The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Problems securing cPanel using ConfigServer Firewall suggestions...

Discussion in 'Security' started by Spork Schivago, Jan 24, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Hello,

    I'm trying to secure my domain a bit and I'm using ConfigServer Firewall. I run a security scan of my system and CSF (ConfigServer Firewall) reports:
    Code:
    Check proxy subdomains:   This option can mask a users real IP address and hinder security. You should disable WHM > Tweak Settings > Proxy subdomains
    
    So, I disable that option in Tweak Settings, and it turns off the various subdomain stuff, like whm.mydomain.com, webmail.mydomain.com, etc.

    The problem is, I'd like to have those still working. Is there away to manually set them up? Maybe by creating actual subdomains and somehow redirecting it to the proper port? Or is the only way to get those to work (whm, webmail, cpanel, etc) is to keep that option enabled?

    So just so I'm clear, I want the proxy subdomains disabled but I'd like to manually setup subdomains for the various cPanel / WHM stuff, so when I go to some place like whm.mydomain.com, it takes me to the same place that it'd take me if I had the proxy subdomains enabled. I'm just not sure how to set that all up.

    Any help would be greatly appreciated.

    P.S. - I don't know a lot about DNS records and stuff like that. I've ran Apache before, but only on local machines. Never with a real domain or anything. Thanks!
     
    #1 Spork Schivago, Jan 24, 2016
    Last edited: Jan 24, 2016
  2. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    I wonder if I could create the subdomain, whm.mydomain.com, and then redirect it to something like:
    Code:
    /usr/local/cpanel/cgi-sys/swhmredirect.cgi
    
    From looking at the httpd.conf file, it seems that if someone goes to mydomain.com/securewhm, that's where they get redirected. Would that be possible? Thanks!
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can simply enable the "Proxy Subdomains" feature in "WHM >> Tweak Settings". Setting them up manually is going to result in the same behavior as if you were to enable them through WHM. The security warning is to note that it makes it easier for a user to mask their identify by connecting only over port 80.

    Thank you.
     
  4. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Thank you cPanelMichael. I questioned whether it was really a security threat or not. Is there any chance you could just give me some basic steps on how to manually set it up without the proxy's though, so I don't see that nice pinkish / red warning in CSF? If it's too much trouble for you, I understand, and I'll just re-enable the Proxy Subdomain feature in WHM. I mean, if it's something where you have to give me 1,000 steps, don't worry about. If you decide to leave me instructions, you don't have to leave step-by-step ones. Just a brief idea of what I have to do. Ie, create various sub-domains or maybe setup virtual hosts using the vhost.local in the /var/cpanel/templates/apache2 directory. Thanks!
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    So the only way to manually setup the whm.mydomain.com, cpanel.mydomain.com, etc, would be to manually setup the Proxy stuff? I was hoping there'd be a way to do it with removing the proxy stuff all together. If the only way is through the proxy stuff though, I'll just re-enable the option in the Tweak Settings
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you elaborate on what in particular you prefer to use to configure the proxy redirects?

    Thank you.
     
  8. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Sorry cPanelMichael. I'm very new to managing a server that's on the net. My understanding was I was getting the error message because those redirects were setup as a proxy. I thought there would be away to set them up without using the mod_proxy apache module all together. Like for example, maybe setting up, I think they're called subdomains. And having the subdomain, for example, whm.mydomain.com actually point to mydomain.com/whm or mydomain.com:<whm port>. Then I wouldn't be using proxies at all.

    I think I just found my answer! I was googling to see if there was a way to use subdomains instead of proxy subdomains and I found this article:

    Proxy Subdomains Use the cPanel Service SSL - cPanel Knowledge Base - cPanel Documentation

    I don't understand why the article says:
    Code:
    Warning:
    
    We do not recommend that you bypass your server's proxy subdomain configuration.
    
    Do I create some sort of security risk by creating those subdomains and not using the proxy subdomain redirects? I have valid SSL certs installed for the various cPanel stuff, whm.mydomain.com, cpanel.mydomain.com, webmail.mydomain.com. I created them using Let's Encrypt's free SSL cert program and then I used a custom script someone here posted to install them. I then modified the script to configure the various cpanel services to use them (ie, webmail, cpanel, whm, etc). I added a crontab entry to automate it all, so I don't have to do anything anymore.

    I thought that if I manually created the subdomains myself, I'd only need to worry about the SSL certificate, for my main domain. Then when Let's Encrypt runs, I won't have to shutdown Apache, run Let's Encrypt, restart it...because I could simply use the WebRoot plugin.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It's acceptable to use the method suggested at the document you provided. The warning is to note that it won't allow visitors to access those services over port 80. Instead, visitors are redirected to the standard ports for the services.

    Thank you.
     
  10. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    This is great cPanelMichael! That's exactly what I want to do! Now I just gotta figure out how to setup the subdomains so that they do that redirect stuff. I think I also need to create those dang DNS records. I really struggle with that stuff there!

    You've been a great helping answering all my questions and I really appreciate everything cPanelMichael! If I ever switch hosting companies and they don't provide cPanel / WHM, I'll be sure to purchase a copy! I'm also gonna spread the word around about how great you guys are, providing support, and how wonderfully easy your cPanel products making managing a website!

    Thank you!
     
  11. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    cPanelMichael,

    I'm having issues. I got all the domain redirects working. I had trouble with three of them, webdisk, cpcalendars and cpcontacts. Turns out I needed to restart the cpsrvd daemon and then they worked fine. For some reason, they were showing up as using the old self signed cert, not the one I created from Let's Encrypt. That's fixed now.
    Code:
    When I go to example.com and www.example.com, I get the message that this website isn't configured properly, etc.   But when I go to the secured version, https://example.com and https://www.example.com, it loads the index.php script, as expected.   
    Any ideas what's going on there and why it's not properly loading the index.php for non-encrypted traffic?

    What'd I'd really like to do is automatically redirect any http visitors to the SSL https web pages. I had this working, by editing the /var/cpanel/templates/apache2/vhost.local file and adding:
    Code:
    Redirect permanent / https://[% wildcard_safe(vhost.servername) %]/
    
    This broke the subdomain redirects though so i had to remove it. Gotta figure out how to safely redirect everyone to https sites without it messing up the subdomain stuff. Thanks!
     
    #11 Spork Schivago, Jan 25, 2016
    Last edited by a moderator: Jan 26, 2016
  12. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    I think I found a work-around. I used a rewrite rule in an .htaccess file in the document root. Not the best solution, but at least it redirects them to the SSL stuff now.
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Enabling the proxy subdomains would be a lot less work to maintain don't you think?
     
  14. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    How so? I mean I got the subdomain redirects setup now, so if I'm understanding everything right, I believe this means when I renew my SSL certs, I don't have to shutdown Apache, run letsencrypt-auto, restart Apache.

    I generate my own certs using Let's Encrypt. I had generated ones for stuff like whm.mydomain.com, webmail.mydomain.com, etc. But the way Let's Encrypt works, in order to generate a cert, it creates a directory on DocumentRoot called something like .well-known and inside that directory, a directory called acme-challenge or something along those lines. Then it puts a file there and tries going to whatever domains / subdomains I put down. Like whm.mydomain.com/.well-known/acme-challenge/secret_file. With the proxy's enabled, whenever Let's Encrypt tried going to the .well-known directory, it never worked. So the only way to do it was to use the stand-alone plugin, shutdown Apache, run letsencrypt-auto with the standalone installer, restart Apache.

    Now though, because I have subdomain redirects, if I'm not mistake, all I have to do is create one SSL cert for my main domain, and it should work for all the sub-domains as well, because they're just redirects. That means I shouldn't have to shutdown anything and can just use the normal webroot plugin.

    Unless I'm missing something. I mean, is there more work that I have to do that I don't know about? I really appreciate all the help and I'm sure you know more about this stuff than I do, so thanks for sharing and please let me know what work you're referring to...thanks!
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I'm happy to see you were able to find a viable workaround. Thank you for updating us with the outcome.
     
  16. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    As it turns out, the reason the reason the web pages weren't loading properly was because Chrome seems to ignore the meta-tags for cache control. The only solution I could find was to add this either to .htaccess per documentroot or in httpd.conf for a global solution. I'm just posting here in case anyone else runs into a similar problem.

    Code:
        <IfModule mod_headers.c>
            Header  unset ETag
            Header  set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
            Header  set Pragma "no-cache"
            Header  set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    
        </IfModule>
    
    It disables cache for all files. It can be customized a bit so things like pictures still get cached. At least now when I make a change, it gets updated as soon as I refresh the page. Thanks!
     
Loading...

Share This Page