AdminCP Extra Security for nginx web server
IP Filtering
1. Connect to the master server via SSH
2. Create the additional configuration file in the /usr/local/svmstack/nginx/conf/services/ directory:
touch /usr/local/svmstack/nginx/conf/services/blockip.conf
3. Set up the list of allowed/denied IP addresses. For example:
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
For more information, see the Nginx documentation portal.
4. (Optional) If the WHMCS module is used, or SolusVM graphs are otherwise accessed via the API, the /graphs directory should be excluded from the IP restriction. Open the file /usr/local/svmstack/nginx/conf/services/custom/legacy-master-after-php-location-443.conf and add the following:
location /graphs {
    allow all;
}
5. Restart the service to apply the changes (use the systemctl command on systemd-based systems, the init script otherwise):
systemctl restart svmstack-nginx.service
/etc/init.d/svmstack-nginx restart
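Nginx evaluates allow/deny rules in order and stops at the first match, which is why the single-address deny in step 3 has to come before the allow for its /24. The following Python sketch is an added example, not part of the SolusVM documentation: it parses such a rule list and reports the decision for a given client address, so a list can be checked before the restart. The function names are hypothetical, and only `all`, single addresses and CIDR ranges are handled.

```python
import ipaddress
import re

# Constructed sample: the allow/deny list from step 3 of the IP filtering procedure.
SAMPLE_RULES = """
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^\s;]+)\s*;")


def parse_rules(text):
    """Return [(action, network-or-None)] in file order; None means 'all'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop nginx comments
        m = RULE_RE.match(line)
        if not m:
            continue
        action, target = m.groups()
        if target == "all":
            rules.append((action, None))
        else:
            # strict=False accepts a prefix with host bits set (10.1.1.0/16);
            # nginx masks it the same way and treats it as 10.1.0.0/16.
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def decide(rules, client_ip):
    """First matching rule wins; if nothing matches, the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("192.168.1.1", "192.168.1.50", "10.1.200.7", "2001:db8::1", "203.0.113.9"):
        print(f"{ip:>15} -> {decide(rules, ip)}")
```

Run it against the address you administer from before restarting the service: a "deny" result for that address means the new list would lock you out of AdminCP.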
Additional authentication for AdminCP area
1. Connect to the master server via SSH
2. Create a file that will contain login/password pairs:
touch /usr/local/svmstack/nginx/.htpasswd
sh -c "echo -n 'solusvmadmin:' >> /usr/local/svmstack/nginx/.htpasswd"
sh -c "openssl passwd -apr1 >> /usr/local/svmstack/nginx/.htpasswd"
4. Create a backup of the /usr/local/svmstack/nginx/conf/services/legacy-master.conf file:
cp -a /usr/local/svmstack/nginx/conf/services/legacy-master.conf /root/
5. Edit the file and add the following directive at the end of the "server" section for ports 5656 and 443. For a server with PHP 8:
Note: Use the php -v command to check the PHP version.
# Require HTTP basic authentication for everything under /admincp/
location ^~ /admincp/ {
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/svmstack/nginx/.htpasswd;
    # PHP requests are passed to the PHP 8 FPM socket
    location ~ \.php$ {
        include services/custom/legacy-master-inside-php-location-443.conf;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 3600;
        fastcgi_pass unix:/usr/local/svmstack/fpm8/socket/web.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param HTTPS $https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Note: If the server runs PHP 7 or an earlier version, use the following customization instead:
# Require HTTP basic authentication for everything under /admincp/
location ^~ /admincp/ {
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/svmstack/nginx/.htpasswd;
    # PHP requests are passed to the PHP 7 (or earlier) FPM socket
    location ~ \.php$ {
        include services/custom/legacy-master-inside-php-location-443.conf;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 3600;
        fastcgi_pass unix:/usr/local/svmstack/fpm/socket/web.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param HTTPS $https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
6. Restart the service to apply the changes:
systemctl restart svmstack-nginx.service
/etc/init.d/svmstack-nginx restart