[Guide] How to Proxy DirectAdmin Hostname to Port 443 using LiteSpeed (LSWS)

souzadavi

To document my DA configurations, I'm writing a new guide using AI to help draft the text below. Any feedback or advice is welcome.

Many users struggle to access DirectAdmin on port :2222 due to corporate firewalls. While DirectAdmin suggests creating a sub-domain (like cp.domain.com), many administrators prefer using the main server hostname (e.g., https://server.example.com) directly on port 443 without the port number.

If you are running LiteSpeed Web Server, you cannot simply use ProxyPass in Apache templates without additional configuration. LSWS requires a defined "External App" to authorize the proxy; otherwise, you will receive a 403 Forbidden error.

Here is the working method to proxy your hostname to DirectAdmin securely.

Prerequisites

  • DirectAdmin with LiteSpeed Web Server installed.
  • A valid SSL certificate on your hostname (server.example.com).
  • Access to the LiteSpeed WebAdmin Console (usually port 7080).

Step 1: Create the External App in LiteSpeed

This is the most critical step. LiteSpeed strictly verifies proxy targets.
  1. Log in to your LSWS WebAdmin Console (e.g., https://server.example.com:7080).
  2. Navigate to Server > External App.
  3. Click Add and select Web Server as the type.
  4. Fill in the configuration exactly as follows:
    • Name: https://server.example.com:2222
      • Note: Replace server.example.com with your actual hostname.
      • Important: The name MUST include the protocol (https://) and the port (:2222). It must match the RewriteRule destination we will create later.
    • Address: https://127.0.0.1:2222
    • Max Connections: 10 (or higher if needed)
    • Initial Request Timeout (secs): 60
    • Retry Timeout (secs): 0
  5. Click Save.

Step 2: Configure the Redirect Rule (.htaccess)

Since the hostname usually serves content from /var/www/html, we can use an .htaccess file to handle the redirection.

  1. SSH into your server.
  2. Edit or create the .htaccess file in the default document root:

Bash:
nano /var/www/html/.htaccess


3. Add the following rules:

Apache config:
Options +FollowSymLinks
RewriteEngine On

# 1. Force HTTPS
RewriteCond %{HTTPS} off
# And if it is NOT a data submission (POST)...
RewriteCond %{REQUEST_METHOD} !=POST
# Then redirect to HTTPS. This keeps the login from breaking.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# FIX FOR MOBILE ISSUE LOGIN
RewriteRule ^CMD_LOGIN$ https://server.example.com:2222/CMD_LOGIN [P,L]

# 2. Proxy Reverse to DirectAdmin
# IMPORTANT: The target URL below must match the "Name" you created in Step 1 exactly.
RewriteCond %{HTTP_HOST} ^server\.example\.com(:.*)?$ [NC]
RewriteRule ^(.*)$ https://server.example.com:2222/$1 [P,L]

Replace server.example.com with your actual hostname.

Step 3: Apply Changes

  1. Go back to the LSWS WebAdmin Console.
  2. Perform a Graceful Restart of LiteSpeed.

Step 4: DirectAdmin Configuration Check

Ensure you do not have a forced redirect loop configured in DirectAdmin. Check your directadmin.conf:


Bash:
/usr/local/directadmin/directadmin c | grep ssl_redirect_host
If this returns a value, you should disable it, as the .htaccess is now handling the SSL forcing.

Step 5: WHMCS template (optional)

File: clientareaproductdetails.tpl

Find:
HTML:
{$moduleclientarea}

Replace:
HTML:
{$moduleclientarea|replace:':443':''}

Complete Code:
HTML:
{if $moduleclientarea}
    <div class="text-center module-client-area">
        {* Remove :443 from the URL to avoid a 404 error on the proxy *}
        {$moduleclientarea|replace:':443':''}
    </div>
{/if}

Troubleshooting

I get a 403 Forbidden Error: This happens if the RewriteRule destination in .htaccess does not strictly match the Name of the External App in LiteSpeed.

"Not Secure" Warning: If you see a certificate warning, ensure your hostname has a valid SSL certificate generated via Let's Encrypt in the DirectAdmin dashboard.
 
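An added example, not part of the original post: a small Python lint for the Step 2 .htaccess. It checks the 403 condition from Troubleshooting (every [P] target must begin with exactly the External App name from Step 1) and also reports when the HTTPS redirect exempts a method, because those requests continue to the later rules over plain HTTP. The sample rules are constructed from Step 2, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the Step 2 rules with the guide's placeholder hostname.
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_METHOD} !=POST
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteRule ^CMD_LOGIN$ https://server.example.com:2222/CMD_LOGIN [P,L]
RewriteCond %{HTTP_HOST} ^server\.example\.com(:.*)?$ [NC]
RewriteRule ^(.*)$ https://server.example.com:2222/$1 [P,L]
"""

def parse_rules(text):
    """Yield (line_no, conditions, target, flags) for each RewriteRule."""
    conds = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritecond":
            conds.append(" ".join(parts[1:]))
        elif name == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            yield no, conds, parts[2], flags
            conds = []  # conditions bind only to the rule that follows them

def lint(text, ext_app_name):
    """Return (line_no, message) findings for the .htaccess text."""
    findings = []
    for no, conds, target, flags in parse_rules(text):
        if "P" in flags:
            u = urlsplit(target)
            origin = f"{u.scheme}://{u.netloc}"
            if origin != ext_app_name:  # exact match, as Step 1 requires
                findings.append((no, f"proxy target {origin} does not match External App name"))
        is_redirect = any(f == "R" or f.startswith("R=") for f in flags)
        https_off = any(re.match(r"%\{HTTPS\}\s+off\b", c, re.I) for c in conds)
        exempt = [m.group(1).upper() for c in conds
                  if (m := re.match(r"%\{REQUEST_METHOD\}\s+!=?\^?(\w+)", c, re.I))]
        if is_redirect and https_off and exempt:
            findings.append((no, f"plain-HTTP {'/'.join(exempt)} requests skip the HTTPS redirect"))
    return findings

if __name__ == "__main__":
    for line_no, msg in lint(SAMPLE, "https://server.example.com:2222"):
        print(f"line {line_no}: {msg}")
```

Pass the contents of /var/www/html/.htaccess and the Name you entered in Step 1; an empty result means both checks passed.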
I encountered an issue with the configuration mentioned above specifically when users try to connect via third-party mobile apps (e.g., clicking a link inside WhatsApp).

Since I haven't found a direct fix for the mobile app behavior yet, I implemented a workaround by adding a secondary button to the WHMCS product details page. This allows the user to choose between the standard proxy connection (default) or an alternative login using port 2222 if the first one fails.

Here is the code snippet:


HTML:
{if $moduleclientarea}
    <div class="text-center module-client-area" style="display: flex; flex-wrap: wrap; justify-content: center; gap: 10px;">
       
        {* --- Common Variable: Hidden Logout Field --- *}
        {assign var="myHiddenField" value='<input type="hidden" name="LOGOUT_URL" value="https://www.yourdomain.com.br/"> </form>'}

        {* --- BUTTON 1: Standard Login (No Port / Proxy) --- *}
        {* Remove :2222 if it exists and inject logout *}
        {$moduleclientarea|replace:':2222':''|replace:'</form>':$myHiddenField}


        {* --- BUTTON 2: Alternative Login (Port 2222) --- *}
        {* Step 1: Get the original HTML (which usually contains port 2222) *}
        {assign var="formAlt" value=$moduleclientarea}

        {* Step 2: Change button TEXT to indicate it is an alternative *}
        {assign var="formAlt" value=$formAlt|replace:'value="Login no DirectAdmin"':'value="Login Alternativo (2222)"'}

        {* Step 3: Change button STYLE (optional, to make it distinct/grey) *}
        {assign var="formAlt" value=$formAlt|replace:'class="button"':'class="button" style="background-color: #555; border-color: #555;"'}

        {* Step 4: Inject logout and Render *}
        {$formAlt|replace:'</form>':$myHiddenField}

    </div>
{/if}
 