[Guide] How to Proxy DirectAdmin Hostname to Port 443 using LiteSpeed (LSWS)

[souzadavi]

To document my DA configurations, I'm writing a new guide using AI to help draft the text below. Any feedback or advice is welcome.

Many users struggle to access DirectAdmin on port :2222 due to corporate firewalls. While DirectAdmin suggests creating a sub-domain (like cp.domain.com), many administrators prefer using the main server hostname (e.g., https://server.example.com) directly on port 443 without the port number.

If you are running LiteSpeed Web Server, you cannot simply use ProxyPass in Apache templates without additional configuration. LSWS requires a defined "External App" to authorize the proxy, otherwise, you will receive a 403 Forbidden error.

Here is the working method to proxy your hostname to DirectAdmin securely.

Prerequisites​

• DirectAdmin with LiteSpeed Web Server installed.
• A valid SSL certificate on your hostname (server.example.com).
• Access to the LiteSpeed WebAdmin Console (usually port 7080).

Step 1: Create the External App in LiteSpeed​

This is the most critical step. LiteSpeed strictly verifies proxy targets.

1. Log in to your LSWS WebAdmin Console (e.g., https://server.example.com:7080).
2. Navigate to Server → External App.
3. Click Add and select Web Server as the type.
4. Fill in the configuration exactly as follows:
   • Name:DirectAdmin
     • Important: It must match the RewriteRule destination we will create later.
   • Address: https://127.0.0.1:2222
   • Max Connections: 10 (or higher if needed)
   • Initial Request Timeout (secs): 60
   • Retry Timeout (secs): 0
5. Click Save.

Step 2: Configure the Redirect Rule (.htaccess)​

Since the hostname usually serves content from /var/www/html, we can use an .htaccess file to handle the redirection.

1. SSH into your server.
2. Edit or create the .htaccess file in the default document root:

nano /var/www/html/.htaccess

3. Add the following rules:

Options +FollowSymLinks
RewriteEngine On

# 1. Force HTTPS
RewriteCond %{HTTPS} off
# E se NÃO for um envio de dados (POST)...
RewriteCond %{REQUEST_METHOD} !=POST
# Então redireciona para HTTPS. Isso protege o login de quebrar.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# FIX FOR MOBILE ISSUE LOGIN (optional)
#RewriteRule ^CMD_LOGIN$ https://server.example.com:2222/CMD_LOGIN [P,L]

# DO NOT PROXY THIS URI
RewriteCond %{REQUEST_URI} !^/phpMyAdmin [NC]
RewriteCond %{REQUEST_URI} !^/phpmyadmin [NC]
RewriteCond %{REQUEST_URI} !^/roundcube [NC]
RewriteCond %{REQUEST_URI} !^/webmail [NC]


# 2. Proxy Reverse to DirectAdmin
# IMPORTANT: The target URL below must match the "Name" you created in Step 1 exactly.
RewriteCond %{HTTP_HOST} ^server\.example\.com(:.*)?$ [NC]
RewriteRule ^(.*)$ https://DirectAdmin/$1 [P,L]

Replace server.example.com with your actual hostname.

Copy and change owner .htaccess file (fix for mobile access)

cp /var/www/html/.htaccess /home/admin/domains/sharedip/.htaccess && chown admin:admin /home/admin/domains/sharedip/.htaccess

Step 3: Apply Changes​

1. Go back to the LSWS WebAdmin Console.
2. Perform a Graceful Restart of LiteSpeed.

Step 4: DirectAdmin Configuration Check​

Ensure you do not have a forced redirect loop configured in DirectAdmin.Check your directadmin.conf:

/usr/local/directadmin/directadmin c | grep ssl_redirect_host

If this returns a value, you should disable it, as the .htaccess is now handling the SSL forcing.

Step 5: WHMCS template (optional)​

File: /templates/twenty-one-child/clientareaproductdetails.tpl

Find:

{if $moduleclientarea} {$moduleclientarea} {/if}

Replace For:

{if $moduleclientarea}
                                <div class="text-center module-client-area" style="display: flex; flex-wrap: wrap; justify-content: center; gap: 10px;">
                                   
                                    {* --- Variável Comum: Campo Hidden de Logout --- *}
                                    {assign var="meuCampoHidden" value='<input type="hidden" name="LOGOUT_URL" value="https://yourdomain-logout-url-destination/"> </form>'}
                           
                                    {* --- BOTÃO 1: Login Principal (Mantém a porta :2222 original) --- *}
                                    {* Apenas injetamos o campo de logout no form original *}
                                    {$moduleclientarea|replace:'</form>':$meuCampoHidden}
                           
                                    {* --- BOTÃO 2: Login Alternativo (Sem a porta :2222) --- *}
                                    {* Passo 1: Pegamos o HTML original *}
                                    {assign var="formAlt" value=$moduleclientarea}
                           
                                    {* Passo 2: Removemos a porta :2222 da URL de ação do form *}
                                    {assign var="formAlt" value=$formAlt|replace:':2222':''}
                           
                                    {* Passo 3: Alteramos o TEXTO do botão para indicar que é a via alternativa *}
                                    {assign var="formAlt" value=$formAlt|replace:'value="Login no DirectAdmin"':'value="Login Alternativo"'}
                           
                                    {* Passo 4: Alteramos o ESTILO para diferenciar visualmente (Cinza) *}
                                    {assign var="formAlt" value=$formAlt|replace:'class="button"':'class="button" style="background-color: #6c757d; border-color: #6c757d;"'}
                           
                                    {* Passo 5: Injeta o logout e renderiza o botão alternativo *}
                                    {$formAlt|replace:'</form>':$meuCampoHidden}
                           
                                </div>
                            {/if}

 

[souzadavi]

I encountered an issue with the configuration mentioned above specifically when users try to connect via third-party mobile apps (e.g., clicking a link inside WhatsApp).

Since I haven't found a direct fix for the mobile app behavior yet, I implemented a workaround by adding a secondary button to the WHMCS product details page. This allows the user to choose between the standard proxy connection (default) or an alternative login using port 2222 if the first one fails.

Here is the code snippet:

{if $moduleclientarea}
    <div class="text-center module-client-area" style="display: flex; flex-wrap: wrap; justify-content: center; gap: 10px;">
       
        {* --- Common Variable: Hidden Logout Field --- *}
        {assign var="myHiddenField" value='<input type="hidden" name="LOGOUT_URL" value="https://www.yourdomain.com.br/"> </form>'}

        {* --- BUTTON 1: Standard Login (No Port / Proxy) --- *}
        {* Remove :2222 if it exists and inject logout *}
        {$moduleclientarea|replace:':2222':''|replace:'</form>':$myHiddenField}


        {* --- BUTTON 2: Alternative Login (Port 2222) --- *}
        {* Step 1: Get the original HTML (which usually contains port 2222) *}
        {assign var="formAlt" value=$moduleclientarea}

        {* Step 2: Change button TEXT to indicate it is an alternative *}
        {assign var="formAlt" value=$formAlt|replace:'value="Login no DirectAdmin"':'value="Login Alternativo (2222)"'}

        {* Step 3: Change button STYLE (optional, to make it distinct/grey) *}
        {assign var="formAlt" value=$formAlt|replace:'class="button"':'class="button" style="background-color: #555; border-color: #555;"'}

        {* Step 4: Inject logout and Render *}
        {$formAlt|replace:'</form>':$myHiddenField}

    </div>
{/if}

 

[souzadavi]

I updated the tutorial above to fix mobile login error.