Restricting cPanel Access to HTTPS
The usual way of restricting cPanel or WHM access to HTTPS with Apache relies on proxying to the backend over HTTPS. LSWS does not support proxying to an HTTPS backend. If you try to redirect traffic through LSWS to cPanel on the backend via HTTPS, you will get 500 errors and entries like the following in your error log:
[ERROR] [REWRITE] Absolute URL with leading 'http://' is required for proxy, URL: https://127.0.0.1:2083/
Instead, we recommend that you use iptables to block access on the necessary ports. This wiki will take you through the steps for setting this up.
Step 1: Remove HTTPS Proxy Settings
You are going to need to remove the old rules and settings that asked LSWS to proxy to a backend via HTTPS.
Update Your cPanel Templates
In /var/cpanel/templates/apache2_2/main.default, comment out the following rewrite rules:
RewriteCond %{HTTP_HOST} ^cpanel\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]
RewriteCond %{HTTP_HOST} ^webmail\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P]
RewriteCond %{HTTP_HOST} ^whm\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]
RewriteCond %{HTTP_HOST} ^webdisk\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P]
Don't Redirect to SSL
In WHM, turn off Always redirect to SSL (WHM Home > Server Configuration > Tweak Settings).
Step 2: Use iptables to Limit Access to HTTPS Ports
Blocking the ports that serve the cPanel services over plain HTTP forces users to connect over HTTPS. The following iptables rules drop HTTP access to each cPanel service except from 127.0.0.1 (local access, which is generally safe to allow). Place these rules in /etc/rc.d/rc.local so that they are applied automatically every time the server reboots:
#cPanel is accessed via HTTP through port 2082
iptables -A INPUT -p tcp --dport 2082 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2082 -j DROP
#WHM is accessed via HTTP through port 2086
iptables -A INPUT -p tcp --dport 2086 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2086 -j DROP
#Webmail is accessed via HTTP through port 2095
iptables -A INPUT -p tcp --dport 2095 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2095 -j DROP
#Web Disk is accessed via HTTP through port 2077
iptables -A INPUT -p tcp --dport 2077 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2077 -j DROP
Now users will only be able to access cPanel (and other services) via HTTPS.
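The rc.local snippet above appends its rules with -A every time it runs, so a second run (or a manual re-run while testing) stacks duplicate rules in the INPUT chain. The script below is an added example, not part of the original wiki, that generates the same rule set for the page's four HTTP ports (2082, 2086, 2095, 2077), applies each rule only if it is not already present (using iptables -C, which returns 0 when a matching rule exists), and offers a check that all DROP rules are in place. The function names and the HTTP_PORTS variable are this example's own.

```shell
#!/bin/sh
# Added example: idempotent version of the rc.local rules from the page.
# HTTP ports of the cPanel services named on the page (constructed list).
HTTP_PORTS="2082 2086 2095 2077"

# Print the two iptables commands for one port: allow loopback, drop the rest.
# The ACCEPT line must come before the DROP line so local access survives.
rules_for_port() {
    port=$1
    printf 'iptables -A INPUT -p tcp --dport %s -s 127.0.0.1 -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Print the full rule set, one command per line, for review or for pasting
# into /etc/rc.d/rc.local.
gen_rules() {
    for p in $HTTP_PORTS; do
        rules_for_port "$p"
    done
}

# Append a rule only if it is not already in the chain. "$@" is the rule
# spec without the -A/-C verb, e.g.: INPUT -p tcp --dport 2082 -j DROP
add_rule_once() {
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Apply the rule set; safe to run repeatedly (no duplicates are created).
apply_rules() {
    for p in $HTTP_PORTS; do
        add_rule_once INPUT -p tcp --dport "$p" -s 127.0.0.1 -j ACCEPT
        add_rule_once INPUT -p tcp --dport "$p" -j DROP
    done
}

# Return 0 if every HTTP port has its DROP rule, 1 otherwise, and name the
# first port that is still open.
rules_present() {
    for p in $HTTP_PORTS; do
        if ! iptables -C INPUT -p tcp --dport "$p" -j DROP 2>/dev/null; then
            echo "missing DROP rule for port $p" >&2
            return 1
        fi
    done
    return 0
}
```

Because the rules are appended, any broader ACCEPT rule that already sits earlier in the INPUT chain (for example one installed by another firewall manager) is matched first and silently shadows the DROP; inspect the order with `iptables -L INPUT -n --line-numbers` after applying, and re-run `rules_present` after any tool that flushes and rebuilds the chain. You can also confirm from a second host that a plain-HTTP connection to port 2082 now times out while the HTTPS port still answers.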