Setting .htaccess in /var/www/html/

serpent_driver

Well-Known Member
Aug 1, 2019
57
10
8
Home
cPanel Access Level
Root Administrator
If someone tries to access my RDNS address, cPanel shows the default error page (/cgi-sys/defaultwebpage.cgi). With ModSecurity I can block access if the IP of my server is requested, but the same isn't possible for the RDNS address. The question is: can I set a .htaccess in /var/www/html/ that disallows access to the RDNS address?

Thank you.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,562
2,611
363
cPanel Access Level
Root Administrator
Hey there! I wouldn't recommend placing a .htaccess in /var/www/html as that would likely have unintended consequences, such as causing issues with the AutoSSL system. Any domain that points to your server's IP address, which doesn't have a vhost created, would give you similar behavior.

You may be better off setting up a default vhost for your unroutable traffic, and you can find more details on that here:

 

serpent_driver

Well-Known Member
such as causing issues with the AutoSSL system
Yes, that is why I asked whether it can be done without any risk or whether it could cause any other issues. I will follow your recommendation to set up a default vhost for unroutable traffic, but have to check first whether this modification has any effect on the LiteSpeed webserver.

Thank you very much.
 

serpent_driver

Well-Known Member
I've set a default virtual host for the IP of my server. Can I now add a rewrite rule like:

RewriteRule .* - [F,L]

in the VirtualHost context to block access if the RDNS address is requested, or what has to be done to get the same?
 

cPRex

Jurassic Moderator
As with any change on a cPanel system, you wouldn't be able to edit the Apache configuration directly as that will be overwritten. You could definitely add this to a .htaccess file in your default vhost to apply that rule.
 

serpent_driver

Well-Known Member
As with any change on a cPanel system, you wouldn't be able to edit the Apache configuration directly as that will be overwritten.
Sorry for questioning this. That means I can/must remove what you suggested with:
How Can I Set a Default Virtual Host For Each IP Address? ?!

You could definitely add this to a .htaccess file in your default vhost to apply that rule.
The default vhost directory is /var/www/html/. This directory is used for unroutable traffic. The RDNS address is unroutable, so again: can I set a rewrite rule in a .htaccess located in /var/www/html/?
 

cPRex

Jurassic Moderator
The documentation page talks about using the include system to make changes to Apache, so if you used the include files you can leave those in place. Issues will happen if you edit the main /etc/apache2/conf/httpd.conf file directly on the machine.

In the guide, /var/www/html is being used as an example, and is not the literal document root that should be used.
 

serpent_driver

Well-Known Member
Issues will happen if you edit the main /etc/apache2/conf/httpd.conf file directly on the machine.
No, I added the defines in pre_virtualhost_2.conf for the specific Apache version, as explained in the guide.

In the guide, /var/www/html is being used as an example, and is not the literal document root that should be used.
The penny dropped. :) Now I understand what has to be done! Thank you.
 

serpent_driver

Well-Known Member
For others who also want to block access to the RDNS address (== "hostname"), here is a working example:

1.) Create a directory for the document root, preferably in /home
2.) Create a directory for log files, preferably in /home/logs
3.) Add a .htaccess to the document root of the new virtual host containing:

Code:
# RewriteEngine is off by default in .htaccess context; without this line the rule below is ignored
RewriteEngine On
RewriteRule .* - [F,L]
Options -Indexes
4.) Add a 403.shtml to the document root of the new virtual host
5.) Edit pre_virtualhost_2.conf or use WHM » Home » Service Configuration » Apache Configuration » Include Editor and add the configuration for the new virtual host.

Code:
# Apache only accepts comments on their own line, never after a directive
# for NON SSL
<VirtualHost 123.123.123.123:80>
    # DocumentRoot and ServerName are required
    DocumentRoot /path/to/dir/
    ServerName host.example.com
    ErrorLog /home/dir_of_choice/logs/host.example.com-error_log
    TransferLog /home/dir_of_choice/logs/host.example.com-access_log
    # lets the .htaccess from step 3 take effect on port 80 as well
    <Directory "/home/dir_of_choice">
        AllowOverride All
    </Directory>
</VirtualHost>

# for SSL
<VirtualHost 123.123.123.123:443>
    # DocumentRoot and ServerName are required
    DocumentRoot /path/to/dir/
    ServerName host.example.com
    ErrorLog /home/dir_of_choice/logs/host.example.com-error_log
    TransferLog /home/dir_of_choice/logs/host.example.com-access_log
    <IfModule suphp_module>
        suPHP_UserGroup nobody nobody
    </IfModule>
    <Directory "/home/dir_of_choice">
        AllowOverride All
    </Directory>
    <IfModule ssl_module>
        SSLEngine on
        SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLUseStapling Off
    </IfModule>
    <IfModule security2_module>
        SecRuleEngine On
    </IfModule>
</VirtualHost>
6.) To be done: how to create an SSL certificate for this virtual host?!
7.) To be done: adding a ModSecurity rule
8.) Correct routing with www and without www
 

serpent_driver

Well-Known Member
[Update]

The previous configuration for the new virtual host works, but only with "www.". Without www., /var/www/html/cgi-sys/defaultwebpage.cgi is used instead of the new document root in the other directory. For testing I added an alias to the configuration and also added www., but nothing changed.

Any ideas?
 

cPRex

Jurassic Moderator
I believe the intent of the "default" vhost is just to handle unrouted traffic for each IP address. Since IP addresses can't handle SSL connections, there wouldn't be a way to set up an SSL to work with that. No matter what options are chosen or what certificate file you use, you'll always receive an SSL mismatch when this happens in a browser. It's important to remember that this setup would only come into play if a domain is accidentally pointed to your server's IP address in DNS, but you are not the real host of the domain.
 

cPRex

Jurassic Moderator
I would have expected www or non-www to work by default with that vhost in place, as there is no specific hostname specified. Normally we add a ServerAlias line to catch mail and www, such as in this example:

Code:
<VirtualHost 1.2.3.4:80>
    ServerName domain.com
    ServerAlias mail.domain.com www.domain.com
</VirtualHost>
but since we can't specify a domain name, as this is being used as a catch-all, I'd expect this to work. Do you have a domain that you are testing with that points to your server but doesn't have a vhost?
 

serpent_driver

Well-Known Member
For better understanding.

example.com is in use and has additional DNS entries for with and without www
test1.example.com is in use and has additional DNS entries for with and without www
test2.example.com is in use and has additional DNS entries for with and without www

#################################
host.example.com is not in use but has additional DNS entries for host. and for www.host.
host.example.com == hostname or RDNS URL
host.example.com has additional DNS entries for with and without www, i.e. www.host.example.com and host.example.com

Routing of domains and subdomains where an account exists works properly, so there is no problem there. There is only a problem with routing to the correct document root for host.example.com: www.host.example.com routes to the new document root as configured for the new virtual host. Without www it routes to the default document root /var/www/html.

Adding an alias to the configuration of the new virtual host has no effect.
 

cPRex

Jurassic Moderator
Thanks for the additional details. I wouldn't expect the hostname to be a valid test of this as it sounds like it's behaving correctly. The hostname of the server *should* point to /var/www/html and not your unrouted vhost, while www.host.domain.com doesn't exist in Apache, and would reach the unrouted vhost.

If you have a separate domain that isn't the hostname that is also pointed to your server's IP address, I would bet it works how you expect.
 

serpent_driver

Well-Known Member
If you have a separate domain that isn't the hostname that is also pointed to your server's IP address, I would bet it works how you expect.
This bet you will definitely win, but with a bad quote.... There is no question that it will work with every other domain that is not used for the hostname.

The hostname of the server *should* point to /var/www/html and not your unrouted vhost
If the hostname should point to /var/www/html in your opinion, why does cPanel use a strange-looking strategy when the hostname is requested? Strange because the behaviour when a hostname is requested is quite different. As a consequence of finding no solution for what I want, I removed all custom settings and tested the default behaviour when the hostname is requested. If the hostname is requested without www, the request is redirected to /cgi-sys/defaultwebpage.cgi. If the hostname is requested with www, the request is redirected to the domain that comes next in alphabetical order. This describes similar behaviour to my custom settings, but sorry, I can't follow this logic?! This can't be the plan of Apache.

So as not to be misunderstood: my intention to change and control what should happen if the hostname is requested is not for fun or because I have too much time. My hostname will be requested very often, but not by innocent users. Almost every request for the hostname comes from "bad guys" checking whatever can be found out about my server. I have ModSecurity and CSF, both give me good protection, but of course it can't be perfect. My intention is to reduce the attack surface, and if my server sends a 403 header, or much better, drops the (browser) request to the hostname, it could reduce the motivation to have a closer look at my server. I hope you understand what I am trying to do.

I have been using cPanel/WHM for many years and I am almost happy with it, but cPanel should care a little bit more about security. This case with the hostname isn't the only thing that should be improved. With cPHulk, cPanel offers a solution against brute-force attacks on disallowed logins, but this case is similar to the case of requesting the hostname. I have around 2000 brute-force attacks daily on WHM, and every wrong login attempt is blocked for 1 day. Blocking seems good, but it costs performance and load. Resources I need for my web applications. Access to WHM/cPanel is possible with every registered account/domain just by adding the port number to the URL. These port numbers are well known by almost everyone with no good intentions. Do you think that is a good security strategy?

Anyway, my last try to solve what I wanted was to add an alias name to the virtual host configuration, but it also fails. Depending on whether www is used or not, the behaviour is different. To me, it looks like somewhere there must be a configuration with a higher priority that overrides my configuration.

So the question is where is this configuration defined and can it be changed?
 

cPRex

Jurassic Moderator
If the hostname should point to /var/www/html in your opinion, why does cPanel use a strange-looking strategy when the hostname is requested? Strange because the behaviour when a hostname is requested is quite different. As a consequence of finding no solution for what I want, I removed all custom settings and tested the default behaviour when the hostname is requested. If the hostname is requested without www, the request is redirected to /cgi-sys/defaultwebpage.cgi. If the hostname is requested with www, the request is redirected to the domain that comes next in alphabetical order. This describes similar behaviour to my custom settings, but sorry, I can't follow this logic?! This can't be the plan of Apache.
I don't know if I'd say it's the "plan" of Apache, but that's how Apache has always handled this type of traffic. That's why we see many users asking "why am I getting the wrong site when I visit a domain with an SSL certificate but the regular site works?" If Apache can't serve the exact document root that it should, it moves on to the next best thing. For SSL certificates, that's the first secure vhost it can find.

It's possible my statement that "the hostname should point to /var/www/html" was a bit too loose. In general, yes, that is the document root for the hostname of the server. We can see that on any cPanel system by examining the vhost:

Code:
<VirtualHost 127.0.0.1:443 1.2.3.4:443 *:443>
    ServerName host.yourdomain.com
    DocumentRoot /var/www/html
</VirtualHost>
Further proof of this can be found with the AutoSSL system, as verification files for that tool are created in the /var/www/html/.well-known/pki-validation directory, which is then accessed through the server's hostname.

So, in this situation, visiting the hostname in a browser without the cPanel or WHM ports would take us to the /var/www/html directory, and properly display the index.html file, which redirects to the suspended page. Going to www.host.yourdomain.com would get routed to the custom vhost you've configured, since that subdomain doesn't exist in Apache.

If you'd like something different displayed, you could always edit the index.html file in /var/www/html, since you've set up the custom vhost to catch any other unrouted domains.

Does that help to explain things?
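The routing rule cPRex describes (a ServerName/ServerAlias match in config order, otherwise the first vhost listed for that IP:port) as an added Python model, not code from this thread or from cPanel. The config is constructed: it assumes the include-file vhost is listed before cPanel's hostname vhost, which is what the observed routing of www.host.example.com implies, and gives it a placeholder ServerName so the bare hostname still matches cPanel's own vhost.

```python
import fnmatch
import re

def parse_vhosts(conf):
    """Tiny parser: keeps only the <VirtualHost> addresses, ServerName, ServerAlias and DocumentRoot."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S):
        vh = {"addrs": m.group(1).split(), "name": "", "aliases": [], "docroot": ""}
        for line in m.group(2).splitlines():
            parts = line.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key == "servername":
                vh["name"] = parts[1].lower()
            elif key == "serveralias":
                vh["aliases"] += [a.lower() for a in parts[1:]]
            elif key == "documentroot":
                vh["docroot"] = parts[1]
        vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, ip, port, host_header):
    """Apache's rule: candidates are the vhosts bound to the exact ip:port (*:port only if none is);
    names are tried in config order, and with no name match the FIRST candidate listed is the default."""
    exact = [v for v in vhosts if f"{ip}:{port}" in v["addrs"]]
    candidates = exact or [v for v in vhosts if f"*:{port}" in v["addrs"]]
    host = host_header.lower().split(":")[0]  # drop any :port from the Host header
    for v in candidates:
        if host == v["name"] or any(fnmatch.fnmatchcase(host, a) for a in v["aliases"]):
            return v
    return candidates[0] if candidates else None

# Constructed sample in the order the thread's observed routing implies: the include-file vhost
# for unrouted traffic first, cPanel's hostname vhost next, then one account vhost.
SAMPLE_CONF = """
<VirtualHost 1.2.3.4:80>
    ServerName unrouted.invalid
    DocumentRoot /home/unrouted/public_html
</VirtualHost>
<VirtualHost 127.0.0.1:80 1.2.3.4:80 *:80>
    ServerName host.example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost 1.2.3.4:80>
    ServerName example.com
    ServerAlias mail.example.com www.example.com
    DocumentRoot /home/example/public_html
</VirtualHost>
"""
```

On a real server, `httpd -S` prints the parsed vhost order and the default vhost per IP:port, so compare its output against this model before relying on the catch-all.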