Accessing cPanel from behind firewall

Discussion in 'General Discussion' started by cheapo, Mar 11, 2003.

  1. cheapo

    Some of my clients are not able to access their cPanels at work because they are behind a firewall. Any suggestions to work around this?
     
  2. computerwguy

    You made sure that they are putting the http: in front, right?
     
  4. mweb

    I haven't tried, but can't you set port=(othernumberthan2082) in /usr/local/cpanel/etc/cpanel.config to have it answer on another port?

    And while we're on that subject, many firewalls allow port 563 out because that's in some RFC somewhere. Does anybody know how to reconfigure the /securecpanel/ to answer on that instead of 2083?
     
  5. dgbaker

    The best way is to set up port forwarding and forward the traffic to another port.

    We had the same issue with some of our clients; we set up a port forwarder so that they can access cPanel on, say, port 8888. The trick is figuring out which ports they can get out past their firewall with.

    For example:

    iptables -N nat
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8888 -j REDIRECT --to-port 2082

    This would allow the users to type in port 8888 and still get to cpanel on 2082 when they are behind a firewall.
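
An added example, not written by anyone in this thread: once REDIRECT rules like the one above are in place, this check lists which external ports now reach a cPanel/WHM/webmail listener and whether the target is a plain-HTTP port (2082, 2086, 2095) or an SSL port (2083, 2087). The function names and the sample rules are constructed for illustration; on a live host, feed it the output of `iptables-save -t nat`.

```shell
#!/bin/sh
# audit_cpanel_redirects: read `iptables-save -t nat` text on stdin and print
# one line per PREROUTING REDIRECT rule that lands on a cPanel-related port:
#   <external dport> <internal port> <plaintext|tls>
audit_cpanel_redirects() {
    awk '
    BEGIN {
        # Ports named in this thread: 2082/2086/2095 are plain HTTP,
        # 2083/2087 are the SSL listeners.
        kind[2082] = "plaintext"; kind[2086] = "plaintext"; kind[2095] = "plaintext"
        kind[2083] = "tls";       kind[2087] = "tls"
    }
    $1 == "-A" && $2 == "PREROUTING" {
        dport = ""; to = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
            # iptables-save prints --to-ports; accept the typed form too.
            if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
        }
        if (target == "REDIRECT" && (to in kind))
            print dport, to, kind[to]
    }'
}

# Constructed sample in iptables-save format (not captured from a real host).
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j REDIRECT --to-ports 2082
-A PREROUTING -i eth0 -p tcp -m tcp --dport 563 -j REDIRECT --to-ports 2083
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

sample_rules | audit_cpanel_redirects
```

Any line reported as `plaintext` means logins on that external port cross the network unencrypted, so pointing the redirect at the SSL listener is the safer choice.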
     
  6. jackal

    Would this work for WHM panel 2086?
     
  7. dgbaker

    It works beautifully!
     
  8. casey

    Where would I insert that code? cpanel.config?
     
  9. dgbaker

    Nope, this is SSH command line stuff.
     
  11. mweb

    Got it!

    Using iptables seems a bit heavy-handed, but I guess it's what stunnel sort of does anyway...

    Since this topic is about being behind a firewall, what makes you assume 8888 will be let out? Sort of the same issue.
    Application proxies won't work either (pending their proper use).

    And while I was typing...

    I just set up stunnel to redirect from 563 to 2082, changed the sredirect.cgi script to reflect the change, and we're off and running. Seems to work like a champ.

    It now answers on a common (RFC-compliant) tunneled protocol port.
     
  12. casey

    At work, I'm on a LAN and have to access the internet through a designated port (8080). When I try to access my control panel I immediately get a 504 gateway timeout error, so I assume I am not allowed to access port 2082. If I set up the iptables, will I be able to access the control panel, or is it a lost cause? I'm not too worried, because it's not the primary place where I access my cPanel.

    I think this is a different question, but I'm not sure. I have no idea what ports are. The firewall on this computer does not list 2082 as one of the blocked ports, so I am assuming it has something to do with the LAN connection.
     
    #12 casey, Mar 13, 2003
    Last edited: Mar 13, 2003
  16. n2nis

    Are you using it with SSL 2083/2087?
     
  17. ThunderHostingDotCom

    Which way is the most secure/stable way to access cPanel, WHM & WebMail without having to use the default ports?
    1) iptables
    2) cgiproxy
     
  19. webdev1

    Hi mweb,
    Could you please detail out the steps for this approach?

    For example, do you mean in stunnel to add a second set of configurations for each added port access:

    [whmhttps2]
    accept = 563 // this one works fine, without touching the sredirect.cgi file.
    connect = 2086

    [cpanelhttps2]
    accept = ???? // I would like to get working through the 563 as well ?
    connect = 2082

    [webmailhttps2]
    accept = ???? // I would like to get working through the 563 as well ?
    connect = 2095


    Also, please explain what changes are required for:
    /usr/local/cpanel/cgi-sys/sredirect.cgi
    and are any changes required to?:
    /usr/local/cpanel/cgi-sys/swhmredirect.cgi

    Also note, when you try to launch an account from:
    Main >> Account Information >> List Accounts
    will the access/redirect hold onto the https? I have tried several setups with cpanelproxy and it will not hold the https on redirect. That's why your approach seems nice, if we can get all three working.

    Thanks for your and anyone else's help, webdev1

    PS: Note to the great cPanel Team, it would be nice if you could design this into the next release.
     
    #19 webdev1, Nov 16, 2004
    Last edited: Nov 16, 2004
  20. mweb

    Unfortunately, you're stuck with one at a time.

    stunnel only redirects one port to another. Therefore, you'd be able to redirect 563 (as you've seen for WHM), but you'd have to accept on different ports for the other services.

    I can't recall what I'd done to the sredirect.cgi script - when the next "upgrade" came along my changes got clobbered, so I just gave up - it was fun while it lasted, but not that important to maintain.
     