SOLVED Auto Force TLS

Discussion in 'Security' started by Droidism20011, Jul 24, 2017.

  1. Droidism20011

    Droidism20011 Member

    Joined:
    Jul 20, 2017
    Messages:
    23
    Likes Received:
    10
    Trophy Points:
    3
    Location:
    Amsterdam
    cPanel Access Level:
    Root Administrator
    Hi,

    After trying to figure out how to set up WHM/cPanel to serve secured connections only, I have run into another roadblock caused by my noob knowledge level of WHM/cPanel.

    What I am trying to accomplish is to have any (feature added) site(s) on the VPS run/redirect to httpS:// connections only. Anyone entering Example Blog – Much example should be redirected to the secured httpS connection, so basically it is not possible to view any of the sites and pages without a TLS connection.

    What I have tried, without any success is to add:

    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    to 1: Pre Main Include -> Restart Apache, no success. 2: Pre VirtualHost Include -> Restart Apache, no success either.

    My understanding is that one can add these rules via the Include Editor, but after reading the following cPanel Forum post Force SSL for all websites I am not a 100% sure about my assumption. This is because the answer from @cPanelMichael is to have a look on the Modify Apache Virtual Hosts with Include Files documentation page.

    I am loving the whole GUI aspect of managing your server/vps, but I am starting to feel like it is at the same knowledge/skill level as being able to CLI your way around your server. Maybe this is where I am missing something vitally important; WHM/cPanel is not a 100% GUI replacement for the CLI and one has to CLI his/her way around from time to time to properly configure the server/vps.

    Anyone willing to educate me on what it is that I am doing wrong? Thanks again in advance
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I recommend using the steps documented for "Apply to all virtual hosts on the system" and "Without SSL" at:

    Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation

    Otherwise, your rewrite rules would apply globally on the server instead of in each virtual host where it's needed.

    Thank you.
     
  3. Droidism20011

    Droidism20011 Member

    Thanks again @cPanelMichael !

    So if I understand you correctly, for globally applied non-SSL to SSL rules I will have to CLI with SSH, navigate to
    Code:
    /etc/apache2/conf.d/userdata/std/2_4/
    and do something along the lines of
    Code:
    touch rewrite.conf
    and then follow this up by
    Code:
    nano rewrite.conf
    (you may LOL at the n00b way of describing/doing it, no problem at all.) and add the following:

    Code:
    <VirtualHost 1.2.3.4:80>
    
        RewriteEngine on
        RewriteCond %{HTTP:X-Forwarded-Proto} !=https
        RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R=301,L]
    
    </VirtualHost>
    If so, what about the
    Code:
    RewriteEngine on
    line above. If I want to create another global custom rule that uses the Rewrite Engine (i.e. www to non-www) should this be added to every config file or is this RewriteEngine already set to on by WHM/cPanel somewhere in a higher prioritised config file?

    If not, does the alphabetical order of the custom config files matter? In other words does the file
    Code:
    nonwww.conf
    get loaded before the file
    Code:
    rewrite.conf
    ?

    Also in the opening line
    Code:
    <VirtualHost x.x.x.x:80>
    should one add the public IP address (i.e. 1.2.3.4:80) or the network IP address (127.0.0.1:80)? Again, I am asking this because of my unfamiliarity with WHM/cPanel, so my apologies for asking the obvious if one has read the correct chapter/section of the cPanel docs.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You'd actually need to leave the "VirtualHost" section itself out of the include file. Here's a post with a working example for this functionality:

    SOLVED - HTTPS Redirection For All VirtualHosts

    If you wanted to add an additional rewrite rule, I recommend adding it as part of the same include file so you can sort the rules based on how you want them utilized.

    Thank you.
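    Putting the advice above into a checkable form, as an added example that is not part of the thread or cPanel's own tooling: a small Python script that writes a bare include (no `<VirtualHost>` wrapper, since cPanel adds that when it generates httpd.conf) into the `std/2_4/` tree that applies to every non-SSL virtual host, refuses to write one that carries a wrapper, and verifies that a captured response really is a 301 to the HTTPS URL. The file name `force_https.conf`, the `/.well-known/` exemption and the follow-up `/scripts/rebuildhttpdconf` and `/scripts/restartsrv_httpd` step are assumptions, not from the thread; the rewrite tests `%{HTTPS}` directly rather than `X-Forwarded-Proto`, which only carries meaning behind a reverse proxy.

```python
"""Write a cPanel EasyApache 4 'userdata' include that forces HTTPS on every
non-SSL virtual host, and check the redirect from a captured response.

Added example, not cPanel's own tooling or the poster's code. Assumed here
(not stated in the thread): the file name force_https.conf, the exemption for
/.well-known/ so certificate validation over plain HTTP keeps working, and that
the operator then runs /scripts/rebuildhttpdconf and /scripts/restartsrv_httpd
to regenerate and reload httpd.conf."""
import os
import re
import tempfile

# Non-SSL include tree named in the thread; overridable so the example can be
# exercised against a scratch directory instead of a live server.
DEFAULT_USERDATA = "/etc/apache2/conf.d/userdata"

# cPanel splices this file into each generated port-80 <VirtualHost> block, so
# it carries directives only and must not open a <VirtualHost> of its own.
FORCE_HTTPS_INCLUDE = """\
# force_https.conf (example name): send every plain-HTTP request to HTTPS.
# RewriteEngine defaults to Off and is set per context, so repeating it in
# every include file is harmless.
RewriteEngine On
# %{HTTPS} is "off" on the port-80 vhost; no proxy header is needed.
RewriteCond %{HTTPS} !=on
# Assumption: certificate validation uses /.well-known/ over plain HTTP.
RewriteCond %{REQUEST_URI} !^/\\.well-known/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
"""


def include_is_bare(text):
    """True when the include has no <VirtualHost> wrapper (cPanel adds that)."""
    return re.search(r"^\s*<VirtualHost\b", text, re.I | re.M) is None


def write_force_https_include(userdata_dir=DEFAULT_USERDATA, name="force_https.conf"):
    """Create std/2_4/<name> under the userdata tree and return its path."""
    if not include_is_bare(FORCE_HTTPS_INCLUDE):
        raise ValueError("include must not contain its own <VirtualHost>")
    target_dir = os.path.join(userdata_dir, "std", "2_4")
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, name)
    with open(path, "w") as fh:
        fh.write(FORCE_HTTPS_INCLUDE)
    return path


def write_to_scratch():
    """Same as above, but into a fresh temporary directory (for dry runs)."""
    return write_force_https_include(tempfile.mkdtemp())


def redirect_is_correct(raw_response, host, path):
    """Check a captured HTTP/1.1 response head: 301 to https://host/path."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "301":
        return False
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers.get("location") == f"https://{host}{path}"


# Constructed response head, as `curl -sI http://example.com/blog/` would show
# once the include is active (sample, not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Mon, 24 Jul 2017 12:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Location: https://example.com/blog/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("wrote", write_to_scratch())
    print("redirect ok:", redirect_is_correct(SAMPLE_RESPONSE, "example.com", "/blog/"))
```

    Run it against a scratch directory first (`write_to_scratch()`) to see the file it produces; on the server, call `write_force_https_include()` with the default path, regenerate httpd.conf and restart Apache, then confirm with `curl -sI http://yourdomain/` that the `Location` header points at HTTPS before adding an HSTS header on the SSL side.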
     
  5. Droidism20011

    Droidism20011 Member

    Hi @cPanelMichael

    Although I have to admit that I was a bit frustrated about the absence of cut-and-paste examples, you pointing me to the appropriate cPanel docs and thus forcing me to actually try this has helped me a great deal with understanding the finer points of working with WHM/cPanel. Thanks for this and your mentoring!

    I have "mkdir -p" several files in /etc/apache2/conf.d/userdata/ssl/2_4/; one of these files contains the following:

    Code:
    # ----------------------------------------------------------------------
    # | Security Headers                                                   |
    # ----------------------------------------------------------------------
    <IfModule mod_headers.c>
        # ------------------------------------------------------------------
        # | HTTP Strict Transport Security (HSTS)                          |
        # ------------------------------------------------------------------
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

        # ------------------------------------------------------------------
        # | Reducing MIME type security risks                              |
        # ------------------------------------------------------------------
        Header set X-Content-Type-Options "nosniff"

        # ------------------------------------------------------------------
        # | Clickjacking                                                   |
        # ------------------------------------------------------------------
        Header set X-Frame-Options "DENY"

        # `mod_headers` cannot match based on the content-type, however,
        # the `X-Frame-Options` response header should be sent only for
        # HTML documents and not for the other resources.

        <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
            Header unset X-Frame-Options
        </FilesMatch>

        # ------------------------------------------------------------------
        # | Reflected Cross-Site Scripting (XSS) attacks                   |
        # ------------------------------------------------------------------
        # "1" enables the browser's XSS filter; "mode=block" makes the
        # browser stop rendering the page instead of trying to sanitise it.
        Header set X-XSS-Protection "1; mode=block"

        # `mod_headers` cannot match based on the content-type, however,
        # the `X-XSS-Protection` response header should be sent only for
        # HTML documents and not for the other resources.

        <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
            Header unset X-XSS-Protection
        </FilesMatch>

        # ------------------------------------------------------------------
        # | Referrer Policy                                                |
        # ------------------------------------------------------------------
        Header set Referrer-Policy "strict-origin-when-cross-origin"
    </IfModule>
    
    Thanks again and count on me bothering you and your colleagues on this forum in the very near future!

    Kindly,

    W.
     
    cPanelMichael likes this.
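    As an added example (not cPanel's code or the poster's file): a short Python linter to run over a mod_headers include before regenerating httpd.conf. The excerpt it is fed is constructed in the style of the file above and seeded with three mistakes that are easy to make when stitching snippets together: a nested `<IfModule>` that is never closed (Apache refuses to start), `X-Content-Type-Options` set twice, and a Referrer-Policy value assigned to `X-Frame-Options` (which leaves Referrer-Policy unset and replaces the `DENY` that protects against clickjacking). The header value tables are taken from the respective specifications.

```python
"""Lint an Apache mod_headers include before regenerating httpd.conf.

Added example, not cPanel's tooling or the poster's file. It catches three
mistakes that are easy to make when assembling such a file from snippets:
an <IfModule>/<FilesMatch> block that is never closed, the same header set
twice at the same nesting level, and a header given a value that belongs to a
different header. The inputs are constructed excerpts, not a live config."""
import re
from collections import Counter

BLOCK_NAMES = r"(IfModule|FilesMatch|Files|Directory|Location|VirtualHost)"
OPEN_TAG = re.compile(r"^\s*<" + BLOCK_NAMES + r"\b", re.I)
CLOSE_TAG = re.compile(r"^\s*</" + BLOCK_NAMES + r">", re.I)
HEADER_SET = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', re.I)

# Tokens each header accepts (Referrer-Policy per the W3C Referrer Policy
# spec, X-Frame-Options per RFC 7034, X-Content-Type-Options per browsers).
KNOWN_VALUES = {
    "referrer-policy": {
        "no-referrer", "no-referrer-when-downgrade", "origin",
        "origin-when-cross-origin", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin", "unsafe-url",
    },
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
}


def lint_headers_include(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    stack = []           # open blocks as (name, line number)
    seen = Counter()     # (header name, nesting depth) -> times set
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPEN_TAG.match(line)
        if m:
            stack.append((m.group(1), lineno))
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if not stack or stack[-1][0].lower() != m.group(1).lower():
                findings.append(f"line {lineno}: </{m.group(1)}> has no matching open tag")
            else:
                stack.pop()
            continue
        m = HEADER_SET.match(line)
        if not m:
            continue          # comments, 'Header unset', non-header directives
        header, value = m.group(1), m.group(2)
        key = (header.lower(), len(stack))
        seen[key] += 1
        if seen[key] > 1:
            findings.append(f"line {lineno}: {header} is set more than once at the same level")
        allowed = KNOWN_VALUES.get(header.lower())
        token = value.split(";")[0].strip().lower()
        if allowed is not None and token not in allowed:
            owner = next((h for h, vals in KNOWN_VALUES.items() if token in vals), None)
            hint = f" (that is a {owner} value)" if owner else ""
            findings.append(f"line {lineno}: {header} has unknown value {value!r}{hint}")
    for name, lineno in stack:
        findings.append(f"line {lineno}: <{name}> is never closed")
    return findings


# Constructed excerpt seeded with the three mistakes described above.
POSTED_INCLUDE = """\
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    <FilesMatch "\\.(css|js|png|jpe?g|gif|svgz?|woff2?)$">
        Header unset X-Frame-Options
    </FilesMatch>
    Header set X-Content-Type-Options "nosniff"
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "strict-origin-when-cross-origin"
</IfModule>
"""

# The same excerpt with the mistakes corrected.
CORRECTED_INCLUDE = """\
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    <FilesMatch "\\.(css|js|png|jpe?g|gif|svgz?|woff2?)$">
        Header unset X-Frame-Options
    </FilesMatch>
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_INCLUDE), ("corrected", CORRECTED_INCLUDE)):
        print(f"{label}: {lint_headers_include(text) or 'clean'}")
```

    The check is deliberately line-based and conservative: it only knows the headers whose accepted values it lists, so a typo in an unlisted header still needs `apachectl -t` and a look at the response with `curl -sI` after the restart.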