Problem with non SSL login to WHM, CPANEL and WEBMAIL

mailo

Member
Sep 29, 2008
5
0
51
Folks, I have this issue.

I followed FAQ to disable non SSL login to whm / cpanel and webmail:

"Under 'Tweak Settings' in WHM, make sure the following option is selected:
Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc"


But I can login on default http connection without SSL, yet.

There is another tweak that overrides this option?

I`m using a wildcard SSL cert and is configured to all services in SSL Host like *.domain.com
 

sparek-3

Well-Known Member
Aug 10, 2002
2,069
237
368
cPanel Access Level
Root Administrator
How are you logging on non-securely?

Using that option in tweak setting won't prevent someone from accessing the cPanel apps directly on the insecure ports (2082, 2085, 2095).

So if someone is visiting their control panel by specifically going to:

http://theirdomain.com:2082

Then this will work.

If you don't want the insecure ports to work, your best option is to use a firewall and block those ports. Then reminding customers that they need to use http://theirdomain.com/cpanel for accessing their control panel.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,069
237
368
cPanel Access Level
Root Administrator
This is using the cPanel proxy setup.

I don't recommend setting this up for each individual account on a server. Instead I recommend setting up a single cpanel subdomain account on the server and installing a certificate for that account. Then telling all of your users to access their control panel through this subdomain account. Its a bit easier to manage in my opinion.

For more information on this see my post:

http://forums.cpanel.net/showpost.php?p=429953&postcount=94

Otherwise, you would need to discuss this with the cPanel developers. Perhaps log some type of enhancement request.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,069
237
368
cPanel Access Level
Root Administrator
I just realized that the post I referenced was for webmail. This can still work for cpanel you just need to use a cpanel subdomain account and instead of:

Code:
http://127.0.0.1:2095/$1
use:

Code:
http://127.0.0.1:2082/$1
Port 2095 is for Webmail.

Port 2082 is for cpanel.

Port 2085 is for Webhost Manager.
 

mailo

Member
Sep 29, 2008
5
0
51
Thanks a lot, but the problem continues, I was reading httpd.conf configuration and put these changes:

# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS
<VirtualHost 70.38.37.200:80 70.38.37.200:443 *>
ServerName pi.fribits.com
ServerAlias cpanel.* whm.* webmail.* webdisk.*
DocumentRoot /usr/local/apache/htdocs
ServerAdmin [email protected]
RewriteEngine On
RewriteCond %{HTTP_HOST} ^cpanel\. [NC]
RewriteRule ^/(.*) https://cpanel.fribits.com/$1


But enters in a loop, I need that all cpanel.domain have to go to cpanel.fribits.com, but with these sentences are being looped.

UseCanonicalName Off
</VirtualHost>
 

sparek-3

Well-Known Member
Aug 10, 2002
2,069
237
368
cPanel Access Level
Root Administrator
Your entering an infinite loop because you are telling the server to redirect https://cpanel.fribits.com to https://cpanel.fribits.com

I don't know how you have this wildcard SSL set up. I have very limited experience with wildcard SSLs.

For one thing, you don't need to edit the httpd.conf file manually. Changes will get overwritten.

How I have done this in the past with a wildcard SSL was to create separate accounts.

cpanel.fribits.com
whm.fribits.com
webmail.fribits.com

Each with their own IP address. Each set up just like they were separate accounts.

Then install the certificate for cpanel.fribits.com using the wildcard SSL certificate.

Then install the certificate for whm.fribits.com using the wildcard SSL certficate.

etc.

Then follow the instructions as laid out in the thread I referenced above.

In order for you to do this, it looks like you will have to unpark cpanel.fribits.com, whm.fribits.com, webmail.fribits.com, and webdisk.fribits.com for this to work (or however the line ServerAlias cpanel.* whm.* webmail.* webdisk.* came to be in your config file -- again, limited experience working with wildcard certificates)