In this post I will explain how to ensure your WHM/CPanel installation is accessed securely using SSL (HTTPS).

WHM and CPanel support SSL out of the box, as long as you connect to the right port.  The default SSL port for WHM is 2087, and the default SSL port for CPanel is 2083.  CPanel Webmail uses port 2096 for SSL by default.

  • Default WHM SSL port: 2087
    Example:  https://yourdomain.com:2087
  • Default CPanel SSL port: 2083
    Example: https://yourdomain.com:2083
  • Default CPanel Webmail Port: 2096
    Example: https://yourdomain.com:2096

However, the words whm, cpanel, and webmail are a lot easier to remember than port numbers like 2087, 2083, or 2096. So, I prefer to log in by putting them at the end of the URL.  Like this:

  • WHM: http://yourdomain.com/whm
  • CPanel: http://yourdomain.com/cpanel
  • Webmail: http://yourdomain.com/webmail

Unfortunately, by default these URLs point to the insecure ports, and not the SSL ones.  Sure, you can use “/securewhm” instead of “/whm” or “/securecpanel” instead of “/cpanel”, but that’s more typing, and there is no “/securewebmail” alias by default.  Besides, why would you ever want to log into these services without SSL?  Fortunately, you can change this behavior and have all of these URLs point to the SSL ports.

In Apache’s configuration file (httpd.conf), there are a number of ScriptAlias directives that tell Apache to point the above URLs to the appropriate scripts.  They’ll look something like this:

ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
#ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?webmail/?$ /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
#ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi

Notice the two lines preceded by a ‘#’.  These lines tell Apache to point “/whm” and “/cpanel” to the SSL redirection scripts, but they are commented out.  Because of the way WHM/CPanel handles httpd.conf, we cannot just manually edit these entries.  The httpd.conf file is generated by WHM/CPanel, and our manual edits will be overwritten when it is regenerated.  The easiest way to override these settings is to use WHM’s built-in Include Editor.  Here’s how:

  1. In the WHM main menu, under Service Configuration, click Apache Setup.
  2. On the Apache Setup page, click “Include Editor”.
  3. The most appropriate include to use for this is the Pre Virtual Host Include.
  4. Under Pre Virtual Host Include, click the “Select an Apache Version” menu, and select “All Versions”.
  5. A text area will open up.  In this text area, paste the following text:
    ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
  6. Click the Update button.
  7. Wait for it to tell you that your include file was saved.
  8. Click the Restart Apache button.

Now try going to the standard “/whm” and “/cpanel” URLs for your site.

That takes care of WHM and CPanel, but we haven’t fixed the “/webmail” URL yet.  There isn’t a separate SSL script for webmail like there is for WHM and CPanel.  Instead, we need to edit the script manually:

  1. Open up “/usr/local/cpanel/cgi-sys/wredirect.cgi” in your favorite text editor.
  2. Find the line that says “ssl => 0);”.
  3. Change the ‘0’ to a ‘1’ and save the file.

Now try going to your “/webmail” URL.  You should be taken to the SSL port.
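
To confirm the change without clicking through a browser, here is an added example (not part of the original post) that requests each alias over plain HTTP and checks that the redirect target is HTTPS on the default SSL port listed above. It assumes the redirect scripts answer with an HTTP Location header; the function names are illustrative.

```shell
#!/bin/sh
# Added example: check that /whm, /cpanel and /webmail redirect to the SSL ports.
# Assumption: the cgi-sys redirect scripts reply with a "Location:" header.

# expected_port ALIAS -> prints the default SSL port the post lists for ALIAS
expected_port() {
    case "$1" in
        whm)     echo 2087 ;;
        cpanel)  echo 2083 ;;
        webmail) echo 2096 ;;
        *)       return 1 ;;
    esac
}

# check_redirect ALIAS  (reads raw HTTP response headers on stdin)
# Returns 0 only if the Location header is https:// on the expected SSL port.
check_redirect() {
    port=$(expected_port "$1") || { echo "unknown alias: $1" >&2; return 2; }
    # Strip CRs, then take the first Location header (header names are case-insensitive)
    loc=$(tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }')
    case "$loc" in
        https://*:"$port"|https://*:"$port"/*) return 0 ;;
        *) echo "FAIL /$1 -> ${loc:-<no Location header>}" >&2; return 1 ;;
    esac
}

# audit_host HOST: live check of all three aliases (needs curl and network access)
audit_host() {
    rc=0
    for a in whm cpanel webmail; do
        # -D - dumps the response headers to stdout; the body is discarded
        curl -s -o /dev/null -D - --max-time 10 "http://$1/$a" \
            | check_redirect "$a" || rc=1
    done
    return $rc
}
```

Run `audit_host yourdomain.com` after restarting Apache; a non-zero exit status means at least one alias still redirects somewhere other than its SSL port.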

That’s all for this tip.  If you got invalid certificate errors when connecting using SSL, you’re probably using the default self-signed cert installed with WHM.  Changing the certificate that WHM, CPanel, and CPanel Webmail use is something I’ll cover in a future blog entry.