
Change the default port of ispCP and enable SSL

Comments/suggestions about this can be posted on the forum (http://www.isp-control.net/forum/thread-9094.html)

This Howto explains how you can change the default port (80) of ispCP 1.0.3 or newer and at the same time enable SSL for the control panel.

When choosing a port, check that the number isn't used by any other service on the server. In this howto we will use 8443 (the same one used by Plesk, Tomcat, etc.).

Some time ago this guide only covered changing the listening port, but since running the control panel exclusively over SSL is the recommended setup, this tutorial merges both manuals.

Create the ssl certificates

If you follow the first two steps of this howto, generating the certs is trivial: http://www.isp-control.net/documentation/doku.php?id=howto:security:ssl_made_easy It will work with professional certificates too; just adapt the file names below so that they match your certificates.

Adapt apache2 config

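Open /etc/apache2/sites-available/00_master.conf and replace its contents with the configuration below. Basically what it does is: port 80 only redirects to HTTPS, port 443 serves webmail and redirects everything else to port 8443, and port 8443 serves the control panel over SSL.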

# Plain-HTTP entry point: this vhost defines no content of its own and only
# redirects to the HTTPS vhosts.
# NOTE(review): the {...} tokens look like ispCP template placeholders; Apache
# itself does not expand them, so confirm they are replaced with real values
# in the file Apache actually loads.
<VirtualHost {BASE_SERVER_IP}:80>

    ServerName      {BASE_SERVER_VHOST}
    ServerAlias     webmail.*

    # Requests whose Host header starts with "webmail." are redirected
    # permanently to the webmail path on the HTTPS vhost. The captured
    # request path is not reused in the target.
    RewriteEngine on
    RewriteCond %{HTTP_HOST}   ^webmail\..* [NC]
    RewriteRule ^/(.*)         https://{BASE_SERVER_VHOST}/tools/webmail/ [R=301]
    #RewriteLog "/var/log/apache2/rewrite.log"

    # Every other request is redirected permanently to the panel login over HTTPS.
    # NOTE(review): mod_alias Redirect appends the remainder of the request
    # path to the target, so only a request for "/" lands exactly on
    # /admin/index.php - confirm that this is acceptable.
    Redirect permanent / https://{BASE_SERVER_VHOST}/admin/index.php

</VirtualHost>


# HTTPS on the standard port: serves webmail under /tools/webmail and sends
# every other request for the base host to the control panel on port 8443.
<VirtualHost {BASE_SERVER_IP}:443>

    ServerName      {BASE_SERVER_VHOST}
    ServerAlias     webmail.*

    Alias /tools/webmail  /var/www/ispcp/gui/tools/webmail/

    # NOTE(review): no SSLProtocol or SSLCipherSuite is set in this vhost, so
    # protocol and cipher selection fall back to the server-wide mod_ssl
    # settings - confirm that legacy protocols and weak ciphers are disabled there.
    # NOTE(review): the private key file should be readable by root only -
    # verify its ownership and permissions.
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/{BASE_SERVER_VHOST}.crt
    SSLCertificateKeyFile /etc/ssl/private/{BASE_SERVER_VHOST}.key

    # Rule 1: on the base host, anything starting with /webmail is pointed at
    #         /tools/webmail/.
    # Rule 2: on the base host, anything outside /tools/ is sent to the
    #         control panel on port 8443.
    # NOTE(review): the host name is used as a regular expression here, so its
    # dots match any character; escape them if an exact match is intended.
    RewriteEngine on
    RewriteCond %{HTTP_HOST}    ^{BASE_SERVER_VHOST}$ [NC]
    RewriteRule ^/webmail.*     https://{BASE_SERVER_VHOST}/tools/webmail/ [L]
    RewriteCond %{HTTP_HOST}    ^{BASE_SERVER_VHOST}.* [NC]
    RewriteCond %{REQUEST_URI}  !^\/tools\/.* [NC]
    RewriteRule ^/.*            https://{BASE_SERVER_VHOST}:8443/ [L]
    #RewriteLogLevel 4
    #RewriteLog "/var/log/apache2/rewrite.log"

    # Run CGI/FastCGI processes of this vhost under the panel's suexec user and group.
    <IfModule suexec_module>
           SuexecUserGroup {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_UID} {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_GID}
    </IfModule>

    # PHP through mod_fcgid: .php files under the GUI tree are handed to the
    # master starter script.
    # NOTE(review): "Order allow,deny" / "Allow from all" is Apache 2.2 access
    # syntax; on Apache 2.4 it needs mod_access_compat or a "Require" directive.
    <IfModule mod_fcgid.c>
        <Directory /var/www/ispcp/gui>
            FCGIWrapper /var/www/fcgi/master/php5-fcgi-starter .php
            Options +ExecCGI
        </Directory>
        <Directory "/var/www/fcgi/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    # PHP through mod_fastcgi: the starter directory is exposed as /php5/.
    <IfModule mod_fastcgi.c>
        ScriptAlias /php5/ /var/www/fcgi/master/
        <Directory "/var/www/fcgi/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

</VirtualHost>


# The control panel itself, served over SSL on port 8443.
<VirtualHost {BASE_SERVER_IP}:8443>

    ServerAdmin     {DEFAULT_ADMIN_ADDRESS}
    DocumentRoot    {ROOT_DIR}/gui

    ServerName      {BASE_SERVER_VHOST}

    Alias /errors   {ROOT_DIR}/gui/errordocs/

    ErrorDocument 401 /errors/401.html
    ErrorDocument 403 /errors/403.html
    ErrorDocument 404 /errors/404.html
    ErrorDocument 500 /errors/500.html
    ErrorDocument 503 /errors/503.html

    # Same certificate and key as the port-443 vhost.
    # NOTE(review): no SSLProtocol or SSLCipherSuite is set here, so the
    # server-wide mod_ssl settings apply - confirm that legacy protocols and
    # weak ciphers are disabled there.
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/{BASE_SERVER_VHOST}.crt
    SSLCertificateKeyFile /etc/ssl/private/{BASE_SERVER_VHOST}.key

    # Short URLs for the bundled tools (tools/pma, tools/webmail, tools/filemanager).
    # They share this vhost, and therefore the same port and certificate, with the panel.
    Alias /pma      {ROOT_DIR}/gui/tools/pma/
    Alias /webmail  {ROOT_DIR}/gui/tools/webmail/
    Alias /ftp      {ROOT_DIR}/gui/tools/filemanager/
    #Fix path for entering  roundcube from ispcp
    Redirect permanent /tools/webmail/src/login.php /tools/webmail/index.php

    # Requests whose Host header starts with "webmail." are redirected to the
    # webmail path on the base host, keeping the requested path ($1).
    RewriteEngine on
    RewriteCond %{HTTP_HOST}   ^webmail\..* [NC]
    RewriteRule ^/(.*)         https://{BASE_SERVER_VHOST}:8443/tools/webmail/$1 [L,R]
    #RewriteLog "/var/log/apache2/rewrite.log"


    # Run CGI/FastCGI processes of this vhost under the panel's suexec user and group.
    <IfModule suexec_module>
           SuexecUserGroup {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_UID} {APACHE_SUEXEC_USER_PREF}{APACHE_SUEXEC_MIN_GID}
    </IfModule>

    # Directory listings are off and .htaccess files are ignored; server-side
    # includes and symlink following are enabled for the GUI tree.
    # NOTE(review): "Order allow,deny" / "Allow from all" is Apache 2.2 access
    # syntax; on Apache 2.4 it needs mod_access_compat or a "Require" directive.
    <Directory {ROOT_DIR}/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # PHP through mod_fcgid: .php files under the GUI tree are handed to the
    # master starter script.
    <IfModule mod_fcgid.c>
        <Directory {ROOT_DIR}/gui>
            FCGIWrapper {PHP_STARTER_DIR}/master/php{PHP_VERSION}-fcgi-starter .php
            Options +ExecCGI
        </Directory>
        <Directory "{PHP_STARTER_DIR}/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    # PHP through mod_fastcgi: the starter directory is exposed as /php5/.
    <IfModule mod_fastcgi.c>
        ScriptAlias /php5/ {PHP_STARTER_DIR}/master/
        <Directory "{PHP_STARTER_DIR}/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

    # PHP through mod_php5: open_basedir limits the paths PHP code may open.
    # NOTE(review): the list includes /proc/, /bin/df and /bin/mount - confirm
    # the panel still needs each entry.
    # NOTE(review): session and upload files go to {ROOT_DIR}/gui/phptmp/,
    # which lies below the DocumentRoot - confirm that directory cannot be
    # fetched over HTTP.
    <IfModule mod_php5.c>
        <Directory {ROOT_DIR}/gui>
            php_admin_value open_basedir "{WWW_DIR}/{DMN_NAME}/:{CONF_DIR}/:{MR_LOCK_FILE}:/proc/:/bin/df:/bin/mount:{RKHUNTER_LOG}:{CHKROOTKIT_LOG}:{PEAR_DIR}/{OTHER_ROOTKIT_LOG}"
            php_admin_value session.save_path "{ROOT_DIR}/gui/phptmp/"
            php_admin_value upload_tmp_dir "{ROOT_DIR}/gui/phptmp/"
        </Directory>
    </IfModule>

</VirtualHost>

Configure apache to listen to the port

In /etc/apache2/ports.conf add the line:

# Port of the control-panel <VirtualHost {BASE_SERVER_IP}:8443> block; the two numbers must match.
Listen 8443

(optional) adapt ispcp.conf

At the moment there is no way to specify the port in /etc/ispcp/ispcp.conf. It is at least recommended to change the base vhost to the domain (to avoid certificate errors). Change:

BASE_SERVER_VHOST = admin.domain.tld

'to'

BASE_SERVER_VHOST = domain.tld

Configure default welcome page

In /var/www/ispcp/gui/domain_default_page/index.html search and change:

href="{BASE_SERVER_VHOST_PREFIX}{BASE_SERVER_VHOST}

'to'

href="{BASE_SERVER_VHOST_PREFIX}{BASE_SERVER_VHOST}:8443

Restart apache

Now you can login with any virtual domain hosted in your server with the URL 'https://virtual_domain:8443'

Be happy.

OPTION Enable shared ssl per-directory

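We can make selected domains use the control panel certificate so that they don't have to buy an IP address and a certificate. Note that browsers will report a name mismatch for those domains unless the certificate also lists their names.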

# Directory for the hand-written per-domain SSL vhost files (one .conf file per domain).
mkdir /etc/apache2/ssl.d

Edit /etc/apache2/apache2.conf and add this at the end.

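#Directory for custom ssl sites
# Only *.conf files are loaded (the per-domain files in this howto are named
# DOMAIN.conf), so editor backups or other stray files left in the directory
# are not parsed as configuration.
Include /etc/apache2/ssl.d/*.conf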

For the domain example.com you could create the file /etc/apache2/ssl.d/example.com.conf with the content:

# Enables SSL for the domain DOMNAME.
# The changes have to be made by hand; adapt the certificate names to your environment.
# DOMNAME is the domain name without the leading "www".
# To find the value of DOMVU, look at the ServerAlias entry for that domain
# in ispcp.conf:
# grep ServerAlias /etc/apache2/sites-enabled/ispcp.conf | grep DOMNAME
# Replace the placeholders, for example with these vi-style substitutions:
#:%s/DOMNAME/domain_name/gc
#:%s/DOMIP/ssl_ip/gc
#:%s/DOMVU/vuXXX/gc
# NOTE(review): {BASE_SERVER_VHOST} is not covered by the substitutions above
# and Apache does not expand it - presumably it has to be replaced by hand as
# well (ServerAlias and both SSL file paths); confirm.
<VirtualHost DOMIP:443>

    # Run CGI/FastCGI processes of this vhost as the domain's own user and group.
    <IfModule suexec_module>
           SuexecUserGroup DOMVU DOMVU
    </IfModule>

    ServerAdmin     webmaster@DOMNAME
    DocumentRoot    /var/www/virtual/DOMNAME/htdocs

    ServerName      DOMNAME
    ServerAlias     www.DOMNAME DOMNAME *.DOMNAME DOMVU.{BASE_SERVER_VHOST}

    # The domain is served with the control panel's certificate and private key.
    # NOTE(review): clients will report a name mismatch unless that certificate
    # also covers DOMNAME - confirm before offering this to customers.
    # NOTE(review): no SSLProtocol or SSLCipherSuite is set here, so the
    # server-wide mod_ssl settings apply.
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/{BASE_SERVER_VHOST}.crt
    SSLCertificateKeyFile /etc/ssl/private/{BASE_SERVER_VHOST}.key

    Alias /errors   /var/www/virtual/DOMNAME/errors/

    ErrorDocument 401 /errors/401.html
    ErrorDocument 403 /errors/403.html
    ErrorDocument 404 /errors/404.html
    ErrorDocument 500 /errors/500.html
    ErrorDocument 503 /errors/503.html

    <IfModule mod_cband.c>
        CBandUser DOMNAME
    </IfModule>
    # httpd awstats support BEGIN.
    # httpd awstats support END.

    # httpd dmn entry cgi support BEGIN.
    # httpd dmn entry cgi support END.

    # NOTE(review): AllowOverride All lets .htaccess files in the customer's
    # htdocs change any overridable setting, and Includes/FollowSymLinks are
    # enabled - confirm this matches the domain's plain-HTTP vhost.
    # NOTE(review): "Order allow,deny" / "Allow from all" is Apache 2.2 access
    # syntax; on Apache 2.4 it needs mod_access_compat or a "Require" directive.
    <Directory /var/www/virtual/DOMNAME/htdocs>
        # httpd dmn entry PHP support BEGIN.
        # httpd dmn entry PHP support END.
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # httpd dmn entry PHP2 support BEGIN.

    # PHP through mod_php5: file access is limited to the domain's own tree,
    # its phptmp directory and /usr/share/php/; uploads and sessions are kept
    # in the domain's phptmp directory.
    <IfModule mod_php5.c>
        php_admin_value open_basedir "/var/www/virtual/DOMNAME/:/var/www/virtual/DOMNAME/phptmp/:/usr/share/php/"
        php_admin_value upload_tmp_dir "/var/www/virtual/DOMNAME/phptmp/"
        php_admin_value session.save_path "/var/www/virtual/DOMNAME/phptmp/"
        php_admin_value sendmail_path '/usr/sbin/sendmail -f DOMVU -t -i'
    </IfModule>
    # PHP through mod_fastcgi: the domain's starter directory is exposed as /php5/.
    <IfModule mod_fastcgi.c>
        ScriptAlias /php5/ /var/www/fcgi/DOMNAME/
        <Directory "/var/www/fcgi/DOMNAME">
            AllowOverride None
            Options +ExecCGI -MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    # PHP through mod_fcgid: .php files in htdocs are handed to the domain's
    # own starter script.
    <IfModule mod_fcgid.c>
                Include /etc/apache2/mods-available/fcgid_ispcp.conf
        <Directory /var/www/virtual/DOMNAME/htdocs>
            FCGIWrapper /var/www/fcgi/DOMNAME/php5-fcgi-starter .php
            Options +ExecCGI
        </Directory>
        <Directory "/var/www/fcgi/DOMNAME">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    # httpd dmn entry PHP2 support END.

</VirtualHost>

Fix login.php (only in versions before r2909 or ispcp 1.0.6)

In /var/www/ispcp/gui/include/login.php in line 221 change:

        // prevent external login / check for referer
        // The check only runs when a non-empty Referer header is present.
        if ($preventExternalLogin) {
                if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {

                        $info = parse_url($_SERVER['HTTP_REFERER']);
                        if (isset($info['host']) && !empty($info['host'])) {
                                // parse_url() yields the host without a port, while HTTP_HOST
                                // carries "host:port" when the panel runs on a non-default
                                // port, so this comparison then reports a foreign host.
                                if ($info['host'] != $_SERVER['HTTP_HOST']
                                        || $info['host'] != $_SERVER['SERVER_NAME']) {
                                        set_page_message(tr('Request from foreign host was blocked!'));
                                        // Redirect unless SCRIPT_FILENAME ends with REDIRECT_URL.
                                        if (!(substr($_SERVER['SCRIPT_FILENAME'], (int)-strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) === $_SERVER['REDIRECT_URL'])) {
                                                redirect_to_level_page();
                                        }
                                }
                        }
                }
        }

'to'

        // prevent external login / check for referer
        // NOTE(review): the Referer header is supplied by the client and the whole
        // check is skipped when it is absent or empty, so treat this as a filter
        // for cross-site requests from ordinary browsers, not as authentication.
        if ($preventExternalLogin) {
                if (isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {

                        $info = parse_url($_SERVER['HTTP_REFERER']);
                        if (isset($info['host']) && !empty($info['host'])) {
                                // parse_url() yields the host without a port, so the server's
                                // port is appended before comparing with HTTP_HOST and with
                                // SERVER_NAME plus port.
                                // NOTE(review): the appended port is the server's own, not the
                                // Referer's ($info['port'] is never read), and HTTP_HOST usually
                                // omits the port on 80/443 - confirm this variant is only used
                                // with the panel on a non-default port.
                                if ($info['host'].':'.$_SERVER['SERVER_PORT'] != $_SERVER['HTTP_HOST']
                                        || $info['host'].':'.$_SERVER['SERVER_PORT'] != $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT']) {
                                        set_page_message(tr('Request from foreign host was blocked!'));
                                        // Redirect unless SCRIPT_FILENAME ends with REDIRECT_URL.
                                        if (!(substr($_SERVER['SCRIPT_FILENAME'], (int)-strlen($_SERVER['REDIRECT_URL']), strlen($_SERVER['REDIRECT_URL'])) === $_SERVER['REDIRECT_URL'])) {
                                                redirect_to_level_page();
                                        }
                                }
                        }
                }
        }