Secret URL and Force Install ?

Post Reply
wonderfoolkid
Posts: 3
Joined: Tue May 23, 2023 3:55 pm

Hello,

I just wanted to ask for what is Secret URL and Force Install ?
User avatar
isscbta
Team Member
Posts: 130
Joined: Mon Jul 19, 2021 1:41 am
Has thanked: 15 times
Been thanked: 3 times

You can completely "lock" myVesta so it can be accessed only via secret URL, for example https://serverhost:8083/?MY-SECRET-URL
During installation you will be asked to choose a secret URL for your hosting panel.
  • Literally no PHP scripts will be alive on your hosting panel (won't be able to get executed), unless you access the hosting panel with secret URL parameter. Thus, when it happens that,
  • let's say, some zero-day exploit pops up - attackers won't be able to access it without knowing your secret URL - PHP scripts from VestaCP will be simply dead - no one will be able to interact with your panel unless they have the secret URL.
  • You can see for yourself how this mechanism was built by looking at:
    src/deb/for-download/php/php.ini - https://github.com/myvesta/vesta/blob/m ... p.ini#L496
    web/inc/secure_login.php - https://github.com/myvesta/vesta/blob/m ... _login.php
  • If you didn't set the secret URL during installation, you can do it anytime. Just execute in shell:

    Code: Select all

    echo "<?php \$login_url='MY-SECRET-URL';" > /usr/local/vesta/web/inc/login_url.php
Post Reply