[HOW TO] How to secure your sentora panel with SSL (HTTPS) easy guide

[khampol]

This post is really "shiny" ! Only one word = THANKS!

[carl.victor]

applying this tutorial in my vps
request to ip address, giving result of opening sentora login page
any suggestion?

[apinto]

applying this tutorial in my vps
request to ip address, giving result of opening sentora login page
any suggestion?

You say that when you access https://12.12.12.12 (your ip) it opens sentora panel login page?
That is normal behavior I think.

When theres nothing in the vhosts it defaults to the sentora login page.

[carl.victor]

You say that when you access https://12.12.12.12 (your ip) it opens sentora panel login page?
That is normal behavior I think.

When theres nothing in the vhosts it defaults to the sentora login page.

nope, i also have one active website
but requesting ip via browser gives me sentora login page

never mind, solve it with a little modification in 'http-panel-ssl.conf' and 'Global Sentora Entry' 

[apinto]

Great you solved it.

Can you kindky let us know what you modified to fix?
Just to help people who might have the same issue in the future.

[carl.victor]

a little bit different from the tutorial
moved sentora to port 2083, same as Cpanel

1. i created new configuration files /etc/sentora/configs/apache/http-panel-redir.conf
here is the configuration to force redirection from port 80 to port 2083

Code:

<virtualhost *:80>
  ServerName sentora.mydomain.tld
  RewriteEngine on
  ReWriteCond %{SERVER_PORT} !^2083$
  RewriteRule ^/?(.*) https://%{SERVER_NAME}:2083/$1 [NC,R,L]
</virtualhost>

then add this line to /etc/sentora/configs/apache/httpd.conf

Code:

Include /etc/sentora/configs/apache/http-panel-redir.conf

2. go to Server Admin > Sentora Config > set sentora apache port to 2083

3. go to Apache Admin, add these SSL configs to Global Sentora Entry

Code:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "CDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNU$
SSLEngine on
SSLCertificateFile /path/to/my-certificate.crt
SSLCertificateKeyFile /path/to/my-key.decr.key
SSLCACertificateFile /path/to/my/root.ca.pem

4. restart apache, run the daemon using

Code:

php -q /etc/sentora/panel/bin/daemon.php

this configuration also works well if you want to redirect sentora panel fqdn only to ssl port (443)
just change the rewrite rules in first step to 

Code:

<virtualhost *:80>
   ServerName sentora.mydomain.tld
   RewriteEngine on
   RewriteCond %{HTTPS} !=on
   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</virtualhost>

and change Sentora Apache port to 443

when requesting sentora fqdn (via port 80), it will redirects you to desired port and protocol (https)
but when requesting ip address, it will redirects to the first website listed in httpd-vhosts.conf
just a little protection to my sentora login page with noob-ways 

[mathijs]

I am getting an error on the last step:


SSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/fi le' - PEM or DER encoded)

[yarrha]

I followed the steps here and the https is working. Thanks

[zustudios]

So I had trouble securing my sentora panel with SSL and I had to create a topic over it. But now I understand it thanks to the help of Me.B. Thanks again. all credits go to you.

Okay let's start. There are a few requirements before we can start with this tutorial.

• Your Sentura panel is currently working fine.
  
• Your running apache
  
• You created SSL certificates self-signed or bought them. (don't ask how to do this, Google it)
  
• You aren't running anything else on port 443 currently.
  
• SSH access to your Box. (doh)
  

Okay ready? First off we need to enable SSL in apache.
Do this by enabling the module SSL with the following command:

Code:

a2enmod ssl

Note: Run this command as root or add sudo in front of it if you are on Debian / Ubuntu.

Let's make SSL a little more secure against Poodle attack and man in the middle attacks:
edit the file:  /etc/apache2/mods-enabled/ssl.conf
(nano /etc/apache2/mods-enabled/ssl.conf)

Scroll to around or on line 75, stating:
       #   The protocols to enable.
       #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
       #   SSL v2  is no longer supported

comment out the line stating:

Code:

SSLProtocol all

Add the following code under it,

Code:

       SSLProtocol all -SSLv2 -SSLv3
       SSLHonorCipherOrder on
       SSLCipherSuite "CDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"

]

This disables vulnerable SSL protocols and makes your server more secure!

Let's do a short test to see if Apache is still working corrently

Code:

apachectl configtest

Test okay? Restart apache to make sure everything is okay?

Code:

service apache2 restart

*make sure you restart services as either sudo or root.

DOES THIS TEST FAIL?! STOP NOW DO NOT CONTINUE YET TILL YOU HAVE THIS FIXED!!

Time to get your SSL panel working right?
Yes that is right we are finally? there. We are going to enable your SSL panel! Woooo  

Go to the folder, /etc/sentura/configs/apache2/
You can use cd for this (doh...)

Code:

cd /etc/sentura/configs/apache2/

Time to create your SSL virtualhost file in this folder. This folder contains all the apache config files when you use Sentura. So let's make a new file called...   http-panel-ssl.conf

Code:

nano /etc/sentura/configs/apache2/http-panel-ssl.conf

Put the following information in it and edit the variables as given here.

Code:

Listen 443
# Configuration for Sentora control panel with SSL.
<VirtualHost *:443>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName yoursentora.admin.domainurl
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
  AllowOverride All
  Require all granted
</Directory>
SSLEngine on
 SSLCertificateFile /etc/apache2/ssl/ your SSL certificate CRT file
 SSLCertificateKeyFile /etc/apache2/ssl/ your SSL certificate key FILE
 SSLCACertificateFile /etc/apache2/ssl/ your ROOT CA certificate CRT file

</VirtualHost>

Please note: The SSL certificates in this example are in the folder /etc/apache2/ssl/ if yours are somewhere else you can also add em to another folder or make a symbolic link, as long as the path here is correct you are fine.

Done this? Great! Almost done. Save the file !  
Now, ready? Let's include this file into the apache config file that sentora uses as default which is, (in case you did not know this yet)

Code:

/etc/sentora/configs/apache/httpd.conf

Scroll all the way to the bottom where it states,

Code:

# Now we include the generic VHOST configuration file that holds all Sentora user hosted vhost data
Include /etc/sentora/configs/apache/httpd-vhosts.conf

Now add the following code right under that:

Code:

# Include SSL configuration for SSL panel
Include /etc/sentora/configs/apache/http-panel-ssl.conf

Save the file, and restart the apache service.

Code:

service apache2 restart

*sudo or root, remember? >_>

Okay, no errors? Your good to go, try going to your panel by putting https:// infront of the url!
That should be it!


Optional: Always force SSL.
In case you want to force SSL on the panel URL always in case you forget to type https:// or one of your users doesn't care about https? Do this,

Go to the folder /etc/sentora/panel/
Creata a new file called .htaccess

Code:

nano .htaccess

Add the following code in it at the bottom of the file:

Code:

#Enforce

SSL
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save the file and your good to go!

*Please note this only works if mod_rewrite is enabled, to enable this:

Code:

a2enmod rewrite && service apache2 restart

Your panel should now be secured by SSL including all apps like phpmyadmin and others.

Optional: test your server at https://www.ssllabs.com/ssltest/index.html

Can we get the exact commands for centos 6.7 or centos 7? it's too confusing to translate to centos.

[zustudios]

Centos is almost similar to the above that apply only to Ubuntu.

On centos you need to modify /etc/httpd/conf/httpd.conf and include the new panel SSL conf file.

Thanks for the clean guide.

M B

Can someone make a guide for centos 7?Or at least explain the different steps  of ubuntu and centos?
when I add:# Include SSL configuration for SSL panel
Include /etc/sentora/configs/apache/http-panel-ssl.conf
apache fails to restart
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: failed (Result: exit-code) since Fri 2015-10-02 15:37:09 EDT; 49s ago
Process: 2623 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 2622 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 2622 (code=exited, status=1/FAILURE)

Oct 02 15:37:09 panel.zuhost.tk systemd[1]: Starting The Apache HTTP Server...
Oct 02 15:37:09 panel.zuhost.tk httpd[2622]: AH00526: Syntax error on line 1...:
Oct 02 15:37:09 panel.zuhost.tk httpd[2622]: SSLCertificateFile: file '/etc/...y
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: httpd.service: main process exit...E
Oct 02 15:37:09 panel.zuhost.tk kill[2623]: kill: cannot find process ""
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: httpd.service: control process e...1
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: Failed to start The Apache HTTP ....
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: Unit httpd.service entered faile....
Hint: Some lines were ellipsized, use -l to show in full.

-- Logs begin at Fri 2015-10-02 14:41:27 EDT, end at Fri 2015-10-02 15:38:11 EDT
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/lis...temd-devel
--
-- Unit httpd.service has begun starting up.
Oct 02 15:37:09 panel.zuhost.tk httpd[2622]: AH00526: Syntax error on line 17 of
Oct 02 15:37:09 panel.zuhost.tk httpd[2622]: SSLCertificateFile: file '/etc/apac
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: httpd.service: main process exited,
Oct 02 15:37:09 panel.zuhost.tk kill[2623]: kill: cannot find process ""
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: httpd.service: control process exite
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: Failed to start The Apache HTTP Serv
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/lis...temd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Oct 02 15:37:09 panel.zuhost.tk systemd[1]: Unit httpd.service entered failed st
Oct 02 15:38:11 panel.zuhost.tk sshd[2596]: pam_unix(sshdession): session clos
Oct 02 15:38:11 panel.zuhost.tk systemd-logind[352]: Removed session 21.
lines 1-23