
IP Filtering

This is an extra level of security for the SolusVM Admin Area. You can filter IP addresses using the whitelist, but you can go one step further and filter them at the web-server level.

An example of how to activate this kind of filtering is given below.

1. Edit /etc/lighttpd/lighttpd.conf and insert the following code:

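# The pattern is anchored and its dots escaped so that only the exact
# addresses match; an unanchored "10.0.0.5" would also match 10.0.0.50.
$HTTP["remoteip"] !~ "^(10\.0\.0\.5|10\.0\.0\.6)$" {
  $HTTP["url"] =~ "^/admincp" {
    url.access-deny = ( "" )
  }
}

Replace 10.0.0.5 and/or 10.0.0.6 with the IP address(es) that should be allowed to access the admin area.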

2. Restart lighttpd:

service lighttpd restart
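
The remoteip test in step 1 is a regular-expression match, so a pattern without anchors and escaped dots also admits any client address that merely contains an allowed one. This added example (not SolusVM's own code; the function names are hypothetical and Python's re stands in for lighttpd's regex engine) builds an anchored pattern from a list of IPv4 addresses and compares which constructed client addresses each pattern admits.

```python
import ipaddress
import re


def build_remoteip_pattern(allowed):
    """Return an anchored regex matching only the exact IPv4 addresses given."""
    parts = []
    for addr in allowed:
        ip = ipaddress.IPv4Address(addr)   # ValueError on typos such as 10.0.0.256
        parts.append(re.escape(str(ip)))   # 10.0.0.5 -> 10\.0\.0\.5
    if not parts:
        raise ValueError("refusing to build an empty allowlist")
    return "^(" + "|".join(parts) + ")$"


def render_stanza(allowed):
    """Render the step 1 block for /admincp with the anchored pattern."""
    return (
        '$HTTP["remoteip"] !~ "%s" {\n'
        '  $HTTP["url"] =~ "^/admincp" {\n'
        '    url.access-deny = ( "" )\n'
        '  }\n'
        '}\n' % build_remoteip_pattern(allowed)
    )


def admitted(pattern, client_ip):
    """True if client_ip matches the pattern, i.e. escapes the deny block."""
    return re.search(pattern, client_ip) is not None


def audit(pattern, probes):
    """Return the probe addresses that the pattern lets through."""
    return [ip for ip in probes if admitted(pattern, ip)]


# Constructed sample data: the page's two addresses plus look-alike clients.
ALLOWED = ["10.0.0.5", "10.0.0.6"]
PROBES = ["10.0.0.5", "10.0.0.6", "10.0.0.50", "10.0.0.61",
          "110.0.0.5", "210.0.0.6", "10.0.0.7", "192.168.1.10"]

if __name__ == "__main__":
    print("unanchored admits:", audit("10.0.0.5|10.0.0.6", PROBES))
    print("anchored admits:  ", audit(build_remoteip_pattern(ALLOWED), PROBES))
    print(render_stanza(ALLOWED))
```
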

Htpasswd authentication

You can protect the AdminCP with an additional authentication level using htpasswd.

1. Enable mod_auth in lighttpd.

2. Edit /etc/lighttpd/lighttpd.conf on your master and check that mod_auth is enabled. The server.modules stanza should look like this:

server.modules = (
    "mod_auth",
    "mod_access",
    "mod_fastcgi",
    "mod_accesslog"
)

3. Add the following section to your /etc/lighttpd/lighttpd.conf:

auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/usr/local/solusvm/.admincp-htpasswd"
auth.require = ("/admincp" => (
    "method"  => "basic",
    "realm"   => "",
    "require" => "valid-user"
))

4. The end result should look like this:
server.modules              = (
                                "mod_auth",
                                "mod_access",
                                "mod_fastcgi",
                                "mod_accesslog" )
                                                                
server.document-root        = "/usr/local/solusvm/www/"
server.errorlog             = "/var/log/lighttpd/error.log"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm" )

mimetype.assign             = (
  ".pdf"          =>      "application/pdf",
  ".gz"           =>      "application/x-gzip",
  ".tar.gz"       =>      "application/x-tgz",
  ".tgz"          =>      "application/x-tgz",
  ".tar"          =>      "application/x-tar",
  ".zip"          =>      "application/zip",
  ".gif"          =>      "image/gif",
  ".jpg"          =>      "image/jpeg",
  ".jpeg"         =>      "image/jpeg",
  ".png"          =>      "image/png",
  ".css"          =>      "text/css",
  ".html"         =>      "text/html",
  ".htm"          =>      "text/html",
  ".js"           =>      "text/javascript",
  ".log"          =>      "text/plain",
  ".conf"         =>      "text/plain",
  ".text"         =>      "text/plain",
  ".txt"          =>      "text/plain",
  ".dtd"          =>      "text/xml",
  ".xml"          =>      "text/xml",
  ".bz2"          =>      "application/x-bzip",
  ".tbz"          =>      "application/x-bzip-compressed-tar",
  ".tar.bz2"      =>      "application/x-bzip-compressed-tar",
  ""              =>      "application/octet-stream",
 )

server.tag                 = "SolusVM" 
accesslog.filename          = "/var/log/lighttpd/access.log"

auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/usr/local/solusvm/.admincp-htpasswd"
auth.require = ("/admincp" => (
    "method"  => "basic",
    "realm"   => "",
    "require" => "valid-user"
))

url.access-deny             = ( "~", ".inc" )

$HTTP["url"] =~ "\.pdf$" {
  server.range-requests = "disable"
}

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

fastcgi.server             = ( ".php" =>
                               ( "localhost" =>
                                 (
                                   "socket" => "/var/run/lighttpd/php-fastcgi.socket",
                                   "bin-path" => "/usr/bin/php-cgi"
                                 )
                               )
                            )

server.port                = 5353
server.pid-file            = "/var/run/lighttpd.pid"
server.username            = "solusvm"
server.groupname           = "solusvm"

$SERVER["socket"] == "0.0.0.0:5656" {
  ssl.engine = "enable"
  ssl.pemfile = "/usr/local/solusvm/ssl/cert.pem"
}

5. Create the password file:

htpasswd -c /usr/local/solusvm/.admincp-htpasswd SAMPLEUSERNAME

The htpasswd tool may not be installed on your server because it is part of httpd. There are plenty of online generators you can use, e.g. http://www.htaccesstools.com/htpasswd-generator/

6. Restart lighttpd:

service lighttpd restart

