The default way to restrict cPanel or WHM access to HTTPS with Apache relies on proxying to a backend over HTTPS. LSWS does not support this: if you try to route traffic through LSWS to cPanel on the backend over HTTPS, you will get 500 errors and entries like the following in your error log:
[ERROR] [REWRITE] Absolute URL with leading 'http://' is required for proxy, URL: https://127.0.0.1:2083/
Instead, we recommend using iptables to block access on the relevant ports. This wiki walks you through setting that up.
First, remove the old rules and settings that asked LSWS to proxy to a backend over HTTPS.

In /var/cpanel/templates/apache2_2/main.default, comment out the following rewrite rules:
RewriteCond %{HTTP_HOST} ^cpanel\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]

RewriteCond %{HTTP_HOST} ^webmail\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P]

RewriteCond %{HTTP_HOST} ^whm\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]

RewriteCond %{HTTP_HOST} ^webdisk\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P]
In WHM, turn off Always redirect to SSL (WHM Home > Server Configuration > Tweak Settings).
Blocking the ports that provide plain-HTTP access to the cPanel services forces users onto HTTPS. The following iptables rules block HTTP access to each cPanel service except from 127.0.0.1 (which is generally safe to allow). Place these rules in /etc/rc.d/rc.local so they are applied automatically every time the server reboots:
# cPanel is accessed via HTTP through port 2082
iptables -A INPUT -p tcp --dport 2082 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2082 -j DROP

# WHM is accessed via HTTP through port 2086
iptables -A INPUT -p tcp --dport 2086 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2086 -j DROP

# Webmail is accessed via HTTP through port 2095
iptables -A INPUT -p tcp --dport 2095 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2095 -j DROP

# Web Disk is accessed via HTTP through port 2077
iptables -A INPUT -p tcp --dport 2077 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2077 -j DROP
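The rc.local lines above do the job, but every time they run they append another copy of each rule, and nothing tells you afterwards whether the ports are actually closed. The script below is an added example, not part of the original wiki page or of LiteSpeed's own tooling: it generates the same rule set for the same four ports, adds each rule only when iptables -C reports it is missing, and then verifies that the DROP rule for every port is in place. The file name and the apply/verify/show sub-commands are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original wiki page): an idempotent version of the
# rc.local rules above. Plain "iptables -A" appends a fresh copy of every rule
# on each run; here a rule is added only if "iptables -C" says it is missing.
# Run as root, e.g.:  sh cpanel_http_block.sh apply
# The file name and the apply/verify/show sub-commands are assumptions of this example.

# Plain-HTTP ports of the cPanel services named on the page: cPanel, WHM, Webmail, Web Disk.
CPANEL_HTTP_PORTS="2082 2086 2095 2077"

# Print the two rules for one port in the same form as the page's rc.local lines.
rules_for_port() {
  printf 'iptables -A INPUT -p tcp --dport %s -s 127.0.0.1 -j ACCEPT\n' "$1"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# Print the complete rule set: two rules per port, localhost ACCEPT before DROP.
all_rules() {
  for port in $CPANEL_HTTP_PORTS; do
    rules_for_port "$port"
  done
}

# Number of rules in the set (two per port); a sanity check before applying.
rule_count() {
  all_rules | grep -c .
}

# Append one INPUT rule unless an identical rule already exists (-C exits 0 if present).
apply_rule() {
  iptables -C INPUT "$@" 2>/dev/null || iptables -A INPUT "$@"
}

# Apply the whole set. Order matters: the localhost ACCEPT must precede the DROP,
# so the ACCEPT is always added first.
apply_all() {
  for port in $CPANEL_HTTP_PORTS; do
    apply_rule -p tcp --dport "$port" -s 127.0.0.1 -j ACCEPT
    apply_rule -p tcp --dport "$port" -j DROP
  done
}

# Report which ports are actually protected; exit 0 only if every DROP rule is present.
verify_all() {
  status=0
  for port in $CPANEL_HTTP_PORTS; do
    if iptables -C INPUT -p tcp --dport "$port" -j DROP 2>/dev/null; then
      echo "port $port: HTTP blocked"
    else
      echo "port $port: NOT blocked"
      status=1
    fi
  done
  return $status
}

case "${1:-}" in
  apply)  apply_all && verify_all ;;
  verify) verify_all ;;
  show)   all_rules ;;
esac
```

Two caveats worth checking on a real server: -A appends to the end of the INPUT chain, so if an earlier rule already accepts all TCP traffic (a common default from other firewall tools), these rules never match and the verify step still reports them as present; in that case insert them at the top with -I INPUT instead. Also, iptables only filters IPv4; if the server answers on IPv6, the same rules are needed via ip6tables.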
Users will now be able to reach cPanel (and the other services) only via HTTPS.