Best place to Force SSL, password protect directories.
Hi,
I'm still going through the learning curve of setting up Vesta CP, having just moved from ISPconfig. I'd like to make a couple of alterations to the apache config, but I'm not sure of the best place to do it, so I thought I'd ask here. I've been running apache and nginx servers for about ten years, so I'm familiar with the configuration process, I'm just not sure where the best place to put it is.
I see there are the following options.
1) .htaccess file in the webserver directory.
2) /home/admin/web/conf/apache2.conf and sapache2.conf
3) Additional files specified in IncludeOptional /home/admin/conf/web/apache2.domain.conf*
4) Making templates in /usr/local/vesta/data/templates/web/apache2
So, here are the things I'd like to do, and where I think I should be doing them. Please correct me if there is a better way!
Forcing SSL for a whole domain
Use approach 4), copy default.tpl and remove most of the content. Add "Redirect permanent / https://secure.example.com/" in that file. Copy default.stpl and leave unchanged.
OR ... I have nginx proxy enabled. Should I be using the nginx forceSSL template instead?
Forcing the webmail directory to SSL
In .htaccess or IncludeOptional for each site? Or can I do it globally?
Password protecting webmail / phpmyadmin directory
In .htaccess?
Removing phpmyadmin directory from a single site
Erm ... can't find which config sets this ... any clues?
Renaming phpmyadmin directory for all sites
I'd prefer not to have the default name. There are a lot of web-crawling bots poking around in /phpmyadmin and if there's a zero-day, it's not pretty. How to change this across all websites on the server?
Thanks for any pointers!
Re: Best place to Force SSL, password protect directories.
Alright, I had another look at this today, and I found a lot of answers.
First of all I found another couple of files which load the configuration for phpmyadmin and roundcube in /etc/apache2/conf.d.
As I wanted to make the changes for all sites, this seemed the best place to do it.
To change the phpmyadmin URL from http://domain.com/phpmyadmin to something else, e.g. http://domain.com/secretdatabase, edit /etc/apache2/conf.d/phpmyadmin.conf and change the Alias line at the top. Restart Apache.
The same goes for roundcube and /etc/apache2/conf.d/roundcube.conf.
This immediately makes it harder for web-bots to spot installations in the default locations.
Turning on SSL was also easy. For phpmyadmin this was also done in the phpmyadmin.conf file, by adding

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>

in the section just under

    <Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

and then restarting apache.
For roundcube, this didn't work in the roundcube.conf file, but did work in /var/lib/roundcube/.htaccess. Just add the lines at the top of the file, no <Directory> directive needed.
Password protection: Yep, that works for ALL sites by editing phpmyadmin.conf too. As my intention is just to stop bots getting in there and hammering away, I don't mind a single password for all users to access the phpmyadmin interface.
Question to admins / developers: Are the files in /etc/apache2/conf.d/ and /var/lib/roundcube/.htaccess ever likely to get overwritten during an upgrade?
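The three changes described in the post above (non-default Alias, HTTP-to-HTTPS rewrite, Basic auth in phpmyadmin.conf) and the worry that a package upgrade might silently revert them can be combined into one small script. The following is an added example, not code from the forum post or from the VestaCP project: `render_pma_conf` prints a hardened phpmyadmin.conf fragment using the same RewriteCond/RewriteRule pair as the post, and `audit_pma_conf` re-checks an existing conf file for the three hardening markers so you can run it after every upgrade. The paths /etc/apache2/conf.d/phpmyadmin.conf and /usr/share/phpmyadmin are the ones from the post; the htpasswd file path and the alias name are placeholders you would choose yourself.

```shell
#!/bin/sh
# Added example (not from the forum post or the VestaCP project).
# Assumes Debian-style paths as in the post: /etc/apache2/conf.d/phpmyadmin.conf
# and /usr/share/phpmyadmin. The htpasswd path and alias name are placeholders.

# Print a hardened phpmyadmin.conf fragment.
#   $1 = URL path to serve phpMyAdmin at (e.g. /secretdatabase)
#   $2 = path to an htpasswd file created with `htpasswd -c <file> <user>`
render_pma_conf() {
    alias_path="$1"
    htpasswd_file="$2"
    cat <<EOF
# Non-default path: crawlers probing /phpmyadmin get a 404
Alias ${alias_path} /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    # Send plain-HTTP requests to HTTPS (same rule as in the post)
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>

    # One shared Basic-auth gate in front of the phpMyAdmin login form
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile ${htpasswd_file}
    Require valid-user
</Directory>
EOF
}

# Audit an existing conf file (e.g. after a package upgrade). Prints each
# missing hardening marker; returns 0 if all three are present, 1 otherwise.
audit_pma_conf() {
    file="$1"
    missing=0
    if grep -Eq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin[[:space:]]' "$file"; then
        echo "$file: default Alias /phpmyadmin is back"; missing=1
    fi
    if ! grep -q 'RewriteCond %{HTTPS} !=on' "$file"; then
        echo "$file: HTTPS redirect missing"; missing=1
    fi
    if ! grep -q '^[[:space:]]*Require valid-user' "$file"; then
        echo "$file: Basic auth missing"; missing=1
    fi
    return $missing
}

# Stand-alone demo on a constructed temp file; no live server config is touched.
demo=$(mktemp)
render_pma_conf /secretdatabase /etc/apache2/.htpasswd-pma > "$demo"   # placeholder htpasswd path
if audit_pma_conf "$demo"; then echo "hardened fragment passes audit"; fi
rm -f "$demo"
```

To apply it for real you would write the fragment to /etc/apache2/conf.d/phpmyadmin.conf, create the htpasswd file, run `apachectl configtest`, then restart Apache; a cron job calling `audit_pma_conf` on that file answers the "does an upgrade overwrite it?" question by alerting you the moment the default Alias comes back.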
Re: Best place to Force SSL, password protect directories.
So I guess I just have a couple of questions left.
Forcing SSL for a whole domain
Use approach 4), copy default.tpl and remove most of the content. Add "Redirect permanent / https://secure.example.com/" in that file. Copy default.stpl and leave unchanged.
OR ... I have nginx proxy enabled. Should I be using the nginx forceSSL template instead?
Making changes to phpmyadmin/webmail directories on a single site rather than all of them
What's the best approach for this? .htaccess files in the webdir? For example, some domains only have a website with static HTML, so no need for database access or webmail.
Re: Best place to Force SSL, password protect directories.
Use Cloudflare ... and create a page rule; problem solved ;) It's what I've been using for 5 years. No messing with https and http on a webserver level to force SSL, and a free (Flex) SSL certificate. But just as easy with Strict SSL.