Running DirectAdmin through apache on port 80


Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"

Top Level » DirectAdmin

Running DirectAdmin through apache on port 80Last Modified: Nov 14, 2019, 4:11 pm
Several people are unable to connect to DirectAdmin on port 2222 due to firewalls or proxies.  It is possible to setup Apache to allow DirectAdmin to run through Apache using its proxy options.

In this example, we'll setup DirectAdmin to run through with server IP .  Type your server's hostname here: .
This can be tweaked however you wish.
**Note** if you're running custombuild, you must recompile apache by adding "--enable-proxy" \ to the configure/ap2/configure.apache file, and recompiling apache and php.
Also, for apache 2, the template is virtual_host2.conf, not virtual_host.conf.

new method A

With the custom template system, we can add sufficient overrides to not need to make any changes to the templates themselves.
  1. First, create the cp.domain.com domain under a User level, as a full domain somewhere.  This will allow you to setup SSL with LetsEncrypt very easily.
  2. Next, go to:

    Admin Level -> Custom HTTPD Configuration -> cp.domain.com

    and in the top |CUSTOM| token textarea, we'll insert:

    |*if SSL_TEMPLATE="1"|
    |?HAVE_PHP1_FCGI=0|
    |?HAVE_PHP2_FCGI=0|
    |?HAVE_PHP1_FPM=0|
    |?HAVE_PHP2_FPM=0|
    |?CLI=0|
    |?HAVE_PHP1_CLI=0|
    |?HAVE_PHP2_CLI=0|
    |?SUPHP=0|
    |?HAVE_PHP1_SUPHP=0|
    |?HAVE_PHP2_SUPHP=0|
           ProxyRequests off
           SSLProxyEngine on

           ProxyPass /phpmyadmin !
           ProxyPass /phpMyAdmin !
           ProxyPass /webmail !
           ProxyPass /roundcube !

           ProxyPass / https://server.hostname.com:2222/
           ProxyPassReverse / https://server.hostname.com:2222/
           #ProxyPreserveHost On
    |*else|
           RewriteEngine On
           RewriteCond %{HTTPS} off
           RewriteCond %{REQUEST_URI} !^/.well-known
           RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    |*endif|

  3. You'll need to set

    cd /usr/local/directadmin
    ./directadmin set x_forwarded_from_ip 1.2.3.4
    ./directadmin set check_referer_port 0

    for your server IP, in to the directadmin.conf, if you want client IP logging/blocking to work correctly, and disable the port check as 443!=2222.
And you're done.  The above assumes that you've setup SSL for your hostname with this guide, so that the actual :2222 access matches, in the Proxy settings above.
Because cp.domain.com is a User Level domain, it cannot be your server.hostname.com, so they'll probably be different.

old method B

1) Duplicate the VirtualHost template:

cd /usr/local/directadmin/data/templates
cp virtual_host.conf custom
cd custom

You can copy all of the virtual_host*.conf files if you wish to access it with any method (https etc).

2) Make the changes to the template.  Edit the newly copied virtual_host.conf files (repeat this for the other VirtualHost files if you copied them).  Add

<VirtualHost |IP|:80>
   ServerName cp.|DOMAIN|
   ProxyRequests Off
   ProxyPass / http://127.0.0.1:2222/
   ProxyPassReverse / http://127.0.0.1:2222/
</VirtualHost>

To the end of the virtual_host.conf file, just after the virtualhost that is already there. (Yes, there will be 2 in one file).  Repeat this for the other files if you copied them (but use 443 for the ssl version, with the ssl related options).   If this is apache 2, you may need to add "SSLProxyEngine on" into the virtualhost if you are using DA with SSL.

3) Skip this step with apache 2.4.
Enable mod_proxy in your /etc/httpd/conf/httpd.conf file.  Edit that file and uncomment the followig lines (remove the # character)

LoadModule proxy_module       modules/libproxy.so

AddModule mod_proxy.c

Note that if you have mod_proxy compiled into your httpd binary (with apache 2), you only need to add the AddModule entry.  To check your httpd binary, type:

/usr/sbin/httpd -l

and look for the mod_proxy bits.

4) rewrite the user httpd.conf files:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue



Wait a few minutes for the rewrite to happen and for apache to restart itself.

5) You'll also need to add a cp A record for all your domains so that cp.domain.com actually resolves.  To get DA to add one by default for new zones:

cd /usr/local/directadmin/data/templates
cp dns_a.conf custom
cd custom
echo "cp=|IP|" >> dns_a.conf



6) Note that the Proxy requets will use a "Host" apache header value of "localhost", which causes the webmail, squirrelmail and phpMyAdmin links to be (eg): http://localhost/webmail.  You can change that by adding:

|?HOSTNAME=yourhost.com|

at the very top of /usr/local/directadmin/data/skins/enhanced/header.html so that it overwrite the previous setting of "localhost".   Another method would be to use "ProxyPass / http://yourhost.com:2222/" instead of "ProxyPass / http://localhost:2222/".

7) As of DA 1.49.2, enable the X-Forwarded-For header option, so you get the correct IPs in the logs:
https://www.directadmin.com/features.php?id=1825

Note that you will likely need to shut off the Referer Header Check for DA versions 1.34.5 and newer.
Also, you cannot run DA with https if the proxy connection to the client is going to be just http (non-ssl).  The reason is that there is a secure cookie flag when DA run with https, which tells the browser that this cookie should only be allowed on https connections.


Nginx


proxy_pass value for Nginx assuming cp.domain.com and 1.2.3.4

server {
   listen 1.2.3.4:80;
   server_name cp.domain.com;

   include /etc/nginx/webapps.conf;

   location / {
       proxy_pass       http://server.hostname.com:2222/;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_redirect http://cp.domain.com:2222/ http://cp.domain.com/;
   }
}

and add that to:

/etc/nginx/nginx-includes.conf

and restart nginx.


LiteSpeed


LiteSpeed is slightly different in terms of using the ProxyPass option.   For new method A, step 2, use the following instead:

|*if SSL_TEMPLATE="1"|
|?HAVE_PHP1_FCGI=0|
|?HAVE_PHP2_FCGI=0|
|?HAVE_PHP1_FPM=0|
|?HAVE_PHP2_FPM=0|
|?CLI=0|
|?HAVE_PHP1_CLI=0|
|?HAVE_PHP2_CLI=0|
|?SUPHP=0|
|?HAVE_PHP1_SUPHP=0|
|?HAVE_PHP2_SUPHP=0|
      RewriteEngine On
      #RewriteCond %{REQUEST_URI} !^/?(phpmyadmin|phpMyAdmin|webmail|roundcube|)/
      RewriteRule ^(.*)$ https://cp.|DOMAIN|:2222/$1 [P,L]
|*else|
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteCond %{REQUEST_URI} !^/.well-known
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
|*endif|

Note, LiteSpeed dose not allow proxying to just any value. You if you get this in the error.log

[REWRITE] Proxy target is not defined on external application list, please add a 'web server' with name 'https://cp.domain.com:2222

then you'll need to add an approved proxy web server in your LSWS panel login:

Configuration -> Server -> External App -> Add

for each host that will connect to DA.   Should we find some way to override the "Host" value sent to LSWS from the redirect, then the value in the template could be unified, saving the need to load up everyone's cp.|DOMAIN| in the LSWS admin area.  You'l also need to hit the "graceful reload" option after changing things.


You may need to use this feature to tell DA to trust certain X-forwarded-for values.

Errors

If you're still unable to login run DA in debug mode, level 2000.

    Checking referer https://server.hostname.com/ to server.hostname.com:2222
    Referer port (443) does not match DA's (2222): https://server.hostname.com/

    In which case, you'd need to disable the port during the referer checks: https://www.directadmin.com/features.php?id=2194
 
Related Helpfiles
Using a custom VirtualHost template
Setting up webmail.domain.com as default for new domains.

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST