Unmapped subdomain redirects to first SSL configured domain

Discussion in 'Security' started by kitchin, Jan 27, 2019.

  1. kitchin

    kitchin Member

    cPanel Access Level:
    Root Administrator
    Really two issues:

    1. Unmapped subdomain https redirects to first SSL config'd site, instead of cgi-sys/defaultwebpage.cgi.

    2. This traffic is not logged (or not where you would see it).

    We have `example.tld` set up in DNS the normal way with `*.example.tld` mapped to the IP of our WHM/cPanel. We are getting a lot of garbage probing traffic to random subdomains because while

    `http://garbage.example.tld` redirects to `.../cgi-sys/defaultwebpage.cgi` with the big Sorry! message,

    `https://garbage.example.tld` redirects to apparently the first configured SSL site anywhere in WHM/cPanel, like say `https://alpha.tld`. (In a browser, click through the SSL warning.) I think it's the first SSL, based on the interesting & informative cPanel support in this thread:
    Default page for removed SSL host

    So this thread is about the more general case, of any unmapped subdomain (or domain) pointing to the I.P., and its consequences.

    * Firstly, you will not see this traffic in the cPanel account's `access-logs`, because those are separated by the subdomains expected to have traffic. I found it by using an `index.php` to log traffic to a file. And I suppose it's also in the server root logs.

    * Your first config'd SSL site becomes a honeypot for all kinds of unexpected traffic: network probes, people looking for open IoT devices (webcams, refrigerators, etc.), people using USER_AGENT string to try to mess up php's `$_SERVER` variable, and anything else they can think of, or click a bot to do.

    * The above-mentioned thread says this is how Apache works, due to SNI (shared IP for SSL). In my case, it's Litespeed, but that could certainly be it since LS is designed to be the same as Apache. I have only tested one server, and it just so happened that my first domain alphabetically is dormant, which is how I noticed this. Our server uses external DNS, but I guess that doesn't matter.

    Not sure what cPanel can do, but it's certainly something to look out for if, say, you get `error_log` entries that don't match anything in your `access-logs`. Unlogged traffic seems like a problem to me.
     
    #1 kitchin, Jan 27, 2019
    Last edited: Jan 27, 2019
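One way to surface the unmapped-host traffic described in the post above, as an added example that is not part of the original thread or of cPanel: it assumes a custom log format that records the client's Host header (`%{Host}i`) next to the serving vhost (`%v`), and flags requests whose Host is not one of that vhost's names. The format nickname, the name map and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed custom format, not cPanel's default:
#   LogFormat "%{Host}i %v %h %t \"%r\" %>s" hostaudit
# %{Host}i is the Host header the client sent; %v is the vhost that served it.
LINE = re.compile(
    r'^(?P<host>\S+) (?P<vhost>\S+) (?P<ip>\S+) \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample: names each vhost is configured for (ServerName + ServerAlias).
SERVED = {"alpha.tld": {"alpha.tld", "www.alpha.tld"}}

# Constructed log lines; client addresses are from documentation ranges.
SAMPLE = [
    'alpha.tld alpha.tld 192.0.2.10 [27/Jan/2019:10:00:01 +0000] "GET / HTTP/1.1" 200',
    'garbage.example.tld alpha.tld 198.51.100.7 [27/Jan/2019:10:00:05 +0000] "GET /admin HTTP/1.1" 404',
    'www.alpha.tld:443 alpha.tld 192.0.2.11 [27/Jan/2019:10:00:09 +0000] "GET /about HTTP/1.1" 200',
    'x9.example.tld alpha.tld 198.51.100.7 [27/Jan/2019:10:00:12 +0000] "GET /cgi-bin/ HTTP/1.1" 404',
    '- alpha.tld 203.0.113.5 [27/Jan/2019:10:00:20 +0000] "GET / HTTP/1.0" 200',
]

def normalise(host):
    """Lower-case the Host value and drop an explicit :port and a trailing dot."""
    return re.sub(r":\d+$", "", host.lower()).rstrip(".")

def unmapped_requests(lines, served=SERVED):
    """Return (host, vhost, ip, request) for hits whose Host is not a name of the serving vhost."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue  # line is not in the assumed format
        host = normalise(m["host"])
        if host not in served.get(m["vhost"], set()):
            hits.append((host, m["vhost"], m["ip"], m["req"]))
    return hits

def sources(hits):
    """Count unmapped-host requests per client address."""
    return Counter(ip for _, _, ip, _ in hits)

if __name__ == "__main__":
    found = unmapped_requests(SAMPLE)
    for host, vhost, ip, req in found:
        print(f"{ip} sent Host {host!r}, served by {vhost}: {req}")
    print(sources(found).most_common())
```

A request with no Host header is logged as `-` in this format and is flagged as well.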
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    cPanel Access Level:
    DataCenter Provider
    This is actually the default behavior for Apache. If a domain does not include an SSL VirtualHost, when attempting to access that domain over https Apache will load the first https VirtualHost in the configuration file for that IP address. The way to avoid this would be to ensure that all sites have an SSL VirtualHost, which can be done with, at the very least (not recommended), a self-signed certificate if you don't want to supply a 90-day free certificate.
     
  3. BillBuilt

    BillBuilt Member

    cPanel Access Level:
    Root Administrator
    I think the question is more directed to the notion that these domains (sub-domains) do not exist and never have existed. Is the only recourse to use wildcard certs for all domains?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    cPanel Access Level:
    DataCenter Provider
    The behavior for Apache is the same in either case. Without an SSL VirtualHost for the domain, or in this case subdomain, it's always going to load the first SSL VirtualHost on that IP in the configuration. You don't necessarily have to use wildcard certs, unless you need unmapped subdomains for some reason.

    Though after reading the thread your issue with it becomes more apparent. Unfortunately I don't think I have a solution for it based on the way that Apache functions in this instance. They assume a VirtualHost for every domain over SSL. You might find Apache's documentation on this interesting here: NameBasedSSLVHosts - Httpd Wiki
     
  5. John C. Reid

    John C. Reid Member

    cPanel Access Level:
    Root Administrator
    Here is how I fixed this behavior:

    I wanted something that would persist through different accounts being added and removed, and as such the default domain changing. I also wanted it to be generic enough that I could drop the same fix on all of my servers without having to modify anything that would be unique to each server. So I decided to create an ssl_vhost.local file in the /var/cpanel/templates/apache2_4/ folder. This would add my modification to every vhost. The condition is that if the requested domain is not a match for the vhost domain (including any subdomain, possibly infinite subdomains deep) then rewrite the URI to the server's default page.

    First I copied the ssl_vhost.default to ssl_vhost.local, and then I edited the new file. Just above the comment at the bottom of the file which reads

    Code:
      # To customize this VirtualHost use an include file at the following location
      # Include "[% vhost_include_base %][% vhost.user %]/[% domain %]/*.conf"
    
    I added the following:

    Code:
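        <IfModule rewrite_module>
            RewriteEngine On
            # Fires when the Host header is neither this vhost's name nor a subdomain of it.
            # The leading ^ stops a longer name that merely ends in the vhost name from matching.
            RewriteCond %{HTTP_HOST} !^(.+\.)*[% wildcard_safe(vhost.servername) %]$ [NC]
            # Everything else goes to the server's default page.
            RewriteRule (.*) https://[% wildcard_safe(servername) %]/cgi-sys/defaultwebpage.cgi [R=301]
        </IfModule>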
    
    This uses the template language to ensure that the RewriteCond matches NOT the vhost domain or any combination of subdomains. If that condition is met, it will then rewrite to the server's hostname plus /cgi-sys/defaultwebpage.cgi with a permanent redirect.

    Once this file is created I dropped it into the /var/cpanel/templates/apache2_4/ on each of my servers. Then on each server I rebuilt the Apache config and restarted Apache with:

    Code:
    /usr/local/cpanel/scripts/rebuildhttpdconf
    /usr/local/cpanel/scripts/restartsrv_httpd
    
    I run LiteSpeed, so I also restarted LiteSpeed, although I don't know if it was strictly needed. So far the behavior works as expected and I have not had any issues.
     
    kitchin likes this.
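An added example, not part of the post above or of cPanel's templates: it evaluates the Host test behind a rule of this shape on constructed Host header values, comparing an unanchored, unescaped pattern with an anchored, escaped one that also tolerates an explicit port. `alpha.tld` stands in for the vhost name, the function names are hypothetical, and Python's `re` stands in for Apache's regex engine.

```python
import re

def unanchored(servername):
    # No leading ^, and the dots in the name are left as regex wildcards.
    return re.compile(r"(.+\.)*" + servername + r"$", re.IGNORECASE)

def anchored(servername):
    # Anchored at both ends, name escaped, labels restricted, optional :port.
    return re.compile(
        r"^([a-z0-9-]+\.)*" + re.escape(servername) + r"(:\d+)?$", re.IGNORECASE
    )

def redirected(pattern, host):
    """RewriteCond '!pattern' is true, so the rule fires, when Host does not match."""
    return pattern.search(host) is None

# Constructed Host header values.
HOSTS = [
    "alpha.tld",            # the vhost itself
    "www.alpha.tld",        # a subdomain of it
    "ALPHA.TLD",            # case variant, covered by [NC]
    "garbage.example.tld",  # unmapped name that fell through to this vhost
    "notalpha.tld",         # different domain that only ends in the vhost name
    "alpha-tld",            # matches only because '.' is a regex wildcard
    "alpha.tld:443",        # the Host header may carry an explicit port
]

def compare(servername, hosts=HOSTS):
    """Map each host to (redirected by unanchored form, redirected by anchored form)."""
    loose, strict = unanchored(servername), anchored(servername)
    return {h: (redirected(loose, h), redirected(strict, h)) for h in hosts}

if __name__ == "__main__":
    for host, (loose, strict) in compare("alpha.tld").items():
        verdict = lambda r: "redirect" if r else "serve"
        print(f"{host:22} unanchored={verdict(loose):9} anchored={verdict(strict)}")
```

The two forms disagree only on the last three hosts: the unanchored pattern serves `notalpha.tld` and `alpha-tld` from the vhost and redirects a legitimate request that carries `:443`.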