With Apache, the usual way to restrict cPanel and WHM access to HTTPS is to proxy the service subdomains to the cPanel backend over HTTPS. LSWS does not support this: its rewrite-based proxy (the [P] flag) accepts only http:// backend URLs, so proxying through LSWS to cPanel over HTTPS produces 500 errors and entries like the following in the error log:

[ERROR] [REWRITE] Absolute URL with leading 'http://' is required for proxy, URL: https://127.0.0.1:2083/

Instead, we recommend using iptables to block the plain-HTTP ports, so that only the HTTPS ports of the cPanel services remain reachable. This page walks through the setup.

Step 1: Remove HTTPS Proxy Settings

First remove the rules and settings that asked LSWS to proxy to a backend over HTTPS.

Update Your cPanel Templates

In /var/cpanel/templates/apache2_2/main.default, comment out the following rewrite rules (each block proxies the HTTPS virtual host of a service subdomain to the corresponding cPanel SSL port). Edit the template rather than the generated httpd.conf so the change survives cPanel rebuilds, then regenerate the configuration (cPanel's /scripts/rebuildhttpdconf) and restart LSWS for it to take effect:

RewriteCond %{HTTP_HOST} ^cpanel\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]
RewriteCond %{HTTP_HOST} ^webmail\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P]
RewriteCond %{HTTP_HOST} ^whm\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]
RewriteCond %{HTTP_HOST} ^webdisk\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P]

Don't Redirect to SSL

In WHM, turn off Always redirect to SSL (WHM Home > Server Configuration > Tweak Settings).

Step 2: Use iptables to Limit Access to HTTPS Ports

Blocking the ports that serve cPanel services over plain HTTP leaves users no option but HTTPS. The following iptables rules drop HTTP access to each cPanel service except from 127.0.0.1 (the server itself, which is reasonable to allow). Place them in /etc/rc.d/rc.local (make sure that file is executable) so they are re-applied on every reboot. Two caveats: -A appends, so the rules only take effect if no earlier rule in INPUT already accepts the traffic, and a firewall manager that rebuilds the rule set on restart will discard them unless they are added through it instead; and these rules cover IPv4 only, so if cPanel also listens on IPv6, add the equivalent ip6tables rules.

#cPanel is accessed via HTTP through port 2082 
iptables -A INPUT -p tcp --dport 2082 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2082 -j DROP

#WHM is accessed via HTTP through port 2086 
iptables -A INPUT -p tcp --dport 2086 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2086 -j DROP

#Webmail is accessed via HTTP through port 2095 
iptables -A INPUT -p tcp --dport 2095 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2095 -j DROP

#Web Disk is accessed via HTTP through port 2077 
iptables -A INPUT -p tcp --dport 2077 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2077 -j DROP

Users can now reach cPanel, WHM, Webmail and Web Disk only on the HTTPS ports (2083, 2087, 2096 and 2078). Two things to check: the ACCEPT rules above still let connections from 127.0.0.1 through, so if your template also carries plain-HTTP proxy rules for these hostnames (proxying to http://127.0.0.1:2082 and the like), comment those out as well or the proxied HTTP path stays open; and confirm from outside the server that a request to port 2082 times out while port 2083 answers.
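The same rules as a small script, added here as an example rather than taken from the original page. It differs from the rc.local lines above in three ways a practitioner usually wants: it is idempotent (each rule is added only if iptables -C says it is not already present, so re-running it on every boot or by hand never duplicates rules), it inserts with -I so the rules land ahead of any broad ACCEPT rules already in INPUT, and it matches the loopback interface (-i lo) instead of the source address 127.0.0.1, which makes the identical rule valid for ip6tables as well. The script path /usr/local/sbin/cpanel-https-only.sh is an assumption; run without arguments it only prints the rules it would add, and "apply" (as root) installs them.

```shell
#!/bin/sh
# Added example for the wiki procedure above; not code from the original page.
# Idempotent replacement for the rc.local iptables lines: blocks the plain-HTTP
# cPanel ports for everyone except the loopback interface, on IPv4 and IPv6.
# Assumptions: iptables and ip6tables are installed, and "apply" runs as root.
# Run without arguments (or with "show") the script only prints the rules.
set -eu

IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"

# Plain-HTTP ports of cPanel, WHM, Webmail and Web Disk (from the wiki page).
HTTP_PORTS="2082 2086 2095 2077"

# Rule specifications. Matching on the loopback interface (-i lo) instead of
# the source address 127.0.0.1 works unchanged for ip6tables, where the
# loopback address is ::1 rather than 127.0.0.1.
allow_spec() { printf '%s' "-p tcp --dport $1 -i lo -j ACCEPT"; }
drop_spec()  { printf '%s' "-p tcp --dport $1 -j DROP"; }

# ensure_rule CMD SPEC...: insert the rule at the top of INPUT unless an
# identical rule already exists (-C returns 0), so repeated runs on every
# boot never duplicate it. With DRY_RUN=1 the command is printed, not run.
ensure_rule() {
    cmd="$1"; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s -I INPUT %s\n' "$cmd" "$*"
    elif ! "$cmd" -C INPUT "$@" 2>/dev/null; then
        "$cmd" -I INPUT "$@"
    fi
}

# apply_port PORT: DROP is inserted first and ACCEPT second, so that -I
# (which inserts at position 1) leaves the loopback ACCEPT above the DROP.
apply_port() {
    port="$1"
    for cmd in "$IPTABLES" "$IP6TABLES"; do
        # Word splitting of the spec into separate arguments is intended.
        ensure_rule "$cmd" $(drop_spec "$port")
        ensure_rule "$cmd" $(allow_spec "$port")
    done
}

# apply_all: block every plain-HTTP cPanel port, IPv4 and IPv6.
apply_all() {
    for port in $HTTP_PORTS; do
        apply_port "$port"
    done
}

case "${1:-show}" in
    apply) apply_all ;;
    show)  DRY_RUN=1 apply_all ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

To run it at boot, call it from /etc/rc.d/rc.local with the "apply" argument. After applying, list what is in place with "iptables -S INPUT" and "ip6tables -S INPUT", and check from another host that a connection to port 2082 times out while https://server:2083/ answers.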

  • Last modified: 2015/07/20 14:46
  • by Michael Alegre