1
Updates / Re: Snort rule blocking updates
« on: December 23, 2021, 01:08:19 PM »
Quote
You did not add any error in your post actually.
From the log snippet I posted...
Code:
action="drop"
The Snort rule causes the connection to the CWP update server to drop.
2
Updates / Snort rule blocking updates
« on: December 17, 2021, 04:04:19 PM »
Just want to share this...
I tried updating CWP Pro from within the admin panel and by command (sh /scripts/update_cwp --verbose). Both methods failed without any errors. The admin panel would remain covered by a modal with a spinner icon. The terminal window would display only the following:
Code:
[root@cwp ~]# sh /scripts/update_cwp --verbose
====================================================
============= CentOS Web Panel Cron ================
====================================================
###########################
Firewall Flush Daily Blocks
###########################
######################
Update Server Packages
######################
My CWP is behind a gateway device that utilizes Snort for IPS. I had to not only disable a particular rule but also reboot the gateway device. Simply reloading the Snort rules was not sufficient ¯\_(ツ)_/¯
The rule: 21420 (https://www.snort.org/rule_docs/1-21420)
Log snippet:
Code:
2021:12:17-09:43:17 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="151.80.90.199" dstip="192.168.0.110" proto="6" srcport="80" dstport="46488" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:45:21 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="137.74.148.116" dstip="192.168.0.110" proto="6" srcport="80" dstport="52826" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Hope this may help others.
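A way to find which IPS rule is dropping a host's traffic from logs in the format shown above. This is an added example, not part of the original post; the sample lines are constructed (documentation-range addresses, made-up sid 9999999) and the reply-traffic check is a port-number heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the key="value" layout of the snippet above.
# Addresses are documentation ranges and sid 9999999 is a made-up rule id.
SAMPLE_LOG = """\
2021:12:17-09:43:17 gateway snort[27335]: id="2101" sub="ips" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" srcip="203.0.113.10" dstip="192.168.0.110" proto="6" srcport="80" dstport="46488" sid="21420" generator="1"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" sub="ips" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" srcip="198.51.100.7" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" generator="1"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" sub="ips" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" srcip="198.51.100.7" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" generator="1"
2021:12:17-09:50:02 gateway snort[27335]: id="2101" sub="ips" action="alert" reason="constructed alert-only rule" srcip="192.0.2.55" dstip="192.168.0.110" proto="6" srcport="51000" dstport="443" sid="9999999" generator="1"
2021:12:17-09:51:00 gateway sshd[411]: unrelated line that must be skipped
"""

LINE_RE = re.compile(r'^(\S+) \S+ snort\[\d+\]: (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the fields of one IPS log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    fields["time"] = m.group(1)
    return fields

def drops_for_host(log_text, host):
    """Group action="drop" events involving `host` by (generator, sid)."""
    seen = set()
    rules = defaultdict(lambda: {"reason": "", "events": 0,
                                 "peers": set(), "reply_traffic": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("action") != "drop" or host not in (f.get("srcip"), f.get("dstip")):
            continue
        key = (f["time"], f.get("srcip"), f.get("srcport"), f.get("dstip"), f.get("dstport"), f.get("sid"))
        if key in seen:  # the same drop logged twice counts once
            continue
        seen.add(key)
        r = rules[(f.get("generator"), f.get("sid"))]
        r["reason"] = f.get("reason", "")
        r["events"] += 1
        r["peers"].add(f.get("srcip") if f.get("dstip") == host else f.get("dstip"))
        # Heuristic: remote well-known port -> local high port means the drop hit the
        # reply to a connection the host itself opened (for example an update download).
        if f.get("dstip") == host and int(f.get("srcport", 0)) < 1024 <= int(f.get("dstport", 0)):
            r["reply_traffic"] += 1
    return dict(rules)

if __name__ == "__main__":
    for (gid, sid), r in drops_for_host(SAMPLE_LOG, "192.168.0.110").items():
        print(f"{gid}:{sid} drops={r['events']} reply={r['reply_traffic']} {sorted(r['peers'])} {r['reason']}")
```

A rule whose drops are all on reply traffic to the server's own outbound requests is a candidate for a scoped exception rather than a global disable.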
3
CentOS 7 Problems / Re: .htaccess deny access not working
« on: February 10, 2021, 01:34:37 PM »
After lots of testing, this seems to work but I would like to know if this is the most efficient solution:
Code:
location / {
    #### MY NEW RULE ###
    location ~ /(my_files/uploads/files|dir1|dir2) {
        #deny all;
        #return 404;
        proxy_pass http://192.168.1.5:8181;
        include proxy.inc;
    }
    #### MY NEW RULE ###
    location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
        root /home/<userAccount>/<site.tld>;
        expires max;
        try_files $uri @backend;
    }
    error_page 405 = @backend;
    error_page 500 = @custom;
    add_header X-Cache "HIT from Backend";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;
    proxy_pass http://192.168.1.5:8181;
    include proxy.inc;
}
Should I add/remove anything (other than the comments) to the new rule?
All that I'm trying to do is bypass that nginx static files rule for specific directories that rely on .htaccess files.
4
CentOS 7 Problems / Re: .htaccess deny access not working
« on: February 09, 2021, 12:48:43 PM »
Quote
...convert Apache .htaccess rules to nginx syntax.
Since that nginx rule applies to the root of the website, can a block of code be simply added to the nginx vhost conf file that will exempt specified directories from that rule so .htaccess files can be used to forbid access to those specific directories? If so, can you please provide a code sample and where it should be placed in the nginx conf file. In other words, I want to keep that rule as the default for the website but exempt specific directories from it.
5
CentOS 7 Problems / .htaccess deny access not working
« on: February 09, 2021, 06:01:57 AM »
My CWP is set up with Nginx & Varnish & Apache.
I'm using a few different web apps that come with their own custom .htaccess files that do different things for different directories. One thing that was puzzling me is the fact that some .htaccess files were not denying access to some directories even though the files are properly coded. It took me a long time to figure out that the following block in the NGINX vhost config files is causing the issue:
Code:
location / {
    location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
        root /home/<userAccount>/mysite.com;
        expires max;
        try_files $uri @backend;
    }
    error_page 405 = @backend;
    error_page 500 = @custom;
    add_header X-Cache "HIT from Backend";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;
    proxy_pass http://192.168.1.5:8181;
    include proxy.inc;
}
So even if I have a proper .htaccess file which denies access to a directory, users can still view/download (via web browser) any of the file types that are specified in the code snippet above.
So what is the proper way to fix this situation of the .htaccess files being essentially bypassed?
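An audit for the situation described in this post, added here as an example and not part of the original thread: it walks a document root and lists the files that the static-file regex from the vhost block above would let nginx serve from disk even though an .htaccess at or above them denies access. The demo tree is constructed, and the deny check is an assumption that covers only top-level `Deny from all` / `Require all denied` directives.

```python
import os
import re
import tempfile

# Same pattern as the `location ~` regex in the vhost block above.
STATIC_RE = re.compile(r".*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$")
# Apache 2.2 and 2.4 spellings of "deny everyone" (assumption: top-level
# directives only; <Files> sections and later overrides are not evaluated).
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b", re.I | re.M)

def exposed_files(docroot):
    """URL paths nginx would serve from disk although an .htaccess denies them."""
    exposed, denied = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):  # top-down: parents first
        if ".htaccess" in filenames:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    denied.append(dirpath)
        # .htaccess rules are inherited by every subdirectory
        if not any(dirpath == d or dirpath.startswith(d + os.sep) for d in denied):
            continue
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            uri = "/" + rel.replace(os.sep, "/")
            if STATIC_RE.search(uri):  # try_files $uri finds it; Apache never sees the request
                exposed.append(uri)
    return sorted(exposed)

def make_demo_tree(root):
    """Constructed sample site: two denied directories and one public one."""
    files = {
        "uploads/.htaccess": "Require all denied\n",
        "uploads/report.pdf": "x",
        "uploads/script.php": "x",      # no regex match: still proxied to Apache
        "uploads/sub/photo.jpg": "x",   # inherits the deny from uploads/
        "old/.htaccess": "Order deny,allow\nDeny from all\n",
        "old/backup.zip": "x",
        "public/logo.png": "x",         # no .htaccess: intentionally static
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_demo_tree(root)
        for uri in exposed_files(root):
            print("served by nginx despite .htaccess deny:", uri)
```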
6
CentOS-WebPanel Bugs / Re: BUG: Nginx Vhosts created with shared IP when set to other IPs
« on: July 17, 2020, 04:55:45 PM »
Quote
And today I've realized that if you do any changes that trigger the .conf files be rebuilt, you must manually edit each of the domains conf files again. Ugh! Now that is a pain.
I reported this bug two years ago

What's the point of being able to specify specific IP's for each user/domain if that info is not being used when CWP rebuilds the vhosts?
Come on Devs... Please fix this.
If anyone reading this post has a support contract with CWP, please open a ticket for this.
7
Updates / Re: Update proof configurations
« on: July 16, 2020, 01:38:19 PM »
OK... The cloud has lifted. I now understand the changes to the way templates and configs are handled in CWP.
In order to edit the main server config, you simply create a new config file and add your edits to it. That file will be included, automatically.
I did encounter a small bug. I get the following error when creating a new config file in CWP->WebServer Settings->WebServers Conf Editor->Apache->conf.d
Code:
Notice: Undefined variable: file_size in /usr/local/cwpsrv/htdocs/resources/admin/modules/file_editor.php on line 0
Although the file was successfully created.
8
Updates / Re: Update proof configurations
« on: July 16, 2020, 10:54:37 AM »
I understand that CWP now has a vhost template editor/switcher but I don't see that same type of functionality being offered for server config files such as Apache's 'httpd.conf' file.
So, for example, if I want to enable an Apache module (that is not enabled by default) such as 'mod_remoteip.so', do I have to manually edit the 'httpd.conf' file every time I rebuild Apache or is there a better way?
9
Updates / Update proof configurations
« on: July 15, 2020, 12:25:13 PM »
My CWP install is behind a gateway device so all logged IP's are 192.168.1.1. Because of a CWP bug (don't know if it was ever fixed), I am using Nginx & Varnish & Apache.
Before updating (which update I do not know), I had my CWP set up to log the client IP's. It was using mod_rpaf with x-forward but it seems an update has removed the mod_rpaf option from the control panel.
What is the proper way to setup client IP logging so that the custom config does not get blown away by a future update?
10
Other / Re: CWPPRO
« on: June 20, 2020, 10:48:40 PM »
Mine keeps periodically reverting from CWPPro to free. This is very frustrating.
Running
Code:
sh /scripts/update_cwp
and
Code:
sh /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
Do not help.
Anyone have any suggestions? Is there a static IP address or a specific port that I need to whitelist that handles license verification?
11
CentOS-WebPanel Bugs / Re: Backup error since last update
« on: March 24, 2020, 12:17:40 PM »
I never created a scheduled backup so it shouldn't even attempt a backup.
Does anyone know how to disable?
UPDATE: I deleted the cron job. That should stop it, right?
12
CentOS-WebPanel Bugs / Backup error since last update
« on: March 23, 2020, 12:56:01 PM »
Daily, I'm getting an email with the following data:
Email subject:
Code:
Cron <root@cwp> /usr/local/cwp/php71/bin/php-cgi -d max_execution_time=10000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron_newbackup.php
Body of the email:
Code:
PHP Warning: SQLite3::exec(): database is locked in /usr/local/cwpsrv/htdocs/resources/admin/include/cron_newbackup.php on line 0
I haven't attempted to schedule any backup jobs because I back up the whole VM with Veeam. When I visit CWP Settings->NEW Backup (beta) tab and click on Log Monitor, I see the following:
Code:
Log Monitor
2020-03-23 00:15:01 Backup Initiated
2020-03-23 00:15:01 ["account1","account2","account3","account4"]
2020-03-23 00:15:01 Starting compression
2020-03-23 00:15:01
2020-03-23 00:15:04 UPDATE backups SET LASTEXEC = "2020-03-23 00:15:04", STRUN ="0" WHERE ID="1"
tail -f /var/log/cwp/cron_backup.log
So I guess there are two issues:
- Why is a backup attempted when I never scheduled it?
- What is causing it to error out?
13
SSL / Re: AutoSSL not working
« on: October 24, 2019, 08:08:00 PM »
Quote
@jeffshead
This may help you:
...rate limit...
Thanks but as I mentioned in my last post, I can obtain certs from LE (for the same domains) using my gateway so I haven't hit any limits. I encounter the issue only with CWP.
What CWP logs should I be checking to see what is happening?
14
SSL / Re: AutoSSL not working
« on: October 23, 2019, 11:39:08 PM »
Ok… Let me start over.
I currently have commercial SSL certs for all of my domains. I manually installed them and they are working. I wanted to start using AutoSSL but it always fails without any errors when I remove an existing cert and use the AutoSSL tab. It actually says it completed successfully but it never does for any domain.
I am behind a gateway so CWP is NAT’ed. I do not use CWP’s BIND DNS Server nor do I use CWP’s email services. I use an external DNS provider and I have a separate email server that handles all email for all of the domains I host on the CWP server.
My DNS records at my DNS provider are all correct. In fact, my gateway appliance has built-in Let’s Encrypt functionality and it can successfully obtain a Let’s Encrypt SSL cert for any of my domains so that means the DNS records are correct. The problem I run into is that I also have to have certs on the CWP server or a couple of my web apps fail to work properly.
@adamjedgar
- The records I posted in my previous reply are the contents of the HOSTS file on the CWP server.
- I do have a separate/different A record for each domain just as you posted in number 1 of your response.
- Number 2 of your response is part of the issue. CWP automatically creates a CNAME for the www sub of every account and it will not let you create a separate www subdomain so there is no option on the AutoSSL tab to get a cert for only www.
AutoSSL fails to work for any of my domains including the domains that have both the base domain and the www sub hosted on the CWP server. I even created a test.mysite.com subdomain and allowed enough time for the DNS to propagate. It failed too. Just to be clear, I'm not actually using mysite.com. I'm using it as a substitute for my real domain names, only in my forum posts.
15
SSL / Re: AutoSSL not working
« on: October 21, 2019, 12:52:59 PM »
Quote
Try to create a separate A records for www, I have not tested but it should work. Also you can use domains default DNS settings and create A records for www (A=IP of server 1) and non-www ( A= IP of server 2) and create the host records.
My CWP is NAT'ed so all IP's for the domains are local. I use a DNS provider so I rely on the vanity DNS servers that I have specified with them for resolution. I already have separate A records for the public IP's of 'mysite.com' and 'www.mysite.com' registered with my DNS provider.
Below is what is currently in my HOSTS file:
Code:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 cwp.mysite.com
127.0.0.1 autoreply.cwp.mysite.com