Auto Force TLS
Hi,
After trying to figure out how to set up WHM/cPanel to serve secured connections only, I have run into another roadblock caused by my noob knowledge level of WHM/cPanel.
What I am trying to accomplish is to have any (feature added) site(s) on the VPS run/redirect to httpS:// connections only. Anyone entering the example site (Example Blog) should be redirected to the secured httpS connection, so basically it is not possible to view any of the sites and pages without a TLS connection.
What I have tried, without any success, is to add:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
to 1: Pre Main Include -> Restart Apache, no success. 2: Pre VirtualHost Include -> Restart Apache, no success either. My understanding is that one can add these rules via the Include Editor, but after reading the following cPanel Forum post Force SSL for all websites I am not 100% sure about my assumption. This is because the answer from @cPanelMichael is to have a look at the Modify Apache Virtual Hosts with Include Files documentation page. I am loving the whole GUI aspect of managing your server/VPS, but I am starting to feel like it is at the same knowledge/skill level as being able to CLI your way around your server. Maybe this is where I am missing something vitally important: WHM/cPanel is not a 100% GUI replacement for the CLI, and one has to CLI his/her way around from time to time to properly configure the server/VPS. Anyone willing to educate me on what it is that I am doing wrong? Thanks again in advance.
My understanding is that one can add these rules via the Include Editor, but after reading the following cPanel Forum post Force SSL for all websites I am not a 100% sure about my assumption. This is because the answer from @cPanelMichael is to have a look on the Modify Apache Virtual Hosts with Include Files documentation page.
Hello, I recommend using the steps documented for "Apply to all virtual hosts on the system" and "Without SSL" at: Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation. Otherwise, your rewrite rules would apply globally on the server instead of in each virtual host where it's needed. Thank you.
Thanks again @cPanelMichael! So if I understand you correctly, for globally applied non-SSL to SSL rules I will have to CLI with SSH, navigate to /etc/apache2/conf.d/userdata/std/2_4/ and do something along the lines of
touch rewrite.conf
and then follow this up by
nano rewrite.conf
(you may LOL at the n00b way of describing/doing it, no problem at all.) and add the following:
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule /(.*) https://%{HTTP_HOST}/$1 [R=301,L]
If so, what about the
RewriteEngine on
line above? If I want to create another global custom rule that uses the Rewrite Engine (i.e. www to non-www), should this be added to every config file, or is this RewriteEngine already set to on by WHM/cPanel somewhere in a higher prioritised config file? If not, does the alphabetical order of the custom config files matter? In other words, does the file
nonwww.conf
get loaded before the file
rewrite.conf
? Also in the opening line
should one add the public IP address (i.e. 1.2.3.4:80) or the network IP address (127.0.0.1:80)? Again, I am asking this because of my unfamiliarity with WHM/cPanel, so my apologies for asking the obvious if one read the correct chapter/section of the cPanel docs.
Hello, You'd actually need to leave the "VirtualHost" section itself out of the include file. Here's a post with a working example for this functionality: SOLVED - HTTPS Redirection For All VirtualHosts. If you wanted to add an additional rewrite rule, I recommend adding it as part of the same include file so you can sort the rules based on how you want them utilized. Thank you.
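An added example of what such an include file can look like, covering both the forced-HTTPS redirect asked about in the opening post and the www-to-non-www rule raised in the follow-up. This is not code from the thread or from cPanel's documentation; the file name redirects.conf and the non-www preference are assumptions, and the file is assumed to live in the userdata/std/2_4/ directory named above so that cPanel merges it into every non-SSL virtual host.

```apache
# Added example (not from this thread or cPanel's documentation).
# Assumed location: /etc/apache2/conf.d/userdata/std/2_4/redirects.conf
# Files in userdata/std/2_4/ are pulled into every non-SSL (port 80) virtual
# host, so the file holds only directives, never a <VirtualHost> block.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # 1. www.example.com/<path> -> https://example.com/<path> in a single hop.
    #    %1 is the host captured without the leading "www.". Putting this rule
    #    first avoids a second redirect (http://www -> https://www -> https://).
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

    # 2. Every other port-80 request -> same host and path over HTTPS.
    #    The HTTPS check is redundant inside a port-80 virtual host but keeps
    #    the file harmless if it is ever copied into the ssl/2_4/ directory,
    #    where it would otherwise loop.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Keeping both rules in one file, in the order they should fire, sidesteps the question of whether RewriteEngine is already on and how separate include files are ordered. After saving, run `/scripts/rebuildhttpdconf` so cPanel regenerates httpd.conf with the include, check syntax with `apachectl configtest`, and restart Apache with `/scripts/restartsrv_httpd`. Verify from outside with `curl -sI http://www.example.com/page?x=1`: the expected answer is a `301` whose `Location` header is `https://example.com/page?x=1` (mod_rewrite appends the original query string automatically because the substitution contains no `?`).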
Hi @cPanelMichael, although I have to admit that I was a bit frustrated about the absence of cut-and-paste examples, you pointing me to the appropriate cPanel docs and thus forcing me to actually try this has helped me a great deal with understanding the finer points of working with WHM/cPanel. Thanks for this and your mentoring! I have "mkdir -p" several files in /etc/apache2/conf.d/userdata/ssl/2_4/; one of these files contains the following:
# ----------------------------------------------------------------------
# | Security Headers                                                   |
# ----------------------------------------------------------------------

# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS)                              |
# ----------------------------------------------------------------------
# Browsers that see this header refuse plain HTTP to the host (and, with
# includeSubDomains, to every subdomain) for max-age seconds, so every
# subdomain must already serve valid TLS before it goes live.
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

# ----------------------------------------------------------------------
# | Reducing MIME type security risks                                  |
# ----------------------------------------------------------------------
Header set X-Content-Type-Options "nosniff"

# ----------------------------------------------------------------------
# | Clickjacking                                                       |
# ----------------------------------------------------------------------
Header set X-Frame-Options "DENY"

# `mod_headers` cannot match based on the content-type, however,
# the `X-Frame-Options` response header should be sent only for
# HTML documents and not for the other resources.
# The <FilesMatch> wrapper around the unset below did not survive the
# forum's formatting; without it the unset would cancel the header on
# every response. The extension list is a reconstruction, not the original.
<FilesMatch "\.(css|gif|ico|jpe?g|js|json|png|svgz?|txt|webp|woff2?|xml)$">
    Header unset X-Frame-Options
</FilesMatch>

# ----------------------------------------------------------------------
# | Reflected Cross-Site Scripting (XSS) attacks                       |
# ----------------------------------------------------------------------
# (1) (2)
Header set X-XSS-Protection "1; mode=block"

# `mod_headers` cannot match based on the content-type, however,
# the `X-XSS-Protection` response header should be sent only for
# HTML documents and not for the other resources (same reconstructed
# <FilesMatch> wrapper as above).
<FilesMatch "\.(css|gif|ico|jpe?g|js|json|png|svgz?|txt|webp|woff2?|xml)$">
    Header unset X-XSS-Protection
</FilesMatch>

# ----------------------------------------------------------------------
# | Referrer Policy                                                    |
# ----------------------------------------------------------------------
# Header name corrected: "strict-origin-when-cross-origin" is a
# Referrer-Policy value, not an X-Frame-Options value, so setting it on
# X-Frame-Options would both replace the DENY above and be ignored.
Header set Referrer-Policy "strict-origin-when-cross-origin"
Thanks again and count on me bothering you and your colleagues on this forum in the very near future! Kindly, W.