CPanel Apache

From My Wiki
Revision as of 05:15, January 15, 2021 by J-Admin (talk | contribs) (ModSecurity: labeled section)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Basics

cPanel likes to have every site as a VirtualHost or ServerAlias, and it likes to have all of them in httpd.conf, and it will overwrite manual edits to this file. General edits to the file itself need to be added to one of these:

/etc/apache2/conf.d/includes/pre_main_global.conf

/etc/apache2/conf.d/includes/pre_virtualhost_global.conf

/etc/apache2/conf.d/includes/post_virtualhost_global.conf

And after one of these is changed, you need to stop/start Apache for the change to take. If you need to add options for a specific VirtualHost, you need to create an Include file for it. cPanel supplies a commented out line in httpd.conf for each VirtualHost where it will look for this. Find it with: 

egrep -i 'DOMAIN.TLD' /etc/apache2/conf/httpd.conf | grep -i include

Then create the paths like so: 

mkdir -p /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/username/domain.tld/

Yes, there's a different one for non-SSL, and one for SSL. If both versions of the site will need the same treatment, you can just write one .conf file in either location and symlink the other to it. 

touch /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/mywonderful.conf
ln -s /etc/apache2/conf.d/userdata/std/2_4/username/domain.tld/mywonderful.conf /etc/apache2/conf.d/userdata/ssl/2_4/username/domain.tld/mywonderful.conf

Then you add what you need to the .conf file, ensuring proper syntax.

Back up the Apache conf: 

cp -av /etc/apache2/conf/httpd.conf{,.bak-$(date +'%Y%m%d-%H%M')}

Rebuild it: 

 /scripts/rebuildhttpdconf

Or to add an Include for a specific user without a full rebuild: 

/scripts/ensure_vhost_includes --user=USERNAME

You can test the syntax with: 

 httpd -t

Then start/stop Apache: 

systemctl stop httpd
systemctl start httpd

Make sure it's still up: 

systemctl status httpd

Templates

If you need to edit something that cPanel already puts in httpd.conf, you need to edit the templates that cPanel builds the file from. cPanel servers build the main httpd.conf from these files:

/var/cpanel/templates/apache2/main.default ==> Main Apache configuration

/var/cpanel/templates/apache2/vhost.default ==> VirtualHost section

/var/cpanel/templates/apache2/ssl_vhost.default ==> SSL VirtualHost section

If they need to be customized, don't change them. Create custom .local files instead:

/var/cpanel/templates/apache2/main.local

/var/cpanel/templates/apache2/vhost.local

/var/cpanel/templates/apache2/ssl_vhost.local

If you need to do this for a specific VirtualHost (changing a docroot for example), you edit the templates in /var/cpanel/userdata/$username/ instead. 

/scripts/rebuildhttpdconf

Restart Apache.

Sites on custom ports

1. Add Listen line to /var/cpanel/templates/apache2/main.local 

PidFile [% main.pidfile.item.pidfile %]
LockFile [% main.lockfile.item.lockfile %]
Listen 0.0.0.0:9127
[% IF configured.ip_listen -%]
[%- FOREACH ip IN configured.ip_listen -%]
Listen [% ip %]:[% configured.main_port %]

2. Add subdomain with custom port to /usr/local/apache/conf/includes/post_virtualhost_global.conf

3. /scripts/rebuildhttpdconf

4. Open port in the firewall

5. Site should resolve on the alternate port.

ModSecurity

Make sure it's on: 

grep -i modsec /usr/local/apache/logs/error_log | tail

If it hasn't been blocking things recently, investigate further. Check to see if WHM broke the configuration by looking at: 

[root@host ~]# ll /etc/apache2/conf.d/modsec
total 12K
drwxr-xr-x 2 root root 4.0K Jan 14 03:11 .
drwxr-xr-x 8 root root 4.0K Jan 14 03:11 ..
-rw------- 1 root root  759 Aug 31 12:26 modsec2.cpanel.conf
-rw------- 1 root root    0 Aug 25 15:46 modsec2.cpanel.conf.PREVIOUS
-rw------- 1 root root    0 Jan 12 14:27 modsec2.user.conf

The modsec2.cpanel.conf should have among other things in it: 

SecRuleEngine "On"

If not, you need to rebuild that file in WHM > Security Center > ModSecurity configuration. Use a radio button to change a setting, then move it back. Then you'll be able to re-save, which regenerates the file.

Global ModSecurity Whitelist

This is at /etc/apache2/conf.d/modsec2/whitelist.conf

Reserved IPs

Logging is not enabled for reserved IPs. Can be set in Apache Configuration > Reserved IPs Editor. Though accounts can be set up on these IPs. However, if you go to Show/Edit Reserved IPs in WHM, you can actually set IPs to not be available for cPanel accounts in addition. Weird.

Retrieved from "https://wiki.whatplanetisthis.net/index.php?title=CPanel_Apache&oldid=45"