Letsencrypt/certbot fails when proxying with Apache ProxyPass

I had an issue on Directadmin server where client had nodejs application for which apache had to proxy on port 3001. Becouse of this, letsencrypt was not able to reach .well-known/acme-challenge/ and certificate registration/renewal failed. Solution is simple, you have to exclude proxy when requesting .well-known/acme-challenge/.

This was error whent trying to check .well-known/acme-challenge:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
{"errors":[{"message":"Route /.well-known/test.txt doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}%

So I added “ProxyPass !” directive just before where I create proxy directive to port 3001. Like so:

. . .
<Location /.well-known/acme-challenge>
     ProxyPass !
</Location>

<Location />
     Require all granted
     ProxyPass http://127.0.0.1:3000/
     ProxyPassReverse http://127.0.0.1:3000/
</Location>
. . . 

Then I was able tu make request to .well-known/acme-challenge sucsessfully:

> $ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
It works!

I hope this helps! 🙂

Dovecot fails to reload after upgrade / code=exited, status=226/NAMESPACE

If your Dovecot fails to reload/restart after upgrade, chances are that your kernel is too old. But you can try and fix this problem with simple step bellow.

This was in syslog log:

systemd[20406]: dovecot.service: Failed at step NAMESPACE spawning /usr/bin/doveadm: No such file or directory
dovecot.service: Control process exited, code=exited status=226
systemd[1]: Reload failed for Dovecot IMAP/POP3 email server.

This was Dovecot service status:

● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) (Result: exit-code) since Tue 2021-09-07 19:31:12 CEST; 1 months 28 days ago
Docs: man:dovecot(1)
Process: 20406 ExecReload=/usr/bin/doveadm reload (code=exited, status=226/NAMESPACE)

To solve, you can try and edit dovecot service script and add coment to PrivateTmp variable.

root@mailmachine:~# vi /lib/systemd/system/dovecot.service

...
[Service]
Type=forking
ExecStart=/usr/sbin/dovecot
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
#PrivateTmp=true
NonBlocking=yes
# Enable this if your systemd is new enough to support it:
#ProtectSystem=full
...

SNI support for Dovecot and Postfix

If you are in position that you need multiple SSL certificates for different domains on single mail server, you can do it with SNI. Of corse, on very old versions this is not supported. Check documentation first, if its supported for your version of Dovecot and Postfix.

Dovecot:

In case of incoming mailserver Dovecot it’s easy as listed bellow. I made file ssl-sni.conf in which I add SNI configurations for my domains. Then I included ssl-sni.conf in main dovecot config.

Create ssl-sni.conf and add your SNI definitions in it:

local_name mail.domain1.com {
ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
ssl_key = </etc/ssl/certs/domain1/privkey.pem
}

local_name pop3.domain2.com {
ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...

Then include this in main dovecot config (you can add those configurations directly in dovecot.conf or 00-ssl.conf also. I just prefer separate this):

# SNI include
!include ssl-sni.conf

Postfix:

As for Postfix, configuration is also simple:

Inside /etc/postfix/, create file domain_ssl.map and add ssl definitions in it:

mail.domain1.com /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem

Run postmap and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map which will create domain_ssl.map.db
[root@mail postfix]# systemctl restart postfix

If everything is OK, you should now have SNI supported mail server.

Directadmin – ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200)

I had problem with uploading files on Directadmin server with mod_security enabled. I set upload_max_filesize and post_max_size to 64M, and still recived error like this:

[Wed Aug 04 23:31:30.320425 1912] [:error] [pid 1418987:tid 140666332325632] [client 89.212.96.1:64983] [client 89.212.96.1] ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200). [hostname "www.geekytuts.net"] [uri "/wp-admin/async-upload.php"] [unique_id "YQpCUpEZgUlp9rxIlbunrAAAnTQ"], referer: https://www.geekytuts.net/wp-admin/media-new.php

I found out that this behavior is not caused by any mod_security rules (Free ModSecurity Rules from Comodo) but by directive SecRequestBodyLimit setting . Default value is 12.5M and since I set 64M for file uploads, I changed this value the same – in bytes.

File which you want to modify is /etc/httpd/conf/extra/httpd-modsecurity.conf. In my case, I modifyed like this:

SecRequestBodyLimit 67108864
SecRequestBodyNoFilesLimit 1048576

Directadmin – get disk size information for every email account on your server/user

If you want to get information about how much of disk is consuming every email account on your Directadmin server, then you can use this command.

[root@post ~]# find /home/*/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 60K 
test@domain1.si -> 60K 
lala@domain1.ba -> 529M 
info@somedomain.ba -> 529M 
igor@somedomain.eu -> 772K 
...

If you would want for every email account of some specific user, than you can use this:

[root@post ~]# find /home/user1/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 1.3G 
test2@domain1.it -> 1.3G 
igor@test.si -> 68M 
...

Simple, but it can save some time 🙂

Build NGINX with GeoIP2 support from source

I used GeoIP library with Nginx for quite some time, but it came to EOL. GeoIP2 is now avalible. It is great tool for blocking unwanted traffic from your webserver. This was done on Centos 7. If you don’t want to pay for getpagespeed’s payed version, than you must build this module from source.

First, you’ll need to know your curent NGINX version


[root@myserver ~]# nginx -v
nginx version: nginx/1.16.1

Then, download exact same version of NGINX from this site and unpack it. In my case:


[root@myserver ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@myserver ~]# tar -xvzf nginx-1.16.1.tar.gz
[root@myserver ~]# cd nginx-1.16.1.tar.gz

Then you should download ngx_http_geoip2_module – geoip2 module for NGINX:


[root@myserver ~]# wget https://github.com/leev/ngx_http_geoip2_module/archive/master.zip
[root@myserver ~]# unzip master.zip

You should install GCC and Development Tools for dependencies.

[root@myserver ~]# yum groupinstall ‘Development Tools’
[root@myserver ~]# yum install gcc

Continue Reading

Make single Roundcube instance use multi different databases

I had to configure webmail service with Roundcube which would allow connecting multi mail servers o one platform. Every mail server had it’s own Roundcube instance already, but idea was, that only one installation can handle all mail servers.

I found out, that this can be done pretty symple with some php in roundcube configuration.

Open your roundcube configuration file, for example:

vi /var/www/roundcube/config/config.inc.php

Fetch correct hostname for specific webmail instance in php variable. 

$host = $_SERVER['SERVER_NAME'];

Then you should create switch statement that will be able to manage correct database connection and host for specific server name – mail service. You can also have different types of database. For example mysql and postgres.

Continue Reading

Fix high server load and memory/cpu consumption of clamd ( ClamAV )

I had troubles with one of Directadmin servers which was constantly loading because clamd process. When executing top command, clamd was always top on the list. As I researched, there is no way you can limit ClamAV’s memory and CPU consumption via its configuration itself. This is how you do it.

What you have to do is limit clamd within startup script, so that clamd will start with some limitations.

Just open ClamAV startup script. I this case CentOS 7:

vi /etc/systemd/system/clamd.service

Then add this lines. Of course change according to your needs.

IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

Your startup script should now look something like this:

[Unit]
Description = Generic clamav scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStartPre=-/bin/mkdir -p /var/run/clamd
ExecStartPre=-/bin/chown -R clamav:clamav /var/run/clamd
ExecStart = /usr/local/sbin/clamd --foreground=yes
Restart = on-failure
PrivateTmp = true
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

[Install]
WantedBy = multi-user.target

Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had few mail servers with a lot of accounts. I setup rspamd instance in proxy mode. Then I called rspamd on every mail server with postfix milter. Rspamd works beautifully, ratelimiting is very useful too. But I in case of abusive mail sender, I wanted to permanently block IP from which spam originated. You can’t permanently block IPs with rspamd because ratelimit module can’t add IP address to some file.

So Fail2ban came to mind. I setup fail2ban on my rspamd installation and create filter which watches rspamd log and wait for cases when ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, filter puts IP of ratelimited sender to special blacklist file (ip_blacklist_ratelimit.map) which is included in rspamd multimap  definition – permanent block. Spamer IP is blocked permanently this way. 

I had few cases when some users password was stolen and spam was sending. Fail2ban and rspamd sucsessfuly banned those IPs. I also created action which will notify administrator when fail2ban blocks IP.

Rspamd ratelimit config:


# limit outgoing authenticated users
user = { 
bucket = [ 
{ 
burst = 10; # capacity of 10 messages in bucket 
rate = "1 / 1min"; # leak 1 messages per minute 
}, 
{ 
burst = 100; # capacity of 100 messages in bucket 
rate = "30 / 60min"; # leak 30 messages per hour 
}] 
}
}

Rspamd multimap definition for blocking blacklisted IPs:


# block users exceeded ratelimits 5 times
IP_BLACKLIST_RATELIMIT {
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/ip_blacklist_ratelimit.map";
action = "reject";
}

Fail2ban jail configuration:


[rspamd-ratelimit]
enabled = true
action = rspamd-banip
ratelimit-alert[name=Rspamd-ratelimit, dest=terminator@myemail.com]
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
bantime = 3600

Fail2ban filter for rspamd – rspamd-ratelimit.conf:


# Fail2Ban filter for rspamd ratelimit
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: .*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:


#
# Author: Igor Mazej
#
#
[Definition]
actionstart = touch /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionban = printf %%b "\n" >> /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionunban = sed -i "//d" -i.backup /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
[Init]

© 2024 geegkytuts.net
Hosted by SIEL


About author