Running DirectAdmin through a reverse proxy with Apache 2.2/2.4

DirectAdmin runs on port 2222 by default, for restrictive firewalls this port will likely be blocked hence you’ll be unable to login to the control panel. You could of course use a VPN or SSH tunnel, but unless your running those types of services on standard ports like 443, the most restrictive firewalls aren’t going to allow such actions. Instead what you can do is use a reverse proxy and run DirectAdmin on port 80/443 with a bit of a custom Apache configuration.
There is an official help article on the subject, written some time ago. It is however missing some detail, and does require additional work for Apache 2.4 that’s not mentioned. I’ll be going through how to create a reverse proxy on Apache 2.2 and 2.4, as well as how to secure it with SSL for absolute security.
Note: I setup a reverse proxy on CentOS 6, therefore restarting services is done using the “service” command which is specific to this OS, if you are running DirectAdmin on another OS like Debian or FreeBSD, you should use the correct command as per your server OS.
/usr/local/etc/rc.d/... FreeBSD /etc/init.d/.... Debian/Ubuntu /sbin/service .... RedHat (service should work however)
Proxy functionality in Apache
Depending on your version of custombuild you may have to recompile apache with specific flag of enabling proxy usage. Check if your configure.apache file has the –enable-proxy flag set. If it doesn’t you’ll need to recompile Apache with a custom configure.apache script, as custombuild will keep overwriting the main one within the configure directory if you edit it directly.
For me running custombuild 2.0 and Apache 2.4 I did not have to recompile anything as the defaults are configured for reverse proxy use already. Setups running custombuild 1.2 and Apache 2.2 will likely be different, so I’ll walk you through it if you need to.
cd /usr/local/directadmin/custombuild mkdir -p custom/ap2 cp configure/ap2/configure.apache custom/ap2/configure.apache
Edit the copied configure.apache file within /custom/ap2 with your favourite editor and append:
"--enable-proxy"
To the very end of the file, you will need to add a backslash (\) on the second till last parameter for correct syntax. Once you’ve edited the configure file, rebuild apache.
./build clean ./build apache ./build php
It is a good idea to recompile php as well, to prevent any problems.
Loading the modules
Apache 2.4 users can skip this part entirely. For Apache 2.2 users, in your httpd.conf, check to make sure the LoadModule directive for libproxy.so is not commented out and the AddModule directive exists for mod_proxy.
LoadModule proxy_module modules/libproxy.so AddModule mod_proxy.c
After making these changes, restart Apache
service httpd restart
To check if you have mod_proxy compiled into your Apache installation, run:
/usr/sbin/httpd -l | grep mod_proxy
Creating a custom VirtualHost for the reverse proxy
First you need to create a virtualhost that will run the reverse proxy, this can be any domain/subdomain, but its easier to create a subdomain off your main domain the server is using, you will however need to make sure the created subdomain has an A record so it resolves. Start by creating a custom virtual_host2.conf file, if you have previously made modifications and have this file already in the custom folder, just append this additional config to it without copying over the template in the custom folder.
cd /usr/local/directadmin/data/templates cp virtual_host2.conf custom cd custom
Now open up virtual_host2.conf in the custom directory in your favourite editor.
Running the subdomain on port 80
If you aren’t interested in running SSL on the proxy, you can simply define this as your VirtualHost config and everything would be setup. This is basically the same config from the knowledge base article on the DirectAdmin help site.
<VirtualHost xxx.xxx.xxx.xxx:80> ServerName directadmin.domain.com ProxyRequests Off ProxyPass / http://localhost:2222/ ProxyPassReverse / http://localhost:2222/ </VirtualHost>
However as I wanted to use SSL I’ll be going a little further. We start by creating a VirtualHost on port 80 and a subdomain for DirectAdmin to run on. This is actually only going to be used for redirects only, because we want the DirectAdmin login proxy over SSL. The IP address can be tweaked to your needs, I used the main shared IP of the server, because I have wildcard SSL and therefore the SSL setup will be valid. You can also run this on a dedicated IP if you wanted to use a single domain SSL certificate for valid SSL.
For some reason, when using SSL, DirectAdmin keeps redirecting requests to port 80, logins would keep being redirected back to the login page but on port 80. A rewrite rule seems to do the trick here.
<VirtualHost xxx.xxx.xxx.xxx:80> ServerName directadmin.domain.com RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </VirtualHost>
Running the reverse proxy with SSL
Next we’re going to add the VirtualHost that will provide the proxy functionality, which will run on port 443 (SSL). The IP address will need to match what you’ve used for the port 80 configuration.
<VirtualHost xxx.xxx.xxx.xxx:443> ServerName directadmin.domain.com SSLProxyEngine On ProxyRequests Off ProxyPass / https://localhost:2222/ ProxyPassReverse / https://localhost:2222/ </VirtualHost>
This will create the proxy to run through Apache and allow you to access DirectAdmin when port 2222 is blocked.
For Apache 2.2 users this should be all you need to do on the VirtualHost side.
For Apache 2.4 users you will likely need some additional parameters in the VirtualHost.
Additional parameters for Apache 2.4
SSLProxyVerify none SSLProxyCheckPeerCN Off SSLProxyCheckPeerName Off ProxyPreserveHost Off
Without these parameters I kept receiving various 500/502 errors from the reverse proxy when running under SSL. The combination of the above, stopped this from happening. It is a bit of a hack, but as this proxy is running on the localhost side, so its not really that bad. Some argue running SSL on the proxy like this is slightly redundant as its internal, but I think its worth doing if you can for peace of mind and security.
Changing the SSL certificate/key:
If you are interested in creating truly valid SSL, you can use the certificate/key SSL parameters found within the default 443 VirtualHost configuration and define the specific certificate you want the reverse proxy to use. In my case Apache is already setup with my wildcard SSL therefore the proxy is also setup for SSL, if you are using a dedicated IP and need to set a different certificate/key file you can do that with the usual SSL parameters depending on if you have a pem or separate crt files.
SSLCertificateFile /path/to/cert.crt SSLCertificateKeyFile /path/to/privkey.key SSLCACertificateFile /path/to/ca-bundle.crt
Add these to reverse proxy 443 VirtualHost config
Fix broken webmail/phpMyAdmin links
One downside to running DirectAdmin through a reverse proxy is it messes with the host header. This is a problem because DirectAdmin themes use this to correctly provide the links to various services like Roundcube, phpMyAdmin and others dynamically. In order to fix this, you need to update the ProxyPass and ProxyPassReverse address to the FQDN of your usual DirectAdmin login running on port 2222. That way the hostname will be correct when inside the Control Panel
ProxyPass / https://yourdomain.com:2222/ ProxyPassReverse / https://yourdomain.com:2222/
Replace yourdomain.com with the value of the normal URL the DirectAdmin login runs under.
Rewrite the httpd config files
Now you need to signal a rewrite of the Apache VirtualHost setup so these changes take effect, you can do this by running:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
This will create a task for rewriting the httpd configs and put it into the queue, Your server will take a couple of minutes to process it.
DirectAdmin Config changes
As were using SSL, DirectAdmin will need to have SSL enabled also, make sure you have SSL set to 1 in your DirectAdmin config. You might also want to ssl_redirect_host to force SSL logins on the normal URL if you don’t already.
SSL=1 ssl_redirect_host=yourdomain.com
Because we have the DirectAdmin login in two places now, we’ll need to disable a security feature of DirectAdmin where by it checks the referer header, otherwise the reverse proxy won’t accept logins properly.
check_referer=0
Finally restart DirectAdmin for the config changes to take effect.
service directadmin restart
Test the reverse proxy
After that, your reverse proxy should be good to go and accept logins. Logout of any current DirectAdmin sessions under the normal :2222 URL, or use another browser that doesn’t have any valid DirectAdmin sessions, and test your login, you may also want to test bad logins, to make sure they are rejected. If everything worked, you should be logged into DirectAdmin with the one minor change of the browser title having the value you defined for ProxyPass and ProxyPassReverse appended before the usual DirectAdmin stuff. This confirms your going through the reverse proxy, and now you’ll be able to access DirectAdmin from even the most restrictive firewalls.
If you receive any errors (usually 500 related), you can view the Apache logs to further troubleshoot:
tail /var/log/httpd/error_log