Client ISPConfig Admin Panel Access

Discussion in 'Installation/Configuration' started by cjsdfw, Mar 11, 2024.

  1. cjsdfw

    cjsdfw Member

    I have a security concern related to a client's access to their ISPConfig Access Panel, let me explain:
    Say my ISPConfig Access Panel is accessible at this server URL:
    https://srv1.MyAdminDomain.com:8080/
    and I define a new client and website in ISPConfig:
    https://clientdomain.com

    If the client tries to access the ISPConfig Access Panel from their website URL instead of the server URL:
    https://clientdomain.com:8080
    Apache will serve the ISPConfig Access Panel at the client website URL but under http and not https, exposing the session traffic to hackers should the client decide to proceed with the security certificate pointed to the server domain.

    Since I can't guarantee the ISPConfig Access Panel is accessed by clients from the server URL, I would like to redirect clients attempting to access the ISPConfig Access Panel from their website URL to the Server URL:
    https://clientdomain.com:8080 Gets Redirected to https://srv1.MyAdminDomain.com:8080/
    I just can't figure out how to accomplish this objective and would appreciate some help.

    I tried creating a virtual host on the client website to tend to port 8080 traffic using Reverse Proxy or RedirectPermanent but it does not redirect:
    Code:
    <VirtualHost *:8080>
        DocumentRoot /var/www/clients/client9/web11/web
        ServerName clientdomain.com
        ProxyPass / https://clientdomain.com:8080/
        ProxyPassReverse / https://srv1.MyAdminDomain.com:8080/
        ProxyPreserveHost On
        ProxyRequests Off
    </VirtualHost>

    Or using ReWrite
    Code:
    <VirtualHost *:8080>
        DocumentRoot /var/www/clients/client9/web11/web
        ServerName clientdomain.com
        RedirectPermanent / https://srv1.MyAdminDomain.com:8080/
    </VirtualHost>

    Any help would be appreciated. If I should not be attempting this, please let me know too.

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case; you should have tested this before posting claims that the traffic is unencrypted. If you look closely at the security details, your web browser will show you that the session is fully encrypted. You can even see this easily in the URL bar: the URL still has https:// (as you have shown yourself in your post) and not http://. There is no basis for your security concern at all here. If a client accesses the URL from his client domain, then the connection is as securely encrypted as if he used the server URL. The simple reason for this is that ISPConfig uses the non-standard port 8080, which is not accessible by HTTP at all, so your client can never access it by http, no matter which hostname or IP he uses (unlike the port 80/443 combination, which allows access by http instead of https). The only difference between using the right URL and the wrong URL is that he will get a warning from the web browser telling him that he is using the wrong URL and not the one the SSL cert is issued for. But this does not affect the encryption and security of the connection.

    Last edited: Mar 11, 2024
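The distinction made in the reply above, encrypted versus trusted-for-this-name, is what a browser evaluates after the TLS handshake has already succeeded. The following is an added example for this thread, not code from ISPConfig or from either poster: it reproduces the browser's hostname check against a certificate in the shape returned by Python's ssl.SSLSocket.getpeercert(). The certificate dictionary is a constructed stand-in issued only for srv1.MyAdminDomain.com (the hostnames are the thread's); the probe_panel() function is an optional live check that needs network access and a certificate chain trusted by the system store, and is not called here.

```python
"""Hostname check for a TLS certificate, as a browser performs it after the
handshake.  Added example for this thread; not ISPConfig's or the poster's
code.  PANEL_CERT is a constructed stand-in for getpeercert() output on a
panel certificate issued for the server name only."""
import socket
import ssl

# Constructed stand-in for ssl.SSLSocket.getpeercert() (parsed form).
PANEL_CERT = {
    "subject": ((("commonName", "srv1.MyAdminDomain.com"),),),
    "subjectAltName": (("DNS", "srv1.MyAdminDomain.com"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, and a wildcard is only
    accepted as the entire leftmost label of a name with at least three labels
    (so '*.example.com' matches 'www.example.com' but not 'a.b.example.com',
    and '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: the DNS SANs, falling back to
    the subject commonName only when no DNS SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_valid_for(cert: dict, url_host: str) -> bool:
    """True if any name in the certificate matches the hostname in the URL."""
    return any(_dns_name_matches(name, url_host) for name in cert_names(cert))


def explain(cert: dict, url_host: str) -> str:
    """Mirror the browser's verdict: encryption and name trust are separate."""
    if cert_valid_for(cert, url_host):
        return f"{url_host}: encrypted, certificate is valid for this name"
    return (f"{url_host}: encrypted, but the certificate is only valid for "
            f"{', '.join(cert_names(cert))}")


def probe_panel(host: str, port: int = 8080, timeout: float = 5.0) -> dict:
    """Live check (network required; not run by the demo below).  Completes a
    TLS handshake with host:port with hostname verification disabled, so the
    connection succeeds even when the name is wrong, then reports the cipher
    and whether the served certificate covers the name that was typed.  Chain
    validation stays on, so the chain must be trusted by the system store.  A
    listener that only speaks plain HTTP fails the handshake here instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we do the name check ourselves
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_names": cert_names(cert),
                "valid_for_url_host": cert_valid_for(cert, host),
            }


if __name__ == "__main__":
    for url_host in ("srv1.MyAdminDomain.com", "clientdomain.com"):
        print(explain(PANEL_CERT, url_host))
```

Running the demo prints a trusted verdict for the server name and, for clientdomain.com, the same "only valid for srv1.MyAdminDomain.com" conclusion Firefox reports below; in both cases the handshake that preceded the check was encrypted. Calling probe_panel() against a real panel shows the same split: the handshake negotiates a cipher regardless of which hostname was typed, and only the final field changes.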
  3. cjsdfw

    cjsdfw Member

    Thanks Till.
    My apologies. You are right. I do get messages that the certificate is not valid, as it belongs to the server, and that made me think it was not encrypted, but I understand now that the traffic is encrypted, just not trusted by the browser:
    Code:
    Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for clientdomain.com:8080. The certificate is only valid for srv1.MyAdminDomain.com.
    Again, thanks for the explanation.
