Apache “require ip” is not working when behind proxy. How to limit website access to IP when Apache is behind proxy.

I had a case where Apache did not respect the directives in .htaccess with ‘require ip‘ and I couldn’t limit the website to certain addresses. The problem is that when Apache is behind a proxy ( HAProxy in this case ), the ‘require ip‘ will not pass the correct IP address. The correct IP address of the visitor is located in the ‘X-Forwarded-For’ variable. Therefore, .htaccess needs to be modified so that instead of ‘require ip’, it will respect another variable into which we will pass the values of ‘X-Forwarded-For’.

Below is an example of how it was solved in a case where it was necessary to request a password only if the website visitor did not come from a specific IP address which is added to the exceptions.”

Example:

<If "%{HTTP_HOST} == 'this.isnowworking.com'">
SetEnv IF_MATCHES_HOST true
AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName "Restricted access"

SetEnvIF X-Forwarded-For "1.1.1.1" AllowIP
SetEnvIF X-Forwarded-For "2.2.2.2" AllowIP
SetEnvIF X-Forwarded-For "3.3.3.3" AllowIP

<RequireAny>
Require valid-user
Require env AllowIP
</RequireAny>
</If>

Directadmin – build GeoIP2 in Directadmin’s NGINX and create country blocking for vhosts.

GeoIP is super helpful if you have troubles with a lot of nasty requests from some nasty countries :). Or, sometimes, you just want to lock some website or part of it ( administration ), so that it is accessible only from your country.

Things are a little different when you are using Directadmin control panel. I had this Directadmin with NGINX reverse proxy, so all NGINX is first point for requests made on your websites. Besides SSL offloading, you can also do filtering, country blocking … before request ends on backend ( Apache ).

So, here is how you can build GeoIP2 extension into your NGINX on Directadmin. I my case, I have Nginx as reverse proxy with Apache.

Check which NGINX version is installed on your server

[root@da nginx]# nginx -v
nginx version: nginx/1.23.1

Continue Reading

How to clean Zimbra mail queue as root user

You may come across a problem when trying to clean Zimbra mail queue as Zimbra user as lack of privileges.

When trying to log in as Zimbra and run the command below, I came across a privilege’s problem as Zimbra user was unable to run postsuper command:

[zimbra@mailmachine root]$  mailq | tail -n +2 | awk 'BEGIN { RS = "" } / spam.user@spammer.net/ { print $1 }' | tr -d '*!' | postsuper -d -
postsuper: fatal: use of this command is reserved for the superuser

If you check mail queue as root user, you won’t see Zimbra messages. What you can do, is use binaries of Zimbra. Here is how I was able to clean mail queue with root user for Zimbra:

[root@mailmachine sbin]# /opt/zimbra/common/sbin/mailq | tail -n +2 | awk 'BEGIN { RS = "" } / spam.user@spammer.net/ { print $1 }' | tr -d '*!' | /opt/zimbra/common/sbin/postsuper -d -

postsuper: F22125044F450: removed
postsuper: F24D45044B05C: removed
postsuper: F31595048D7A0: removed
postsuper: F307B50478E75: removed
postsuper: F155F5049BCF0: removed
postsuper: F3A22504CAC00: removed
postsuper: F40E2504A3B49: removed
...

This will successfully clean Zimbra mail queue – messages from user spam.user@spammer.net. You may have different paths to your mailq and postsuper. I noticed that on some installations, path is “/opt/zimbra/postfix/sbin/postsuper”.

cPanel – Roundcube error – “Error: Server Error(OK)”

One of the email accounts suddenly experienced trouble when searching in Roundcube. After a while, error occurred to user: “Error: Server Error(OK)”. At first, I thought it was a dovecot index problem, so I regenerated them, but the error was still there. Then I thought that may be IMAP server timeout, but it wasn’t a case, because it worked in mailboxes that were larger than this one.

Inside mail log I saw error below. But the mailbox wasn’t corrupted:

[01-Dec-2022 12:22:38 Earth/Universe] Unexpected condition from IMAP server, closed or corrupt connection to IMAP. Possible mailbox corruption.

This was an error inside Roundcube error log (“/home/username/logs/roundcube/errors”). This error didn’t seemed with issue that was experienced – search error, but cPanel support stated that is related to database corruption.

[01-Dec-2022 12:23:38 Earth/Universe]: <77d0888c> DB Error: [1] no such table: collected_addresses (SQL Query: SELECT * FROM "collected_addresses" WHERE "user_id" = '1' AND "type" = '2' AND ("email" LIKE 'username@domain.com') ORDER BY "name" ASC, "email" ASC LIMIT 10) in /usr/local/cpanel/base/3rdparty/roundcube/program/lib/Roundcube/rcube_db.php on line 566 (GET /cpsess4226161538/3rdparty/roundcube/index.php?_task=addressbook&_action=photo&_email=username%40domain.com&_error=1)

So, I tried to regenerate Roundcube database for this user (and backup old one first, of course):

[root@cpanel ~]# cd /home/username/etc/domain.com/
[root@cpanel domain.com]# mv user.emailaddress.rcube.db user.emailaddress.rcube.db.backup

Then, just login into Roundcube again and, a new db file should be generated. This sorted out the issue with search functionality.

Migrate email accounts to different user account on the same cPanel server

Maybe you’ll want to merge two separate cPanel accounts on the same server, but you won’t be able to, because you can’t simply just delete domain from the first account, and you can’t add domain to the second account because it exists on the first one :).

You can migrate email and other user data simply, by creating backup of user account and delete it from cPanel. Below, I will show how to migrate just email. But you can also migrate websites like this.

  1. Make copy of primary user account (if websites, also make sure to dump databases of that user) 
    root@cpanel [/home]# cp -rp useraccount1  useraccount1.bak
  2. Make copy of email aliases of primary account so they wont get lost after delete of primary account 
    cp /etc/valiases/userdomain.com /etc/valiases/userdomain.com.bak
  3. Delete primary user account in cPanel – useraccount1 in our case
  4. Add domain of primary account to secondary account (useraccount2). Now you’ll be able to, because domain don’t exist on the system anymore.
  5. Copy settings from primary account from backup to secondary one (the one you added domain to) and set right permissions: 
    root@cpanel [/home]# cp -rp /home/useraccount1.bak/etc/userdomain.com  /home/useraccount2/etc/userdomain.com
chown -R useraccount2: /home/useraccount2/etc/userdomain.com
  6. Copy all email accounts to new account and set right permissions 
     cp -rp /home/useraccount1.bak/mail/userdomain.com /home/useraccount2/mail/userdomain.com

chown useraccount2:mail /home/useraccount2/mail/userdomain.com

chown -R useraccount2: /home/useraccount2/mail/userdomain.com/*
  7. Recreate alliases 
    cp /etc/valiases/userdomain.com.bak  /etc/valiases/userdomain.com

That’s it. You should be able to see email accounts for userdomain.com in new cPanel account. All passwords should remain the same as before.

Change email password on Directadmin with CLI / command line

It can happen that you don’t have access to Direcadmin’s GUI, but you have root access. I had this situation with one installation with very old OS on which the license was unable to update. So because of invalid license, control panel was not accessible. You can change email password from command line like this.

  • Go to virtual directory where passwords are saved
    myDA:~# cd /etc/virtual/mydomain.com/
    myDA:/etc/virtual/mydomain.com# 
  • You can generate new crypted passowrd like bellow. “mynewpassword” is new password.
    [root@server ~]# openssl passwd -1 -salt saltsalt mynewpassword
    $1$saltsalt$XCrU04m/7D.n5Ami6FbHo/

  • Copy generated hash from previous step and change it inside  /etc/virtual/mydomain.com/passwd

That’s it. You should be able to log in into the email account with a new password.

Found this here. Thank you very much!

Country block/allow with iptables and ipset

Here is a simple way to restrict access to your server from country’s that you don’t want to be able to connect to your services. On website www.ipdeny.com you can find IP lists for specific country’s. With a simple script, you can regularly update those lists so that they are up-to-date with new addresses. In my case, I needed a way to allow some services only available from specific countries. You can also change logic a little bit and blocking only specific county. 

This will work on Linux server with installed iptables and ipset. Ipset will contain all addresses provided from ipdeny.com. 

First, if you don’t already have it, install ipset.

[root@server ~]# dnf install ipset

Then, you’ll need to create ipset array which will contain all addresses. 

ipset create allow_cc hash:net family inet hashsize 1024 maxelem 65536

Continue Reading

mysql_secure_installation: command not found

It’s always a good idea to do basic MySQL security measures after installing fresh version of MariaDB server. For this task, I always used “mysql_secure_installation” command, which was part of installation. Some time ago, I’ve got stucked when trying to do so on MariaDB version 10.7. After some searching around, I guess command was changed.

[root@server ~]# mysql_secure_installation
-bash: mysql_secure_installation: command not found

This is a correct way on newer MariaDB versions:

root@server ~]# mariadb-secure-installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
. . .

 

Find occurrences of the same string between two files with grep

I had this issue many times. Find the same occurrences of string between two different files so that you can pervent duplicates.

You should create foor loop that will take every line from file 1 and compare it to records in file 2.

for i in `file1.txt`; do grep -E "^$i\$" file2.txt; done

This will output only the exact strings that occurres in both files.

Letsencrypt/certbot fails when proxying with Apache ProxyPass

I had an issue on Directadmin server where client had nodejs application for which apache had to proxy on port 3001. Becouse of this, letsencrypt was not able to reach .well-known/acme-challenge/ and certificate registration/renewal failed. Solution is simple, you have to exclude proxy when requesting .well-known/acme-challenge/.

This was error whent trying to check .well-known/acme-challenge:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
{"errors":[{"message":"Route /.well-known/test.txt doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}%

So I added “ProxyPass !” directive just before where I create proxy directive to port 3001. Like so:

. . .
<Location /.well-known/acme-challenge>
     ProxyPass !
</Location>

<Location />
     Require all granted
     ProxyPass http://127.0.0.1:3000/
     ProxyPassReverse http://127.0.0.1:3000/
</Location>
. . . 

Then I was able tu make request to .well-known/acme-challenge sucsessfully:

> $ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
It works!

I hope this helps! 🙂

© 2025 geegkytuts.net
Hosted by SIEL


About author