CPanel Apache
Basics
cPanel keeps every site as a VirtualHost or ServerAlias, keeps all of them in httpd.conf, and overwrites manual edits to that file. General changes need to go into one of these include files instead:
/etc/apache2/conf.d/includes/pre_main_global.conf
/etc/apache2/conf.d/includes/pre_virtualhost_global.conf
/etc/apache2/conf.d/includes/post_virtualhost_global.conf
After changing one of these, you need to stop/start Apache for the change to take effect. If you need to add options for a specific VirtualHost, you need to create an Include file for it. cPanel supplies a commented-out line in httpd.conf for each VirtualHost showing where it will look for this. Find it with:
egrep -i 'DOMAIN.TLD' /etc/apache2/conf/httpd.conf | grep -i include
Then create the paths like so:
mkdir -p /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/username/domain.tld/
Yes, there's a different one for non-SSL, and one for SSL. If both versions of the site will need the same treatment, you can just write one .conf file in either location and symlink the other to it.
touch /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/mywonderful.conf
ln -s /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/mywonderful.conf /etc/apache2/conf.d/userdata/ssl/2_4/username/domain.tld/mywonderful.conf
Then you add what you need to the .conf file, ensuring proper syntax.
Back up the Apache conf:
cp -av /etc/apache2/conf/httpd.conf{,.bak-$(date +'%Y%m%d-%H%M')}
Rebuild it:
/scripts/rebuildhttpdconf
You can test the syntax with:
httpd -t
Then stop/start Apache:
systemctl stop httpd
systemctl start httpd
Make sure it's still up:
systemctl status httpd
ModSecurity
Make sure it's on:
grep -i modsec /usr/local/apache/logs/error_log | tail
If it hasn't been blocking things recently, investigate further. Check to see if WHM broke the configuration by looking at:
[root@host ~]# ll /etc/apache2/conf.d/modsec
total 12K
drwxr-xr-x 2 root root 4.0K Jan 14 03:11 .
drwxr-xr-x 8 root root 4.0K Jan 14 03:11 ..
-rw------- 1 root root  759 Aug 31 12:26 modsec2.cpanel.conf
-rw------- 1 root root    0 Aug 25 15:46 modsec2.cpanel.conf.PREVIOUS
-rw------- 1 root root    0 Jan 12 14:27 modsec2.user.conf
modsec2.cpanel.conf should contain, among other things:
SecRuleEngine "On"
If not, you need to rebuild that file in WHM > Security Center > ModSecurity configuration. Use a radio button to change a setting, then move it back. Then you'll be able to re-save, which regenerates the file.
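One way to script the SecRuleEngine check described above. This is an added example, not part of the original page or of cPanel's tooling. The function names and return codes are this example's own, and treating a non-On directive in modsec2.user.conf as worth review is an assumption.

```bash
#!/usr/bin/env bash
# Added example: report ModSecurity's SecRuleEngine state from cPanel's config files.
# Return codes (this script's own convention): 0 = On, 1 = Off/DetectionOnly, 2 = no setting.

modsec_engine_state() {
    local conf="$1" state
    # A missing or zero-byte file means no configuration was written.
    if [ ! -s "$conf" ]; then
        echo "MISSING"
        return 2
    fi
    # Last uncommented SecRuleEngine directive in the file; optional quotes are stripped.
    state=$(awk 'tolower($1) == "secruleengine" { gsub(/"/, "", $2); v = $2 } END { print v }' "$conf")
    case "$(printf '%s' "$state" | tr '[:upper:]' '[:lower:]')" in
        on)            echo "On";            return 0 ;;
        detectiononly) echo "DetectionOnly"; return 1 ;;  # logs matches but blocks nothing
        off)           echo "Off";           return 1 ;;
        *)             echo "UNSET";         return 2 ;;
    esac
}

modsec_report() {
    # Default directory is the one shown on this page.
    local dir="${1:-/etc/apache2/conf.d/modsec}" main user rc=0
    main=$(modsec_engine_state "$dir/modsec2.cpanel.conf") || rc=$?
    echo "modsec2.cpanel.conf: SecRuleEngine $main"
    # An empty modsec2.user.conf is normal. Assumption: a non-On directive there
    # deserves review, since it could change the engine state.
    user=$(modsec_engine_state "$dir/modsec2.user.conf") || true
    case "$user" in
        Off|DetectionOnly)
            echo "modsec2.user.conf: SecRuleEngine $user (review this override)"
            if [ "$rc" -eq 0 ]; then rc=1; fi ;;
    esac
    return "$rc"
}

# Run only when a directory is passed, e.g.: ./modsec_check.sh /etc/apache2/conf.d/modsec
if [ "$#" -gt 0 ]; then
    modsec_report "$1"
    exit $?
fi
```

A result of DetectionOnly explains the case where ModSecurity appears in the error log but has not been blocking anything.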
Global Whitelist
This is at /etc/apache2/conf.d/modsec2/whitelist.conf