-
Manual Installation of Nginx in Cpanel Apache in proxy mode
Posted on July 22nd, 2010
1. In order to get the cPanel server ready for nginx, you must first install an Apache module called mod_rpaf.
Login as root:
# cd /usr/local/src
# wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
# tar xvzf mod_rpaf-0.6.tar.gz
# cd mod_rpaf-0.6
# /usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
2. Doing so will install the module into the Apache module directory. Then go to your Web Host Manager (WHM) and follow the tree here:
Main >> Service Configuration >> Apache Configuration >> Include Editor >> Pre Main Include
Select the Apache version that is running on your cPanel server, then add the following code section there, replacing "(place all your ips here without the brackets)" with the list of IP addresses on your cPanel server:
==================================================
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
# Enable reverse proxy add forward
RPAFproxy_ips 127.0.0.1 (place all your ips here without the brackets)
RPAFsethostname On
# let rpaf update vhost settings allowing to have
# the same hostnames as in the "actual" configuration for the
# forwarding apache installation
RPAFheader X-Real-IP
# Allows you to change which header we have mod_rpaf looking for
# when trying to find the ip the that is forwarding our requests
===================================================
3. Once this is completed, we are ready to move Apache to another port. To move Apache to another port, follow the steps below:
Go to your WHM >> "Tweak Settings" and change the Apache port from 80 to 81 (find 0.0.0.0:80 and change it to 0.0.0.0:81).
4. Do the following:
# /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
5. Check your "/usr/local/apache/conf/httpd.conf" for any occurrences of port 80:
# vi /usr/local/apache/conf/httpd.conf
Search for port 80. If you find any occurrences of port 80, rebuild your Apache configuration file by running
# /scripts/rebuildhttpdconf
and make sure your httpd.conf file is up to date.
6. Then run
# /etc/init.d/httpd restart
7. Now install Nginx. You must install the pcre library in order to install Nginx on your cPanel server:
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
# tar xvzf pcre-7.9.tar.gz
# cd pcre-7.9
# ./configure
# make
# make install
Now install Nginx:
# wget http://sysoev.ru/nginx/nginx-0.7.63.tar.gz
# tar xvzf nginx-0.7.63.tar.gz
# cd nginx-0.7.63
# ./configure
# make
# make install
9. Create the nginx.sh file and put the code section below into it:
# vi nginx.sh
===================================================================
#!/bin/sh
# Write the main nginx configuration
cat > "/usr/local/nginx/conf/nginx.conf" <<EOF
user nobody;
# no need for more workers in the proxy mode
worker_processes 2;
error_log logs/error.log info;
worker_rlimit_nofile 8192;
events {
    worker_connections 1024; # you might need to increase this setting for busy servers
    use epoll; # Linux kernels 2.6.x change to epoll
}
http {
    server_names_hash_max_size 2048;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 10;
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;
    ignore_invalid_headers on;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 4k;
    large_client_header_buffers 4 32k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    include "/usr/local/nginx/conf/vhost.conf";
}
EOF
# Start from an empty vhost.conf, then add one server block per domain
/bin/cp /dev/null /usr/local/nginx/conf/vhost.conf
cd /var/cpanel/users
for USER in *; do
    for DOMAIN in `cat $USER | grep ^DNS | cut -d= -f2`; do
        IP=`cat $USER|grep ^IP|cut -d= -f2`;
        ROOT=`grep ^$USER: /etc/passwd|cut -d: -f6`;
        echo "Converting $DOMAIN for $USER";
        # Static files are served by nginx itself, so Apache .htaccess rules
        # do not apply to them; everything else is proxied to Apache on port 81
        cat >> "/usr/local/nginx/conf/vhost.conf" <<EOF
server {
    access_log off;
    error_log logs/vhost-error_log warn;
    listen 80;
    server_name $DOMAIN www.$DOMAIN;
    location ~* \.(gif|jpg|jpeg|png|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|js|css|html|htm|wml)$ {
        root $ROOT/public_html;
    }
    location / {
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        # you can increase proxy_buffers here to suppress "an upstream response
        # is buffered to a temporary file" warning
        proxy_buffers 16 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_connect_timeout 30s;
        proxy_redirect http://www.$DOMAIN:81 http://www.$DOMAIN;
        proxy_redirect http://$DOMAIN:81 http://$DOMAIN;
        proxy_pass http://$IP:81/;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
    done
done
===================================================================================
8. Save the file, change the permission and then run:
# chmod 755 nginx.sh
# sh nginx.sh
9. Now check the Nginx configuration:
# /usr/local/nginx/sbin/nginx -t
=============================
Great install instructions, everything worked fine, just some additional info if you get an error like invalid event type "rtsig" when you run this command:
# /usr/local/nginx/sbin/nginx -t
To correct this error you should do this:
vi /usr/local/nginx/conf/nginx.conf
Find line 11 and change "rtsig" to "epoll". This error occurs in case your server is using kernel 2.4.x
===============================
10. Restart Nginx
# /usr/local/nginx/sbin/nginx
11. Create init script
# vi /etc/init.d/nginx
And put the below code section to the file:
========================================================================
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
# Taken from http://www.hikaro.com
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /usr/local/nginx/logs/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)
NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
lockfile=/var/lock/subsys/nginx

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    # refuse to restart with a configuration that does not parse
    configtest || return $?
    stop
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # restart only if nginx is already running
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
========================================================================================
11. Save the code and execute
# chmod +x /etc/init.d/nginx
12. Make it start when the server starts
# /sbin/chkconfig nginx on
13. You can run the following commands to check if it is running:
# service nginx start
# service nginx stop
# service nginx restart
# service nginx reload
# service nginx configtest
# service nginx status
14. To create a virtualhost entry in the nginx virtualhost configuration (/usr/local/nginx/conf/vhost.conf) automatically when a cPanel account gets created on the server, follow the instructions below:
Go to the cPanel script:
# vi /scripts/postwwwacct
# chmod 755 /scripts/postwwwacct
and put in the same code that is used in "nginx.sh" in step 9; it will create a virtualhost entry in nginx.
15. To remove the virtualhost entry from the nginx virtualhost configuration (/usr/local/nginx/conf/vhost.conf) when a cPanel account gets terminated on the server, follow the instructions below:
Go to the cPanel script:
# vi /scripts/postkillacct
# chmod 755 /scripts/postkillacct
and put in the same code that is used in "nginx.sh" in step 9. Because that code rebuilds vhost.conf from the accounts that still exist, the terminated account's virtualhost entry is dropped.
DONE!! Cheers!!!!
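The RPAFproxy_ips list from step 2 and the proxy_pass targets generated in step 9 have to agree: mod_rpaf accepts X-Real-IP only from addresses on that list, and any address on it is trusted to set the client IP. The check below is an added example, not part of the original post; the function names are hypothetical, the file locations are passed as arguments, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare the addresses trusted
# by mod_rpaf with the account IPs that nginx proxies to on port 81.
# Function names are hypothetical; file paths are passed in as arguments.

# rpaf_trusted_ips FILE: addresses on uncommented RPAFproxy_ips lines
rpaf_trusted_ips() {
    awk 'tolower($1) == "rpafproxy_ips" { for (i = 2; i <= NF; i++) print $i }' "$1" |
        LC_ALL=C sort -u
}

# account_ips DIR: IP= values from cPanel user files (as in /var/cpanel/users)
account_ips() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed -n 's/^IP=//p' "$f"
    done | LC_ALL=C sort -u
}

# missing_proxy_ips RPAF_FILE USERS_DIR: account IPs absent from RPAFproxy_ips.
# Connections nginx makes to these may not be recognised as proxy traffic,
# in which case Apache keeps the proxy's address as the client address.
missing_proxy_ips() {
    trusted=$(rpaf_trusted_ips "$1")
    for ip in $(account_ips "$2"); do
        printf '%s\n' "$trusted" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# extra_proxy_ips RPAF_FILE USERS_DIR: trusted addresses that are neither
# loopback nor an account IP. Review each one: a host listed here can supply
# any X-Real-IP value and Apache will record it as the client address.
extra_proxy_ips() {
    accounts=$(account_ips "$2")
    for ip in $(rpaf_trusted_ips "$1"); do
        [ "$ip" = "127.0.0.1" ] && continue
        printf '%s\n' "$accounts" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# Demo on constructed sample files (documentation addresses, not real hosts)
demo() {
    d=$(mktemp -d)
    mkdir "$d/users"
    printf 'DNS=example.com\nIP=192.0.2.10\n' > "$d/users/alice"
    printf 'DNS=example.org\nIP=192.0.2.11\n' > "$d/users/bob"
    printf '# RPAFproxy_ips 10.9.9.9\nRPAFproxy_ips 127.0.0.1 192.0.2.10 198.51.100.7\n' > "$d/rpaf.conf"
    echo "missing from RPAFproxy_ips: $(missing_proxy_ips "$d/rpaf.conf" "$d/users" | tr '\n' ' ')"
    echo "to review in RPAFproxy_ips: $(extra_proxy_ips "$d/rpaf.conf" "$d/users" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

On a live server the arguments would be the file holding the Pre Main Include and /var/cpanel/users; a server address that belongs to no account will show up in the review list and is expected there.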
-
Domain unable to unsuspend in Plesk 9.5
Posted on July 21st, 2010
After upgrading Plesk to the latest release, one of our domains on the Plesk server could not be unsuspended and gave the following error:
"Warning: The domain is still suspended for the following reason: Domain is temporarily suspended for backing up or restoring"
Though it appeared to be a backup issue, no backups were running for the domain, which made it quite confusing. We used the following method to unsuspend the domain.
Log in to the shell and run the following command:
/usr/local/psa/bin/domain -u domain.com -status enabled
Segmentation fault
Voila! So here is the problem: the Plesk binary is giving a segmentation fault, so it appears that the Plesk upgrade didn't go properly. Plesk itself relies on these binaries, which is the problem here. Now log in to Plesk and, under "Updates", select the Plesk base package option and re-install the Plesk base packages to make the Plesk binaries work again. You should receive an email when the updates are completed.
Then follow these steps to reconfigure the domain in the Plesk database.
Reconfigure the domain:
/usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=domain.com
Change the status for the domain:
/usr/local/psa/bin/domain -u domain.com -status enabled
You should get a message saying the object was successfully enabled. That's it; the domain should now be unsuspended in Plesk.
-
What is VPN ( Virtual Private Network)
Posted on May 19th, 2010
VPN stands for Virtual Private Network. A VPN uses the Internet as its transport mechanism, while maintaining the security of the data on the VPN. VPNs are commonly used to connect local area networks (LANs) into wide area networks (WANs) using the Internet.
Some of the basic requirements for a VPN:
1] User Permission: Enable a user to access the VPN. To do this, go to AD Users and Computers, select the user who needs to access the VPN, and click Dial-in. Check Allow access under Remote Access Permission (Dial-in or VPN).
2] IP Configuration: The VPN server should have a static IP address and assign a range of IP addresses to VPN clients. The VPN server must also be configured with DNS and WINS server addresses to assign to the VPN client during the connection.
3] Data Encryption: Data carried on the public network should be rendered unreadable to unauthorized clients on the network.
4] Protocol Support: TCP/IP is the common protocol used in the public network. The VPN also includes IP, Internetwork Packet Exchange (IPX), NetBEUI and so on.
5] Firewall Ports: When you place a VPN server behind your firewall, be sure to enable IP protocol 47 (GRE) and TCP port 1723.
6] Interface(s) for VPN server: If your network doesn't have a router or the VPN is also a gateway, your computer must have at least two interfaces, one connecting to the Internet and another connecting to the LAN. If it is behind a router, you just need one NIC.
7] One interface for VPN client: The interface can be a dial-in modem, or a dedicated connection to the Internet.
Downloading the new version of OpenVPN
-
Running Windows Plesk control panel on additional port 443.
Posted on May 14th, 2010
One of our Windows servers required Plesk to run on a dedicated IP on port 443 because of an ISP restriction: they only allowed access to ports 443 and 80. By default, the Plesk Control Panel web site in IIS is configured to listen on port 8443 on all IP addresses. A dedicated IP address needs to be used for Plesk Control Panel, with none of the domains hosted on the server using that IP. This is required to avoid conflicts with existing websites.
The following needs to be done:
1. Go to IIS management console
2. Find PleskControlPanel web site
3. Click on Properties
4. Click on Advanced button in Web Site tab
5. Add SSL identity for the Web Site
6. Set IP address that you want to use and set SSL port to 443
7. Apply
Then edit Apache configuration file %plesk_dir%admin\conf\httpd.conf.
1. Find the line
Listen 8443
2. Add the following line below that
Listen IP_address:443
Restart the Plesk Control Panel service using the tray monitor.
-
WHM locked out – cphulkd
Posted on May 13th, 2009
Today we were locked out of one of our servers by cphulkd. When trying to access the server from WHM we were getting the following message, so we could not log in to WHM, and we were also not able to access the shell.
---------------------------------------------------------------------------------------
This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.
---------------------------------------------------------------------------------------
This is done by 'cphulkd', the cPanel Brute Force Protection service.
cphulkd: cPanel Brute Force Protection service. This service monitors failed authentication attempts and locks out accounts after the threshold is met.
To re-enable your account, log in via ssh and disable cphulkd using the command below.
# /usr/local/cpanel/bin/cphulk_pam_ctl --disable
This should allow you to log in to WHM and double check your cPHulk settings.
You can view IP addresses that have been blocked via the WHM interface: WHM -> Security -> Security Center -> cPHulk Brute Force Protection in the Brutes table. On that screen, you can also customize brute force protection settings.
Flush DB will remove all blocked IPs:
WHM -> Security Center -> cPHulk Brute Force Protection -> Click on Flush DB
The other way to do this is given below.
SSH to the server, log in as root and type the following at the prompt:
[root@server:] mysql
mysql> use cphulkd;
mysql> BACKUP TABLE brutes TO '/path/to/backup/directory';
mysql> SELECT * FROM brutes WHERE `IP`='xxx.xxx.xxx.xxx';
mysql> DELETE FROM brutes WHERE `IP`='xxx.xxx.xxx.xxx';
mysql> quit
Hopefully this helps you as well. You can contact us anytime if you have any problems. Just click on live chat and we are here to assist you.
-
Installing ClamAV on CentOS 4
Posted on April 28th, 2009
Installing the ClamAV antivirus software on your Linux CentOS server is quite easy. The best way to do this is to use yum to look for the ClamAV packages in Dag's repositories.
Adding Dag's repositories on your server:
1.) Connect to the server with the root login and password.
2.) Type in the command cd /etc/yum.repos.d and press Enter. This will bring us to the Yum repository configuration directory.
3.) From this directory download the Yum repository configuration file by typing in the command
wget http://24x7servermanagement.com/downloads/dag-clamav.repo and press Enter. This is what the file dag-clamav.repo looks like
4.) To install ClamAV AntiVirus, type in the command
yum install clamav clamav-devel clamd and press Enter. When asked to confirm the download, type in y and press Enter.
5.) To use ClamAV AntiVirus, type in the command clamscan and press Enter.
For example, if you need to scan the entire /home directory: cd /home then run clamscan -vr
6.) To update the virus database, type in the command freshclam and press Enter.
-
Installing OpenVZ on CentOS
Posted on April 21st, 2009
One virtualization product that is different from the others is OpenVZ. It will only do Linux-on-Linux virtualization as it is an OS-level virtualization product, where others are machine or hardware virtualization products. Essentially, OpenVZ is a glorified Linux chroot or BSD jail system that allows you to completely isolate processes from each other, increase security by keeping bits separate, and tightly control resource utilization. OpenVZ refers to these "virtual machines" as containers, virtual private servers (VPS), or virtual environments (VE).
As a result, OpenVZ is much lighter on system resources than full virtualization products like VMware or Xen.
Installing OpenVZ is quite simple. It requires a special kernel to provide the virtualization support it needs, and this can be obtained easily via the OpenVZ project itself. While the kernels are meant for RHEL4 and RHEL5, they will work on CentOS and track the upstream kernels quite closely.
To begin, you must download the OpenVZ repository control file in order for yum to become aware of the repository, and import the repository’s GPG signing key.
This can be done by executing:
# cd /etc/yum.repos.d/
# curl -OL http://download.openvz.org/openvz.repo
# rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ
# yum update
The final command downloads the repository metadata for the OpenVZ repositories. By default, only the RHEL5 and utils repositories are enabled; you can enable other repositories if you are interested in trying newer kernels. For CentOS 5, be sure to use the RHEL5 repository.
To install the OpenVZ kernel, execute:
# yum install ovzkernel.x86_64
Substitute "i386" for "x86_64" above if you are running a 32-bit system. Once the kernel is installed, edit /boot/grub/grub.conf to make sure that the entry for the OpenVZ kernel is the default (if it is the first entry in the file, make sure that default=0 is set; if it is the third entry, use default=2; it should be the first entry, however).
Next, edit /etc/sysctl.conf and add:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
This will enable IPv4 forwarding, disable the proxy arp, enable source route verification, and disable all of the interfaces from sending redirects. It also enables the magic sysrq key. Some of these options may already be defined; if so, simply comment any you find earlier in the file.
You will also need to disable SELinux by setting SELINUX=disabled in /etc/sysconfig/selinux.
Now reboot the system. When it comes back up, install the OpenVZ utilities:
# yum install vzctl.x86_64 vzquota.x86_64
You do not need to specify the architecture on a 32-bit system; specifying it on the x86_64 platform is desirable; otherwise, it will want to install both the i386 and x86_64 packages.
Once this is done, execute:
# service vz start
Installation is complete and you are ready to set up your first OpenVZ virtual machine. I’ll look at creating an OpenVZ container in the future; in the meantime you can look at the OpenVZ wiki to read about how to create OS templates. Let me know if you have any specific questions about OpenVZ.
-
Apache internal dummy connection in access_log
Posted on March 27th, 2009
Sometimes you will notice the following lines in Apache's access_log, along with Apache using more memory resources.
::1 - - [09/May/2008:14:53:29 -0400] "GET / HTTP/1.0" 200 5043 "-" "Apache (internal dummy connection)"
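Counting these entries per source address, as an added example that is not part of the original post (function names are hypothetical and the log lines are constructed): dummy requests can come from 127.0.0.1 as well as ::1, so a log filter keyed on a single address should be checked against both, and the same User-Agent from an address that is not the server's own is a client copying the string.

```shell
#!/bin/sh
# Added example (not from the original post): count "internal dummy
# connection" entries per source address in a combined-format access log.
# Function names are hypothetical; sample_log emits constructed lines.

sample_log() {
    cat <<'EOF'
::1 - - [09/May/2008:14:53:29 -0400] "GET / HTTP/1.0" 200 5043 "-" "Apache (internal dummy connection)"
::1 - - [09/May/2008:14:53:30 -0400] "GET / HTTP/1.0" 200 5043 "-" "Apache (internal dummy connection)"
127.0.0.1 - - [09/May/2008:14:53:31 -0400] "GET / HTTP/1.0" 200 5043 "-" "Apache (internal dummy connection)"
203.0.113.5 - - [09/May/2008:14:53:32 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [09/May/2008:14:53:33 -0400] "GET / HTTP/1.0" 200 5043 "-" "Apache (internal dummy connection)"
EOF
}

# dummy_by_addr: read a combined-format log on stdin, print "count address"
dummy_by_addr() {
    awk -F'"' '
        # Splitting on double quotes makes field 6 the User-Agent string
        $6 ~ /\(internal dummy connection\)/ {
            split($1, head, " ")        # head[1] = remote address
            seen[head[1]]++
        }
        END { for (a in seen) print seen[a], a }
    ' | LC_ALL=C sort -k2
}

# dummy_not_from ADDR: number of dummy entries whose source is not ADDR,
# i.e. entries that a log filter matching only ADDR would still record
dummy_not_from() {
    dummy_by_addr | awk -v keep="$1" '$2 != keep { n += $1 } END { print n + 0 }'
}

# foreign_dummy ADDR...: sources of dummy-UA entries that are not among the
# server's own addresses given as arguments. Apache only sends these requests
# to itself, so any other source is a client that copied the User-Agent.
foreign_dummy() {
    own=" $* "
    dummy_by_addr | while read -r count addr; do
        case "$own" in
            *" $addr "*) ;;
            *) printf '%s\n' "$addr" ;;
        esac
    done
}

# Demo on the constructed sample
sample_log | dummy_by_addr
```

On a real server, feed the functions the access log itself, for example `dummy_by_addr < /var/log/httpd/access.log`.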
According to http://wiki.apache.org/httpd/InternalDummyConnection, these requests are perfectly normal and you do not, in general, need to worry about them; they can simply be ignored. But you may see a large number of these internal dummy connections, with Apache using more memory and, at the same time, the CPU load on the Apache 2.2 server maxing out at nearly 100%. So here is what you can do to stop this.
Edit the httpd.conf file and add the following. The CustomLog directive should already be present, so you just need to make the changes given below.
SetEnvIf Remote_Addr "::1" dontlog
CustomLog /var/log/httpd/access.log combined env=!dontlog
-
Webmail error: A fatal error has occurred DB Error: connect failed
Posted on March 8th, 2009
When accessing the Webmail URL, you sometimes get the following error while attempting to log in to Webmail:
A fatal error has occurred
DB Error: connect failed
Details have been logged for the administrator.
Please make sure that the following line exists in /etc/my.cnf:
socket=/var/lib/mysql/mysql.sock
Also check that the MySQL service is running and that the /var/lib/mysql/mysql.sock socket exists.
Make sure that the 'horde' user is able to connect to the 'horde' database with the password from /etc/psa/.webmail.shadow using the command:
# mysql -uhorde -p`cat /etc/psa/.webmail.shadow` -D horde
If /etc/psa/.webmail.shadow is missing, put a password into this file and change the password for the 'horde' user in the 'mysql' database using the query listed below.
If you get the error, make sure that only one 'horde' MySQL user exists in the 'user' table in the 'mysql' database and try to change its password with a MySQL query like:
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` -D mysql
mysql> update user set password=password("THE_PASSWORD_FROM_WEBMAIL.SHADOW") where user="horde";
mysql> FLUSH PRIVILEGES;
Look into the "psa-horde" log (by default: /var/log/psa-horde). If you see something like:
Nov 02 12:55:06 HORDE [emergency] [horde] DB Error: connect failed: [nativecode=Access denied for user: 'root@localhost' (Using password: NO)] ** Array [on line 1329 of "/usr/share/psa-horde/lib/Horde/DataTree/sql.php"]
make sure that sql.safe_mode is disabled in php.ini. It should look like:
sql.safe_mode=Off
Restart Apache after changes in php.ini have been made.
-
Install ImageMagick on cpanel
Posted on March 5th, 2009
Here is one simple way to install ImageMagick on CentOS-based cPanel servers.
/scripts/installimagemagick
This worked quite well for us. Hopefully it will help others.


