Running DirectAdmin through apache on port 80



Last Modified: Mar 16, 2018, 3:32 pm

Several people are unable to connect to DirectAdmin on port 2222 due to firewalls or proxies.  It is possible to set up Apache so that DirectAdmin is reached through Apache, using its proxy options.

In this example, we'll set up DirectAdmin to run through cp.domain.com with server IP 1.2.3.4 and server hostname server.hostname.com.
This can be tweaked however you wish.
**Note**: if you're running custombuild, you must recompile apache by adding the line "--enable-proxy" \ to the configure/ap2/configure.apache file, then recompiling apache and php.
Also, for apache 2, the template is virtual_host2.conf, not virtual_host.conf.


new method A

With the custom template system, we can add sufficient overrides to not need to make any changes to the templates themselves.
  1. First, create the cp.domain.com domain under a User level, as a full domain somewhere.  This will allow you to set up SSL with LetsEncrypt very easily.
  2. Next, go to:

    Admin Level -> Custom HTTPD Configuration -> cp.domain.com

    and in the top |CUSTOM| token textarea, we'll insert:

    |*if SSL_TEMPLATE="1"|
    |?HAVE_PHP1_FCGI=0|
    |?HAVE_PHP2_FCGI=0|
    |?HAVE_PHP1_FPM=0|
    |?HAVE_PHP2_FPM=0|
    |?CLI=0|
    |?HAVE_PHP1_CLI=0|
    |?HAVE_PHP2_CLI=0|
    |?SUPHP=0|
    |?HAVE_PHP1_SUPHP=0|
    |?HAVE_PHP2_SUPHP=0|
           ProxyRequests off
           SSLProxyEngine on
           ProxyPass / https://server.hostname.com:2222/
           ProxyPassReverse / https://server.hostname.com:2222/
    |*else|
           RewriteEngine On
           RewriteCond %{HTTPS} off
           RewriteCond %{REQUEST_URI} !^/.well-known
           RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    |*endif|

  3. You'll need to set

    x_forwarded_from_ip=1.2.3.4

    for your server IP, in directadmin.conf, if you want client IP logging/blocking to work correctly.
And you're done.  The above assumes that you've set up SSL for your hostname with this guide, so that the actual :2222 access matches the hostname used in the Proxy settings above.
Because cp.domain.com is a User Level domain, it cannot be your server.hostname.com, so they'll probably be different.


old method B

1) Duplicate the VirtualHost template:

cd /usr/local/directadmin/data/templates
cp virtual_host.conf custom
cd custom

You can copy all of the virtual_host*.conf files if you wish to access it with any method (https etc).

2) Make the changes to the template.  Edit the newly copied virtual_host.conf files (repeat this for the other VirtualHost files if you copied them).  Add

<VirtualHost |IP|:80>
   ServerName cp.|DOMAIN|
   ProxyRequests Off
   ProxyPass / http://127.0.0.1:2222/
   ProxyPassReverse / http://127.0.0.1:2222/
</VirtualHost>

to the end of the virtual_host.conf file, just after the VirtualHost that is already there (yes, there will be 2 in one file).  Repeat this for the other files if you copied them (but use 443 for the ssl version, with the ssl related options).  If this is apache 2, you may need to add "SSLProxyEngine on" into the VirtualHost if you are using DA with SSL.

3) Skip this step with apache 2.4.
Enable mod_proxy in your /etc/httpd/conf/httpd.conf file.  Edit that file and uncomment the following lines (remove the # character):

LoadModule proxy_module       modules/libproxy.so

AddModule mod_proxy.c

Note that if you have mod_proxy compiled into your httpd binary (with apache 2), you only need to add the AddModule entry.  To check your httpd binary, type:

/usr/sbin/httpd -l

and look for the mod_proxy bits.

4) Rewrite the user httpd.conf files:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue



Wait a few minutes for the rewrite to happen and for apache to restart itself.

5) You'll also need to add a cp A record for all your domains so that cp.domain.com actually resolves.  To get DA to add one by default for new zones:

cd /usr/local/directadmin/data/templates
cp dns_a.conf custom
cd custom
echo "cp=|IP|" >> dns_a.conf



6) Note that the Proxy requests will use a "Host" apache header value of "localhost", which causes the webmail, squirrelmail and phpMyAdmin links to be (eg): http://localhost/webmail.  You can change that by adding:

|?HOSTNAME=yourhost.com|

at the very top of /usr/local/directadmin/data/skins/enhanced/header.html so that it overwrites the previous setting of "localhost".  Another method would be to use "ProxyPass / http://yourhost.com:2222/" instead of "ProxyPass / http://localhost:2222/".

7) As of DA 1.49.2, enable the X-Forwarded-For header option, so you get the correct IPs in the logs:
https://www.directadmin.com/features.php?id=1825

Note that you will likely need to shut off the Referer Header Check for DA versions 1.34.5 and newer.
Also, you cannot run DA with https if the proxy connection to the client is going to be just http (non-ssl).  The reason is that DA sets a secure cookie flag when it runs with https, which tells the browser that this cookie should only be allowed on https connections.
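
The constraints stated in method B (ProxyRequests off, SSLProxyEngine with an https backend, no https backend behind a plain-http front end) can be checked mechanically before reloading Apache. The following is an added example, not DirectAdmin's or Apache's own tooling; the function name, the finding codes and the sample VirtualHost text are constructed for illustration, and treating port 443 as "front end uses SSL" is an assumption.

```python
import re

def lint_proxy_vhost(vhost):
    """Return finding codes for one rendered <VirtualHost> block that proxies to DA."""
    head = re.search(r"<VirtualHost\s+[^>]*?:(\d+)\s*>", vhost, re.I)
    port = int(head.group(1)) if head else None
    directives = {}
    for line in vhost.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "<#":          # skip section tags and comments
            directives.setdefault(parts[0].lower(), []).append([p.lower() for p in parts[1:]])

    def is_on(name):
        return any(args[:1] == ["on"] for args in directives.get(name, []))

    # Assumption: a vhost on port 443 or with "SSLEngine on" serves the client over https.
    frontend_tls = port == 443 or is_on("sslengine")
    backends = [args[1] for args in directives.get("proxypass", []) if len(args) > 1]
    backend_tls = any(url.startswith("https://") for url in backends)

    findings = []
    if is_on("proxyrequests"):                         # the page sets "ProxyRequests Off"
        findings.append("forward-proxy-enabled")
    if backend_tls and not is_on("sslproxyengine"):    # needed when DA itself runs with SSL
        findings.append("https-backend-without-sslproxyengine")
    if backend_tls and not frontend_tls:               # Secure cookie is not sent back over http
        findings.append("secure-cookie-on-http-frontend")
    if backends and not directives.get("proxypassreverse"):
        findings.append("missing-proxypassreverse")
    return findings

# Constructed inputs: method B rendered with the page's example values, and a broken variant.
METHOD_B_HTTP = """<VirtualHost 1.2.3.4:80>
   ServerName cp.domain.com
   ProxyRequests Off
   ProxyPass / http://127.0.0.1:2222/
   ProxyPassReverse / http://127.0.0.1:2222/
</VirtualHost>"""

MISCONFIGURED = """<VirtualHost 1.2.3.4:80>
   ServerName cp.domain.com
   ProxyRequests On
   ProxyPass / https://server.hostname.com:2222/
</VirtualHost>"""

if __name__ == "__main__":
    for name, text in (("METHOD_B_HTTP", METHOD_B_HTTP), ("MISCONFIGURED", MISCONFIGURED)):
        print(name, lint_proxy_vhost(text))
```

Run it against the rendered per-user httpd.conf VirtualHost text, not the template with its |TOKEN| placeholders.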



Nginx


proxy_pass value for Nginx, assuming cp.domain.com and 1.2.3.4:

server {
   listen 1.2.3.4:80;
   server_name cp.domain.com;

   include /etc/nginx/webapps.conf;

   location / {
       proxy_pass       http://server.hostname.com:2222/;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_redirect http://cp.domain.com:2222/ http://cp.domain.com/;
   }
}

and add that to:

/etc/nginx/nginx-includes.conf

and restart nginx.



You may need to use this feature to tell DA to trust certain X-forwarded-for values.
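
Why the trusted proxy IP matters for the x_forwarded_from_ip setting in method A, the X-Forwarded-For option in method B and the trust setting mentioned above, shown as an added example: it models the general trusted-proxy rule and is not DirectAdmin's code. The function names and the failed-login records are constructed; it assumes the proxy appends the connecting client's address as the last X-Forwarded-For entry, as Apache mod_proxy and nginx's $proxy_add_x_forwarded_for do.

```python
import ipaddress
from collections import Counter

TRUSTED_PROXY = "1.2.3.4"   # the page's example value for x_forwarded_from_ip

def client_ip(peer, xff, trusted=TRUSTED_PROXY):
    """Honour X-Forwarded-For only when the TCP peer is the trusted proxy."""
    if not xff or ipaddress.ip_address(peer) != ipaddress.ip_address(trusted):
        return peer                       # header came from the client itself: ignore it
    candidate = xff.split(",")[-1].strip()  # right-most entry is the one the proxy appended
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer                       # malformed header: fall back to the peer address

# Constructed failed-login records: (TCP peer address, X-Forwarded-For header or None)
FAILED_LOGINS = [
    ("1.2.3.4", "203.0.113.7"),
    ("1.2.3.4", "203.0.113.7"),
    ("1.2.3.4", "10.9.9.9, 203.0.113.7"),   # client supplied a header; proxy appended the real IP
    ("1.2.3.4", "198.51.100.20"),
    ("198.51.100.66", "203.0.113.7"),       # direct connection to :2222 carrying its own header
]

def failures_by_client(records, trusted=TRUSTED_PROXY):
    """Per-client counts with the trust rule applied (what blocking should act on)."""
    return Counter(client_ip(peer, xff, trusted) for peer, xff in records)

def failures_by_peer(records):
    """Per-peer counts with the header ignored: every proxied user looks like the proxy."""
    return Counter(peer for peer, _ in records)

if __name__ == "__main__":
    print("with trusted proxy:", dict(failures_by_client(FAILED_LOGINS)))
    print("header ignored:    ", dict(failures_by_peer(FAILED_LOGINS)))
```

Without the setting, all four proxied failures are charged to 1.2.3.4, so a block would hit the proxy itself; with it, they are attributed to the real clients, and the header on the direct connection is not believed.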
 

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST