====== Change the default port of ispCP and enable SSL ======
Comments/suggestions about this can be posted on the forum (http://www.isp-control.net/forum/thread-9094.html)
This howto explains how to change the default port (80) of ispCP 1.0.3 or newer and, at the same time, enable SSL for the control panel.
When choosing a port, check that the number isn't used by any other service on the server.
In this howto we will use 8443 (the same port that Plesk/Tomcat use).
This guide originally covered only changing the listening port, but since running the control panel only over SSL should be the recommendation, this tutorial merges both manuals.
===== Create the ssl certificates =====
If you follow the first two steps of this howto, generating the certs is trivial: http://www.isp-control.net/documentation/doku.php?id=howto:security:ssl_made_easy
It will work with professional certificates too; just adapt the file names below so they match your certificates.
===== Adapt apache2 config =====
Open /etc/apache2/sites-available/00_master.conf and replace its contents with the configuration below.
Basically, what it does is:
  * If you access webmail.somedomain.com, it redirects you to https://mainhost.com/tools/webmail
  * If you access mainhost.com, it redirects you to https://mainhost.com:8443
  * If you access https://mainhost.com, it redirects you to the control panel at https://mainhost.com:8443
  * If you access https://mainhost.com:8443, it just shows your control panel :)
ServerName {BASE_SERVER_VHOST}
ServerAlias webmail.*
RewriteEngine on
RewriteCond %{HTTP_HOST} ^webmail\..* [NC]
RewriteRule ^/(.*) https://{BASE_SERVER_VHOST}/tools/webmail/ [R=301]
#RewriteLog "/var/log/apache2/rewrite.log"
Redirect permanent / https://{BASE_SERVER_VHOST}/admin/index.php
ServerName {BASE_SERVER_VHOST}
ServerAlias webmail.*
Alias /tools/webmail /var/www/ispcp/gui/tools/webmail/
SSLEngine On
SSLCertificateFile /etc/ssl/certs/{BASE_SERVER_VHOST}.crt
SSLCertificateKeyFile /etc/ssl/private/{BASE_SERVER_VHOST}.key
RewriteEngine on
RewriteCond %{HTTP_HOST} ^{BASE_SERVER_VHOST}$ [NC]
RewriteRule ^/webmail.* https://{BASE_SERVER_VHOST}/tools/webmail/ [L]
RewriteCond %{HTTP_HOST} ^{BASE_SERVER_VHOST}.* [NC]
RewriteCond %{REQUEST_URI} !^\/tools\/.* [NC]
RewriteRule ^/.* https://{BASE_SERVER_VHOST}:8443/ [L]
#RewriteLogLevel 4
#RewriteLog "/var/log/apache2/rewrite.log"
SuexecUserGroup {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_UID} {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_GID}
FCGIWrapper /var/www/fcgi/master/php5-fcgi-starter .php
Options +ExecCGI
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
ScriptAlias /php5/ /var/www/fcgi/master/
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
ServerAdmin {DEFAULT_ADMIN_ADDRESS}
DocumentRoot {ROOT_DIR}/gui
ServerName {BASE_SERVER_VHOST}
Alias /errors {ROOT_DIR}/gui/errordocs/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
SSLEngine On
SSLCertificateFile /etc/ssl/certs/{BASE_SERVER_VHOST}.crt
SSLCertificateKeyFile /etc/ssl/private/{BASE_SERVER_VHOST}.key
Alias /pma {ROOT_DIR}/gui/tools/pma/
Alias /webmail {ROOT_DIR}/gui/tools/webmail/
Alias /ftp {ROOT_DIR}/gui/tools/filemanager/
#Fix path for entering roundcube from ispcp
Redirect permanent /tools/webmail/src/login.php /tools/webmail/index.php
RewriteEngine on
RewriteCond %{HTTP_HOST} ^webmail\..* [NC]
RewriteRule ^/(.*) https://{BASE_SERVER_VHOST}:8443/tools/webmail/$1 [L,R]
#RewriteLog "/var/log/apache2/rewrite.log"
SuexecUserGroup {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_UID} {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_GID}
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
FCGIWrapper {PHP_STARTER_DIR}/master/php{PHP_VERSION}-fcgi-starter .php
Options +ExecCGI
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
ScriptAlias /php5/ {PHP_STARTER_DIR}/master/
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}/:{CONF_DIR}/:{MR_LOCK_FILE}:/proc/:/bin/df:/bin/mount:{RKHUNTER_LOG}:{CHKROOTKIT_LOG}:{PEAR_DIR}/{OTHER_ROOTKIT_LOG}"
php_admin_value session.save_path "{ROOT_DIR}/gui/phptmp/"
php_admin_value upload_tmp_dir "{ROOT_DIR}/gui/phptmp/"
===== Configure apache to listen to the port =====
In /etc/apache2/ports.conf add the line:
Listen 8443
===== (optional) adapt ispcp.conf =====
At the moment there is no way to specify the port in /etc/ispcp/ispcp.conf. It is at least recommended to change the base vhost to the domain (to avoid certificate errors).
Change:
BASE_SERVER_VHOST = admin.domain.tld
'''to'''
BASE_SERVER_VHOST = domain.tld
===== Configure default welcome page =====
In /var/www/ispcp/gui/domain_default_page/index.html search for and change:
href="{BASE_SERVER_VHOST_PREFIX}{BASE_SERVER_VHOST}
'''to'''
href="{BASE_SERVER_VHOST_PREFIX}{BASE_SERVER_VHOST}:8443
===== Restart apache =====
Now you can log in with any virtual domain hosted on your server using the URL '''https://virtual_domain:8443'''
===== Be happy. =====
====== OPTION Enable shared ssl per-directory ======
Domains that need SSL can be set up to use the control panel certificate, so they don't have to buy an IP address and a certificate.
mkdir /etc/apache2/ssl.d
Edit /etc/apache2/apache2.conf and add this at the end:
#Directory for custom ssl sites
Include /etc/apache2/ssl.d/
For the domain example.com you could create the file /etc/apache2/ssl.d/example.com.conf with the content:
#File to enable SSL for the domain DOMNAME
#The changes have to be made by hand; adapt the cert names to your environment
#The domain name is given without the www
#To find the value of DOMVU, look at the ServerAlias entry in ispcp.conf
# for that domain
# grep ServerAlias /etc/apache2/sites-enabled/ispcp.conf | grep DOMNAME
#:%s/DOMNAME/domain_name/gc
#:%s/DOMIP/ssl_ip/gc
#:%s/DOMVU/vuXXX/gc
SuexecUserGroup DOMVU DOMVU
ServerAdmin webmaster@DOMNAME
DocumentRoot /var/www/virtual/DOMNAME/htdocs
ServerName DOMNAME
ServerAlias www.DOMNAME DOMNAME *.DOMNAME DOMVU.{BASE_SERVER_VHOST}
SSLEngine On
SSLCertificateFile /etc/ssl/certs/{BASE_SERVER_VHOST}.crt
SSLCertificateKeyFile /etc/ssl/private/{BASE_SERVER_VHOST}.key
Alias /errors /var/www/virtual/DOMNAME/errors/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
CBandUser DOMNAME
# httpd awstats support BEGIN.
# httpd awstats support END.
# httpd dmn entry cgi support BEGIN.
# httpd dmn entry cgi support END.
# httpd dmn entry PHP support BEGIN.
# httpd dmn entry PHP support END.
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
# httpd dmn entry PHP2 support BEGIN.
php_admin_value open_basedir "/var/www/virtual/DOMNAME/:/var/www/virtual/DOMNAME/phptmp/:/usr/share/php/"
php_admin_value upload_tmp_dir "/var/www/virtual/DOMNAME/phptmp/"
php_admin_value session.save_path "/var/www/virtual/DOMNAME/phptmp/"
php_admin_value sendmail_path '/usr/sbin/sendmail -f DOMVU -t -i'
ScriptAlias /php5/ /var/www/fcgi/DOMNAME/
AllowOverride None
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
Include /etc/apache2/mods-available/fcgid_ispcp.conf
FCGIWrapper /var/www/fcgi/DOMNAME/php5-fcgi-starter .php
Options +ExecCGI
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
# httpd dmn entry PHP2 support END.
===== Fix login.php (only in versions before r2909 or ispcp 1.0.6) =====
In /var/www/ispcp/gui/include/login.php, at line 221, change:
  // prevent external login / check for referer
  if ($preventExternalLogin) {
      if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {
          $info = parse_url($_SERVER['HTTP_REFERER']);
          if (isset($info['host']) && !empty($info['host'])) {
              if ($info['host'] != $_SERVER['HTTP_HOST']
                  || $info['host'] != $_SERVER['SERVER_NAME']) {
                  set_page_message(tr('Request from foreign host was blocked!'));
                  if (!(substr($_SERVER['SCRIPT_FILENAME'], (int)-strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) === $_SERVER['REDIRECT_URL'])) {
                      redirect_to_level_page();
                  }
              }
          }
      }
  }
'''to'''
  // prevent external login / check for referer
  if ($preventExternalLogin) {
      if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {
          $info = parse_url($_SERVER['HTTP_REFERER']);
          if (isset($info['host']) && !empty($info['host'])) {
              if ($info['host'].':'.$_SERVER['SERVER_PORT'] != $_SERVER['HTTP_HOST']
                  || $info['host'].':'.$_SERVER['SERVER_PORT'] != $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT']) {
                  set_page_message(tr('Request from foreign host was blocked!'));
                  if (!(substr($_SERVER['SCRIPT_FILENAME'], (int)-strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) === $_SERVER['REDIRECT_URL'])) {
                      redirect_to_level_page();
                  }
              }
          }
      }
  }
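
The effect of this change can be checked in isolation. The following is an added example, not ispCP code: it restates the two comparisons as hypothetical functions (blocked_original, blocked_patched) and runs them over constructed request values for the domain.tld host used above. It assumes PHP 7.1 or newer.

```php
<?php
// Added example, not ispCP code. Each function returns true when the
// corresponding login.php comparison would flag the request as coming
// from a foreign host.

function blocked_original(string $referer, string $httpHost, string $serverName): bool
{
    $host = parse_url($referer, PHP_URL_HOST);
    if (empty($host)) {
        return false; // no usable Referer: login.php skips the check
    }
    // parse_url() returns the host without a port, while HTTP_HOST
    // carries ":8443" once the panel listens on a non-default port.
    return $host != $httpHost || $host != $serverName;
}

function blocked_patched(string $referer, string $httpHost, string $serverName, int $serverPort): bool
{
    $host = parse_url($referer, PHP_URL_HOST);
    if (empty($host)) {
        return false;
    }
    // The patched code appends SERVER_PORT to the Referer host; it does
    // not read the port that the Referer itself carries.
    $hostPort = $host . ':' . $serverPort;
    return $hostPort != $httpHost || $hostPort != $serverName . ':' . $serverPort;
}

// Constructed requests: [label, Referer, HTTP_HOST, SERVER_NAME, SERVER_PORT]
$cases = [
    ['panel on 8443, own referer',     'https://domain.tld:8443/index.php', 'domain.tld:8443', 'domain.tld', 8443],
    ['panel on 8443, foreign referer', 'https://other.example/form.html',   'domain.tld:8443', 'domain.tld', 8443],
    ['panel on 443, own referer',      'https://domain.tld/index.php',      'domain.tld',      'domain.tld', 443],
    ['panel on 8443, referer port 80', 'http://domain.tld/index.html',      'domain.tld:8443', 'domain.tld', 8443],
];

foreach ($cases as [$label, $referer, $httpHost, $serverName, $port]) {
    printf(
        "%-32s original=%-7s patched=%s\n",
        $label,
        blocked_original($referer, $httpHost, $serverName) ? 'blocked' : 'allowed',
        blocked_patched($referer, $httpHost, $serverName, $port) ? 'blocked' : 'allowed'
    );
}
```

The third case shows the patched comparison flagging the panel's own pages when the panel is served on a default port, because browsers leave the default port out of the Host header; the change therefore fits the non-default-port setup of this howto.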