Running DirectAdmin through a reverse proxy with Apache 2.2/2.4


DirectAdmin runs on port 2222 by default. Restrictive firewalls will likely block this port, so you’ll be unable to log in to the control panel. You could of course use a VPN or SSH tunnel, but unless you’re running those types of services on standard ports like 443, the most restrictive firewalls aren’t going to allow such actions. Instead, you can use a reverse proxy and run DirectAdmin on port 80/443 with a bit of custom Apache configuration.

There is an official help article on the subject, written some time ago. It is, however, missing some detail, and Apache 2.4 requires additional work that it doesn’t mention. I’ll be going through how to create a reverse proxy on Apache 2.2 and 2.4, as well as how to secure it with SSL for absolute security.

Note: I set up a reverse proxy on CentOS 6, so services are restarted using the “service” command, which is specific to this OS. If you are running DirectAdmin on another OS like Debian or FreeBSD, use the correct command for your server OS.

/usr/local/etc/rc.d/... FreeBSD
/etc/init.d/.... Debian/Ubuntu
/sbin/service .... RedHat (service should work however)

Proxy functionality in Apache

Depending on your version of custombuild, you may have to recompile Apache with the flag that enables proxy usage. Check whether your configure.apache file has the --enable-proxy flag set. If it doesn’t, you’ll need to recompile Apache with a custom configure.apache script, because custombuild will keep overwriting the main one within the configure directory if you edit it directly.

For me running custombuild 2.0 and Apache 2.4 I did not have to recompile anything as the defaults are configured for reverse proxy use already. Setups running custombuild 1.2 and Apache 2.2 will likely be different, so I’ll walk you through it if you need to.

cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2
cp configure/ap2/configure.apache custom/ap2/configure.apache

Edit the copied configure.apache file within /custom/ap2 with your favourite editor and append:

"--enable-proxy"

to the very end of the file. You will need to add a backslash (\) to the second-to-last parameter for correct syntax. Once you’ve edited the configure file, rebuild Apache.

./build clean
./build apache
./build php

It is a good idea to recompile php as well, to prevent any problems.

Loading the modules

Apache 2.4 users can skip this part entirely. For Apache 2.2 users, in your httpd.conf, check to make sure the LoadModule directive for libproxy.so is not commented out and the AddModule directive exists for mod_proxy.

LoadModule proxy_module       modules/libproxy.so
AddModule mod_proxy.c

After making these changes, restart Apache

service httpd restart

To check if you have mod_proxy compiled into your Apache installation, run:

/usr/sbin/httpd -l | grep mod_proxy

Creating a custom VirtualHost for the reverse proxy

First you need to create a VirtualHost that will run the reverse proxy. This can be any domain/subdomain, but it’s easier to create a subdomain off the main domain the server is using. You will, however, need to make sure the created subdomain has an A record so it resolves. Start by creating a custom virtual_host2.conf file. If you have previously made modifications and already have this file in the custom folder, just append the additional config to it without copying the template over it.

cd /usr/local/directadmin/data/templates
cp virtual_host2.conf custom
cd custom

Now open up virtual_host2.conf in the custom directory in your favourite editor.

Running the subdomain on port 80

If you aren’t interested in running SSL on the proxy, you can simply define this as your VirtualHost config and everything will be set up. This is basically the same config as in the knowledge base article on the DirectAdmin help site.

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName directadmin.domain.com
    ProxyRequests Off
    ProxyPass / http://localhost:2222/
    ProxyPassReverse / http://localhost:2222/
</VirtualHost>

However, as I wanted to use SSL, I’ll be going a little further. We start by creating a VirtualHost on port 80 and a subdomain for DirectAdmin to run on. This is only going to be used for redirects, because we want the DirectAdmin login proxied over SSL. The IP address can be tweaked to your needs. I used the main shared IP of the server because I have wildcard SSL, and therefore the SSL setup will be valid. You can also run this on a dedicated IP if you want to use a single-domain SSL certificate for valid SSL.

For some reason, when using SSL, DirectAdmin keeps redirecting requests to port 80: logins would keep being redirected back to the login page, but on port 80. A rewrite rule seems to do the trick here.

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName directadmin.domain.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Running the reverse proxy with SSL

Next we’re going to add the VirtualHost that will provide the proxy functionality, which will run on port 443 (SSL). The IP address will need to match what you’ve used for the port 80 configuration.

<VirtualHost xxx.xxx.xxx.xxx:443>
   ServerName directadmin.domain.com
   SSLProxyEngine On
   ProxyRequests Off
   ProxyPass / https://localhost:2222/
   ProxyPassReverse / https://localhost:2222/
</VirtualHost>

This will create the proxy to run through Apache and allow you to access DirectAdmin when port 2222 is blocked.

For Apache 2.2 users this should be all you need to do on the VirtualHost side.

For Apache 2.4 users you will likely need some additional parameters in the VirtualHost.

Additional parameters for Apache 2.4

SSLProxyVerify none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
ProxyPreserveHost Off

Together, the three SSLProxy* lines mean Apache does not validate the certificate DirectAdmin presents on port 2222. Without these parameters I kept receiving various 500/502 errors from the reverse proxy when running under SSL. The combination of the above stopped this from happening. It is a bit of a hack, but as this proxy is running on the localhost side, it’s not really that bad. Some argue running SSL on the proxy like this is slightly redundant as it’s internal, but I think it’s worth doing if you can for peace of mind and security.

Changing the SSL certificate/key:

If you are interested in creating truly valid SSL, you can use the certificate/key SSL parameters found within the default 443 VirtualHost configuration and define the specific certificate you want the reverse proxy to use. In my case Apache is already set up with my wildcard SSL, therefore the proxy is also set up for SSL. If you are using a dedicated IP and need to set a different certificate/key file, you can do that with the usual SSL parameters, depending on whether you have a pem or separate crt files.

SSLCertificateFile    /path/to/cert.crt
SSLCertificateKeyFile /path/to/privkey.key
SSLCACertificateFile /path/to/ca-bundle.crt

Add these to the reverse proxy’s 443 VirtualHost config.

Fix broken webmail/phpMyAdmin links

One downside to running DirectAdmin through a reverse proxy is that it messes with the Host header. This is a problem because DirectAdmin themes use this to correctly provide the links to various services like Roundcube, phpMyAdmin and others dynamically. To fix this, you need to update the ProxyPass and ProxyPassReverse address to the FQDN of your usual DirectAdmin login running on port 2222. That way the hostname will be correct when inside the control panel.

ProxyPass / https://yourdomain.com:2222/
ProxyPassReverse / https://yourdomain.com:2222/

Replace yourdomain.com with the value of the normal URL the DirectAdmin login runs under.
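
Once ProxyPass points at the FQDN rather than localhost, the Apache 2.4 parameters above leave the backend certificate unchecked on a connection that is no longer addressed to loopback. The script below is an added example, not part of the original post: it flags such VirtualHosts in a config file, and the function names and sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag proxy vhosts whose HTTPS
# backend is not loopback while backend certificate checks are off.
# Apache 2.4 defaults assumed: SSLProxyVerify none, SSLProxyCheckPeerName on.
lint_proxy_conf() {
    awk '
    tolower($1) ~ "^<virtualhost" { name = "?"; backend = ""; verify = 0; peername = 1 }
    tolower($1) == "servername"   { name = $2 }
    tolower($1) == "proxypass" && $3 ~ "^https://" {
        backend = $3
        sub("^https://", "", backend)   # drop the scheme
        sub("[/:].*$", "", backend)     # drop port and path, keep the host
    }
    tolower($1) == "sslproxyverify"        { verify   = (tolower($2) == "require") }
    tolower($1) == "sslproxycheckpeername" { peername = (tolower($2) != "off") }
    tolower($1) ~ "^</virtualhost" {
        loopback = (backend == "localhost" || backend == "127.0.0.1")
        if (backend != "" && !loopback && (!verify || !peername))
            print "WARN " name ": backend " backend " verify=" verify " peername=" peername
    }
    ' "$@"
}

# Constructed sample: the 443 vhost before and after the FQDN change.
sample_conf() {
    cat <<'EOF'
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName local.domain.com
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName Off
    ProxyPass / https://localhost:2222/
    ProxyPassReverse / https://localhost:2222/
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName directadmin.domain.com
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName Off
    ProxyPass / https://yourdomain.com:2222/
    ProxyPassReverse / https://yourdomain.com:2222/
</VirtualHost>
EOF
}

sample_conf | lint_proxy_conf
```

A VirtualHost stops being flagged once it sets SSLProxyVerify require (with SSLProxyCACertificateFile pointing at your CA bundle) and leaves SSLProxyCheckPeerName on, which assumes DirectAdmin on port 2222 serves a certificate valid for yourdomain.com.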

Rewrite the httpd config files

Now you need to signal a rewrite of the Apache VirtualHost setup so these changes take effect. You can do this by running:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

This will create a task for rewriting the httpd configs and put it into the queue. Your server will take a couple of minutes to process it.

DirectAdmin Config changes

As we’re using SSL, DirectAdmin will need to have SSL enabled as well. Make sure you have SSL set to 1 in your DirectAdmin config. You might also want to set ssl_redirect_host to force SSL logins on the normal URL if you don’t already.

SSL=1
ssl_redirect_host=yourdomain.com

Because we have the DirectAdmin login in two places now, we’ll need to disable a security feature of DirectAdmin whereby it checks the Referer header; otherwise the reverse proxy won’t accept logins properly.

check_referer=0

Finally restart DirectAdmin for the config changes to take effect.

service directadmin restart

Test the reverse proxy

After that, your reverse proxy should be good to go and accept logins. Log out of any current DirectAdmin sessions under the normal :2222 URL, or use another browser that doesn’t have any valid DirectAdmin sessions, and test your login. You may also want to test bad logins to make sure they are rejected. If everything worked, you should be logged into DirectAdmin with the one minor change of the browser title having the value you defined for ProxyPass and ProxyPassReverse appended before the usual DirectAdmin stuff. This confirms you’re going through the reverse proxy, and now you’ll be able to access DirectAdmin from even the most restrictive firewalls.

If you receive any errors (usually 500 related), you can view the Apache logs to further troubleshoot:

tail /var/log/httpd/error_log
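
To tell the redirect problems described earlier apart when testing, the added example below (not part of the original post) classifies the Location header of a response. The function name, the result labels and the sample responses are assumptions constructed for illustration; "off-proxy" corresponds to the bounce back to port 80, and "leaks-backend" to a redirect that ProxyPassReverse did not rewrite.

```shell
#!/bin/sh
# Added example (not from the original post): classify where a response
# sends the browser. Reads HTTP response headers on stdin.
# Against a live server: curl -sI http://HOST/ | classify_location HOST
classify_location() {
    tr -d '\r' | awk -v host="$1" '
    NR == 1                    { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END {
        if (loc == "")                                 print "no-redirect " status
        else if (loc ~ ":2222")                        print "leaks-backend " loc
        else if (index(loc, "https://" host "/") == 1) print "ok " loc
        else if (substr(loc, 1, 1) == "/")             print "ok " loc
        else                                           print "off-proxy " loc
    }'
}

# Constructed responses (not captured from a real server).
port80_redirect() { printf 'HTTP/1.1 302 Found\r\nLocation: https://directadmin.domain.com/\r\n\r\n'; }
bounce_to_http()  { printf 'HTTP/1.1 302 Found\r\nLocation: http://directadmin.domain.com/\r\n\r\n'; }
backend_leak()    { printf 'HTTP/1.1 302 Found\r\nLocation: https://yourdomain.com:2222/\r\n\r\n'; }

for sample in port80_redirect bounce_to_http backend_leak; do
    printf '%s: ' "$sample"
    "$sample" | classify_location directadmin.domain.com
done
```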
