[HOW TO] How to secure your sentora panel with SSL (HTTPS) easy guide
#31
RE: [HOW TO] How to secure your sentora panel with SSL (HTTPS) easy guide
(02-12-2015, 09:24 AM)SupaYoshi Wrote: So I had trouble securing my sentora panel with SSL, and I thusly had to create a topic of it. But I now understand SSL thanks to the help of 'Me.B.', thank you yet again. All credits go to you.

Okay, so let's get started. There are a few requirements before we can get started with this tutorial.
  • Your Sentora panel is currently working without hassle.
  • You're running apache
  • You have created a self-signed SSL certificate or bought one. (Do not ask how to do this, please google it instead.)
  • You are not currently running anything else on port 443.
  • SSH access to your Box. (duh)

Okay, ready? First off we need to enable SSL in apache.
Do this by enabling the SSL module with the following command:
Code:
a2enmod ssl
Note: Do run this command as root, or add sudo in front of it if you are on Debian/Ubuntu.

Let's make SSL a little more secure against a Poodle attack as well as man in the middle attacks:
Edit the file:  /etc/apache2/mods-enabled/ssl.conf
(nano /etc/apache2/mods-enabled/ssl.conf)

Scroll to around or on line 75, stating:
       #   The protocols to enable.
       #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
       #   SSL v2  is no longer supported

Comment out the line stating:
Code:
SSLProtocol all
Add the following code below it,
Code:
       # Disable SSLv2/SSLv3 and let the server choose the cipher order
       SSLProtocol all -SSLv2 -SSLv3
       SSLHonorCipherOrder on
       SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"

This disables vulnerable SSL protocols and makes your server more secure.

Let's perform a short test to see if Apache is still currently running:
Code:
apachectl configtest
Test results okay? Then restart apache to make sure everything is okay.
Code:
service apache2 restart
*make sure you restart services as either sudo or root.

Did the test fail? STOP NOW, DO NOT CONTINUE UNTIL YOU HAVE FIXED THE ERROR!!

Now it is time to get your SSL panel working correctly.
Yes that's right, we are finally there. We are going to enable your SSL panel! Woooo.

Go to the folder: /etc/sentora/configs/apache2/
You can use cd for this (duh...)
Code:
cd /etc/sentora/configs/apache2/

Time to create your SSL virtualhost file in this folder. This folder contains all the apache config files when you use Sentora. Now let's make a new file called: http-panel-ssl.conf
Code:
nano /etc/sentora/configs/apache2/http-panel-ssl.conf

Put the following information in it and edit the variables as given here.


Code:
Listen 443
# Configuration for Sentora control panel with SSL.
<VirtualHost *:443>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName yoursentora.admin.domainurl
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
  AllowOverride All
  Require all granted
</Directory>
SSLEngine on
 SSLCertificateFile /etc/apache2/ssl/ your SSL certificate CRT file
 SSLCertificateKeyFile /etc/apache2/ssl/ your SSL certificate key FILE
 SSLCACertificateFile /etc/apache2/ssl/ your ROOT CA certificate CRT file

</VirtualHost>
Please note: The SSL certificates for this example are in the folder /etc/apache2/ssl/ if yours are somewhere else you can also add them to another folder or make a symbolic link, as long as the path there is correct you are fine.

Done? Great! Almost completely done. Now save the file!
Now, ready? Let's include this file in the apache config file that sentora uses as default: (in case you did not know this yet)
Code:
/etc/sentora/configs/apache/httpd.conf
Scroll all the way to the bottom where it states the following:
Code:
# Now we include the generic VHOST configuration file that holds all Sentora user hosted vhost data
Include /etc/sentora/configs/apache/httpd-vhosts.conf
Now add the following code right below that:
Code:
# Include SSL configuration for SSL panel
Include /etc/sentora/configs/apache/http-panel-ssl.conf

Save the file, and restart the apache service.
Code:
service apache2 restart
*sudo or root, remember? >_>

Okay, no errors? You're good to go, try going to your panel by putting https:// in front of the URL!
That should be all!


Optional: Always force SSL.
In case you want to force SSL on the panel URL, in case you forget to type https://, or one of your users doesn't care about https? Do as follows:

Go to the folder /etc/sentora/panel/
Create a new file called .htaccess
Code:
nano .htaccess
Add the following code to it at the bottom of the file:
Code:
# Enforce SSL (the rewrite rules only take effect with RewriteEngine On)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Save the file and you're good to go!

*Please note this only works if mod_rewrite is enabled, to enable this do the following:
Code:
a2enmod rewrite && service apache2 restart

Your panel should now be secured by SSL including all apps like phpmyadmin and others.

Optional: test your server at https://www.ssllabs.com/ssltest/index.html

Hello!
Grammar nazi here.
I just wanted to increase the readability of your post, so please do not take offence at my humble commentary upon thy thread!
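A way to review the hardening lines from the tutorial quoted above before restarting Apache, as an added example that is not part of the thread or of Sentora. It expands `all` using the values listed in the ssl.conf comment the tutorial quotes and models a bare protocol token as replacing the current set; the function names and the sample file (cipher list shortened from the tutorial's) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: review SSLProtocol / SSLCipherSuite offline.

# effective_protocols FILE -> protocols left enabled by the last active SSLProtocol
effective_protocols() {
  awk -v all="SSLv3 TLSv1 TLSv1.1 TLSv1.2" '
    /^[ \t]*#/ { next }                          # commented-out directive
    tolower($1) == "sslprotocol" {
      split("", on)                              # each directive starts from nothing
      for (i = 2; i <= NF; i++) {
        tok = $i; sign = (tok ~ /^[+-]/) ? substr(tok, 1, 1) : "="
        if (sign != "=") tok = substr(tok, 2)
        if (sign == "=") split("", on)           # assumption: bare token replaces the set
        if (tolower(tok) == "all") tok = all
        n = split(tok, names, " ")
        for (j = 1; j <= n; j++) {
          if (sign == "-") delete on[names[j]]
          else on[names[j]] = 1
        }
      }
    }
    END {
      n = split(all, names, " "); out = ""
      for (j = 1; j <= n; j++)
        if (names[j] in on) out = out (out == "" ? "" : " ") names[j]
      print out
    }
  ' "$1"
}

# weak_ciphers FILE -> enabled cipher-string tokens that name a legacy algorithm
weak_ciphers() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "sslciphersuite" {
      spec = $2; gsub(/"/, "", spec)
      n = split(spec, tok, ":")
      for (i = 1; i <= n; i++)                   # tokens starting with ! or - are exclusions
        if (tok[i] !~ /^[!-]/ && toupper(tok[i]) ~ /3DES|RC4|MD5|NULL|EXP/) print tok[i]
    }
  ' "$1"
}

# Constructed sample modelled on the tutorial's ssl.conf edit.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '#SSLProtocol all' 'SSLProtocol all -SSLv2 -SSLv3' \
  'SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5"' > "$SAMPLE"
echo "enabled protocols: $(effective_protocols "$SAMPLE")"
echo "legacy cipher tokens:"; weak_ciphers "$SAMPLE"
```

On the sample this reports TLSv1, TLSv1.1 and TLSv1.2 as still enabled and three 3DES tokens. TLSv1 and TLSv1.1 have since been deprecated by RFC 8996, so current servers usually narrow the protocol line further.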
#32
RE: [HOW TO] How to secure your sentora panel with SSL (HTTPS) easy guide
I've done my best to translate this procedure to CentOS 6.8 but have failed. It appears from the error holding Apache up from starting that I have multiple entries pointing/bound to port 443, but tentatively commenting any or all of them out seems to do little to nothing, and I get a critical Apache error that will not allow the panel or an instance of Apache to run.

Code:
# service httpd start:
Starting httpd: [Tue Nov 15 16:12:16 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
(98)Address already in use: make_sock: could not bind to address [::]:443

Code:
# apachectl configtest
[Tue Nov 15 16:14:25 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

Code:
grep -ir 443 /etc/httpd/conf*
/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443

BTW,
Code:
apachectl configtest

ran fine during that part of the tutorial initially...

I don't know what to do to progress with this issue. Can anyone give me a hand troubleshooting this? It is likely I have screwed up and commented out the panel url but I am going to start over proofing the process - although since I have done this a number of times and always ended up with this error, I am not expecting to find a fix without some help - when set up just as in the post, I just get an additional error... Thanks in advance.
Everyone makes mistakes, but to truly screw up it takes the root password!
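The bind error in the post above is what Apache reports when two active `Listen` directives claim the same port, which fits the thread: the grep output shows `Listen 443` in /etc/httpd/conf.d/ssl.conf, and the tutorial's http-panel-ssl.conf adds a second one outside the directory that was searched. The script below is an added example, not part of the thread or of Sentora, that reports such duplicates and the vhosts sharing the port; the function names and sample files are constructed, and it treats any two listeners on the same port as a conflict.

```shell
#!/bin/sh
# Added example, not from the thread: find ports bound by more than one Listen.

# listen_conflicts FILE... -> "PORT FILE:LINE FILE:LINE ..." per duplicated port
listen_conflicts() {
  awk '
    /^[ \t]*#/ { next }                      # ignore commented-out directives
    tolower($1) == "listen" {
      port = $2
      sub(/^.*:/, "", port)                  # "*:443", "[::]:443" -> "443"
      count[port]++
      where[port] = where[port] " " FILENAME ":" FNR
    }
    END { for (p in count) if (count[p] > 1) print p where[p] }
  ' "$@"
}

# vhosts_on_port PORT FILE... -> "FILE:LINE ADDRESS" for each vhost on PORT
vhosts_on_port() {
  port=$1; shift
  awk -v port="$port" '
    /^[ \t]*#/ { next }
    tolower($1) == "<virtualhost" {
      addr = $2
      sub(/>$/, "", addr)
      p = addr
      sub(/^.*:/, "", p)
      if (p == port) print FILENAME ":" FNR " " addr
    }
  ' "$@"
}

# Constructed sample: mirrors the grep output above plus the tutorial's panel file.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'Listen 80' > "$SAMPLE_DIR/httpd.conf"
printf '%s\n' 'Listen 443' '<VirtualHost _default_:443>' \
  '#ServerName www.example.com:443' '</VirtualHost>' > "$SAMPLE_DIR/ssl.conf"
printf '%s\n' 'Listen 443' '<VirtualHost *:443>' \
  'ServerName panel.example.com' '</VirtualHost>' > "$SAMPLE_DIR/http-panel-ssl.conf"

set -- "$SAMPLE_DIR/httpd.conf" "$SAMPLE_DIR/ssl.conf" "$SAMPLE_DIR/http-panel-ssl.conf"
echo "duplicate listeners:"; listen_conflicts "$@"
echo "vhosts on 443:";       vhosts_on_port 443 "$@"
```

On a real host, pass every file Apache loads, including the ones pulled in through `Include`, since a grep limited to /etc/httpd/conf* does not see the Sentora directory.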
#33
RE: [HOW TO] How to secure your sentora panel with SSL (HTTPS) easy guide
This is an older version. You may want to review this newer tutorial: http://forums.sentora.org/showthread.php?tid=3096
-TGates - Project Council

#34
RE: [Thread moved] How to secure your sentora panel with SSL (HTTPS) easy guide
I have now posted my issue with using Let's Encrypt to that forum thread, thanks.

----> http://forums.sentora.org/showthread.php...3#pid18523
(11-17-2016, 02:46 PM)TGates Wrote: This is an older version. You may want to review this newer tutorial: http://forums.sentora.org/showthread.php?tid=3096

Thank you for replying, but my sole purpose at this point is only to secure the panel subdomain and everything I have tried fails. The one you referred me to is the only one I have not tried as it is intended for the doc root.

I had really high hopes for the Let's Encrypt procedure, but that went pretty much like all of the other methods and simply breaks Apache. And it left me with nothing in any of the logs about the failure. Do you have any help on this procedure for me?

----> Let's Encrypt for Sentora Login

I got one method to work, but I had to comment the "Listen *:443" and such at the top of the file as it was not letting Apache bind to any ports for they were already in use; it then kept adding them back at every cron job execution. Just a thought, could this be the bug I saw noted about CentOS loading additional configs?

Any help would be appreciated. Thanks.

(platform is CentOS 6.8...)
Everyone makes mistakes, but to truly screw up it takes the root password!