SSL acces to DA panel via user's domain

Richard G

Verified User
Joined
Jul 6, 2008
Messages
12,560
Location
Maastricht
If we want to force SSL now, it has to be https://server.admindomain.com:2222 or when not using the force option you can use http://userdomain.com:2222 (don't use the www in front of it because then .htaccess redirects can create issues).

Most (expecially long time) customers are used to enter DA by using http://www.userdomain.com:2222 which is also easy for them.

Since everything is going to SSL nowadays, I would like to ad a suggestion to create an easy or rather default option, for users to be able to visit https://www.userdomain.com:2222 as they did before, but then via SSL.

This is especially nice for resellers, who's customers won't see the browser switching to an admindomain.com url but are kept in their own userdomain.com url.

Like Cpanel has. Every customer can visit their control panel via their own domain name, also when using https.
 
Thank you for the idea.

But that has to be setup seperately for every customer. I was making a suggestion for a more automatically made setup so the users could use https://www.userdomain.com:2222 maybe by a selection option or something, or automated like if ssl is present then activate also https for DA access on the user's domain.
Like I said... like cpanel (installed by default), where al users can use either http or https userdomain.com/cpanel so something like userdomain/directadmin or something like that would also be nice. Or another way (favorite is the :2222 option).

So just that it has not to be the server's hostname and it has not to be setup for every user seperately. Especially since everything will become https/ssl in the near future.
 
Well not really, I use the custom template and it goes on each domain, and you can use the custom template also for the DNS record.

The only problem with this, is the SSL Certificate request that you cannot do as soon as you create the account (DNS issue can happen), so I provide those URLs that redirect to a main login interface where the SSL works.

I prefer not to open the 2222 port to the public, or anyway not to have to tell the user ":2222", while cp.yourdomain.com is way easier :)
 
Thank you for the explanation.
But I still like to keep this as a feature request which makes life a lot easier.
As you say, there is the thing with the certificate request when creating the account which is a fuzz again, and at the moment there are also still users not wanting ssl.

When the competition can make it, then maybe DA can too, hence the request/suggestion. :)
 
And here is where I think you're bit confused :)
What you're asking it is already there, the only problem is the certificate, and once again, as soon as the domain is registered the certificate cannot be requested straight away, because it is up to DNS propagation.

So, in cPanel to have https://customerdomain.com:1234 the domain customerdomain.com needs to have a certificate or the browser will return a certificate issue.
Also, using your own words... "and at the moment there are also still users not wanting ssl."

So basically, cPanel is forcing it, you say you want to keep the user to be able to decide, but still forcing them to have an SSL cert ;)
 
What you're asking it is already there,
I don't see how it would be already there. I think you don't understand what I'm trying to accomplish or suggest. I'll try to explain better.

So, in cPanel to have https://customerdomain.com:1234 the domain customerdomain.com needs to have a certificate or the browser will return a certificate issue.
Which is logical. That's no different with Directadmin when it could be used that way. But I also stated that they can also use http://customerdomain.com:1234 if they want. If they don't install Letsencrypt and the admin does not use the autoconf feature.

Cpanel is only forcing https for the panel itself if you use autoconf and create an SSL certificate as far as I know. I'm not sure if it's even force for the panel itself when the user has to create a letsencrypt certificate himself.

Anyway, even when the panel access is ssl forced, the user still has the choice to not use ssl on the website, that is not forced in any way.
Next to that... website.com/cpanel is also redirected to website.com:2083 so since DA is using 2222, couldn't such redirect (domain.com/panel or domain.com/directadmin or something like that) be redirected to https://domain.com:2222... after creating a certificat? Or is that not possible due to how the system is made?

My point: The server admin has to do 0 to accomplish this, maybe only enable letsencrypt and enable autoconf.

In Directadmin there is no automatic thing. If you enable https for your site, you can not visit https://www.yourdomain.com:2222 because it will give you a certificate error even when the domain has a valid certificate.

So you pointed to a help section.
I just tried that help link you pointed to, and you have to set this up for every seperate domain like this:
Admin Level -> Custom HTTPD Configuration -> cp.userdomain.nl

Next to that:
**Note** if you're running custombuild, you must recompile apache by adding "--enable-proxy" \ to the configure/ap2/configure.apache file, and recompiling apache and php.
Also, for apache 2, the template is virtual_host2.conf, not virtual_host.conf.
and it starts with:
First, create the cp.userdomain.nl domain under a User level, as a full domain somewhere.

As said, a lot of fuzz to get it right and even if used, you have to enable this cp subdomain for every separate user. That is way different then the way cpanel has it.
Understandable, because DA is not CP. But it could be a lot easier.

My suggestion was to have something like this (or by using :2222) so users can reach their DA control panel on their own domain like they're used to without all that work which an admin has to do now to accomplish it and even for every seperate user or having to fix around custom templates if you even know how.:)
 
Yes Richard, I do undertand :)
Maybe I didn't explain myself properly, so allow me to try again ^^

Every domain hosted on DA have the ability to access http://domain.tld:2222 by default, yes, the certificate will not be there., you can set DA to also (or only) run in https (usually port http/2222 https/2224)
To achieve what you ask the system will have to request a certificate on behalf of the user to add it only on the control panel listener, so everytime there is a new domain, DA will have to request a certificate (SNI) which include all hosted domains and restart itself.

It is quite a crazy behaviour in my opinion, I do agree on the cp.domain.tld (or domain.tld/panel) if you prefer, that would make more sense because the certificate will be part of the normal certificate creation.

That is something I do with all my customers, is not big deal following that guide, and some automation to make the certificate request can be put in place, still no matter if the user want or doesn't an SSL certificate for his domain, he will have to have one for the CP to achieve what you are asking for, the only difference is the mess that comes on doing it at DA level (meaning on DA itself rather than using Apache or NGINX to act as proxy).

I've been using the option I suggested for the past 3/4 years with the same implementation I did the first time, maybe I had to update it when Nginx+Apache option was introduced to have the "proxy" conditions, but beside that, it was a one time job which was fairly easy.

To avoid SSL issues and the needs to request an SSL Certiicate for customer's domain, I am simply redirecting http access to a single page (https://directadmin.crazynetwork.it) so customers will always have a valid SSL cert (because mantained by me, for me), if the customer doesn't have a certiicate and try to access https://directadmin.theirdomain.tld they will have an SSL issue, but usually the customer simply tipe directadmin.theirdomain.tld which redirect them to mine.

From the moment the client request the SSL Cert via DA, it will automatically also ask for the directadmin.theirdomain.tld one, so to fix any kind of possible problem.

Please note, is not just about DA, I do the same for webmail , phpmyadmin , dav , autoconfig and autodiscovery.
All those service are working the same way and perfectly for years now :)

So again, I do understand the needs and the comodity on having DA itself managing this bit (I requested it myself once I had everything in place providing all my templates to DA Staff but they told me that was better leave the admin the ability to chose about this), but it is still not big deal to do that with template, failry easy, fairly static and definetely compatible with future update due to the last "general" custom templates DA introduced not long time ago which I helped to implement and improve from their basic design

Hope it helps a bit :)
Best regards
 
Hello Sellerone.

You do understand what I want, but still.... I would like this as a future request, it's not a default existing thing the way it would be nice.

Ah, this makes more sense to me, that looks indeed what I'm searching for (almost) but I did not see you writing it that way:
you can set DA to also (or only) run in https (usually port http/2222 https/2224)
Yes but what I understood from your previous reply is that this can only be done via those custom template changes which have to be done for every user as I explained. I don't know how to do this another way.

It is quite a crazy behaviour in my opinion, I do agree on the cp.domain.tld (or domain.tld/panel) if you prefer, that would make more sense because the certificate will be part of the normal certificate creation.
Agreed, although I don't really understand why DA can not do this like cpanel with a domain.com/directadmin redirect to domain.com:2222 or :2224 or whatever is used.

As far as I can read from your explanation, you customized several things, templates, created redirects yourself. So this is still not default and still some work has to be done.
I understand and believe what you are explaining.

but it is still not big deal to do that with template, failry easy, fairly static and definetely compatible with future update due to the last "general" custom templates DA introduced not long time ago which I helped to implement and improve from their basic design
And hence the other part for the request. For you it's easy, maybe for some others too. But I don't have a clue on how to do this. I'm not in to coding and changing templates. I fix things, know about DNS and updating and security, but I don't like template changes, especially not without a "take this and change that" kind of manual. And I'm sure I'm not the only one.

Also I think you would be prepared to help me with this, which would be nice, but I would just like it as a future option, so everybody can benefit and make a choice how to use it by default.

So again, I do understand the needs and the comodity on having DA itself managing this bit
Great, that's the reason I posted the request. :)
 
Hi Richard,
I didn't notice that guide was updated and yes, the "new method A" show you the way for 1 domain, but if you scroll a bit to "old meethod B" it shows you how to do it in the template, just pay attention on the filesname for http/https and virtual_host virtual_host2

That is what I use, that's why I said it wasn't that hard, because once the template is done, is really matter of rewriting the configurations using Custombuild and all the customers will have the new settings.

For existing customer the only thing to do (if you're using the cp.domain.tld aproach) is to add the DNS record, while for new customerrs, if you customize also the dns_a.conf template, it will be added automatically :)

Anyway, I guess DA will consider this request depending on the users who are interested, and surely I am as long as it gives funcionality to customize things (as I would not like /panel nor cp.domain.tld but I prefer, now that all customers know it, keeping directadmin.domain.tld).

Best regards
 
Hello Sellerone.

Yes I hope so indeed. Hopefully more people are interested, but one never knows.
In any case thank you for your support and help in this matter.
 
This would be useful for resellers too, I get enough questions about DA access...... "can I use my own domain for directadmin?"....... Without said modification, no.

And to be honest, the current default out-of-the-box DA isn't really "reseller" minded
 
Back
Top