What is the correct way to set up cPanel behind a firewall?

[Senor]

Say I have my router/firewall with external IP 1.2.3.4 and internal IP of 10.0.0.1. Also say I have my webserver running cPanel with an interal IP of 10.0.0.2.

First of all, is this recommended or should I have my cPanel box with the public IPs?

Second, if it's ok to have it behind my router, what cPanel configuration changes do I need to make to ensure it will run properly? Assume I have all my port forwarding set up correctly on my router. Domains will still need to have DNS entries that match that of my public IP (1.2.3.4), but Apache config files will need to have the internal (10.0.0.2) IP, correct? What do I need to change to make sure this is all set up properly when I add a new domain.

Also, with the "fix" of domains needing their own IP for SSL certificates, in a shared environment, would I then need to add additional IPs both to the public side of my router (ex: 1.2.3.5) as well as my cPanel box (ex: 10.0.0.3)?

I'm just curious what all I need to do to make cPanel function properly behind a firewall.

Thanks in advance!

Jay

[brianoz]

I guess if you really know what you are doing, you could put your cPanel box behind a firewall/router box but I can't think of any advantage in doing that.

The normal approach is to make the cPanel IPs public and run something like CSF to add an additional layer of security. One specific advantage of running CSF over your native hardware firewall is that it has various smarts in it and will detect a lot of hack attempts and ban the hacker IP, thus limiting the time they have for security scans/breakin attempts.