cPanel/Webmail/WHM disable SNI redirect

sparek-3

Well-Known Member
Aug 10, 2002
1,929
178
343
cPanel Access Level
Root Administrator
Is there a convenient way to disable the SNI redirect for cPanel access?

I would prefer to just have http://example.tld/cpanel redirect to https://hostname:2083 regardless of whether example.tld has a valid secure certificate or not.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
Hello,

The following option is available under the "Redirection" tab in "WHM >> Tweak Settings":

Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS”

You could disable this option, and then configure "Non-SSL redirect destination" to the server's hostname. Note that you'd need to make sure "Require SSL for cPanel Services" is enabled under the "Security" tab in "WHM >> Tweak Settings".

Thank you.
 

sparek-3

Well, if you do that, then the cPanel services can be accessed non-securely.

If Non-SSL redirect destination is set to Hostname, then http://example.tld/cpanel is just going to redirect to http://server.hostname.tld:2082. And if port 2082 is firewalled off, then this connection will fail.

How I patched this for my needs: I created a new redirect script in cgi-sys to automatically redirect to the server's hostname for each service. Then I created new ScriptAliasMatch directives in Apache before cPanel's ScriptAliasMatch directives to intercept this and force a redirect to these custom cgi-sys redirects.

This seems to work for my purposes, which doesn't appear to be a major issue for most other people.

I really just liked the old way cPanel did this, when this feature was called "Always redirect to SSL/TLS". Using SNI for the cPanel service ports always seemed to be an unnecessary extra step. Since HTTP supports redirection (unlike IMAP, POP, and SMTP) going to http://example.tld/cpanel could always redirect to an appropriately secured URL (like a server's hostname).
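
A sketch of the kind of custom redirect script described in the post above, as an added example that is not part of the thread and is neither sparek-3's nor cPanel's code. The script path, the function names and the use of `hostname -f` are assumptions; 2087 and 2096 are the standard WHM and Webmail TLS ports, which the thread does not mention.

```shell
#!/bin/sh
# Added example (hypothetical): CGI that redirects /cpanel, /whm and /webmail
# to the TLS port on the server's own hostname, whatever domain was requested.
# Wire-up assumption: a ScriptAliasMatch for each path pointing at this file,
# e.g. /path/to/cgi-sys/hostredirect.cgi, placed before cPanel's own directives.

# Map a request path to the service's TLS port.
service_port() {
    path=${1%%\?*}          # drop any query string
    path=${path%/}          # tolerate one trailing slash
    case "$path" in
        /cpanel)  echo 2083 ;;
        /whm)     echo 2087 ;;
        /webmail) echo 2096 ;;
        *)        return 1 ;;
    esac
}

# Build the redirect URL from a fixed hostname, never from the Host header,
# so the client cannot steer the redirect to another site.
redirect_target() {
    host=$2
    # Accept only plain DNS names: letters, digits, dots and hyphens.
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    port=$(service_port "$1") || return 1
    printf 'https://%s:%s/\n' "$host" "$port"
}

# Emit the CGI response: a redirect for known paths, 404 for anything else.
cgi_response() {
    if url=$(redirect_target "$1" "$2"); then
        printf 'Status: 302 Found\r\nLocation: %s\r\n\r\n' "$url"
    else
        printf 'Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\n'
    fi
}

# Run only when invoked by the web server as a CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_response "${REQUEST_URI:-}" "$(hostname -f)"
fi
```

Because the target is always https on the hostname, this keeps working with port 2082 and the other non-secure service ports firewalled off.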
 

cPanelMichael

> Well, if you do that, then the cPanel services can be accessed non-securely.

That shouldn't happen as long as you leave "Require SSL for cPanel Services" enabled under the "Security" tab in "WHM >> Tweak Settings". It worked as intended when testing the behavior on a test system. That said, you may encounter issues if you have port 2082 blocked in your firewall.

Thank you.
 

sparek-3

Ah, OK. Blocking port 2082 and the other non-secure cPanel services ports was the issue here.

Still debating on whether I like this solution or my custom solution better.
 