Problems securing cPanel using ConfigServer Firewall suggestions...

Spork Schivago

Well-Known Member
Jan 21, 2016
597
66
28
corning, ny
cPanel Access Level
Root Administrator
Hello,

I'm trying to secure my domain a bit and I'm using ConfigServer Firewall. I ran a security scan of my system and CSF (ConfigServer Firewall) reports:
Code:
Check proxy subdomains:   This option can mask a users real IP address and hinder security. You should disable WHM > Tweak Settings > Proxy subdomains
So, I disable that option in Tweak Settings, and it turns off the various subdomain stuff, like whm.mydomain.com, webmail.mydomain.com, etc.

The problem is, I'd like to have those still working. Is there a way to manually set them up? Maybe by creating actual subdomains and somehow redirecting it to the proper port? Or is the only way to get those to work (whm, webmail, cpanel, etc.) to keep that option enabled?

So just so I'm clear, I want the proxy subdomains disabled but I'd like to manually set up subdomains for the various cPanel / WHM stuff, so when I go to some place like whm.mydomain.com, it takes me to the same place that it'd take me if I had the proxy subdomains enabled. I'm just not sure how to set that all up.

Any help would be greatly appreciated.

P.S. - I don't know a lot about DNS records and stuff like that. I've run Apache before, but only on local machines. Never with a real domain or anything. Thanks!
 

Spork Schivago

I wonder if I could create the subdomain, whm.mydomain.com, and then redirect it to something like:
Code:
/usr/local/cpanel/cgi-sys/swhmredirect.cgi
From looking at the httpd.conf file, it seems that if someone goes to mydomain.com/securewhm, that's where they get redirected. Would that be possible? Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Hello :)

You can simply enable the "Proxy Subdomains" feature in "WHM >> Tweak Settings". Setting them up manually is going to result in the same behavior as if you were to enable them through WHM. The security warning is to note that it makes it easier for a user to mask their identity by connecting only over port 80.

Thank you.
 

Spork Schivago

> Hello :)
>
> You can simply enable the "Proxy Subdomains" feature in "WHM >> Tweak Settings". Setting them up manually is going to result in the same behavior as if you were to enable them through WHM. The security warning is to note that it makes it easier for a user to mask their identity by connecting only over port 80.
>
> Thank you.

Thank you cPanelMichael. I questioned whether it was really a security threat or not. Is there any chance you could just give me some basic steps on how to manually set it up without the proxies though, so I don't see that nice pinkish / red warning in CSF? If it's too much trouble for you, I understand, and I'll just re-enable the Proxy Subdomain feature in WHM. I mean, if it's something where you have to give me 1,000 steps, don't worry about it. If you decide to leave me instructions, you don't have to leave step-by-step ones. Just a brief idea of what I have to do, i.e., create various sub-domains or maybe set up virtual hosts using the vhost.local in the /var/cpanel/templates/apache2 directory. Thanks!
 

Spork Schivago

> The following thread should help you get started:
>
> Custom Proxy Subdomain
>
> Thank you.

So the only way to manually set up the whm.mydomain.com, cpanel.mydomain.com, etc., would be to manually set up the Proxy stuff? I was hoping there'd be a way to do it with removing the proxy stuff altogether. If the only way is through the proxy stuff though, I'll just re-enable the option in the Tweak Settings.
 

Spork Schivago

> Could you elaborate on what in particular you prefer to use to configure the proxy redirects?
>
> Thank you.

Sorry cPanelMichael. I'm very new to managing a server that's on the net. My understanding was I was getting the error message because those redirects were set up as a proxy. I thought there would be a way to set them up without using the mod_proxy apache module altogether. Like for example, maybe setting up, I think they're called subdomains. And having the subdomain, for example, whm.mydomain.com actually point to mydomain.com/whm or mydomain.com:<whm port>. Then I wouldn't be using proxies at all.

I think I just found my answer! I was googling to see if there was a way to use subdomains instead of proxy subdomains and I found this article:

Proxy Subdomains Use the cPanel Service SSL - cPanel Knowledge Base - cPanel Documentation

I don't understand why the article says:
Code:
Warning:

We do not recommend that you bypass your server's proxy subdomain configuration.
Do I create some sort of security risk by creating those subdomains and not using the proxy subdomain redirects? I have valid SSL certs installed for the various cPanel stuff, whm.mydomain.com, cpanel.mydomain.com, webmail.mydomain.com. I created them using Let's Encrypt's free SSL cert program and then I used a custom script someone here posted to install them. I then modified the script to configure the various cPanel services to use them (i.e., webmail, cpanel, whm, etc.). I added a crontab entry to automate it all, so I don't have to do anything anymore.

I thought that if I manually created the subdomains myself, I'd only need to worry about the SSL certificate for my main domain. Then when Let's Encrypt runs, I won't have to shut down Apache, run Let's Encrypt, restart it...because I could simply use the WebRoot plugin.
 

cPanelMichael

> Do I create some sort of security risk by creating those subdomains and not using the proxy subdomain redirects?

It's acceptable to use the method suggested at the document you provided. The warning is to note that it won't allow visitors to access those services over port 80. Instead, visitors are redirected to the standard ports for the services.

Thank you.
 

Spork Schivago

> It's acceptable to use the method suggested at the document you provided. The warning is to note that it won't allow visitors to access those services over port 80. Instead, visitors are redirected to the standard ports for the services.
>
> Thank you.

This is great cPanelMichael! That's exactly what I want to do! Now I just gotta figure out how to set up the subdomains so that they do that redirect stuff. I think I also need to create those dang DNS records. I really struggle with that stuff there!

You've been a great help answering all my questions and I really appreciate everything cPanelMichael! If I ever switch hosting companies and they don't provide cPanel / WHM, I'll be sure to purchase a copy! I'm also gonna spread the word around about how great you guys are, providing support, and how wonderfully easy your cPanel products make managing a website!

Thank you!
 

Spork Schivago

cPanelMichael,

I'm having issues. I got all the domain redirects working. I had trouble with three of them, webdisk, cpcalendars and cpcontacts. Turns out I needed to restart the cpsrvd daemon and then they worked fine. For some reason, they were showing up as using the old self-signed cert, not the one I created from Let's Encrypt. That's fixed now.
Code:
When I go to example.com and www.example.com, I get the message that this website isn't configured properly, etc.   But when I go to the secured version, https://example.com and https://www.example.com, it loads the index.php script, as expected.
Any ideas what's going on there and why it's not properly loading the index.php for non-encrypted traffic?

What I'd really like to do is automatically redirect any http visitors to the SSL https web pages. I had this working, by editing the /var/cpanel/templates/apache2/vhost.local file and adding:
Code:
Redirect permanent / https://[% wildcard_safe(vhost.servername) %]/
This broke the subdomain redirects though, so I had to remove it. Gotta figure out how to safely redirect everyone to https sites without it messing up the subdomain stuff. Thanks!
 

Spork Schivago

> Enabling the proxy subdomains would be a lot less work to maintain don't you think?

How so? I mean I got the subdomain redirects set up now, so if I'm understanding everything right, I believe this means when I renew my SSL certs, I don't have to shut down Apache, run letsencrypt-auto, restart Apache.

I generate my own certs using Let's Encrypt. I had generated ones for stuff like whm.mydomain.com, webmail.mydomain.com, etc. But the way Let's Encrypt works, in order to generate a cert, it creates a directory on DocumentRoot called something like .well-known and inside that directory, a directory called acme-challenge or something along those lines. Then it puts a file there and tries going to whatever domains / subdomains I put down. Like whm.mydomain.com/.well-known/acme-challenge/secret_file. With the proxies enabled, whenever Let's Encrypt tried going to the .well-known directory, it never worked. So the only way to do it was to use the stand-alone plugin, shut down Apache, run letsencrypt-auto with the standalone installer, restart Apache.

Now though, because I have subdomain redirects, if I'm not mistaken, all I have to do is create one SSL cert for my main domain, and it should work for all the sub-domains as well, because they're just redirects. That means I shouldn't have to shut down anything and can just use the normal webroot plugin.

Unless I'm missing something. I mean, is there more work that I have to do that I don't know about? I really appreciate all the help and I'm sure you know more about this stuff than I do, so thanks for sharing and please let me know what work you're referring to...thanks!
 

cPanelMichael

> I think I found a work-around. I used a rewrite rule in an .htaccess file in the document root. Not the best solution, but at least it redirects them to the SSL stuff now.

I'm happy to see you were able to find a viable workaround. Thank you for updating us with the outcome.
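
Added example, not part of the original thread and not cPanel's own configuration: one way to write the kind of .htaccess rewrite rule discussed above, so that plain-HTTP visitors are sent to HTTPS without touching the service subdomains or Let's Encrypt's webroot validation path. It assumes mod_rewrite is available and uses example.com as a placeholder for the real domain.

```apache
# Added example for an .htaccess file in the main site's document root.
# example.com is a placeholder; substitute the real domain.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Only plain-HTTP requests are candidates for the redirect.
    RewriteCond %{HTTPS} !=on

    # Scope the rule to the main site, so the service subdomains
    # (whm., cpanel., webmail., webdisk., ...) keep their own redirects.
    # Pinning the host here also means the redirect target below can
    # never be an arbitrary client-supplied Host header.
    RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]

    # Keep ACME http-01 validation files reachable over plain HTTP,
    # which is what the webroot plugin relies on.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

    # Everything else goes to the same host and path over HTTPS.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Unlike the `Redirect permanent /` line added to vhost.local earlier in the thread, the host condition limits the redirect to the named site instead of applying it to every virtual host built from the template.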
 

Spork Schivago

As it turns out, the reason the web pages weren't loading properly was because Chrome seems to ignore the meta-tags for cache control. The only solution I could find was to add this either to .htaccess per documentroot or in httpd.conf for a global solution. I'm just posting here in case anyone else runs into a similar problem.

Code:
    <IfModule mod_headers.c>
        Header  unset ETag
        Header  set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header  set Pragma "no-cache"
        Header  set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

    </IfModule>
It disables cache for all files. It can be customized a bit so things like pictures still get cached. At least now when I make a change, it gets updated as soon as I refresh the page. Thanks!
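
Added example, not part of the original post: a variant of the block above that keeps the no-cache default for pages but lets images be cached, as the post suggests is possible. The file extensions and the one-day lifetime are assumptions chosen for illustration.

```apache
# Added example; extension list and max-age value are illustrative.
<IfModule mod_headers.c>
    # Default for everything: same headers as the block in the post,
    # so pages and scripts are always fetched fresh.
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

    # Override for static images. <FilesMatch> sections are merged after
    # the enclosing context, so these directives replace the defaults
    # above for matching files only.
    <FilesMatch "\.(png|jpe?g|gif|ico|svg)$">
        Header set Cache-Control "public, max-age=86400"
        Header unset Pragma
        Header unset Expires
    </FilesMatch>
</IfModule>
```

Keeping `no-store` as the default and opting specific file types back in means a newly added page type is uncached unless someone decides otherwise.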