Skip to content

AdminCP Extra Security for nginx web server

IP Filtering

1. Connect to the master server via SSH

2. Create the additional configuration file in /usr/local/svmstack/nginx/conf/services/ directory:

touch /usr/local/svmstack/nginx/conf/services/blockip.conf

3. Set up list of allowed/denied IP addresses, here is an example:

deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all; 

Check for more information on Nginx documentation portal

1. (Optional) In case of the WHMCS module or otherwise accessing SolusVM graphs via API /graphs directory should be excluded from IP restriction. Open the file /usr/local/svmstack/nginx/conf/services/custom/legacy-master-after-php-location-443.conf and add the following:

location /graphs {
    allow all;
}

2. Restart the service to apply the changes:

systemctl restart svmstack-nginx.service
OR
/etc/init.d/svmstack-nginx restart

Additional authentication for AdminCP area

1. Connect to the master server via SSH

2. Create a file that will contain login/password pairs:

touch /usr/local/svmstack/nginx/.htpasswd
3. Add login and password pair. Replace solusvmadmin with required login name. Do not forget ":" delimiter sign at the end of the login name:

sh -c "echo -n 'solusvmadmin:' >> /usr/local/svmstack/nginx/.htpasswd"
sh -c "openssl passwd -apr1 >> /usr/local/svmstack/nginx/.htpasswd"

4. Create a backup of the /usr/local/svmstack/nginx/conf/services/legacy-master.conf file:

cp -a /usr/local/svmstack/nginx/conf/services/legacy-master.conf > /root/ 

5. Customize the file and add the following directive to the end of "server" section for 5656 and 443 ports for server with PHP 8:

Note: Use the php -v command to check the PHP version.

location ^~ /admincp/ {
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/svmstack/nginx/.htpasswd;
    location ~ \.php$ {
        include services/custom/legacy-master-inside-php-location-443.conf;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 3600;
        fastcgi_pass unix:/usr/local/svmstack/fpm8/socket/web.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param HTTPS \$https;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    }
}

Note: In case you are using server with PHP 7 and earlier versions, use the below customization:

location ^~ /admincp/ {
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/svmstack/nginx/.htpasswd;
    location ~ \.php$ {
        include services/custom/legacy-master-inside-php-location-443.conf;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 3600;
        fastcgi_pass unix:/usr/local/svmstack/fpm/socket/web.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param HTTPS \$https;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    }
}

6. After that restart the service to apply the changes:

systemctl restart svmstack-nginx.service
OR
/etc/init.d/svmstack-nginx restart

Back to top