SOLVED Auto Force TLS

[Droidism20011]

Hi,

After trying to figure out how to setup WHM/cPanel to serve secured connections only, I have ran into another roadblock caused by my noob knowledge level of WHM/cPanel.

What I am trying to accomplish is to have any (feature added) site(s) on the VPS run/redirect to httpS:// connections only. Anyone entering Example Blog – Much example should be redirected to the secured httpS connection, so basically it not possible to view any of the sites and pages without a TLS connection.

What I have tried, without any success is to add:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

to 1: Pre Main Include -> Restart Apache, no success. 2: Pre VirtualHost Include -> Restart Apache, no success either.

My understanding is that one can add these rules via the Include Editor, but after reading the following cPanel Forum post Force SSL for all websites I am not a 100% sure about my assumption. This is because the answer from @cPanelMichael is to have a look on the Modify Apache Virtual Hosts with Include Files documentation page.

I am loving the whole GUI aspect of managing your server/vps, but I am starting to feel like it is at the same knowledge/skill level as being able to CLI'ing your way around your server. Maybe this is where I am missing something vitaly important; WHM/cPanel is not a 100% GUI replacement for the CLI and one has to CLI his/her way around from time-to-time to properly configure the server/vps.

Anyone willing to educate me on what it is that I am doing wrong? Thanks again in advance

 

[cPanelMichael]

My understanding is that one can add these rules via the Include Editor, but after reading the following cPanel Forum post Force SSL for all websites I am not a 100% sure about my assumption. This is because the answer from @cPanelMichael is to have a look on the Modify Apache Virtual Hosts with Include Files documentation page.

Hello,

I recommend using the steps documented for "Apply to all virtual hosts on the system" and "Without SSL" at:

Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation

Otherwise, your rewrite rules would apply globally on the server instead of in each virtual host where it's needed.

Thank you.

 

[Droidism20011]

Thanks again @cPanelMichael !

So if I understand you correctly, for global applied non-ssl to ssl rules I will have to CLI with SSH, navigate to

/etc/apache2/conf.d/userdata/std/2_4/

and do something along the lines of

touch rewrite.conf

and then follow this up by

nano rewrite.conf

(you may LOL at the n00b way of describing/doing it, no problem at all.) and add the following:

<VirtualHost 1.2.3.4:80>

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R=301,L]

</VirtualHost>

If so, what about the

RewriteEngine on

line above. If I want to create another global custom rule that uses the Rewrite Engine (i.e. www to non-www) should this be added to every config.file or is this RewriteEngine allready set to on by WHM/cPanel somewhere in a higher prioritised config file?

If not, does the alphabetical order of the custom config.files matter? In other words does the file

nonwww.conf

get loaded before the file

rewrite.conf

?

Also in the opening line

<VirtualHost x.x.x.x:80>

should one add the public IP address (i.e. 1.2.3.4:80) or the network ip address (127.0.0.1:80)? Again, I am asking this because of my unfamiliarity with WHM/cPanel, so my appologies for asking the obvious if one read the correct chapter/section of the cPanel docs.

 

[cPanelMichael]

Hello,

You'd actually need to leave the "VirtualHost" section itself out of the include file. Here's a post with a working example for this functionality:

SOLVED - HTTPS Redirection For All VirtualHosts

If you wanted to add an additional rewrite rule, I recommend adding it as part of the same include file so you can sort the rules based on how you want them utilized.

Thank you.

 

[Droidism20011]

Hi @cPanelMichael

Although I have to admit that I was a bit frustrated about the absence of cut-and-paste examples, you pointing me to the appropriate cPanel docs and thus forcing me to actually try this has helped me a great deal with understanding the finer points of working with WHM/cPanel. Thanks for this and your mentoring!

I have "mkdir -p" several files in /etc/apache2/conf.d/userdata/ssl/2_4/ one of these files contains the following:

# ----------------------------------------------------------------------
# | Security Headers                                                     |
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
    # ----------------------------------------------------------------------
    # | HTTP Strict Transport Security (HSTS)                       |
    # ----------------------------------------------------------------------
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
   
    # ----------------------------------------------------------------------
    # | Reducing MIME type security risks                                 |
    # ----------------------------------------------------------------------
    Header set X-Content-Type-Options "nosniff"

    # ----------------------------------------------------------------------
    # | Clickjacking                                                                   |
    # ----------------------------------------------------------------------
    Header set X-Frame-Options "DENY"

    # `mod_headers` cannot match based on the content-type, however,
    # the `X-Frame-Options` response header should be send only for
    # HTML documents and not for the other resources.

    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-Frame-Options
    </FilesMatch>
   
    # ----------------------------------------------------------------------
    # | Reducing MIME type security risks                              |
    # ----------------------------------------------------------------------
    Header set X-Content-Type-Options "nosniff"

    # ----------------------------------------------------------------------
    # | Reflected Cross-Site Scripting (XSS) attacks                   |
    # ----------------------------------------------------------------------
    <IfModule mod_headers.c>

    #                           (1)    (2)
    Header set X-XSS-Protection "1; mode=block"

    # `mod_headers` cannot match based on the content-type, however,
    # the `X-XSS-Protection` response header should be send only for
    # HTML documents and not for the other resources.

    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-XSS-Protection
    </FilesMatch>

    # ----------------------------------------------------------------------
    # | Referrer Policy                                                    |
    # ----------------------------------------------------------------------
    Header set X-Frame-Options "strict-origin-when-cross-origin"
</IfModule>

Thanks again and count on me bothering you and your colleagues on this forum in the very near future!

Kindly,

W.