Secure admin panel

  • Some people want to secure their admin panel. That means preventing automatic redirects to the login panel when browsing non-existing subdomains or the IP of the server. Here's a howto to solve this problem. (For Debian Squeeze; it should work with other distributions.)


    go to /etc/imscp/apache/


    edit 00_master_fcgi.conf and 00_master_itk.conf
    Before the first VirtualHost
    set:

    Code
    # Catch-all vhost: answers for the bare server IP and for any hostname
    # no other VirtualHost claims, serving the static default page instead of the panel
    <VirtualHost {BASE_SERVER_IP}:80>
        DocumentRoot {APACHE_WWW_DIR}/default
        <Directory {APACHE_WWW_DIR}/default>
            Options FollowSymLinks
            Allow from all
        </Directory>
    </VirtualHost>


    edit 00_master_ssl_fcgi.conf and 00_master_ssl_itk.conf
    Before the first VirtualHost
    set:

    Code
    # Same catch-all for port 443, reusing the panel's own certificate
    <VirtualHost {BASE_SERVER_IP}:443>
        DocumentRoot {APACHE_WWW_DIR}/default
        <Directory {APACHE_WWW_DIR}/default>
            Options FollowSymLinks
            Allow from all
        </Directory>
        SSLEngine On
        SSLCertificateFile {GUI_CERT_DIR}/{SERVER_HOSTNAME}.pem
        SSLCertificateChainFile {GUI_CERT_DIR}/{SERVER_HOSTNAME}.pem
    </VirtualHost>


    Now create a folder /var/www/virtual/default and put an index.html there, or a .htaccess that redirects to another domain.


    Generate the new config files and restart the services:

    Code
    perl /var/www/imscp/engine/setup/imscp-setup


    PS: maybe the devs can include it in the next version of i-MSCP :)

    Edited once, last by mafioso.

  • I'll give it a try too, it's one of the features in my MUST list :)

  • Hi, I've been reading about this, and I cannot understand what you want to do (I thought you wanted to redirect to SSL by default, which I am interested in too).


    If I understand correctly, what you want is that for non-existent domains you see some website (such as your company page)?


    That has nothing to do with security as far as I know ...

    Edited once, last by aseques.

  • I think it has got something to do with security, because not all people want to show their guests the admin panel (a mistaken or deleted subdomain...).
    Also, some hackers search for the server IP and browse to this IP.


    Maybe you can include a select box in the admin panel, or something like that :D (also for the redirects, /pma/ etc.)


    To automatically redirect to HTTPS, just use this code snippet (maybe in /var/www/imscp/gui/library/login-functions.php or a file like that):


    [code=php]
    // Force HTTPS: if the request did not arrive over TLS, send a permanent
    // redirect to the same path on https. empty() avoids a notice when
    // $_SERVER['HTTPS'] is not set at all on plain-http requests.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
        exit();
    }
    [/code]

    Edited once, last by mafioso.
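    The two pieces above (the catch-all VirtualHost from the howto, and the HTTPS redirect snippet) are easiest to verify from the outside. The following probe script is an added example, not code from this thread or from i-MSCP: it sends a few requests the way a stray visitor would (bare IP, an unknown hostname, the panel hostname over plain http) and reports what each one gets back. The server IP and hostnames are placeholders you pass on the command line; the classification into "default page" / "https redirect" / "other redirect" is this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the thread or from i-MSCP.
# Probes a server the way a stray visitor would and reports what comes back,
# so you can confirm (a) the catch-all vhost answers for the bare IP and for
# unknown hostnames instead of the panel, and (b) plain http on the panel
# hostname is redirected to https. IP and hostnames are placeholders.
set -u

# classify_response: reads raw HTTP response headers on stdin, prints one word.
#   default-page    200 from the catch-all vhost (what the howto aims for)
#   redirect-https  3xx whose Location is an https:// URL (what the PHP snippet does)
#   redirect-other  3xx anywhere else, e.g. the login page showing up on an unknown host
#   other           anything else, including no answer at all
classify_response() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | head -n 1 | tr -d '\r' | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | tr -d '\r' \
        | awk 'tolower($1) == "location:" { print $2; exit }')
    case "$status" in
        200) echo default-page ;;
        301|302|303|307|308)
            case "$location" in
                https://*) echo redirect-https ;;
                *)         echo redirect-other ;;
            esac ;;
        *) echo other ;;
    esac
}

# probe <ip> <host-header> [http|https]: one HEAD request with the Host header
# forced; certificate checks are disabled (-k) because a bare IP or a made-up
# hostname never matches the certificate anyway, and we only care about the answer.
probe() {
    ip=$1; host=$2; scheme=${3:-http}
    curl -sS -I -m 5 -k -H "Host: $host" "$scheme://$ip/" 2>/dev/null | classify_response
}

# Usage: sh probe.sh <server-ip> <panel-hostname>
# Expected after the howto: the first three lines say default-page, the last
# one says redirect-https.
if [ $# -ge 2 ]; then
    ip=$1; panel=$2
    printf 'bare IP, http:          %s\n' "$(probe "$ip" "$ip")"
    printf 'unknown host, http:     %s\n' "$(probe "$ip" "nothing-here.invalid")"
    printf 'unknown host, https:    %s\n' "$(probe "$ip" "nothing-here.invalid" https)"
    printf 'panel hostname, http:   %s\n' "$(probe "$ip" "$panel")"
fi
```

    Run it against the server before and after applying the howto; a "redirect-other" on the bare IP or the unknown hostname means the panel login is still the first thing a visitor who guesses the IP will see. Note that, as the next reply points out, the https probe will still present the panel's certificate and therefore its real hostname.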

  • Ok, I understand what you want. About your idea: it has a major flaw when using HTTPS.
    When using HTTPS you MUST write your domain on the cert (so it doesn't complain about security), so for anyone connecting through HTTPS it is trivial to know the real server name, and your control panel wouldn't be hidden anymore.

  • But maybe it's not so good if someone knows the panel's system..^^ I think it's not so professional hehe :D (for commercial usage)


  • Do you know Plesk? It's one of the most popular control panels; you pay big cash for it (although I don't like it that much). When you use Plesk, the "security" feature you're asking for is not there.
    Another thing is ticket #158, which could ease the job of sysadmins by separating the control panel from standard hostings, but it's NOT a security-viable solution (IMHO).