SSL for control panel IP
Re: SSL for control panel IP
In order to have SSL on the panel you need to edit /usr/local/vesta/nginx/conf/nginx.conf and uncomment the # HTTPS server part (at the bottom).
Since the SSL certificate is read by admin user (and root), you need to uncomment the # user part too.
My nginx.conf looks like this now:
```
user admin;
worker_processes 1;
error_log /usr/local/vesta/log/nginx-error.log;
pid /var/run/vesta-nginx.pid;

events {
    worker_connections 128;
    use epoll;
}

http {
    # Main settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    client_header_timeout 1m;
    client_body_timeout 1m;
    client_header_buffer_size 2k;
    client_body_buffer_size 256k;
    client_max_body_size 100m;
    large_client_header_buffers 4 8k;
    send_timeout 30;
    keepalive_timeout 60 60;
    reset_timedout_connection on;
    server_tokens off;
    server_name_in_redirect off;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 512;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format bytes '$body_bytes_sent';
    access_log /dev/null main;

    # SSL PCI Compliance
    # ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Mime settings
    include /usr/local/vesta/nginx/conf/mime.types;
    default_type application/octet-stream;

    # Compression
    gzip on;
    gzip_comp_level 9;
    gzip_min_length 512;
    gzip_buffers 8 64k;
    gzip_types text/plain text/css text/javascript
               application/x-javascript;
    gzip_proxied any;

    # Proxy settings
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header Set-Cookie;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffers 32 4k;

    # Error pages
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 502 503 504 /error/50x.html;

    # Vhost
    server {
        listen 8083; #change the port if you want something else, I'm not using default port
        server_name _;
        root /usr/local/vesta/web;
        charset utf-8;

        ssl on;
        ssl_certificate /usr/local/vesta/ssl/certificate.crt;
        ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        error_page 404 /error/404/index.html;
        error_page 403 /error/index.html;
        error_page 500 /error/index.html;

        location / {
            expires max;
            index index.php;
        }

        location /error/ {
            expires max;
            index index.html;
        }

        location /rrd/ {
            expires off;
            internal;
        }

        location /backup/ {
            root /;
            internal;
        }

        location ~ \.php$ {
            include /usr/local/vesta/nginx/conf/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /usr/local/vesta/web/$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_pass unix:/var/run/vesta-php.sock;
            fastcgi_intercept_errors on;
            break;
        }
    }
}
```
As you see, my certificate is located here:
ssl_certificate /usr/local/vesta/ssl/certificate.crt;
ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
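
A check a practitioner may want to run on the `ssl_protocols` and `ssl_ciphers` lines of a panel config like the one posted above. This is an added example, not part of the thread; `audit_panel_tls` and `sample_panel_conf` are hypothetical helper names, and the sample is a constructed, shortened excerpt of the posted directives.

```shell
#!/bin/sh
# Added example (not from the thread). audit_panel_tls and sample_panel_conf
# are hypothetical helper names.

audit_panel_tls() {
    # Reads an nginx.conf from file $1 (or stdin) and prints one finding per line.
    awk '
    { sub(/#.*/, "") }    # drop comments, so commented-out directives are ignored
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            # SSLv2 and SSLv3 are broken; TLS 1.0 and 1.1 are deprecated by RFC 8996
            if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                print "protocol:" p
        }
    }
    $1 == "ssl_ciphers" {
        s = $0
        sub(/^[ \t]*ssl_ciphers[ \t]+/, "", s)
        gsub(/[";]/, "", s)
        n = split(s, c, ":")
        for (i = 1; i <= n; i++) {
            if (c[i] ~ /^[!-]/) continue    # "!RC4" excludes ciphers: not a finding
            if (c[i] ~ /RC4|DES|MD5|NULL|EXP/) print "cipher:" c[i]
        }
    }' "${1:--}"
}

sample_panel_conf() {    # constructed excerpt of the directives in the post above
    cat <<'EOF'
    # ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!DES:!MD5:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
}

sample_panel_conf | audit_panel_tls
```

Against a real install, pass the path instead: `audit_panel_tls /usr/local/vesta/nginx/conf/nginx.conf`. Empty output means nothing was flagged.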
Re: SSL for control panel IP
Hi demlasjr,
Thanks for your post. I want to enable the SSL on port 8083 as well for the VestaCP admin panel so that anybody who logs in does not receive 'unsecure page error'.
Can you confirm that changing the Nginx.conf file solves the problem? I have a Comodo SSL cert and they gave me 4 files. Which should I use?
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
mydomainname_com.crt
My guess is the 'mydomainname_com.crt' file?
Thanks
Re: SSL for control panel IP
In the field “SSL Certificate Authority / Intermediate (optional)” put the three files:
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt
...and:
/usr/local/vesta/ssl/certificate.crt:
Your Certificate - domain.tld.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt
Thanks.
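
The file order given in the post above can be checked before the panel's nginx ever reads the bundle. The following is an added example, not part of the thread: `build_panel_bundle` and `make_demo_chain` are hypothetical helper names, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). build_panel_bundle and make_demo_chain are
# hypothetical helper names; both need the openssl command-line tool.

build_panel_bundle() {  # usage: build_panel_bundle OUT KEY LEAF INTERMEDIATE... [ROOT]
    out=$1; key=$2; shift 2
    # 1. The private key must belong to the leaf (first) certificate.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match $1" >&2; return 3
    fi
    # 2. Each certificate must name the next one as its issuer. This compares
    #    names only; it does not verify signatures or expiry.
    prev=
    for crt in "$@"; do
        if [ -n "$prev" ]; then
            want=$(openssl x509 -in "$prev" -noout -issuer_hash) || return 2
            have=$(openssl x509 -in "$crt" -noout -subject_hash) || return 2
            if [ "$want" != "$have" ]; then
                echo "wrong order: $crt is not the issuer of $prev" >&2; return 4
            fi
        fi
        prev=$crt
    done
    # 3. Only now write the bundle: leaf first, then the chain.
    for crt in "$@"; do cat "$crt"; echo; done > "$out"
}

make_demo_chain() {  # constructed throwaway chain in directory $1: root -> inter -> leaf
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    for pair in inter:root leaf:inter; do
        n=${pair%:*}; ca=${pair#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$n.csr" -days 1 -set_serial 2 -CA "$d/$ca.crt" \
            -CAkey "$d/$ca.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
}

if [ "$#" -ge 3 ]; then build_panel_bundle "$@"; fi
```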
Re: SSL for control panel IP
Don't forget to restart the `/usr/local/vesta/nginx/sbin/vesta-nginx` process, which is separate from the nginx process that serves as a proxy. I got hung up on that for a while before I realized why my changes to `/usr/local/vesta/nginx/conf/nginx.conf` weren't being respected.