhost file or template. But, I do like the fact that now ISPConfig has good, seamless LetsEncrypt implementation, so my previous Pound solution for reverse proxying with commercial SSL certificates isn't quite as attractive.

    Yes! I would love to see a single server solution in which port 443 could be used for the ISPConfig control panel site. Other sites would be on different IP addresses. Can you provide me with explicit instructions on what I'd need to do manually at this time? I'd be willing to work with you on the implementation. I'm a software developer and work doing cloud DevOps. I just am not familiar at this time with the ISPConfig code.

    Thanks again!
     
  4. fatbear

    fatbear Member HowtoForge Supporter

    I was successful.... Nope, I was wrong, I wasn't successful. With the changes below in the ispconfig.vhost file, I get:

    [​IMG]

    I tried getting the URL https://manage.example.com to work without having to enter the :9876 custom port number for ISPConfig by manually modifying the /etc/httpd/conf/sites-available/ispconfig.vhost file in which I added at the top:
    Code:
    <virtualHost *:443>
       ServerName manage.example.com
       SSLEngine On
        SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    
      SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      SSLHonorCipherOrder On
    
       SSLProxyEngine On
       ProxyPreserveHost On
       ProxyPass / https://manage.example.com:9876/
       ProxyPassReverse / https://manage.example.com:9876/
    </VirtualHost>
    
    So I'm still trying to modify the ispconfig.vhost file so that I can access the Control Panel without entering the custom port I've assigned. Any thoughts?
     
    Last edited: Oct 10, 2021
  5. wget

    wget New Member

    Hello everyone.

    I have been able to achieve what I wanted tweaking the GUI configuration as follow (taking into account an ISPconfig instance installed on example.org:8080):

    • Go to Sites > Websites > Website > Add new website
    • Select the Domain tab
    • As Domain, specify admin-webXX.example.org
    • Uncheck Own Error-Documents
    • Check SSL
    • Check Let's Encrypt SSL
    • Select the Options tab.
    • In nginx Directives, paste the following config:
      Code:
      location ^~ / {
           proxy_set_header X-Forwarded-Host $host:$server_port;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass https://localhost:8080;
        }
      
    • Select the Redirect tab
    • Check Rewrite HTTP to HTTPS
    • Reconfigure the firewall to block access to port :8080 from the outside
     
    Last edited: Oct 12, 2021
    ahrasis and Jesse Norell like this.

Share This Page