Disallow Direct IP Browsing on WHM/cPanel Servers

Last Updated 2022-09-07 by Kevin Roth

Some Linux web servers answer requests made directly to the server's IP address instead of to a hosted domain name. This can be disabled for security purposes.

Modify Apache main default template

  1. Create a custom Apache main defaults template:

    $ sudo cp /var/cpanel/templates/apache2_4/ea4_main.default /var/cpanel/templates/apache2_4/ea4_main.local
    $ sudo nano /var/cpanel/templates/apache2_4/ea4_main.local
    
  2. Under "Define default vhosts for shared IPs", add the following after the ServerAdmin line:

        # KJR 2022-04-01 Disallow direct IP browsing
        RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
        RewriteRule ^(.*)$ / [L,R=403]
        ErrorDocument 403 "Sorry, direct IP access not allowed."
    

Modify Apache Pre Main Include

  1. In WHM, go to Apache Configuration -> Include Editor. Under "Pre Main Include", select "All Versions" and add the following:

    # Enforce SNI to disable direct IP browsing
    SSLStrictSNIVHostCheck on
    
  2. You will be prompted to restart Apache after modifying the pre main include. Restart the service.

Nginx Config

If you are running Nginx as a reverse proxy, you must set the proxy_ssl_server_name setting to "on" in order to pass the server name through TLS Server Name Indication (SNI).

Add the following to one of your Nginx config files (found in /etc/nginx/conf.d/):

    proxy_ssl_server_name on;
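
One way to confirm the result once Apache has restarted, as an added example that is not part of the original gist: the script requests the server by IP over HTTP and HTTPS and expects a refusal, then checks that the DCV path exempted by the RewriteCond is not answered with 403. The address 203.0.113.10, the DCV file name and the FETCH override are constructed for illustration; it assumes the rewrite rule covers port 80 and that an HTTPS request without SNI ends in a 403 or a failed connection.

```bash
#!/usr/bin/env bash
# Added example: confirm direct-IP requests are refused after the changes.
# Usage: ./check-direct-ip.sh 203.0.113.10   (constructed documentation IP)

# Constructed 32-hex-digit name that matches the DCV exemption in the RewriteCond.
DCV_PATH='/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt'

# Print the HTTP status for a URL, or 000 if the connection or handshake fails.
# -k: no certificate is valid for a bare IP. curl sends no SNI for an IP literal.
http_code() {
    curl -sk -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# 403 = refused by the rewrite rule or the strict SNI check; 000 = no connection.
is_blocked() {
    case "$1" in
        403|000) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check one IP; returns the number of failed checks. FETCH (hypothetical
# override) names the function that fetches a status, for offline testing.
check_ip() {
    ip=$1; fetch=${FETCH:-http_code}; failures=0
    for url in "http://$ip/" "https://$ip/"; do
        code=$("$fetch" "$url")
        if is_blocked "$code"; then
            echo "PASS $url -> $code"
        else
            echo "FAIL $url -> $code (still browsable by IP)"
            failures=$((failures + 1))
        fi
    done
    # The exempted DCV path must not get 403; a missing file should give 404.
    code=$("$fetch" "http://$ip$DCV_PATH")
    case "$code" in
        403) echo "FAIL DCV path -> 403 (exemption not applied)"
             failures=$((failures + 1)) ;;
        000) echo "SKIP DCV path -> no HTTP connection" ;;
        *)   echo "PASS DCV path -> $code" ;;
    esac
    return "$failures"
}

# Run only when an IP is given on the command line.
if [ "$#" -gt 0 ]; then check_ip "$1"; fi
```

The exit status is the number of failed checks, so the script can be run from a post-change checklist or a monitoring job.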