Directadmin – build GeoIP2 in Directadmin’s NGINX and create country blocking for vhosts.

GeoIP is super helpful if you have trouble with a lot of nasty requests from some nasty countries :). Or sometimes you just want to lock down a website or part of it (the administration area) so that it is accessible only from your country.

Things are a little different when you are using the Directadmin control panel. I had Directadmin with an NGINX reverse proxy, so NGINX is the first point of contact for requests made to your websites. Besides SSL offloading, you can also do filtering, country blocking … before the request ends up on the backend (Apache).

So, here is how you can build the GeoIP2 extension into your NGINX on Directadmin. In my case, I have NGINX as a reverse proxy with Apache.

Check which NGINX version is installed on your server

[root@da nginx]# nginx -v
nginx version: nginx/1.23.1


[SCRIPT] Install mod_security with OWASP ruleset and GeoIP2 NGINX modules with script.

Because I don’t own NGINX Plus, I must build the mod_security and geoip2 modules manually each time I set up a new server with NGINX. It’s good practice to have both installed, as they can increase the security of your web application significantly. I was getting tired of building them every time, so I created a script which will do that for you. This script is built for Rocky Linux 8, so it should also work on CentOS 8 (Stream), AlmaLinux …

This script will auto-detect your NGINX version, download the source, build the extensions and install ModSecurity as well. It will also install the dependencies needed for the build. If you encounter errors, check the error output to see which library you need. It will also install the OWASP ruleset for mod_security and configure your NGINX accordingly. The path to the extensions will be inserted into your NGINX configuration by the script.

You should install and configure geoipupdate and add geoip definitions in your nginx configuration.

I hope this helps you and saves you some time. Feel free to modify and customize the script according to your needs.

Here is the script: build nginx modules script

Migrate email accounts to different user account on the same cPanel server

Maybe you’ll want to merge two separate cPanel accounts on the same server, but you won’t be able to, because you can’t simply delete the domain from the first account, and you can’t add the domain to the second account because it exists on the first one :).

You can migrate email and other user data simply by creating a backup of the user account and then deleting the account from cPanel. Below, I will show how to migrate just email, but you can also migrate websites like this.

  1. Make a copy of the primary user account (if migrating websites, also make sure to dump that user’s databases)
    root@cpanel [/home]# cp -rp useraccount1  useraccount1.bak
  2. Make a copy of the primary account’s email aliases so they won’t get lost when the primary account is deleted
    cp /etc/valiases/userdomain.com /etc/valiases/userdomain.com.bak
  3. Delete the primary user account in cPanel – useraccount1 in our case
  4. Add the domain of the primary account to the secondary account (useraccount2). Now you’ll be able to, because the domain doesn’t exist on the system anymore.
  5. Copy the primary account’s settings from the backup to the secondary account (the one you added the domain to) and set the right permissions:
    root@cpanel [/home]# cp -rp /home/useraccount1.bak/etc/userdomain.com  /home/useraccount2/etc/userdomain.com
    chown -R useraccount2: /home/useraccount2/etc/userdomain.com
  6. Copy all email accounts to the new account and set the right permissions
    cp -rp /home/useraccount1.bak/mail/userdomain.com /home/useraccount2/mail/userdomain.com
    chown useraccount2:mail /home/useraccount2/mail/userdomain.com
    chown -R useraccount2: /home/useraccount2/mail/userdomain.com/*
  7. Recreate the aliases
    cp /etc/valiases/userdomain.com.bak  /etc/valiases/userdomain.com

That’s it. You should be able to see the email accounts for userdomain.com in the new cPanel account. All passwords should remain the same as before.

Directadmin – x509: certificate signed by unknown authority – Letsencrypt

DST Root CA X3 expired on September 30, 2021. Because of this, I got an invalid certificate error when visiting the Directadmin login in Chrome. The certificate itself was valid; the CA certificate was the problem. What you have to do is update the system CA certificates. Also update letsencrypt via custombuild if you haven’t already.

The error was:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh renew my.server.com
Setting up certificate for a hostname: my.server.com
2021/09/30 14:49:15 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority
Certificate generation failed.

You have to update the system CA certificates (CentOS in this case):

[root@server ~]# yum install ca-certificates -y
....
[root@server ~]# update-ca-trust

Then try to create a new certificate for the server hostname:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh request_single my.server.com 4096
Setting up certificate for a hostname: my.server.com
2021/09/30 14:51:50 [INFO] [my.server.com] acme: Obtaining SAN certificate
2021/09/30 14:51:51 [INFO] [my.server.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/35702261650
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Could not find solver for: tls-alpn-01
2021/09/30 14:51:51 [INFO] [my.server.com] acme: use http-01 solver
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Trying to solve HTTP-01
2021/09/30 14:51:57 [INFO] [my.server.com] The server validated our request
2021/09/30 14:51:57 [INFO] [my.server.com] acme: Validations succeeded; requesting certificates
2021/09/30 14:52:01 [INFO] [my.server.com] Server responded with a certificate.
Certificate for my.server.com has been created successfully!
DirectAdmin certificate has been setup.
...

Directadmin – ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200)

I had a problem uploading files on a Directadmin server with mod_security enabled. I set upload_max_filesize and post_max_size to 64M, and still received an error like this:

[Wed Aug 04 23:31:30.320425 1912] [:error] [pid 1418987:tid 140666332325632] [client 89.212.96.1:64983] [client 89.212.96.1] ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200). [hostname "www.geekytuts.net"] [uri "/wp-admin/async-upload.php"] [unique_id "YQpCUpEZgUlp9rxIlbunrAAAnTQ"], referer: https://www.geekytuts.net/wp-admin/media-new.php

I found out that this behavior is not caused by any mod_security rules (Free ModSecurity Rules from Comodo) but by the SecRequestBodyLimit directive. The default value is 12.5M, and since I had set 64M for file uploads, I changed this value to the same size, in bytes.

The file you want to modify is /etc/httpd/conf/extra/httpd-modsecurity.conf. In my case, I modified it like this:

SecRequestBodyLimit 67108864
SecRequestBodyNoFilesLimit 1048576
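
A check for the mismatch described above, as an added example that is not part of the original post: it converts a PHP size such as 64M to bytes and compares it with the active SecRequestBodyLimit in a ModSecurity config file. The helper names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are illustrative, not ModSecurity or DirectAdmin tools.

# Convert PHP shorthand (64M, 512K, 1G or plain bytes) to bytes.
php_size_to_bytes() {
    num=${1%[KkMmGg]}
    case $1 in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Print the last active value of directive $1 in config file $2.
# Commented-out lines do not match because their first field differs.
modsec_directive() {
    awk -v d="$1" '$1 == d { v = $2 } END { if (v != "") print v }' "$2"
}

# check_body_limit <post_max_size> <modsecurity conf>
# Prints the directive line to set and returns 1 when ModSecurity would
# reject a body that PHP accepts; prints "ok" and returns 0 otherwise.
check_body_limit() {
    need=$(php_size_to_bytes "$1")
    have=$(modsec_directive SecRequestBodyLimit "$2")
    if [ -z "$have" ]; then
        echo "SecRequestBodyLimit not set in $2"; return 2
    fi
    if [ "$have" -lt "$need" ]; then
        echo "SecRequestBodyLimit $need"; return 1
    fi
    echo "ok"
}

# Constructed sample config reproducing the state before the fix.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SecRequestBodyLimit 67108864
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 1048576
EOF
check_body_limit 64M "$sample" || true
rm -f "$sample"
```

On a real server, pass the post_max_size value from php.ini and the path /etc/httpd/conf/extra/httpd-modsecurity.conf. SecRequestBodyNoFilesLimit is left alone because it does not count uploaded files.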

Directadmin restore error: “your_user” is not a valid username

I had this weird error when I tried to restore some Directadmin accounts on a new server. The majority of accounts were restored successfully, but some returned this error:

user1 is not a valid username
user2 is not a valid username

I tried many things and then found out that there is a default setting for username length in the Directadmin configuration: max_username_length. The default value is 10, so if the username of the account you are trying to restore is longer than 10 characters, the error will be returned. You have to edit the Directadmin configuration and set this variable.

[root@mx ~]# vi /usr/local/directadmin/conf/directadmin.conf

Then set max_username_length to a larger value. In my example, 20.

max_username_length=20

Build NGINX with GeoIP2 support from source

I used the GeoIP library with NGINX for quite some time, but it reached EOL. GeoIP2 is now available. It is a great tool for blocking unwanted traffic from your webserver. This was done on CentOS 7. If you don’t want to pay for getpagespeed’s paid version, then you must build this module from source.

First, you’ll need to know your current NGINX version:


[root@myserver ~]# nginx -v
nginx version: nginx/1.16.1

Then, download the exact same version of NGINX from this site and unpack it. In my case:


[root@myserver ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@myserver ~]# tar -xvzf nginx-1.16.1.tar.gz
[root@myserver ~]# cd nginx-1.16.1

Then you should download ngx_http_geoip2_module – the GeoIP2 module for NGINX:


[root@myserver ~]# wget https://github.com/leev/ngx_http_geoip2_module/archive/master.zip
[root@myserver ~]# unzip master.zip

You should install GCC and Development Tools for dependencies.

[root@myserver ~]# yum groupinstall 'Development Tools'
[root@myserver ~]# yum install gcc


Fix high server load and memory/cpu consumption of clamd ( ClamAV )

I had trouble with one of my Directadmin servers, which was constantly under high load because of the clamd process. When running the top command, clamd was always at the top of the list. From what I researched, there is no way to limit ClamAV’s memory and CPU consumption via its own configuration. This is how you do it.

What you have to do is limit clamd within its startup script, so that clamd will start with some limitations.

Just open the ClamAV startup script. In this case, on CentOS 7:

vi /etc/systemd/system/clamd.service

Then add these lines. Of course, change them according to your needs.

IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

Your startup script should now look something like this:

[Unit]
Description = Generic clamav scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStartPre=-/bin/mkdir -p /var/run/clamd
ExecStartPre=-/bin/chown -R clamav:clamav /var/run/clamd
ExecStart = /usr/local/sbin/clamd --foreground=yes
Restart = on-failure
PrivateTmp = true
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

[Install]
WantedBy = multi-user.target

Directadmin – install imagick (ImageMagick PHP module) with pecl – multi php

It’s amazingly simple. If you have multiple PHP instances installed, go to the bin directory of the one for which you want to install the imagick module. In this example, I’ll install it on PHP version 7.3. This is CentOS 7 with Directadmin. You don’t need custombuild for this procedure.

Go to PHP bin directory:
[root@wutang4eva ~]# cd /usr/local/php73/bin/

Then just install the imagick module like this:
[root@wutang4eva bin]# ./pecl install imagick

If php_ini is not set, then add the extension to your php.ini manually:
Add extension=imagick.so to /usr/local/php73/lib/php.ini

Restart php-fpm for that PHP version - if you are using fpm, of course:
systemctl restart php-fpm73.service

Check if imagick is installed:
[root@wutang4eva bin]# ./php73 -m | grep imag
imagick

If you want it on other PHP versions, just do the same for each version you need imagick on.

I hope this helps.
