SOLVED Prevent domain.com:2082 logins

Krydos

Well-Known Member
Jun 2, 2012
59
9
58
cPanel Access Level
Root Administrator
I've searched around and I can't find an answer to this:

Say my company website is company.com and each server is a subdomain like server1.company.com and server2.company.com. Say I'm a user and I have the domain example.com hosted on my cpanel account.

The way we want people to be able to log into cPanel is through server1.company.com:2083 but some people have port 2083 blocked by their schools or work or country or whatever so we want cpanel.server1.company.com:80 to work too. We don't want example.com:2082 or example.com:2083 or cpanel.example.com:80 to work. If it doesn't have server1.company.com in the url we want it to redirect to server1.company.com:2083 unless they really really need to use port 80 in which case they can use cpanel.server1.company.com. Is there any way to do this?
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
807
158
168
New Jersey
cPanel Access Level
DataCenter Provider
You already have the ability to use your hostname for proxy URLs, you have to add the DNS manually (as far as I can tell) but if you look at apache conf:

Code:
RewriteEngine On
RewriteCond %{HTTP_HOST} =autodiscover.server1.domain.com
RewriteRule ^ http://127.0.0.1/cgi-sys/autodiscover.cgi [P]
RewriteCond %{HTTP_HOST} =cpanel.server1.domain.com
RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0
RewriteCond %{HTTP_HOST} =webdisk.server1.domain.com
RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0
RewriteCond %{HTTP_HOST} =webmail.server1.domain.com
RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0
</VirtualHost>
The rules are already there so just create the A Record for cpanel.server1.company.com, whm.server1.company.com and webmail.server1.company.com and you should be all set!
 

Jcats

Sorry, I am trying to figure this out as I respond ;) so that config doesn't exist automatically.

It exists because we install the SSL of the server hostname using WHM > Install an SSL Certificate on a Domain

this way we can set it as the default SSL on shared IPs so none of our customers' sites show when visiting https://serverip

but it does work for your situation minus the fact you would need to purchase a separate SSL for each proxy sub..subdomain.

*Back to the drawing board =X
 

Krydos

You might be on to something! I always avoid manually editing the httpd.conf because cpanel. So my first thought was to try .htaccess in /usr/local/cpanel/base/frontend/paper_lantern/ but that doesn't work. Apparently cpanel doesn't support .htaccess there. Maybe if I edit that RewriteCond/RewriteRule section in httpd.conf I can get it to do what I want it to do. Then I would have to distill the httpd.conf to prevent the changes from being lost immediately...

Update:

So, that's only going to affect stuff like cpanel.example.com on port 80. It's not going to rewrite anything on port 2082 or 2083.
 

Jcats

so my first thought was to try .htaccess in /usr/local/cpanel/base/frontend/paper_lantern/
That wouldn't work just because that isn't a valid path in terms of a doc root, it wouldn't be referenced by Apache.

If you wanted to write rules to affect all domains, you could use an include via the Include Editor:

WHM > Service Configuration > Apache Configuration > Include Editor

Would add it to a Pre VirtualHost Include which should make it take precedence over the rewrite rules cPanel uses for proxy subdomains since it should come before, but would need to test that a bit.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

You could set up custom firewall rules that block or redirect access to ports such as 2083 and 2087 on the IP addresses associated with the domain names on the server. Then, set up the server's hostname so it resolves to an IP address not used by any other domain name. The following StackOverflow thread may help you to set this up:

ConfigServer Security Firewall & port forwarding

Thank you.
 

Krydos

Hello,
You could set up custom firewall rules that block or redirect access to ports
Too funny!

I just did exactly that. I use CSF and here is the rule I just wrote in csf.redirect:
Code:
*|2082|*|2083|tcp
That takes any IP that connects with tcp on port 2082 and sends them to port 2083 where cpanel handles the redirects to https and changes the domain to the server1.company.com style I want to enforce. I came here to update my thread and found I had been beaten to it by a week. :)
 
  • Like
Reactions: cPanelMichael
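
An added example, not part of the thread: a small audit of csf.redirect-style rules that reports which cleartext cPanel service ports are redirected to their TLS counterparts and which are not. It assumes the five-field shape of the rule in the post (address|port|address|port|protocol, with `*` meaning any address) and the default cPanel port pairs; the function names and the sample rules are constructed for illustration.

```python
# Added example: audit csf.redirect-style rules for cleartext cPanel ports.
# Default cPanel port pairs (cleartext -> TLS): cPanel, WHM, Webmail, WebDisk.
TLS_PORT = {2082: 2083, 2086: 2087, 2095: 2096, 2077: 2078}

# Constructed sample; the first rule is the one quoted in the post.
SAMPLE = """\
# port redirects
*|2082|*|2083|tcp
192.0.2.10|2095|*|2096|tcp
*|2086|*|2082|tcp
"""

def parse_rule(line):
    """Split one rule into its five fields (field meaning assumed from the post).
    Returns None for blank lines and comments; raises ValueError on bad input."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    if fields[4] not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol {fields[4]!r}")
    for port in (fields[1], fields[3]):
        if port != "*" and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad port {port!r}")
    return tuple(fields)

def audit(text):
    """Return {cleartext_port: status} for every port in TLS_PORT."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    report = {}
    for clear, tls in TLS_PORT.items():
        hits = [r for r in rules if r[4] == "tcp" and r[1] == str(clear)]
        if not hits:
            report[clear] = "none"          # no redirect rule for this port
        elif any(r[3] != str(tls) or r[2] != "*" for r in hits):
            report[clear] = "wrong-target"  # sent somewhere other than the local TLS port
        elif all(r[0] != "*" for r in hits):
            report[clear] = "partial"       # only some server addresses are covered
        else:
            report[clear] = "tls"           # every address redirected to the TLS port
    return report

if __name__ == "__main__":
    for port, status in sorted(audit(SAMPLE).items()):
        print(port, status)
```

A status of `none` only means no redirect rule was found; the port may still be closed by the firewall or handled by the WHM setting mentioned later in the thread.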

Jcats

You can force all non-encrypted cPanel ports to their secure port via WHM > Tweak Settings > Require SSL for cPanel Services

so CSF isn't really needed but I guess whatever works :)
 

Krydos

You can force all non-encrypted cPanel ports to their secure port via WHM > Tweak Settings > Require SSL for cPanel Services
some people have port 2083 blocked by their schools or work or country or whatever so we want cpanel.server1.company.com:80 to work too.
I would love to block all of the non-secure ports, but there are way too many people who can't use encryption, or can't use any ports except 80/443, etc.
 

Jcats

Well, there are plenty of secure ports that do not utilize 443, but even still, you can force anyone using 80 to use 443 with the same option in Tweak Settings.