Access panel with domain name

Hi, I want to access the panel using a domain name like panel.domain.tld. I’ve added DNS records but I still can’t log in through the domain. How can I configure it?

Yes, you can. HCP can be accessed through any local domain as long as it points to the server’s main IP & port.
Note - If you are using Cloudflare DNS, the panel.domain record must be grey cloud (No Proxy).

Actually I’m finding ways to block this. HCP must not listen via any domains. 🙂


Hi rmjtechnologies,
Thank you for your valuable replies.
But as developers, we should make this easier & think of future upgrade paths. What do you think about the approach below?

Adding the single line below to '/usr/local/hestia/web/inc/main.php'?

// START: check if this request came from the server's assigned hostname
$referer = strtok($_SERVER['HTTP_HOST'], ':'); // Host header with any :port stripped
if ($referer != exec('hostname')) {
    header("Location: //$referer"); exit; // redirect to the requested domain itself
}
// END

The above code will check:

  • Whether the requesting domain matches the hostname assigned on HCP.
  • If it does not match, redirect to the referrer domain itself & do not let it use HCP.

Your suggestion is nice, but I think that any modification made to /usr/local/hestia/web/inc/main.php will be overwritten when Hestia is updated.
I don’t think this is the case for /usr/local/hestia/nginx/conf/nginx.conf.

Haha. I provided the suggestion for the HCP team to include in main.php, as this is another security enhancement.

We may drill through more enhancement steps to VALIDATE/CHECK if there is any option from the panel itself too.

  1. Like if the user wants to restrict by hostname
  2. Like if the user doesn’t want to restrict

Hi @rmjtechnologies,

  • The PHP approach (file: main.php) I mentioned was inside the server’s UI files, which are controlled internally by HCP variables only.
  • HTTP_HOST - yes, it is easy to spoof. But this suggestion is to minimise the chances. If you have 100 domains on your server, a hacker could try his luck port scanning any of those 100 domains & get a higher chance of finding the HCP:port easily. If we restrict to the server’s hostname/IP only, the chances are much lower for hackers.
  • The file of course will be overwritten; that’s why we are requesting the HCP team to consider it as a core file.
  • The linked forum answer says AS IS & asks us to submit a pull request for consideration.

I think in combination with the nginx rate limiter it would be a nice add-on.
See https://github.com/hestiacp/hestiacp/issues/784

With the current suggestion it’s not useful and could hinder in some cases when multiple servers are set up behind physical firewalls and other cases.

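A stricter form of the Host check discussed in this thread, as an added example that is not part of any post and not Hestia's own code: it matches the Host header against an explicit allowlist (hostname plus server IP), handles ports and bracketed IPv6 literals, and answers with an error status instead of redirecting to the client-supplied name. The function names, the use of gethostname() and the sample addresses are assumptions.

```php
<?php
// Added example, not Hestia code: function names and sample values are hypothetical.

// Return the normalised host part of a Host header, or null if it is malformed.
function panel_host_from_header(?string $header): ?string
{
    // Accept only "[IPv6]" or "name/IPv4", each with an optional ":port".
    $re = '/^(?:\[([0-9a-f:.]+)\]|([a-z0-9.-]+))(?::\d{1,5})?$/iD';
    if ($header === null || !preg_match($re, $header, $m)) {
        return null;
    }
    $host = ($m[1] !== '') ? $m[1] : $m[2];
    $host = rtrim(strtolower($host), '.'); // case-insensitive, ignore trailing dot
    return $host === '' ? null : $host;
}

// True only when the Host header names one of the allowed panel addresses.
// IPv6 entries must be written in the same textual form the clients use.
function panel_host_allowed(?string $header, array $allowed): bool
{
    $host = panel_host_from_header($header);
    $allowed = array_map('strtolower', array_filter($allowed, 'is_string'));
    return $host !== null && in_array($host, $allowed, true);
}

// Allowlist: the system hostname (gethostname() stands in for the thread's
// exec('hostname')) plus the server's main IP (constructed sample address).
$allowed = [gethostname(), '203.0.113.10'];

if (PHP_SAPI !== 'cli') {
    // Web context: answer with an error instead of redirecting to the
    // client-supplied name, so the Host value is never reflected back.
    if (!panel_host_allowed($_SERVER['HTTP_HOST'] ?? null, $allowed)) {
        http_response_code(403);
        exit;
    }
} else {
    // CLI demo over constructed Host header values.
    $samples = ['203.0.113.10:8083', 'hosted-site.example:8083', '[2001:db8::1]:8083', 'a.example/x'];
    foreach ($samples as $h) {
        printf("%-26s %s\n", $h, panel_host_allowed($h, $allowed) ? 'allowed' : 'rejected');
    }
}
```

Because the Host header is client-controlled, as noted in the thread, this only narrows which names reach the login page and is not an access control by itself; extra names for setups with several servers can be added to the allowlist.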