Hi,

I'm using the following Apache directives to give my clients the control panel over https (port 443) instead of 9999.

Code:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://127.0.0.1:9999/
ProxyPassReverse / https://127.0.0.1:9999/

The SSL checks are just to bypass a false certificate ;-). My firewall is blocking port 9999, so it's not less secure imo.

But: something goes wrong with the loading of the page. Chrome adds /login/ (as expected; otherwise a session would already exist) BUT: other URLs also have the /login/ ending.

Code:
jquery.min.js:4 GET https://control.ichtushosting.com/login/nav.php?nav=side 404 (Not Found)
    send @ jquery.min.js:4
    ajax @ jquery.min.js:4
    loadMenus @ ispconfig.min.js:1
    loadInitContent @ ispconfig.min.js:1
    (anonymous function) @ ispconfig.min.js:1
    dispatch @ jquery.min.js:3
    r.handle @ jquery.min.js:3
    trigger @ jquery.min.js:3
    triggerHandler @ jquery.min.js:3
    ready @ jquery.min.js:2
    I @ jquery.min.js:2
jquery.min.js:4 GET https://control.ichtushosting.com/login/dashboard/dashboard.php 404 (Not Found)
    send @ jquery.min.js:4
    ajax @ jquery.min.js:4
    loadInitContent @ ispconfig.min.js:1
    (anonymous function) @ ispconfig.min.js:1
    dispatch @ jquery.min.js:3
    r.handle @ jquery.min.js:3
    trigger @ jquery.min.js:3
    triggerHandler @ jquery.min.js:3
    ready @ jquery.min.js:2
    I @ jquery.min.js:2
jquery.min.js:4 GET https://control.ichtushosting.com/login/keepalive.php 404 (Not Found)
    send @ jquery.min.js:4
    ajax @ jquery.min.js:4
    keepalive @ ispconfig.min.js:1
    loadInitContent @ ispconfig.min.js:1
    (anonymous function) @ ispconfig.min.js:1
    dispatch @ jquery.min.js:3
    r.handle @ jquery.min.js:3
    trigger @ jquery.min.js:3
    triggerHandler @ jquery.min.js:3
    ready @ jquery.min.js:2
    I @ jquery.min.js:2
jquery.min.js:4 GET https://control.ichtushosting.com/login/nav.php?nav=top 404 (Not Found)
    send @ jquery.min.js:4
    ajax @ jquery.min.js:4
    loadMenus @ ispconfig.min.js:1
    loadInitContent @ ispconfig.min.js:1
    (anonymous function) @ ispconfig.min.js:1
    dispatch @ jquery.min.js:3
    r.handle @ jquery.min.js:3
    trigger @ jquery.min.js:3
    triggerHandler @ jquery.min.js:3
    ready @ jquery.min.js:2
    I @ jquery.min.js:2

This should be:

Code:
https://control.ichtushosting.com/dashboard/dashboard.php
https://control.ichtushosting.com/nav.php?nav=top
https://control.ichtushosting.com/keepalive.php

Right?
I just set this up earlier this week. What I have, and it seems to work fine (haven't seen any session issues), using port 8080 is:

Code:
# cat /etc/apache2/conf-enabled/local.conf
# local (to this server) config snippets
Alias /webmail /var/lib/roundcube
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>

Code:
# cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName default
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<VirtualHost *:80>
    ServerName controlpanel.domain.com
    ServerAdmin [email protected]
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
        RewriteRule ^ - [END]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Code:
# cat /etc/apache2/sites-enabled/000-default-ssl.conf
<IfModule mod_ssl.c>
    ## This is the default *:443 host, displaying a placeholder page
    <VirtualHost *:443>
        ServerName default
        ServerAdmin [email protected]
        ServerSignature Off
        SSLEngine on
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
        SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
        #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
        SSLProtocol All -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder On
        DocumentRoot /var/www/html
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        <IfModule mod_headers.c>
            Header always add Strict-Transport-Security "max-age=15768000"
        </IfModule>
    </VirtualHost>

    ## This is the default controlpanel.domain.com for https (port 443),
    ## proxy to the real control panel on port 8080
    <VirtualHost *:443>
        ServerName controlpanel.domain.com
        ServerAdmin [email protected]
        ServerSignature Off
        SSLEngine on
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
        SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
        #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
        SSLProtocol All -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder On
        DocumentRoot /var/www/html
        SSLProxyEngine on
        <IfModule mod_proxy.c>
            ProxyRequests Off
            ProxyPreserveHost On
            ProxyPass /webmail "!"
            ProxyPass /roundcube "!"
            ProxyPass /squirrelmail "!"
            ProxyPass /phpmyadmin "!"
            ProxyPass / https://127.0.0.1:8080/
            ProxyPassReverse / https://127.0.0.1:8080/
        </IfModule>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        <IfModule mod_headers.c>
            Header always add Strict-Transport-Security "max-age=15768000"
        </IfModule>
    </VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I had to enable the proxy and proxy_http Apache modules. The 000-default-ssl.conf contents are mostly from 000-ispconfig.vhost (I'd love it if the SSL settings were in a common file included by both 000-ispconfig.vhost and 000-default-ssl.conf, so I don't have to try to manually track SSLCipherSuite changes and such). I think letsencrypt is still working with this (need to test more), but webmail and other things are fine so far.

If you're running 3.1, you can easily set up letsencrypt for your control panel as well, and get rid of the certificate errors.
It was a bit more complicated for my setup, but I made it work.
Control panel = https://control.domain.com
Not listening on port 9999 anywhere
Uses the default 000-ispconfig.vhost
At the moment uses Let's Encrypt certificates
Todo: configure Let's Encrypt to auto-renew these certificates.
I added a new website (not subdomain) with control.domain.com as name. Afterwards I added this into the Apache options (on the Options tab, Apache directives):

Code:
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /.well-known/ !
ProxyPass / https://localhost:8099/
ProxyPassReverse / https://localhost:8099/

The SSL options are needed because ISPConfig listens on https; the ProxyPass /.well-known/ ! line makes sure the request from Let's Encrypt is not forwarded. The other ProxyPass options are there to forward the request to the internal localhost on port 8099.
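Two things in the directives posted in this thread can be checked mechanically: the SSLProxy* settings that switch off backend certificate checks, and whether each `ProxyPass ... !` exclusion really sits before the catch-all rule. The script below is an added example, not part of the original posts or of ISPConfig. Its `matches` and `route` functions are a simplified model of mod_proxy's first-match-wins prefix handling, and the misplaced `/webmail` exclusion in the sample is constructed to show a rule that never takes effect.

```python
import shlex

# Constructed sample: proxy directives from the post plus a misplaced "/webmail" exclusion.
SAMPLE = """\
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /.well-known/ !
ProxyPass / https://localhost:8099/
ProxyPass /webmail !
ProxyPassReverse / https://localhost:8099/
"""

WEAK = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
        "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def parse(conf):
    """Split config text into (directive, args) pairs, skipping comments."""
    lines = conf.replace("\\\n", " ").splitlines()  # join continuation lines
    toks = (shlex.split(line, comments=True) for line in lines)
    return [(t[0], t[1:]) for t in toks if t]

def rules(conf):
    """ProxyPass (prefix, target) pairs in configuration order."""
    return [(a[0], a[1]) for d, a in parse(conf)
            if d.lower() == "proxypass" and len(a) >= 2]

def matches(path, prefix):
    """Simplified model of mod_proxy's segment-aware prefix match."""
    return path.startswith(prefix) and (
        prefix.endswith("/") or path[len(prefix):][:1] in ("", "/"))

def route(conf, path):
    """First matching ProxyPass wins; '!' means Apache serves it locally."""
    for prefix, target in rules(conf):
        if matches(path, prefix):
            return "local" if target == "!" else target + path[len(prefix):]
    return "local"

def findings(conf):
    """Report disabled backend certificate checks and unreachable exclusions."""
    out = [f"{d} {a[0]}: backend certificate check disabled"
           for d, a in parse(conf) if a and WEAK.get(d.lower()) == a[0].lower()]
    rs = rules(conf)
    for i, (prefix, target) in enumerate(rs):
        if target == "!" and any(matches(prefix, p) for p, _ in rs[:i]):
            out.append(f"ProxyPass {prefix} !: unreachable, an earlier rule matches first")
    return out
```

Calling `route(SAMPLE, "/webmail/")` returns the backend URL rather than `local`, which is what a misordered exclusion looks like in practice.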
So I did as you mentioned above but I got the following error:

Code:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.4.29 (Ubuntu) Server at wpanel.domain.com Port 443
Yes it worked perfectly, just had to enable the proxy modules, I thought I had already done so. Thanks!