ISPsystem software products of the 5th generation run through ihttpd (a built-in web-server).
Ihttpd passes all requests to the software kernel. Therefore, a control panel will be accessible by any domain name resolved to the IP address that ihttpd listens.
For example, ihttpd listens to 10.10.10.10 and port 1500. If you point domain.com to 10.10.10.10, the control panel will open at https://domain.com:1500/.
Nginx
You can configure the control panel to run via Nginx + ihttpd. Add server into the Nginx configuration file.
server {
listen 10.10.10.10:443;
server_name 10.10.10.10;
ssl on;
ssl_certificate /usr/local/mgr5/etc/manager.crt;
ssl_certificate_key /usr/local/mgr5/etc/manager.key;
client_max_body_size 20m;
set $mgr_proxy "https://10.10.10.10:1500";
location ^~ /manimg/ {
alias /usr/local/mgr5/skins/;
}
location / {
proxy_pass $mgr_proxy;
proxy_redirect $mgr_proxy /;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Secret <random symbols>;
chunked_transfer_encoding off;
}
location ^~ /mancgi/ {
proxy_pass $mgr_proxy;
proxy_redirect $mgr_proxy /;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Secret <random symbols>;
chunked_transfer_encoding off;
}
}
If you use BILLmanager 6, you need to add the following section:
location ^~ /api2/{
proxy_pass $mgr_proxy;
proxy_redirect $mgr_proxy /;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Secret <random symbols>;
chunked_transfer_encoding off;
}
The client_max_body_size directive defines the file size that Nginx can pass to the control panel (for example, it is required by the "File manager" module in ISPmanager). Enter a required value.
Add the ForwardedSecret directive into the COREmanager configuration file and control panel configuration file
Example:
ForwardedSecret mary123
ForwardedSecret is a key consisting of letters and figures that is used for authentication by specific IP addresses (if Nginx is used). It is used for protection against security attacks.
Please note, a secret phrase that is specified in the Nginx configuration file (the proxy_set_header X-Forwarded-Secret directive) must match the phrase in the control panel's configuration file (the ForwardedSecret directive).
Restart Nginx and the control panel to apply the changes. Execute the command:
killall core
SPDY
If the spdy protocol is used, you should add the following directives:
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Accept $http_accept;
proxy_set_header Accept-Language $http_accept_language;
proxy_set_header ISP-Client $http_isp_client;
proxy_set_header Referer $http_referer;
proxy_set_header Content-Type $http_content_type;
proxy_set_header Cookie $http_cookie;
proxy_set_header Pragma $http_pragma;
proxy_set_header Cache-Control $http_cache_control;
proxy_set_header Accept-Encoding $http_accept_encoding;
RAW Paste Data
Apache
You can configure the control panel to run via Apache with proxying to ihttpd.
Make sure the following modules are enabled in Apache:
- proxy_module
- proxy_connect_module
- proxy_http_module
Add VirtualHost into the Apache configuration file:
<VirtualHost 10.10.10.10:80>
ServerName domain.com
ServerAlias www.domain.com
Redirect / https://domain.com/
</VirtualHost>
<VirtualHost 10.10.10.10:443>
ServerName domain.com
ServerAlias www.domain.com
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLEngine On
SSLCertificateFile /usr/local/mgr5/etc/manager.crt
SSLCertificateKeyFile /usr/local/mgr5/etc/manager.key
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
RequestHeader set X-Forwarded-Secret <arbitrary character set>
RequestHeader set X-Forwarded-For $remote_addr
<proxy *>
Order deny,allow
Allow from all
</proxy>
ProxyPass / https://10.10.10.10:1500/
ProxyPassReverse / https://10.10.10.10:1500/
</VirtualHost>
Apply the Apache configuration:
apachectl graceful
Add the ForwardedSecret directive into the COREmanager configuration file:
Example:
ForwardedSecret mary123
The ForwardedSecret value in the panel configuration file and COREmanager should match the value specified in the RequestHeader set X-Forwarded-Secret directive in the Apache configuration file.
Restart the panel to apply the changes in the COREmanager and panel configuration files:
killall core
To set up an SSL certificate, add the following information into the panel configuration file /usr/local/mgr5/etc/ihttpd.conf:
listen {
ip 10.10.10.10
redirect
sni {
domain_cert /usr/local/mgr5/etc/manager.crt
domain_key /usr/local/mgr5/etc/manager.key
domains domain.com
}
}