Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
CentOS-WebPanel Bugs / Re: Apache Re-Build broken. Again.
« on: May 14, 2021, 05:15:00 AM »
You cannot build/re-build anything that has to be downloaded from dl1.centos-webpanel.com, it seems that the host has some network problems. Watching the logs, it can be seen that the server tries to download the packages, but the connection resets almost every time. After 5 failed requests, the log says: Cannot download, giving up, continue with the build.
The build fails because of this, but the return message is : Build complete.
I think this is not a dinamically message, because it will say that the build is complete even if there are a lot of errors.
The build fails because of this, but the return message is : Build complete.
I think this is not a dinamically message, because it will say that the build is complete even if there are a lot of errors.
2
FTP / Re: TLS problem
« on: February 03, 2019, 11:40:42 PM »
You have to use it like this:
Code: [Select]
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031,2082,2083,2086,2087,2095,2096,30000:50000"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,2030,2031,2082,2083,2086,2087,2095,2096,587,993,995,30000:50000"
3
Installation / Re: Same hostname and domain. AutoSSL mismatch
« on: February 03, 2019, 11:35:59 PM »
1st of all, make sure that your hostname is set to srv1.domain.com , use this command in putty:
Wait for a few minutes so the DNS will propagate.
After that, set the hostname in cwp admin. When you set this, the cwp will automatically generate a SSL for your hostname, and your SSL will be generated for srv1.domain.com.
The next step is to generate a SSL for your other account you created : domain.com. Enter in your CWP user panel, and generate the SSL for domain.com.
You may encounter an httpd error after this. If your httpd is doing this, in putty write:
Next step is to go to Dashboard, and start httpd server.
Code: [Select]
hostname srv1.domain.comMake sure that the hostname is set in your dns too (especially if you use external dns server) and the PTR is correctly set for your hostname.Wait for a few minutes so the DNS will propagate.
After that, set the hostname in cwp admin. When you set this, the cwp will automatically generate a SSL for your hostname, and your SSL will be generated for srv1.domain.com.
The next step is to generate a SSL for your other account you created : domain.com. Enter in your CWP user panel, and generate the SSL for domain.com.
You may encounter an httpd error after this. If your httpd is doing this, in putty write:
Code: [Select]
killall -9 httpdThis code will close all the httpd unclosed connections.Next step is to go to Dashboard, and start httpd server.
4
Updates / Re: blank admin page and broken update script
« on: February 03, 2019, 11:28:56 PM »
It seems that you didn't upgrade the cwp panel when it needed the manual upgrade, so you missed some important stuff. I think that the only way is to reinstall the operating system.
Make sure that you will backup your files using FTP, the phpmyadmin and files from /var/vmail/, then reinstall the operating system along with the new cwp.
Make sure that you will backup your files using FTP, the phpmyadmin and files from /var/vmail/, then reinstall the operating system along with the new cwp.
5
SSL / Re: SSL for the mail server?
« on: February 03, 2019, 11:22:58 PM »
Hi,
Here is what I made to add a SSL for my mail server:
Keep in mind: The location for generated csr and key are in /etc/pki/tls/certs (for csr) and /etc/pki/tls/private (for key)
1. I bought a SSL certificate Comodo Positive SSL (it was the cheapest, any certificate would do this trick.) for the hostname (in your example: mail.domain.example).
2. Upload the generated certificates (yourdomainname.crt and yourdomainname.ca-bundle) on /etc/pki/tls/.
3. Combine the uploaded files into one:
6. Open /etc/dovecot/dovecot.conf and edit the lines:
Just be sure to enter the right path for your files! Verify your paths first.
Here is what I made to add a SSL for my mail server:
Keep in mind: The location for generated csr and key are in /etc/pki/tls/certs (for csr) and /etc/pki/tls/private (for key)
1. I bought a SSL certificate Comodo Positive SSL (it was the cheapest, any certificate would do this trick.) for the hostname (in your example: mail.domain.example).
2. Upload the generated certificates (yourdomainname.crt and yourdomainname.ca-bundle) on /etc/pki/tls/.
3. Combine the uploaded files into one:
Code: [Select]
cat /etc/pki/tls/yourdomainname.crt /etc/pki/tls/yourdomainname.ca-bundle >> /etc/pki/tls/certificate.crt4. Open /etc/postfix/main.cf and edit the lines:Code: [Select]
smtpd_tls_cert_file=/etc/pki/tls/certificate.crt
smtpd_tls_key_file=/etc/pki/tls/private/yourdomainname.key5. Delete from /etc/postfix/main.cf the lines with CAcert file, I had 2 of them in the file.6. Open /etc/dovecot/dovecot.conf and edit the lines:
Code: [Select]
ssl_cert = </etc/pki/tls/certificate.crt
ssl_key = </etc/pki/tls/private/yourdomainname.key7. Save and close the files, restart mail services, and your mail server SSL is working 100%.Just be sure to enter the right path for your files! Verify your paths first.
6
CentOS 7 Problems / Re: Can't Install on Dedicated Server
« on: November 04, 2017, 05:49:01 PM »Hi! Yes I am having this same exact issue on my fresh centos 7 install. how did you ever resolve this?
thank you much for your help!
Don't forget to setup your hostname before installation:
Code: [Select]
hostname your-domain.tldJust after you have done this you can run the installation.
8
Apache / Re: Starting httpd: AH00548: NameVirtualHost has no effect and will be removed in th
« on: October 16, 2017, 06:26:57 AM »
You have to kill the httpd processes.
Try this:
Also make sure that port 80 is not used by nginx/varnish. If there is one of them, you will have to rebuild vhosts from cwp.
Try this:
Code: [Select]
killall -9 httpd
service httpd restart
Also make sure that port 80 is not used by nginx/varnish. If there is one of them, you will have to rebuild vhosts from cwp.
9
E-Mail / Re: Replace ClamAV with BitDefender?
« on: October 12, 2017, 02:03:24 PM »
I will try to change them, and I will come with an update as soon as the tests will show reliability and stability for production.
10
E-Mail / Re: Email tester score its too low
« on: October 12, 2017, 06:31:18 AM »
1. The rDNS (reverse DNS) problem is because probably you are on a VPS and the rDNS/PTR record is not set.
If your VPS is on SolusVM, you need to go to Network tab in your SolusVM control panel and edit/save the rDNS record. Or you can ask the hosting provider to set the PTR record for you.
2. Only after that, you will have to setup the SPF and DKIM record from CWP -> Email -> DKIM Manager. Just select your domain, and check the "enable SPF", then "Add DKIM" and you're done.
If your VPS is on SolusVM, you need to go to Network tab in your SolusVM control panel and edit/save the rDNS record. Or you can ask the hosting provider to set the PTR record for you.
2. Only after that, you will have to setup the SPF and DKIM record from CWP -> Email -> DKIM Manager. Just select your domain, and check the "enable SPF", then "Add DKIM" and you're done.
11
Apache / [Tutorial] Apache HTTP2 Module
« on: October 12, 2017, 04:42:50 AM »
Hello.
First of all, we need to download & upgrade some apps:
1. OpenSSL (min. 1.0.2 is required to run ANPL)
We will use the latest 1.0.2l version.
After this you need to add the /usr/local/lib and /usr/local/ssl/lib directories to the LD_LIBRARY_PATH.
2. NGHTTP2 (needed for mod_http2)
3. APR
4. APR-Util
5. Apache
Because of the existing vulnerabilities in anterior versions, we will use the latest one 2.4.28.
6. Add and activate the http/2 module
You just have to open the apache config and add this line:
And finally turn on the http/2 protocol by adding this line to apache config (for all sites) or in ssl vhosts for the sites you want:
Restart Apache with: service httpd restart
Possible Problems:
1. Apache will not start because of the mod_security
If you had mod_security, probably you will have this error when restarting:
To repair it, you need to recompile and install the new mod_security:
After this, you run service httpd restart and the server should start.
First of all, we need to download & upgrade some apps:
1. OpenSSL (min. 1.0.2 is required to run ANPL)
We will use the latest 1.0.2l version.
Code: [Select]
cd ~
mkdir installers
cd installers
wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
tar -zxvf openssl-1.0.2l.tar.gz
cd openssl-1.0.2l
./config shared zlib-dynamic --prefix=/usr/local/ssl
make
make install
mv /usr/bin/openssl /root/
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
cd ..
After this you need to add the /usr/local/lib and /usr/local/ssl/lib directories to the LD_LIBRARY_PATH.
Code: [Select]
nano /etc/ld.so.conf.d/http2.conf
/usr/local/lib
/usr/local/ssl/lib
After you save it (Ctrl+X -> Yes), you need to run ldconfig2. NGHTTP2 (needed for mod_http2)
Code: [Select]
wget https://github.com/nghttp2/nghttp2/releases/download/v1.26.0/nghttp2-1.26.0.tar.gz
tar -zxvf nghttp2-1.26.0.tar.gz
cd nghttp2-1.26.0
export OPENSSL_CFLAGS="-I/usr/local/ssl/include"
export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto"
./configure
make
make install
cd ..
3. APR
Code: [Select]
wget http://mirrors.whoishostingthis.com/apache/apr/apr-1.6.2.tar.gz
tar -zxvf apr-1.6.2.tar.gz
cd apr-1.6.2
./configure
make
make install
cd ..
4. APR-Util
Code: [Select]
wget http://mirrors.whoishostingthis.com/apache/apr/apr-util-1.6.0.tar.gz
tar -zxvf apr-util-1.6.0.tar.gz
cd apr-util-1.6.0
./configure --with-apr=/usr/local/apr
make
make install
cd ..
5. Apache
Because of the existing vulnerabilities in anterior versions, we will use the latest one 2.4.28.
Code: [Select]
wget http://mirrors.whoishostingthis.com/apache/httpd/httpd-2.4.28.tar.gz
tar -zxvf httpd-2.4.28.tar.gz
cd httpd-2.4.28
cp -r ../apr-1.6.2 srclib/apr
cp -r ../apr-util-1.6.0 srclib/apr-util
./configure --enable-so --prefix=/usr/local/apache --with-ssl=/usr/local/ssl --enable-unique-id --enable-ssl=shared --enable-rewrite --enable-deflate --enable-suexec --with-suexec-docroot="/home" --with-suexec-caller="nobody" --with-suexec-logfile="/usr/local/apache/logs/suexec_log" --enable-asis --enable-filter --with-pcre --with-included-apr --enable-headers --enable-expires --enable-proxy --enable-rewrite --enable-userdir --enable-http2
make
make install
cd
6. Add and activate the http/2 module
You just have to open the apache config and add this line:
Code: [Select]
LoadModule http2_module modules/mod_http2.soAnd finally turn on the http/2 protocol by adding this line to apache config (for all sites) or in ssl vhosts for the sites you want:
Code: [Select]
Protocols h2 http/1.1Restart Apache with: service httpd restart
Possible Problems:
1. Apache will not start because of the mod_security
If you had mod_security, probably you will have this error when restarting:
Code: [Select]
Starting httpd: httpd: Syntax error on line 509 of /usr/local/apache/conf/httpd.conf: Syntax error on line 5 of /usr/local/apache/conf.d/mod_security.conf: Cannot load modules/mod_security2.so into server: /usr/local/apache/modules/mod_security2.so: undefined symbol: apr_crypto_block_cleanup
To repair it, you need to recompile and install the new mod_security:
Code: [Select]
cd ~/installers
wget https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
tar -zxvf modsecurity-2.9.2.tar.gz
cd modsecurity-2.9.2
./configure --with-apxs=/usr/local/apache/bin/apxs
make
make install
cd
After this, you run service httpd restart and the server should start.
12
SSL / Re: how to redirect non-ssl-enabled virtual hosts to default page
« on: November 11, 2015, 01:30:35 PM »
If you're trying to redirect from https to http, try this code in .htaccess
Otherwise, if you're trying to get redirect from http to http, try this one
Code: [Select]
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]Otherwise, if you're trying to get redirect from http to http, try this one
Code: [Select]
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
13
SSL / Re: letsencrypt.org implementation
« on: November 10, 2015, 12:55:54 PM »
No, i used this one:
https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html
But i'll try to make a tutorial for cwp, because i encountered some problems with python2.6 and virtualenv.
https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html
But i'll try to make a tutorial for cwp, because i encountered some problems with python2.6 and virtualenv.
14
How to / [Tutorial] Strong SSL Security for Apache
« on: November 10, 2015, 12:52:30 PM »
This tutorial shows you how to set up strong SSL security on the Apache2 webserver.
Disable SSLv2 and SSLv3
SSL v2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 allows exploiting of the POODLE bug.
To do this, you'll have to edit the /usr/local/apache/conf.d/vhosts-ssl.conf for every VirtualHost that you have.
After "SSLEngine on" line, insert this line:
The Cipher Suite
Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session. This means that when the private key gets compromised it cannot be used to decrypt recorded SSL traffic. The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants.
The following two ciphersuites are recommended by Mozilla Foundation.
After "SSLProtocol All -SSLv2 -SSLv3" line, add:
Or if you need backward compatibility (IE6/WinXP), add this line:
By using this configuration in your ssl vhosts, you are protected by POODLE attack and your server supports Forward Secrecy with modern browsers.
Disable SSLv2 and SSLv3
SSL v2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 allows exploiting of the POODLE bug.
To do this, you'll have to edit the /usr/local/apache/conf.d/vhosts-ssl.conf for every VirtualHost that you have.
After "SSLEngine on" line, insert this line:
Code: [Select]
SSLProtocol All -SSLv2 -SSLv3The Cipher Suite
Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session. This means that when the private key gets compromised it cannot be used to decrypt recorded SSL traffic. The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants.
The following two ciphersuites are recommended by Mozilla Foundation.
After "SSLProtocol All -SSLv2 -SSLv3" line, add:
Code: [Select]
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDHOr if you need backward compatibility (IE6/WinXP), add this line:
Code: [Select]
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4By using this configuration in your ssl vhosts, you are protected by POODLE attack and your server supports Forward Secrecy with modern browsers.
15
SSL / Re: letsencrypt.org implementation
« on: November 10, 2015, 09:23:37 AM »
You can already use letsencrypt if you we're accepted in their beta stage. The single problem is that the renewal is not yet automated, but you can issue the cert if you're domains are whitelisted in their beta.
Pages: [1]
