Setup an automatic reverse proxy in external server

Operating System & Version
CloudLinux

Santiago Rodriguez

Registered
Oct 24, 2022
Costa Rica
cPanel Access Level
Root Administrator
Hello,
It's my first post in this forum.

I want to create a web hosting service with cPanel, but I want to hide the real server IP. I think that I can use a reverse proxy, but I see that I need to add each domain manually to the reverse proxy, and I don't know how to point the domains to the reverse proxy and keep the cPanel DNS working.

I want to create a reverse proxy on another server so that I don't need to add each domain manually to the proxy and the domains are automatically pointed to the reverse proxy, while the cPanel DNS tool keeps working.

rbairwell

Well-Known Member
May 28, 2022
Mansfield, Nottingham, UK
cPanel Access Level
Root Administrator
I want to create a web hosting service with cPanel, but I want to hide the real server IP,
The easiest way to do this would be to use a service such as Cloudflare or Fastly which will act as the proxy server - along with offering DoS protection and a whole host of other things.

I want to create a reverse proxy in another server that I don't need to add each domain manually to the proxy and the domains be automatically pointed to the reverse proxy keeping working the cPanel DNS tool.
The best way I can think of achieving this is by having your proxy server (whose IP address will still be known to the general internet) forward the port requests to your web server - IPTables can do this: however, be aware that a request for a page will hit your proxy server, which will then forward it to your main server, which will then reply with the content which the proxy server will have to send on - there'll be a delay at each stage and your bandwidth usage (which may just be internal if both servers are in the same location) will double. This is why the CDN providers such as Cloudflare cache the content. Oh - and don't forget you've got the cost of running the second server as well.

keeping working the cPanel DNS tool
You should be able to change the Zone template files in WHM to always reflect the proxy server (and so will ignore the web server's own IP address) and then if you have these zones slaved to a third party name service such as CloudNS then the name requests won't hit your main server and it'll remain relatively hidden.

Personally, I think that cPanel is the wrong tool for what you are trying to achieve and I do feel you have underestimated the complexities of running a "hidden web service": whilst using a CDN or IP forwarding and 3rd party name servers will keep things reasonably hidden, there will be ways of finding out the IP address of the server (if you let customers sign up and upload files, it'll be easy enough for them to make a script which will reveal the real IP address, hostname etc).

Santiago Rodriguez

Registered
Oct 24, 2022
Costa Rica
cPanel Access Level
Root Administrator
Thanks @rbairwell
I have these iptables rules, am I right?:

-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination cpanel-ip:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination cpanel-ip:443
-A PREROUTING -p tcp -m tcp --dport 2083 -j DNAT --to-destination cpanel-ip:2083
-A PREROUTING -p tcp -m tcp --dport 2087 -j DNAT --to-destination cpanel-ip:2087
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination cpanel-ip:3306
-A PREROUTING -p tcp -m tcp --dport 20 -j DNAT --to-destination cpanel-ip:20
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination cpanel-ip:21
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination cpanel-ip:25
-A PREROUTING -p tcp -m tcp --dport 26 -j DNAT --to-destination cpanel-ip:26
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination cpanel-ip:53
-A PREROUTING -p tcp -m tcp --dport 110 -j DNAT --to-destination cpanel-ip:110
-A PREROUTING -p tcp -m tcp --dport 143 -j DNAT --to-destination cpanel-ip:143
-A PREROUTING -p tcp -m tcp --dport 465 -j DNAT --to-destination cpanel-ip:465
-A PREROUTING -p tcp -m tcp --dport 587 -j DNAT --to-destination cpanel-ip:587
-A PREROUTING -p tcp -m tcp --dport 873 -j DNAT --to-destination cpanel-ip:873
-A PREROUTING -p tcp -m tcp --dport 993 -j DNAT --to-destination cpanel-ip:993
-A PREROUTING -p tcp -m tcp --dport 995 -j DNAT --to-destination cpanel-ip:995
-A PREROUTING -p tcp -m tcp --dport 2077 -j DNAT --to-destination cpanel-ip:2077
-A PREROUTING -p tcp -m tcp --dport 2078 -j DNAT --to-destination cpanel-ip:2078
-A PREROUTING -p tcp -m tcp --dport 2082 -j DNAT --to-destination cpanel-ip:2082
-A PREROUTING -p tcp -m tcp --dport 2086 -j DNAT --to-destination cpanel-ip:2086
-A PREROUTING -p tcp -m tcp --dport 2089 -j DNAT --to-destination cpanel-ip:2089
-A PREROUTING -p tcp -m tcp --dport 2091 -j DNAT --to-destination cpanel-ip:2091
-A PREROUTING -p tcp -m tcp --dport 2095 -j DNAT --to-destination cpanel-ip:2095
-A PREROUTING -p tcp -m tcp --dport 2096 -j DNAT --to-destination cpanel-ip:2096
-A PREROUTING -p tcp -m tcp --dport 2195 -j DNAT --to-destination cpanel-ip:2195
-A PREROUTING -p tcp -m tcp --dport 2703 -j DNAT --to-destination cpanel-ip:2703
-A PREROUTING -p tcp -m tcp --dport 6277 -j DNAT --to-destination cpanel-ip:6277
-A PREROUTING -p tcp -m tcp --dport 24441 -j DNAT --to-destination cpanel-ip:24441
-A PREROUTING -p tcp -m tcp --dport 2079 -j DNAT --to-destination cpanel-ip:2079
-A PREROUTING -p tcp -m tcp --dport 2080 -j DNAT --to-destination cpanel-ip:2080
-A PREROUTING -p tcp -m tcp --dport 1 -j DNAT --to-destination cpanel-ip:1
-A PREROUTING -p tcp -m tcp --dport 7 -j DNAT --to-destination cpanel-ip:7
-A PREROUTING -p tcp -m tcp --dport 37 -j DNAT --to-destination cpanel-ip:37
-A PREROUTING -p tcp -m tcp --dport 43 -j DNAT --to-destination cpanel-ip:43
-A PREROUTING -p tcp -m tcp --dport 113 -j DNAT --to-destination cpanel-ip:113
-A POSTROUTING -j MASQUERADE

If I'm right, I have the IP forwarding ready; now I need to change the cPanel DNS zone templates and set up the name servers.

I'm new to cPanel, and now my question is: what do I need to change in Zone Templates, and how?

And how do I set up the nameservers? Only add two A records, ns1 and ns2, with the IP of the proxy server?
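The rule list above is in iptables-save syntax but omits the table header, the UDP side of DNS, and any scoping of the MASQUERADE rule. The script below is an added example (not from this thread, not cPanel's code) that generates a complete nat table for iptables-restore from a port list. The origin address 203.0.113.10 and the port lists are constructed placeholders; replace them with your own. It assumes that net.ipv4.ip_forward=1 is set on the proxy, which DNAT requires.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore "nat" table that
# forwards the given ports from the proxy host to the origin cPanel server.
# 203.0.113.10 is a constructed placeholder for the origin (real cPanel) IP.
#
# Prerequisite on the proxy (not done here): sysctl -w net.ipv4.ip_forward=1
# Apply with:  gen_dnat_rules 203.0.113.10 "$TCP_PORTS" "$UDP_PORTS" | iptables-restore -n
# (-n / --noflush appends to the running tables instead of replacing them)

# cPanel service ports from the rule list above, minus the legacy ones (1, 7, 37,
# 43, 113) and minus 873/3306, which rarely need to be reachable from the internet.
# Prune this further to what your customers actually use: every port here becomes
# publicly reachable through the proxy.
TCP_PORTS="20 21 25 26 53 80 110 143 443 465 587 993 995 2077 2078 2079 2080 2082 2083 2086 2087 2089 2091 2095 2096 2195 2703 6277 24441"
# Most DNS queries are UDP; only large answers and zone transfers use TCP, so a
# rule set that forwards 53/tcp alone never delivers ordinary queries to the origin.
UDP_PORTS="53"

gen_dnat_rules() {
    origin="$1"; tcp_ports="$2"; udp_ports="$3"
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for p in $tcp_ports; do
        printf '%s\n' "-A PREROUTING -p tcp -m tcp --dport $p -j DNAT --to-destination $origin:$p"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A PREROUTING -p udp -m udp --dport $p -j DNAT --to-destination $origin:$p"
    done
    # Rewrite the source only for packets that are really headed for the origin
    # (the destination was already changed by DNAT when POSTROUTING sees them),
    # so unrelated traffic leaving the proxy keeps its real source address.
    printf '%s\n' "-A POSTROUTING -d $origin -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Example run (prints the table to stdout):
gen_dnat_rules 203.0.113.10 "$TCP_PORTS" "$UDP_PORTS"
```

Two consequences of this design are worth knowing before relying on it. Because of the MASQUERADE rule, every connection arrives at the origin with the proxy's address as its source, so Apache and mail logs and any brute-force protection on the cPanel server (cPHulk, a host firewall) see a single client IP; the alternative is to drop MASQUERADE and give the origin the proxy as its default gateway so that replies route back through it. And this is port forwarding, not a reverse proxy: TLS still terminates on the origin, so the proxy cannot inspect or cache anything, which is the trade-off rbairwell describes above.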

rbairwell

Well-Known Member
May 28, 2022
Mansfield, Nottingham, UK
cPanel Access Level
Root Administrator
Those forwarding rules look correct at first glance - but, to be totally honest, it's been getting on to nearly 20 years since I last had to do it (and that was with a cPanel server). You do seem to be missing port 53 UDP though, and HTTP/3 uses UDP on port 80 (but that doesn't seem to be supported by cPanel at the moment).

I would change in "Basic WebHost Manager Setup" at the bottom to set your nameservers to your remote nameservers: I'd then add the IP addresses of those nameservers to IP Functions->Configure Remote Service IPs->Remote Name Server IPs so cPanel is aware of them.

You might be able to get away by modifying "Basic WebHost Manager Setup->Basic Config->The IPv4 address to setup" to your proxy server's IP address: but this isn't something I've tried myself so I've got no idea how/if it'll work, how/if it'll affect licensing checks etc etc (and, thinking about it, it might break Apache's virtual host configuration if you have multiple IPs setup).

If that doesn't work, under DNS Functions->Edit Zone Templates (docs), I would then edit "standard" and where it has %ip% and %ipv6%, I would change those to be the appropriate IP address of your proxy server: then any domains you create on the server will be populated with the fixed IP address.

I use CloudNS for my nameservers (I used to use cPanel DNSOnly, but it worked out cheaper to use CloudNS): if you set up the script they provide for Secondary DNS with cPanel Primary Server and then set up Slave DNS with PowerDNS to handle the updates (on step 3 - ignore the IP addresses listed on that page, use the ones in your CloudNS profile), that should mean the only nameserver requests to hit your server should come from CloudNS (so you may just want to tweak your forwarding rules to allow port 53 on UDP and TCP from their IP addresses direct access). Of course, there are plenty of other secondary/slave DNS providers out there (and there's nothing stopping you just hosting the domain name at, say, Cloudflare Domains, Google Domains, Gandi, Godaddy etc - and then making manual updates there: just remember to disable the DNS options under Packages->Feature Manager so customers don't get confused and try modifying their domain records on your server as it won't work).

If you want your proxy server to act as the nameserver, just ensure that ns1.example.com and ns2 are set up with the IP address of that server (and, if example.com is using those nameservers itself, set up the glue records at your registrar) - however, every request for a domain name record will have to go through the proxy server which will add delay.
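Changing %ip% and %ipv6% in the zone templates only affects zones created afterwards; zones that already exist, and records customers add by hand, can still carry the origin address, and not only in A records (an SPF TXT record with ip4: is a common leftover). The function below is an added example, not from this thread or from cPanel: it scans a BIND-style zone file for any record whose data contains the origin IP as a whole token and prints the owner name and record type. The zone file it runs on is constructed inline; 203.0.113.10 stands in for the origin and 198.51.100.5 for the proxy.

```shell
#!/bin/sh
# Added example, not from the thread: list every record in a zone file that still
# refers to the origin server's IP, so leftovers can be fixed after the zone
# templates are changed. Point it at your server's own zone files in real use.

find_origin_refs() {
    zonefile="$1"; ip="$2"
    awk -v ip="$ip" '
        /^[ \t]*;/ || /^\$/ { next }        # skip comments and $TTL/$ORIGIN directives
        {
            # Split the line on anything that is not a digit or a dot, so the IP
            # is matched as a whole token (203.0.113.10 does not match 203.0.113.100,
            # and "ip4:203.0.113.10" inside an SPF string is still found).
            n = split($0, toks, /[^0-9.]+/)
            found = 0
            for (k = 1; k <= n; k++) if (toks[k] == ip) found = 1
            if (!found) next
            # Record type is the field after the IN class, if present.
            type = "?"
            for (k = 1; k < NF; k++) if ($k == "IN") type = $(k + 1)
            print $1, type
        }' "$zonefile"
}

# Constructed sample zone (not a real cPanel zone file), written to a temp file
# so the function can be exercised offline.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
; constructed sample zone for example.com
$TTL 14400
example.com.        86400   IN  SOA ns1.example.com. hostmaster.example.com. (2022102401 3600 1800 1209600 86400)
example.com.        86400   IN  NS  ns1.example.com.
example.com.        86400   IN  NS  ns2.example.com.
example.com.        14400   IN  A   203.0.113.10
www.example.com.    14400   IN  CNAME example.com.
mail.example.com.   14400   IN  A   203.0.113.10
ns1.example.com.    14400   IN  A   198.51.100.5
ns2.example.com.    14400   IN  A   198.51.100.5
example.com.        14400   IN  MX  0 mail.example.com.
example.com.        14400   IN  TXT "v=spf1 +a +mx +ip4:203.0.113.10 ~all"
EOF

# Example run: prints "example.com. A", "mail.example.com. A", "example.com. TXT".
find_origin_refs "$SAMPLE_ZONE" 203.0.113.10
```

Note what the sample shows: after the A records are repointed at the proxy, the SPF record would still publish the origin address, and outbound mail from the origin will keep doing so unless mail is also relayed through a host whose address you are willing to expose. This is the kind of leak rbairwell is warning about: the forwarding rules hide the address from the web path only.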