VestaCP additional protection


Active Member
Hi everybody,

I'm a little paranoid about my VestaCP installation where my control panel can be accessed through its IP, so I took some steps to harden it a little.

First, I check the server's hosts file /etc/hosts to ensure i have the right fqdn (  vcp)

Then I added a line to /etc/resolv.conf (search

Generate a Basic Auth file (htpasswd -c -d /etc/nginx/htpasswd myusername)

Replaced the Nginx configuration as follows: 

#Replace vcp nginx configuration
rm -f /usr/local/vesta/nginx/conf/nginx.conf
vi /usr/local/vesta/nginx/conf/nginx.conf
auser admin;
worker_processes 1;
error_log /usr/local/vesta/log/nginx-error.log;
pid /var/run/;

events {
worker_connections 128;
use epoll;

http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 100m;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;

# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
access_log /dev/null main;

# SSL PCI Compliance
ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;

# Mime settings
include /usr/local/vesta/nginx/conf/mime.types;
default_type application/octet-stream;

# Compression
gzip on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types text/plain text/css text/javascript
gzip_proxied any;

# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;

# Vhost
server {
listen 443;
if ($http_host = "") {
return 403;
deny all;
satisfy all;

rewrite ^ permanent;
ssl on;
ssl_certificate /usr/local/vesta/ssl/certificate.crt;
ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
if ($http_host = "") {
return 403;
listen 8083;
root /usr/local/vesta/web;
charset utf-8;
ssl on;
ssl_certificate /usr/local/vesta/ssl/certificate.crt;
ssl_certificate_key /usr/local/vesta/ssl/certificate.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

error_page 404 /error/404/index.html;
error_page 403 /error/index.html;
error_page 500 /error/index.html;

location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/htpasswd;
expires max;
index index.php;

location /error/ {
expires max;
index index.html;

location /rrd/ {
expires off;

location /backup/ {
root /;

location ~ \.php$ {
include /usr/local/vesta/nginx/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/local/vesta/web/$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_pass unix:/var/run/vesta-php.sock;
fastcgi_intercept_errors on;

Last I restart the Nginx (/etc/init.d/vesta restart)

In my desktop I added to my hosts file (

So I can access my control panel using

My question: Is my setting correct? Is there any way I can harden it more?