I have an ISP panel under https://vps123.example.net:8080/ with a self-signed certificate. On the server I have a website, let's say website.com, which has a Let's Encrypt SSL certificate (with HSTS turned on). What should the default behavior be when I put https://website.com:8080 in the web browser address bar? At the moment I get what the attached screenshot shows. When I use the address https://website.com the site of course opens normally. Next question is: how can I alternatively disable port 8080 for website.com?
ISPConfig doesn't set up a name virtual host, it "owns" port 8080 itself, so any name used to access your server on port 8080 will hit the ispconfig installation. Once you get past the ssl error, you should have an ispconfig login screen. You can create a name virtual host (e.g. vps123.example.net) on port 443 then set up a reverse proxy for that site to localhost:8080. You then block off port 8080 in your firewall, and your ispconfig control panel will be available only through that vhost.
Unfortunately I can't do this, because the HSTS feature being enabled makes it impossible to accept the self-signed certificate / ssl error. Of course I could disable HSTS, but for website.com I need this enabled. I am not sure I get the point. After the above operations the ispconfig panel will be available only through vps123.example.net:443? But what will happen with access to the panel via another web domain, e.g. website2.com:8080, will it be locked, or a 404?
Correct, what I suggested was to block port 8080 entirely, so it is inaccessible via any name. Your website2.com will serve a normal website as it always has, and website2.com:443 will be configured if the SSL checkbox is enabled, but will still just serve the normal site. Only the vps123.example.net vhost will get you to the control panel (which I believe is what you wanted?).
Yes, I want this effect. I tried to find out something about it and there is a problem. I have a virtual host starting with something like this: <VirtualHost _default_:8080> and between the <VirtualHost> tags is the full ispconfig vhost configuration. Questions:
1. Should I do a virtual host like you said above? or
2. Could I change only the port here: <VirtualHost _default_:443>? or
3. Maybe create one more .vhost file, vps123.example.net:443, and copy there the config from the current ispconfig vhost file? What is the algorithm?
4. After these operations, on which port will the panel be accessible, https://vps123.example.net:443 or still https://vps123.example.net:8080 (what should be written in the web browser address bar)?
5. Should I remove the current ispconfig virtualhost?
PS My setup (copied the default file /etc/apache2/sites-available/ispconfig.vhost to my-ispconfig.vhost and created a symlink in sites-enabled):
Code:
######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################
# was: Listen 8080 (Apache does not allow a comment after a directive on the same line)
Listen 443
# was: NameVirtualHost *:8080
NameVirtualHost *:443

<VirtualHost vps123.example.net:443>
  ServerAdmin [email protected]

  ##ADDED LINES
  #<Proxy *>
  #  Order deny,allow
  #  Allow from all
  #</Proxy>
  #<Location />
  #  ProxyPass http://localhost:8080/
  #</Location>
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://localhost:8080/
  ProxyPassReverse / https://localhost:8080/
  ##END

  <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>
  <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      <FilesMatch "\.php$">
        SetHandler fcgid-script
      </FilesMatch>
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
      Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
  </IfModule>

  <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
      Options +FollowSymLinks
      AllowOverride None
      Require all granted
      php_value magic_quotes_gpc 0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
  SSLEngine On
  SSLProtocol All -SSLv3
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder On
  <IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000"
    RequestHeader unset Proxy early
  </IfModule>
  SSLUseStapling On
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors Off
</VirtualHost>

<IfModule mod_ssl.c>
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

<Directory /var/www/php-cgi-scripts>
  AllowOverride None
  Require all denied
</Directory>
<Directory /var/www/php-fcgi-scripts>
  AllowOverride None
  Require all denied
</Directory>
You could accomplish what you want in two ways: 1) set up a standard vhost for vps123.example.net which does a reverse proxy connection to localhost:8080, or 2) copy the ispconfig vhost file to be used for vps123.example.net and alter a few things (primarily the port number and server name) to run as a name vhost. You seem to have mixed both approaches in the above config. I've posted a working proxy config in the past on the forums here, I think 2 times; you could see if you can find those. We've since switched from that type of config to a dedicated container for the control panel which runs on port 443, so I can't cut/paste code I have working in production at this time.
Thank you Jesse for the answer. I still have some doubts. What does "standard vhost" mean, something like the default one? You said that I mixed both approaches, do you mean from points 1 and 2? I am afraid I don't fully understand. The above config covers point 2 of your answer and has these lines altered (commented the old port number, put 443 as the new one, changed the default virtualhost to vps123.example.net, put Proxy lines to localhost:8080):
Code:
Listen 443 #8080
NameVirtualHost *:443 #8080   <-- do I need to put "vps123.example.net" here too instead of *?
<VirtualHost vps123.example.net:443>
and added:
Code:
##ADDED LINES
#<Proxy *>
#  Order deny,allow
#  Allow from all
#</Proxy>
#<Location />
#  ProxyPass http://localhost:8080/
#</Location>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/
##END
Btw, I have to find the configs you mentioned above, because I don't know which added lines should be commented/uncommented (I based this on configs found on the internet).
There is no need to do a reverse proxy, use 443 and block 8080. Just follow my post here: https://www.howtoforge.com/communit...cates-into-ispconfig.71055/page-7#post-355116. This way you will maintain your https://vps123.example.net:8080 but change it to the LE SSL. This should be simple and straightforward.
Do you mean that I should create a website whose name will be the name of the VPS (so the created website would be vps123.example.net)? PS Do you maybe know what I should do based on the information I provided in an earlier post? I am curious how to set up the reverse proxy properly and I think I am close to resolving the issue.
Yes. The created website would be vps123.example.net. And no. I am not good with reverse proxy. I never did it successfully.
Thanks for the answer, Ahrasis. I will check this and for sure give a response. This is a highly important thing for me. I will post feedback next week. Weekend time.
I want to check both options, so Jesse, I set up this VirtualHost:
Code:
Listen 443
NameVirtualHost *:443
<VirtualHost 193.X.X.X:443>
  ServerName vps123.example.net
  ServerAlias www.vps123.example.net
  ProxyPass / https://localhost:8080/
  ProxyPassReverse / https://localhost:8080/
</VirtualHost>
Should I also put directives like:
Code:
DocumentRoot /var/www/ispconfig
SSLEngine On
SSLCertificateFile /path/to/isp/ssl_cert
or are they not required here? ispconfig.vhost has the whole SSL configuration inside.
You do need to enable SSL and point to the correct cert inside the vhost, yes. There is an example working config at https://www.howtoforge.com/communit...ispconfig-paneladress-8080.73572/#post-346298 and https://www.howtoforge.com/community/threads/3-1-update-reverse-proxypass-apache.73210/
Will this new vhost redirect (or something like a redirect) to the default ispconfig.vhost, or won't this default be used anymore? I will check your example configs. As I see it, I should set <IfModule mod_proxy.c> and inside it the lines ProxyPass and ProxyPassReverse. And there are two <VirtualHost> entries in one vhost file. So maybe I just copy the whole text from the ispconfig.vhost file, paste it at the bottom of this file and just add ServerName, ServerAlias, ProxyPass and ProxyPassReverse, can it be?
The example at https://www.howtoforge.com/community/threads/3-1-update-reverse-proxypass-apache.73210/ creates a 000-default-ssl.conf file which has 2 virtualhost entries and serves 2 purposes: the first virtualhost entry (servername default) is the default port 443 site, which is served for any port 443 connections that don't match a more specific vhost (e.g. if you don't set up ssl for a hosted domain xyz.com in ispconfig, then https://xyz.com/ will be served from this vhost); the second virtualhost entry would match the server's hostname (vps123.example.net in your example) and proxy the connection to port 8080 to access the ispconfig interface. You could put them in separate files if you prefer.
Heh, I am definitely dumb... I see the example you are talking about, but now I am confused. In your first post you advised me to create a virtualhost with a reverse proxy and block port 8080. Now I see I should create 2 virtualhosts for 2 different purposes. Hmm... I am confused. This is my first try with reverse proxies and ISPConfig, maybe this is the problem.
After following this thread for a while, I am still confused why an easier solution is not being used. Why do you need to use a reverse proxy for ispc port?
The vhost performing a reverse proxy which I mentioned in my first post is the 2nd vhost in the example config.
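The following is an added example and is not code posted by any participant in this thread, nor ISPConfig's own configuration. It puts together the two halves of the approach Jesse describes above (a name-based vhost on 443 that reverse-proxies to ISPConfig on 8080, plus a firewall rule that keeps 8080 off the network) and adds a sanity check for the mistake that most often leaves such a proxy broken: the backend is https://, so the vhost needs SSLProxyEngine On, which none of the configs quoted in the thread has. Assumptions: the panel hostname is vps123.example.net, its Let's Encrypt files are under /etc/letsencrypt/live/vps123.example.net/ (an assumed path), and ISPConfig keeps listening on 127.0.0.1:8080 with its self-signed certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the reverse-proxy vhost and the
# firewall rules, and checks the vhost for the two errors that leave the
# proxy returning 500s or plain HTTP. Hostname and cert path are assumptions.

PANEL_HOST="vps123.example.net"
CERT_DIR="/etc/letsencrypt/live/${PANEL_HOST}"   # assumed Let's Encrypt location
BACKEND="https://127.0.0.1:8080/"                # ISPConfig's own _default_:8080 vhost

# The "2nd vhost" from the thread: name-based on 443, proxied to ISPConfig.
panel_proxy_vhost() {
  cat <<EOF
<VirtualHost *:443>
    ServerName ${PANEL_HOST}

    # Browser-facing TLS uses the trusted Let's Encrypt cert, so HSTS set by
    # other sites on this host no longer blocks access to the panel.
    SSLEngine On
    SSLCertificateFile    ${CERT_DIR}/fullchain.pem
    SSLCertificateKeyFile ${CERT_DIR}/privkey.pem

    # The backend speaks TLS with a self-signed cert: SSLProxyEngine must be
    # On or every request fails with 500. Peer verification is relaxed only
    # because this hop never leaves the loopback interface.
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName off

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / ${BACKEND}
    ProxyPassReverse / ${BACKEND}

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000"
        RequestHeader unset Proxy early
    </IfModule>

    ErrorLog  \${APACHE_LOG_DIR}/${PANEL_HOST}-error.log
    CustomLog \${APACHE_LOG_DIR}/${PANEL_HOST}-access.log combined
</VirtualHost>
EOF
}

# Firewall rules: 8080 stays reachable from loopback (the proxy needs it) and
# is dropped from every other interface, so only the vhost above reaches the panel.
firewall_rules() {
  cat <<'EOF'
iptables  -I INPUT -p tcp --dport 8080 ! -i lo -j DROP
ip6tables -I INPUT -p tcp --dport 8080 ! -i lo -j DROP
EOF
}

# Reads a vhost on stdin; returns 1 if SSLEngine is missing or if an https
# backend is proxied without SSLProxyEngine On.
check_vhost() {
  conf=$(cat)
  printf '%s\n' "$conf" | grep -q '^[[:space:]]*SSLEngine On' \
    || { echo "check_vhost: SSLEngine On is missing" >&2; return 1; }
  if printf '%s\n' "$conf" | grep -q '^[[:space:]]*ProxyPass .*https://'; then
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*SSLProxyEngine On' \
      || { echo "check_vhost: https backend but no SSLProxyEngine On" >&2; return 1; }
  fi
  return 0
}

# Stand-alone run: validate, then print the vhost and the firewall rules.
panel_proxy_vhost | check_vhost && { panel_proxy_vhost; firewall_rules; }
```

To apply it on a Debian-style Apache: `a2enmod proxy proxy_http ssl headers`, save the printed vhost as /etc/apache2/sites-available/vps123.example.net.conf, `a2ensite` it, run `apachectl configtest`, reload Apache, then run the printed iptables lines (make them persistent with whatever your distribution uses, e.g. iptables-persistent or ufw). The stock ispconfig.vhost keeps its `Listen 8080`; the rule only stops the rest of the network from reaching it. With 8080 dropped, https://website.com:8080 from the first post simply times out instead of triggering the HSTS certificate error, and the panel is reached at https://vps123.example.net/ with no port in the address bar.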