CPanel Apache: Difference between revisions

Added basics
 
ModSecurity: labeled section
 
(6 intermediate revisions by the same user not shown)

Latest revision as of 05:15, January 15, 2021

Basics

cPanel likes to have every site as a VirtualHost or ServerAlias, and it likes to have all of them in httpd.conf, and it will overwrite manual edits to this file. General edits to the file itself need to be added to one of these:

/etc/apache2/conf.d/includes/pre_main_global.conf

/etc/apache2/conf.d/includes/pre_virtualhost_global.conf

/etc/apache2/conf.d/includes/post_virtualhost_global.conf

After one of these is changed, you need to stop/start Apache for the change to take effect.

If you need to add options for a specific VirtualHost, you need to create an Include file for it. cPanel supplies a commented-out line in httpd.conf for each VirtualHost showing where it will look for this. Find it with:

egrep -i 'DOMAIN.TLD' /etc/apache2/conf/httpd.conf | grep -i include

Then create the paths like so:

mkdir -p /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/username/domain.tld/

Yes, there's a different one for non-SSL, and one for SSL. If both versions of the site will need the same treatment, you can just write one .conf file in either location and symlink the other to it.

touch /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/mywonderful.conf
ln -s /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/mywonderful.conf /etc/apache2/conf.d/userdata/ssl/2_4/username/domain.tld/mywonderful.conf

Then you add what you need to the .conf file, ensuring proper syntax.

Back up the Apache conf:

cp -av /etc/apache2/conf/httpd.conf{,.bak-$(date +'%Y%m%d-%H%M')}

Rebuild it:

 /scripts/rebuildhttpdconf 

Or to add an Include for a specific user without a full rebuild:

/scripts/ensure_vhost_includes --user=USERNAME

You can test the syntax with:

 httpd -t

Then stop/start Apache:

systemctl stop httpd
systemctl start httpd

Make sure it's still up:

systemctl status httpd
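
The steps above as one script, with Apache restarted only if the syntax test passes. This is an added example, not cPanel tooling: the BASE override, the function names and the argument check are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not cPanel tooling. BASE defaults to the userdata path used
# above; overriding it (an assumption, for dry runs) targets a scratch directory.
BASE=${BASE:-/etc/apache2/conf.d/userdata}

# Create the std include and symlink the ssl one to it. Prints the std path.
make_vhost_include() {
    if [ "$#" -ne 3 ]; then echo "usage: USER DOMAIN FILE.conf" >&2; return 2; fi
    for a in "$@"; do          # runs as root: refuse anything that could leave BASE
        case $a in
            ''|*[!A-Za-z0-9._-]*|*..*) echo "bad argument: $a" >&2; return 2 ;;
        esac
    done
    std="$BASE/std/2_4/$1/$2"
    ssl="$BASE/ssl/2_4/$1/$2"
    mkdir -p "$std" "$ssl" || return 1
    [ -e "$std/$3" ] || : > "$std/$3"        # never truncate an existing include
    ln -sfn "$std/$3" "$ssl/$3" || return 1
    printf '%s\n' "$std/$3"
}

# Back up, rebuild, test, and stop/start Apache only when the test passes.
apply_apache_change() {
    conf=/etc/apache2/conf/httpd.conf
    cp -av "$conf" "$conf.bak-$(date +'%Y%m%d-%H%M')" || return 1
    /scripts/rebuildhttpdconf || return 1
    if ! httpd -t; then
        echo "syntax test failed; Apache not restarted" >&2
        return 1
    fi
    systemctl stop httpd && systemctl start httpd && systemctl status httpd
}

# Usage: sh script.sh USERNAME DOMAIN.TLD mywonderful.conf
if [ "$#" -eq 3 ]; then
    f=$(make_vhost_include "$@") || exit $?
    if [ -s "$f" ]; then
        apply_apache_change
    else
        echo "created $f; add your directives to it, then rerun"
    fi
fi
```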

Templates

If you need to edit something that cPanel already puts in httpd.conf, you need to edit the templates that cPanel builds the file from. cPanel servers build the main httpd.conf from these files:

/var/cpanel/templates/apache2/main.default ==> Main Apache configuration

/var/cpanel/templates/apache2/vhost.default ==> VirtualHost section

/var/cpanel/templates/apache2/ssl_vhost.default ==> SSL VirtualHost section

If they need to be customized, don't change the .default files themselves. Create custom .local files instead:

/var/cpanel/templates/apache2/main.local

/var/cpanel/templates/apache2/vhost.local

/var/cpanel/templates/apache2/ssl_vhost.local

If you need to do this for a specific VirtualHost (changing a docroot, for example), edit the templates in /var/cpanel/userdata/$username/ instead. Then rebuild httpd.conf:

/scripts/rebuildhttpdconf

Restart Apache.

Sites on custom ports

1. Add Listen line to /var/cpanel/templates/apache2/main.local

PidFile [% main.pidfile.item.pidfile %]
LockFile [% main.lockfile.item.lockfile %]
Listen 0.0.0.0:9127
[% IF configured.ip_listen -%]
[%- FOREACH ip IN configured.ip_listen -%]
Listen [% ip %]:[% configured.main_port %]

2. Add subdomain with custom port to /usr/local/apache/conf/includes/post_virtualhost_global.conf

3. /scripts/rebuildhttpdconf

4. Open port in the firewall

5. Site should resolve on the alternate port.

ModSecurity

Make sure it's on:

grep -i modsec /usr/local/apache/logs/error_log | tail

If it hasn't been blocking things recently, investigate further. Check to see if WHM broke the configuration by looking at:

[root@host ~]# ll /etc/apache2/conf.d/modsec
total 12K
drwxr-xr-x 2 root root 4.0K Jan 14 03:11 .
drwxr-xr-x 8 root root 4.0K Jan 14 03:11 ..
-rw------- 1 root root  759 Aug 31 12:26 modsec2.cpanel.conf
-rw------- 1 root root    0 Aug 25 15:46 modsec2.cpanel.conf.PREVIOUS
-rw------- 1 root root    0 Jan 12 14:27 modsec2.user.conf

The modsec2.cpanel.conf file should contain, among other things:

SecRuleEngine "On"

If not, you need to rebuild that file in WHM > Security Center > ModSecurity configuration. Use a radio button to change a setting, then move it back. Then you'll be able to re-save, which regenerates the file.
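
A scripted version of the check above, which also catches a zero-byte file and a SecRuleEngine left on DetectionOnly. This is an added example, not cPanel or ModSecurity code: the function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example, not cPanel or ModSecurity code.

# Print the last uncommented SecRuleEngine value in the given files, lowercased
# (on, off, detectiononly), or "unset". Assumption: files are given in load order.
modsec_engine_state() {
    state=unset
    for f in "$@"; do
        if [ -s "$f" ]; then             # skip missing or zero-byte files
            v=$(awk 'tolower($1) == "secruleengine" { gsub(/"/, "", $2); print tolower($2) }' "$f" | tail -n 1)
            if [ -n "$v" ]; then state=$v; fi
        fi
    done
    printf '%s\n' "$state"
}

# Exit status: 0 = blocking, 1 = not blocking, 2 = main file missing or empty.
modsec_check() {
    conf="$1/modsec2.cpanel.conf"
    if [ ! -s "$conf" ]; then
        echo "FAIL: $conf is missing or empty; regenerate it from WHM"
        return 2
    fi
    case $(modsec_engine_state "$conf") in
        on)            echo "OK: SecRuleEngine is On"; return 0 ;;
        detectiononly) echo "WARN: DetectionOnly logs matches but blocks nothing"; return 1 ;;
        *)             echo "FAIL: SecRuleEngine is off or unset in $conf"; return 1 ;;
    esac
}

# Constructed sample: a populated main file that only detects, plus an empty user file.
demo=$(mktemp -d)
printf '%s\n' '# SecRuleEngine "On"' 'SecAuditEngine "RelevantOnly"' \
    '  SecRuleEngine "DetectionOnly"' > "$demo/modsec2.cpanel.conf"
: > "$demo/modsec2.user.conf"
modsec_check "$demo" || true
# On a server: modsec_check /etc/apache2/conf.d/modsec
```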

Global ModSecurity Whitelist

This is at /etc/apache2/conf.d/modsec2/whitelist.conf

Reserved IPs

Logging is not enabled for reserved IPs. This can be set in Apache Configuration > Reserved IPs Editor, though accounts can still be set up on these IPs. However, if you go to Show/Edit Reserved IPs in WHM, you can additionally set IPs to not be available for cPanel accounts. Weird.