  1. #1
    Member
    Join Date
    Mar 2010
    Posts
    20

    Reverse proxy (cpanel. webmail. whm.) over HTTPS port 443 regardless of crt

    In short, allow an end-user/client to use port 443 to securely access their cPanel, rather than having to use port 2083.

    I've seen a lot of posts (google search etc.) and there have been lots of work-arounds posted - eg: running a proxy to forward 443/2083, etc. There's been quasi-workarounds built-in to cPanel (absorbing the cpanelproxy.) But in the end, most of it still requires access to 2083 for https style connection for a customer to access his cPanel.

    If this means using https://cpanel.customerdomain.com:443/ or https://customerdomain.com:443/cpanel/, or https://cpanel.hostingprovider.com:443/, doesn't matter too much, but the end result is to reach the normal cPanel login screen and still be on port 443.

    As more locations become more security conscious it becomes more difficult to start having firewalls opened (either ingress or egress.) And the moment the network security folks hear "secure web access..." they tend to first ask "why not use 443 like everything else".

    Ideally, the port would be configurable (either by the cpanel end-customer, the reseller, or the WHM admin). But even just a toggle that says "2083 or 443" would probably be sufficient for the vast majority.

    Thank you,
    PH

  2. #2
    cPanel Partner NOC
    Join Date
    Sep 2007
    Posts
    139

    Apache already runs on port 443 and since cpanel is a separate service, it runs on a separate port. It is not that hard to use mod_proxy and apache so that you can use an ssl to access cpanel using port 443 already. For the shared ip, if you have an ssl that matches cpanel.domain.com, it should already work. Private ssls installed on dedicated ips need the following entries added:

    RewriteEngine On
    <IfModule core.c>
    SSLProxyEngine On
    </IfModule>
    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]
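
Added example (not part of the original posts and not cPanel's own code): a small Python model of how the two RewriteCond tests and the [P] rule above decide which requests are handed to the service on 127.0.0.1:2083. The function names and sample URLs are constructed for illustration; myweb.com is the name used later in the thread.

```python
import re
from urllib.parse import urlsplit

# Values taken from the three rewrite lines in the post above.
BACKEND = "https://127.0.0.1:2083"
HOST_COND = re.compile(r"^cpanel\.")   # RewriteCond %{HTTP_HOST} ^cpanel\.
PATH_RULE = re.compile(r"^/(.*)")      # RewriteRule ^/(.*) ... [P]


def route(url, host_header=None):
    """Return the backend URL Apache would proxy to, or None when the
    request stays with the normal site content of the virtual host."""
    parts = urlsplit(url)
    # %{HTTP_HOST} is the Host header the client sent, not the IP it reached.
    host = host_header if host_header is not None else parts.netloc
    # Consecutive RewriteCond lines are ANDed: both must hold.
    if not HOST_COND.search(host):
        return None
    if parts.scheme != "https":        # RewriteCond %{HTTPS} on
        return None
    match = PATH_RULE.search(parts.path or "/")
    if match is None:
        return None
    target = f"{BACKEND}/{match.group(1)}"
    # mod_rewrite carries the original query string over unchanged
    # when the substitution has none of its own.
    if parts.query:
        target += "?" + parts.query
    return target


# Constructed sample requests (not taken from any real server).
SAMPLES = [
    "https://cpanel.myweb.com/",
    "https://cpanel.myweb.com/login/?user=demo",
    "https://myweb.com/cpanel",
    "http://cpanel.myweb.com/",
]


def classify(samples=SAMPLES):
    """Map each sample URL to its proxy target (None = not proxied)."""
    return {url: route(url) for url in samples}


if __name__ == "__main__":
    for url, target in classify().items():
        print(f"{url:45} -> {target or 'served by the site itself'}")
```

In this model only HTTPS requests whose Host header begins with `cpanel.` are proxied, so `https://myweb.com/cpanel` stays with the normal site while `https://cpanel.myweb.com/` reaches port 2083 through 443.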

  3. #3
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Quote (originally posted by pthirose):
    In short, allow an end-user/client to use port 443 to securely access their cPanel, rather than having to use port 2083.

    I've seen a lot of posts (google search etc.) and there have been lots of work-arounds posted - eg: running a proxy to forward 443/2083, etc. There's been quasi-workarounds built-in to cPanel (absorbing the cpanelproxy.) But in the end, most of it still requires access to 2083 for https style connection for a customer to access his cPanel.

    If this means using https://cpanel.customerdomain.com:443/ or https://customerdomain.com:443/cpanel/, or https://cpanel.hostingprovider.com:443/, doesn't matter too much, but the end result is to reach the normal cPanel login screen and still be on port 443.

    As more locations become more security conscious it becomes more difficult to start having firewalls opened (either ingress or egress.) And the moment the network security folks hear "secure web access..." they tend to first ask "why not use 443 like everything else".

    Ideally, the port would be configurable (either by the cpanel end-customer, the reseller, or the WHM admin). But even just a toggle that says "2083 or 443" would probably be sufficient for the vast majority.

    Thank you,
    PH

    How do you propose the feature request be implemented while ensuring it does not interfere with Apache/httpd listening on SSL (HTTPS) port 443?

    It is already possible to achieve by using the built-in support for proxy sub-domains (that includes cPanel/WHM/Webmail/WebDisk). What difficulty, if any, are you experiencing when using proxy sub-domains?

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    re: Reverse proxy (cpanel. webmail. whm.) over HTTPS port 443 regardless of crt

    Pursuing this internally, as long as the cPanel account has a dedicated IP address and a SSL certificate, you should be able to go to https://cpanel.example.com (substituting example.com with the domain).

    This was a previous oversight in the product that was resolved in 11.23.3 revision 25924. The internal case for this was case 6614.

    Keep in mind, this requires:

    1) this site has a SSL certificate
    2) this site has its own dedicated IP address

    If you have verified this, and this functionality is still not working for that specific domain, then we would need to pursue this as a bug. You can click the Bugs link on the top-right corner of this page to begin that process.

  5. #5
    Registered User
    Join Date
    Feb 2011
    Posts
    2

    re: Reverse proxy (cpanel. webmail. whm.) over HTTPS port 443 regardless of crt

    Quote (originally posted by sirdopes):
    Apache already runs on port 443 and since cpanel is a separate service, it runs on a separate port. It is not that hard to use mod_proxy and apache so that you can use an ssl to access cpanel using port 443 already. For the shared ip, if you have an ssl that matches cpanel.domain.com, it should already work. Private ssls installed on dedicated ips need the following entries added:

    RewriteEngine On
    <IfModule core.c>
    SSLProxyEngine On
    </IfModule>
    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]

    What exactly does the above do? With the code above would you be able to have a single SSL and a single static IP to visit both:

    https://myweb.com

    and

    https://myweb.com/cpanel

    ?

  6. #6
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Reverse proxy (cpanel. webmail. whm.) over secure port 443

    Quote (originally posted by lorio):
    Sounds like a sum-up of what is mostly wanted in this thread. If you use the reseller level you want this to happen. For the proposal above I have the question if the proxy domains are usable or if special ports are used for the webservices. Currently you are redirected from the proxy domains to the special ports e.g. 2096.

    Currently something like https://cpanel.example.com does not work (at least not on my server which is close to a default setup).

    Quote (originally posted by lorio):
    And before opening a new proposal I want to ask if it is currently possible to access all services via a wildcard certificate of the hostserver.

    The current architecture is for 1 SSL certificate per service with exception of Apache. Keep in mind, even if you have a wildcard for something like *.example.com, if the user connects via their own domain (e.g. example.net) then they'll get a mismatch error.

    Quote (originally posted by lorio):
    Side condition would be without using ports. If you are not using the resellerlevel, but reselling directly to customers you have no problems with them to use the hostname of the server instead of their domain but the ports are preventing them from using the services.
    Currently https://webmail.hostserverdomain.tld is not possible. If I am wrong, I would like to know how to use one wildcard cert to access webmail for all accounts via port 443.

    If my last paragraph is not senseless you might split the part to a new thread. If it is foolish I am waiting for enlightenment. Thanks for reading. Thanks for your time.

    I think this would be best split off into its own thread. Anecdotally, I've heard of people wanting this, so it'd be good to get things going to get this implemented. However, that's its own ball of wax separate from what's going on in the call for comments I just made.

    Is it okay with you if I just fork that to its own thread?

  7. #7
    Member
    Join Date
    Feb 2004
    Posts
    106

    Re: SSL certificate per domain on all services

    Quote (originally posted by cPanelDavidG):
    Is it okay with you if I just fork that to its own thread?

    It's your board and I'm happy to be able to articulate wishes and thoughts. It is not my intention to hijack threads and bring noise to the table. So if you see value in forking it, do so. Thanks.

  8. #8
    Registered User
    Join Date
    Sep 2011
    Posts
    1
    cPanel/Enkompass Access Level

    Root Administrator

    re: Reverse proxy (cpanel. webmail. whm.) over HTTPS port 443 regardless of crt

    + 1 for https access over port 443. (for example to be able to manage cpanel from work)
