cPanel Questions -- Force/rediredct subdomains to https (webmail.domain.com), and redirect to remove www. from domain

[heliolo]

Hello, I have two questions regarding cPanel.

First, I would like to force all subdomains (cpanel.domain.com, webmail.domain.com, etc.) to use https. I have the SSL certs setup through AutoSSL, and I can access the secure version by manually typing in https, but I would like to force this behavior for safety/security concerns. It seems like this can be done using WHM, but I don't actually have a good idea of what WHM (Web Host Manager) is. Is this the software that Heliohost uses to provide each user with their own cPanel login and individual customization? If so, do users have any access to this interface?

Next, I was having issues redirecting traffic pointed to the www. version of my domain name to the non-www. version. In cPanel, I have configured a redirect to match both www. and non-www. that points to the base domain name (https://example.com). However, this redirect only works for requests sent to http://www.example.com. Accessing https://www.example.com does not redirect to the non-www. version. I previously was self-hosting my site, and was able to accomplish this functionality through nginx redirect rules. Is there anything I am missing in setting up this redirect?

 

Thank you!

[Krydos]

WHM allows you to edit and delete all the accounts on the server, so no you don't have access to that.

We use Apache not Nginx, but you can easily do redirects using modrewrite in your .htaccess file.

[heliolo]

Hi Krydos, thanks for the response.

I have been trying to use the .htaccess to force HTTPS on all subdomains but am having some trouble. From searching around this is what I currently have:

RewriteEngine on

RewriteCond %{HTTP_HOST} ^www\.(.+)
RewriteCond %{HTTPS}s/%1 ^(on(s)|offs)/(.+)
RewriteRule ^ http%2://%3%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This works for everything on the main domain (http -> https) and (www -> non-www), but it doesn't have any effect on the subdomains (cpanel or webmail).

I have tried placing the .htaccess in both the public_html/ folder as well as the in the home directory, both have the same behavior. Do you have any ideas on what could be the problem?

 

I have also tried other solutions posted around online:

=== 1 ===
RewriteCond %{HTTPS} =off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

=== 2 ===
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^((?!www\.)[^.]+)\.example\.com$
RewriteRule ^ https://%1.example.com%{REQUEST_URI} [NE,L,R]

Thanks

[Krydos]

Put this in the .htaccess file in the webroot of each domain and subdomain to force https:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/.well-known/ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Are you trying to remove www from the beginning of your domain too?

[heliolo]

Yes, I am also trying to remove the www and that is working on the main domain with the first .htaccess I posted.

Apologies for the many dumb questions but where is the webroot for the premade subdomains (cpanel/webmail)? There are no entries under the subdomain tabs in cPanel that would have the document root. I tried placing the code you posted in the .cpanel/ and mail/ directories but neither had any effect.

Should I create subdomain entries and define the document root for those desired subdomains?

[wolstech]

23 minutes ago, heliolo said:

where is the webroot for the premade subdomains (cpanel/webmail)

There isn't one. We intentionally allow insecure connections because as crazy as it sounds there are places where encryption is interfered with or outright banned (some middle-east and Asian countries, certain work networks, etc.), and we have users in those places who wouldn't be able to access our services if we forced SSL.

That said, you can override these subdomains by creating your own subdomain with the same name. Just create it, then put a script in the docroot to redirect the user (e.g. you could make a subdomain called cpanel.domain.com and set it to redirect to https://heliohost.org/login/ ).

[Krydos]

Oh, I thought he was talking about actual subdomains, not the special proxy subdomains.

[heliolo]

Ah okay got it. Thanks for the explanation and help, didn't ever consider that encryption could be a bad thing.

[Krydos]

This map might be interesting for you https://www.gp-digital.org/world-map-of-encryption/ Some countries you can get fined or go to jail for using encryption.

[wolstech]

It's kind of interesting to see USA and Canada as the only two major countries left where there's no law against it.

Ignoring China and Russia, the next two largest countries are probably Brazil and Australia...Brazil is known for banning services that don't allow government access to the data, and Australia mandates backdoors if clear access isn't available.

Edited July 14, 2021 by wolstech
Clarify