Run AlmaLinux on KVM
Hi
I've got a question. Please, could anybody tell me how to fix it?
Current situation
The host machine (Ubuntu) runs Apache, and there are multiple websites on 80/443, and I don't want to touch them.
WHM/cPanel is installed on the KVM virtual machine (AlmaLinux), and the service listens on 2087 (HTTPS) by default.
Requirement
You can reach the WHM interface on the VM by visiting https://whm.xxx.com (without writing the port).
Other subdomains and websites still use 80/443 of the host Apache and are not affected.
Tried solutions
Apache mod_proxy (reverse proxy to 192.168.122.124:2087)
After configuration, 502 or SSL handshake errors are often reported, and Session Cookie is abnormal.
Handwritten iptables/nftables DNAT forwarding
PREROUTING DNAT can hit, FORWARD/POSTROUTING rules still do not work after multiple debugging, external connection to host 2087 is still "Connection refused".
Using libvirt's built-in <forward> port forwarding will be overwritten by net-destroy /default and other operations.
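The FORWARD failure and the overwritten forwarding described in this post, as an added example that is not part of the original post or of cPanel's documentation: a libvirt `qemu` hook that re-inserts the DNAT and FORWARD rules whenever the guest starts, ahead of the reject rules libvirt installs for its NAT network. The guest name `almalinux-whm` and the admin range `203.0.113.0/24` are constructed placeholders; the script assumes libvirt's default network on `virbr0` with an iptables firewall backend, and it forwards host port 2087 only, leaving 80/443 to the host Apache.

```shell
#!/bin/sh
# Added example: libvirt qemu hook, installed as /etc/libvirt/hooks/qemu (executable).
# libvirt invokes it as: qemu <guest-name> <operation> <sub-operation> ...
GUEST_NAME="almalinux-whm"     # hypothetical guest name (assumption)
GUEST_IP="192.168.122.124"     # guest address from the post
PORT="2087"                    # WHM HTTPS port from the post
BRIDGE="virbr0"                # bridge of libvirt's default NAT network (assumption)
ALLOW_SRC="203.0.113.0/24"     # constructed admin range; limits who can reach WHM
IPT="${IPT:-/sbin/iptables}"   # overridable so the rules can be dry-run

# whm_rules FLAG: FLAG is -I (insert at top of chain) or -D (delete).
whm_rules() {
    # -I puts the ACCEPT ahead of libvirt's own REJECT rules for the bridge;
    # an appended (-A) rule lands after them and is never reached.
    $IPT "$1" FORWARD -o "$BRIDGE" -p tcp -s "$ALLOW_SRC" \
        -d "$GUEST_IP" --dport "$PORT" -j ACCEPT
    $IPT -t nat "$1" PREROUTING -p tcp -s "$ALLOW_SRC" \
        --dport "$PORT" -j DNAT --to-destination "$GUEST_IP:$PORT"
}

# whm_hook GUEST OPERATION: add or remove the rules for this guest only.
whm_hook() {
    [ "$1" = "$GUEST_NAME" ] || return 0
    case "$2" in
        start)     whm_rules -I ;;
        stopped)   whm_rules -D || true ;;
        # reconnect fires when libvirtd restarts: drop stale copies, re-insert.
        reconnect) whm_rules -D 2>/dev/null || true; whm_rules -I ;;
    esac
}

whm_hook "$@"
```

libvirtd has to be restarted once after the hooks file is first created so that it is picked up.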
-
Hey there! Does the cPanel instance have a unique IP address from the parent instance?
-
Hi, the cPanel/KVM guest is currently on libvirt’s default NAT network with an internal IP (192.168.122.124) and does not have its own public IP separate from the host. From the outside, only the host’s IP is reachable.
-
That isn't going to be a supported implementation of cPanel as it would be required to have a separate IP address from the parent server in order to function like a typical VPS/KVM. I don't have any good recommendations to get this working.
-
Hi cPRex,
thanks for clarifying — I understand that cPanel on a KVM guest really needs its own IP in order to work properly. I’ll request an additional public IP from our provider and switch the VM’s NIC to bridged mode. If for some reason we can’t get a second IP, is there any reverse-proxy or port-forwarding approach you’d recommend (for example Apache mod_proxy with SSLProxyEngine on)? Or would that simply be too unstable / unsupported?
Thanks again for your insight!
-
I wouldn't be able to say for sure with any certainty as that just isn't something we test on our end.
-
Hi cPRex,
Thank you for the clarification. I understand that running WHM on a NAT’d KVM setup isn’t a scenario you officially test, so it’s outside your supported configurations.
Could you point me to any documentation or best-practice notes for this kind of environment? Are there known caveats or pitfalls I should watch out for if I proceed with a reverse-proxy or bridged networking approach?
In the meantime I’ll request a second public IP and switch the VM to bridged mode, but any pointers you can share would be very helpful.
Thanks again for your time and assistance.
Best regards,
Kevin
-
I really don't have any guides that will be helpful here as this just isn't the intended way that cPanel operates.
You will want to ensure a 1:1 NAT configuration if that's how things are configured on the machine: https://docs.cpanel.net/knowledge-base/general-systems-administration/1-1-nat/
-
Hi cPRex,
Thank you for pointing me to the 1:1 NAT guide. I’ll proceed to configure a true one-to-one NAT mapping so that the VM’s internal IP (192.168.122.124) is directly reachable via my host’s public IP on port 443→2087, per your documentation: