Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - kandalf

Pages: [1] 2 3 4
1
When creating a cron job that includes a > redirection (for example > /dev/null 2>&1), the crontab module throws a JavaScript error and the table fails to render.
Key detail: this only happens in the client area (user panel). When the exact same cron is created directly from the admin area, it works perfectly. The cron syntax is identical in both cases.
The console shows:
Code: [Select]
Uncaught TypeError: Cannot read properties of undefined (reading 'length')
    at cronTable (?module=crontab:3340:16)
    at Object.complete (?module=crontab:3022:11)
    ...
    at createCron (?module=crontab:3016)

The redirection (> /dev/null 2>&1) is the standard way to suppress output and avoid cron emails, and the commands work fine via crontab -e over SSH. So this looks like a parsing issue in the client area frontend (cronTable) when handling commands containing >, rather than a problem with the cron itself. It also used to work correctly in older versions, so something seems to have regressed.
Questions:

Has anyone else hit this in the client area and found a workaround?
Could the CWP team look into why cronTable in the client area fails on commands containing > / 2>&1, while the admin area handles them fine?


2
SSL / Recommended acme.sh cron for CWP AutoSSL renewals?
« on: May 26, 2026, 08:49:55 AM »
I noticed that on some CWP servers the acme.sh cron is configured like this:

bash /root/.acme.sh/acme.sh --cron --home /root/.acme.sh

But on other CWP servers it is configured like this:

bash /root/.acme.sh/acme.sh --cron --home /root/.acme.sh/cwp_certs

Since CWP seems to store AutoSSL certificates under:

bash /root/.acme.sh/cwp_certs/

I would like to confirm which cron is currently the correct/recommended one for CWP AutoSSL renewals.

Should we use:

bash /root/.acme.sh/acme.sh --cron --home /root/.acme.sh/cwp_certs

or should CWP handle this differently?

I recently had a case where the cron using /root/.acme.sh was running daily, but it did not seem to process the certificates inside cwp_certs, so some SSL certificates were not renewed automatically.

Can someone from the CWP team or the community clarify the recommended setup?

3
Setup: CWP on AlmaLinux 8.10, nginx 1.24.0 from appstream, default config with "user nobody;".

After every nginx package update, uploads larger than client_body_buffer_size start failing. The RPM resets /var/lib/nginx and /var/lib/nginx/tmp to "nginx:root 0770", so the nobody worker can't traverse into them to write client body temp files. SELinux is off, this is just DAC.

Confirm with:
    rpm -q --queryformat "[%{FILEMODES:perms} %{FILEUSERNAME}:%{FILEGROUPNAME} %{FILENAMES}\n]" nginx | grep /var/lib/nginx

The usual chown fix works until the next update.

Permanent fix that survives updates: move the temp paths out of /var/lib/nginx into /var/cache/nginx (not owned by any RPM) and add them to nginx.conf:

    client_body_temp_path /var/cache/nginx/client_body 1 2;
    fastcgi_temp_path     /var/cache/nginx/fastcgi 1 2;
    uwsgi_temp_path       /var/cache/nginx/uwsgi 1 2;
    scgi_temp_path        /var/cache/nginx/scgi 1 2;

Anyone else hitting this? Would it make sense for CWP to ship the default nginx.conf with these paths set, or switch the default user to "nginx" to match the RPM?

4
After installing a new AlmaLinux server with CWP, what components should we really update manually to keep the server secure?

I know Apache currently has a serious security issue, and the default Nginx version installed with CWP also seems quite old. But it is not fully clear which components are handled by the OS, which ones are handled by CWP, and which ones we need to update manually.

For example, should we update Apache, Nginx, PHP versions, Roundcube, MariaDB, OpenSSL, OpenSSH, Postfix, Dovecot, CSF, ModSecurity, etc.?

Also, shouldn’t this be one of the main priorities of the CWP team? One of the reasons to use a control panel is to avoid having to manually inspect every component and guess what is outdated or vulnerable.

Can the community please share useful links, tutorials, or checklists explaining what really needs to be updated after installing CWP and the safest way to keep everything updated over time?

This would make life easier for everyone using CWP.

5
Updates / Is CWP dead? Looking for alternatives
« on: January 11, 2026, 11:58:23 AM »
I have several production servers running CWP, but it feels completely abandoned. No relevant updates for years, security issues take forever to fix with zero communication, and the changelog is stagnant.

PHP is at 8.5 but we're stuck on 8.3. Roundcube, Nginx, Apache versions are all outdated and never updated.

What do you recommend? I'm seriously considering moving to cPanel despite the cost. I like CWP's features (PHP, Node.js, backups, mail server), but everything feels dated. Support is terrible, no blog or notifications about critical updates.

What alternatives exist? Is anyone else feeling this way? What other panels have similar tools but a more active community?

6
CSF Firewall / Should we update CSF to V15??
« on: January 11, 2026, 11:48:59 AM »
CSF updates stopped in August. What's the recommended approach: update to V15 or use the workaround from https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/csf-firewall-error-oops-unable-to-download-no-host-option-provided/ to keep v14.24?

I need some opinions, I have multiple servers and I want to go to a secure approach

7
I’m reporting a critical security issue affecting multiple servers running CWP (CentOS Web Panel). During a security review on a Laravel-based website hosted via CWP, I found malicious PHP files in the public/ folder that allowed arbitrary code execution.

🛑 What I Found

On my server, inside /home/username/public_html/public/ and /home/username/public_html/, I found two suspicious files:
   •   nbpafebaef.jpg – Contains PHP code despite the .jpg extension:
<?php echo md5("gewafwaef1");die;?>

   •   defauit.php – A PHP script with a misleading name (looks like “default.php”).

These files execute when accessed via a browser. This confirms that PHP is being executed from the public folder, even if disguised with a .jpg extension.

🔍 Widespread Issue – Other Sites Also Affected

After further investigation, I found that other unrelated websites also running CWP have the exact same malicious files in the same locations:
   •   https://basaranturizm.com/
   •   https://coutos.pt/

This strongly suggests a systemic vulnerability, likely related to how CWP manages public folders or file permissions. These sites are not connected to me — I simply found them through Google search using the filename.

❗ Possible Vectors

Some possibilities include:
   •   Insecure permissions on public/ allowing PHP file uploads or writes
   •   Compromise via CWP File Manager or outdated software
   •   Global vulnerability in CWP’s file handling or directory security

⚠️ Request to CWP Team

Please investigate this urgently. It’s very likely that:
   •   CWP has a flaw allowing code execution in public folders
   •   Default permissions or services are enabling attackers to inject files across multiple servers

If CWP developers need any of the samples or log details, I’m happy to provide them privately.


8
I'd like to suggest adding support for Supervisor in CWP. While I personally use it mostly for managing Laravel queue workers, there are many other use cases where Supervisor is essential, like handling background jobs, WebSocket servers, scheduled tasks, or any long-running process that needs to stay alive and restart automatically if it fails.

It would be great if CWP could:
   •   Include Supervisor by default or offer a one-click install option from the panel;
   •   Optionally provide a basic GUI to manage .ini files and control/restart processes;
   •   Show the status of running Supervisor-managed processes from within the interface.

This would make CWP even more powerful for developers and sysadmins running modern web applications that rely on persistent background processes.

Thanks again, and I hope this can be considered for a future release!

9
PHP Selector / Support for PHP 8.4
« on: January 17, 2025, 04:09:45 PM »
When do we will get support for PHP 8.4, it was releases some months ago and we should have it available as soon as possible

10
SSL / How to create wildcard Certificate?
« on: September 18, 2024, 01:21:35 PM »
I have a new website that have multi tenancy, a user can create a subdomain on the fly and I need to create a wildcard certificate for this domain.
Any way of doing that on CWP?

11
Updates / CWP-CentOS-Stream-AppStream.repo Is down
« on: June 26, 2024, 09:33:26 AM »
I have servers with Centos 8 Delayed and cannot run yum update, it return this error:

Code: [Select]
yum update
CentOS-Stream - AppStream                                                                                                                                                                                     520  B/s | 257  B     00:00
Errors during downloading metadata for repository 'Stream-AppStream':
  - Status code: 404 for http://repo.centos-webpanel.com/8-cwp-stream/stable/AppStream/x86_64/os/repodata/repomd.xml (IP: 198.27.104.39)
Error: Failed to download metadata for repo 'Stream-AppStream': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

How can I solve this?

12
Installation / When we will have a production release for EL9
« on: June 20, 2024, 08:59:08 AM »
CentOS 7 is about to reach its End-of-Life (EOL). I need to upgrade it, and currently the recommended version is EL8. However, I think the ideal solution would be to move to EL9.  However, I'm hesitant to install CWP in its beta stage since these are production servers.

Do you think we'll have a final version of CWP for EL9 within the next month?

I'm planning to go to AlmaLinux 9 what do you think about that?

13
PHP / PHP-FPM number of processes per user
« on: June 17, 2024, 03:41:59 PM »
In Manage WebServers Configuration we have PHP-FPM default template config where we can select the number of processes each user, however I don't find any place where I can set a specific number of processes for a specific user.

Where can I select for example the processes-50 for a specific user without apply it to all other users?

14
E-Mail / SSL Cert Update Issues with Mail Server
« on: April 12, 2024, 09:16:23 AM »
I'm running into a recurring issue on my CWP setup where every time my SSL certificate gets updated, my mail server starts acting up and throws certificate errors. I end up having to manually rebuild the mail server to get everything running smoothly again, which is becoming quite a hassle.

Has anyone else faced this? How are you all managing SSL cert renewals for your mail servers? Any scripts or settings that you could share would be a huge help.

Looking forward to some tips or guidance on how to automate this process a bit more, so I don’t have to keep doing everything manually.

Cheers!

15
Updates / How to upgrade the OS
« on: June 29, 2023, 11:25:18 AM »
I currently manage three servers, one running CentOS 7 and two running CentOS 8 Stream. All of them use CWP Pro. As CentOS 7 is nearing its end of life, I'm considering upgrading to either AlmaLinux or RockyLinux. I understand that there are ways to upgrade from CentOS 7 to AlmaLinux, but I'm concerned about potential compatibility issues with CWP. I'm leaning towards setting up a new server entirely to avoid these issues. Has anyone here already done this?

On the CentOS 7 server, I host around 100 domains. I'm trying to figure out the most efficient way to migrate these to a new server. Is there a method to move all accounts at once, or will I have to transfer each user account manually?

Furthermore, if I switch to a new machine, the IP will change. Will I need to inform all of my clients to update the IP on their nameservers?

Any suggestions to simplify this process will be greatly appreciated.

Pages: [1] 2 3 4