Nginx template for redirecting users to HestiaCP dashboard

I am trying to redirect my clients to HestiaCP using the subdomain panel.clientdomain.tld.

Details:

  • I am using port 2083 for the dashboard and have added a tpl and stpl.
  • I added an alias to the domain as panel.domain.tld and issued a Let’s Encrypt certificate without any issues.
  • I added an A record pointing panel.clientdomain.tld to the server IP.
  • The result is a bad certificate domain error because the certificate is pointing to the domain of my server, and the installed certificate is for hostname.mydomain.tld.

Error in Firefox:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for panel.clientdomain.tld:2083. The certificate is only valid for my.server.tld.

/usr/local/hestia/data/templates/web/nginx/default-redirect-cli2083.stpl

server {
    listen      %ip%:%proxy_ssl_port% ssl;
    server_name %domain_idn% %alias_idn%;
    error_log   /var/log/%web_system%/domains/%domain%.error.log error;

    ssl_certificate     %ssl_pem%;
    ssl_certificate_key %ssl_key%;
    ssl_stapling        on;
    ssl_stapling_verify on;

    # TLS 1.3 0-RTT anti-replay
    if ($anti_replay = 307) { return 307 https://$host$request_uri; }
    if ($anti_replay = 425) { return 425; }

    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    location / {
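        # nginx has no "else": the panel host is proxied inside the if,
        # every other host falls through to the default proxy_pass below.
        if ($host = 'panel.%domain%') {
            proxy_pass https://%ip%:2083;
        }

        proxy_pass https://%ip%:%web_ssl_port%;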

        location ~* ^.+\.(%proxy_extensions%)$ {
            try_files $uri @fallback;
            root %sdocroot%;
            access_log /var/log/%web_system%/domains/%domain%.log combined;
            access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires max;
        }
    }

    location @fallback {
        proxy_pass https://%ip%:%web_ssl_port%;
    }

    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }

    proxy_hide_header Upgrade;

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}


/usr/local/hestia/data/templates/web/nginx/default-redirect-cli2083.tpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

server {
	listen      %ip%:%proxy_port%;
	server_name %domain_idn% %alias_idn%;
	error_log   /var/log/%web_system%/domains/%domain%.error.log error;

	include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

	location ~ /\.(?!well-known\/|file) {
		deny all;
		return 404;
	}

	location / {
		if ($host = 'panel.%domain%') {
			return 301 https://$host:2083$request_uri;
		}

		proxy_pass http://%ip%:%web_port%;

		location ~* ^.+\.(%proxy_extensions%)$ {
			try_files  $uri @fallback;

			root       %docroot%;
			access_log /var/log/%web_system%/domains/%domain%.log combined;
			access_log /var/log/%web_system%/domains/%domain%.bytes bytes;

			expires    max;
		}
	}

	location @fallback {
		proxy_pass http://%ip%:%web_port%;
	}

	location /error/ {
		alias %home%/%user%/web/%domain%/document_errors/;
	}

	include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}

Is there another approach to achieve this?
Thanks for the help :slightly_smiling_face:

if ($host = 'panel.%domain%') {
    return 301 https://$host:2083$request_uri;
}

You should return
return 301 https://panel.%domain% instead

Take a look at:

And replace 8083 with 2083; this will always remove the :xxx requirement …

Hey @eris, I get the idea, but I’m still stuck.

I’m trying to use panel.domain.com as a way for customers to access their control panel instead of domain.com.

I changed the port in your template to 2083, but I’m running into two problems:

  1. When customers go to domain.com, it redirects them to domain.com/login, so they can’t see their webpage.
  2. panel.domain.com redirects correctly to panel.domain.com/login, but there’s a certificate issue. The browser picks up the certificate from the server where Hestia is installed, not the one that includes ‘panel.domain.com’.

I tried tweaking the templates, but no luck so far :smiling_face_with_tear:

Yes, because by default Hestia is hostname.com:8083.

Two things: You have 2 options:

  1. Create panel.domain.com in each user account and assign the cp.tpl to it. It should work fine.

  2. Or redirect to hostname.com:2083
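
To confirm which listener serves a certificate that covers the name the browser asked for (the mismatch reported on port 2083 in this thread), here is an added diagnostic example; it is not part of the original posts or of HestiaCP. The SAN lists in `SAMPLE` are constructed from the hostnames used in the thread, and `served_san_names` (the live check) assumes the served chain is publicly trusted.

```python
import socket
import ssl

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        # A wildcard covers exactly one label, never the bare parent domain.
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return False

def covers(san_names, host):
    return any(name_matches(n, host) for n in san_names)

def served_san_names(host, port, timeout=5.0):
    """DNS SANs of the certificate served for SNI=host at host:port (needs network)."""
    ctx = ssl.create_default_context()
    # Keep chain validation but skip the name check, so a certificate issued
    # for a different hostname can still be inspected instead of aborting.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def diagnose(endpoints, fetch=served_san_names):
    """Map 'host:port' -> (name covered?, SAN list) for each (host, port)."""
    report = {}
    for host, port in endpoints:
        names = fetch(host, port)
        report[f"{host}:{port}"] = (covers(names, host), names)
    return report

# Constructed sample: SAN lists each listener in the thread would present.
SAMPLE = {
    ("panel.clientdomain.tld", 443): ["clientdomain.tld", "panel.clientdomain.tld"],
    ("panel.clientdomain.tld", 2083): ["my.server.tld"],  # panel port, hostname cert
    ("my.server.tld", 2083): ["my.server.tld"],           # redirect to the hostname
}

if __name__ == "__main__":
    offline = diagnose(SAMPLE, fetch=lambda h, p: SAMPLE[(h, p)])
    for endpoint, (ok, names) in offline.items():
        print(f"{endpoint:30} {'OK' if ok else 'MISMATCH'}  {names}")
```

Calling `diagnose([("panel.clientdomain.tld", 2083)])` without the `fetch` argument runs the same check against the live listener.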
