Everything posted by Sandeep B.
-
Securing Memcached server From UDP Attacks Centos Almalinux RockyLinux
In this tutorial we’ll secure a Memcached server against the UDP-based attacks that are common these days. If you are using a firewall and the memcached port is closed to the world, you are already safe from these attacks. If your Memcached server is only used by the local server, add the line below: it disables UDP and makes memcached listen only on the loopback addresses, so the server is no longer exposed on the internet. UDP is an older transport that Memcached no longer needs; TCP is safer and is what every current client uses.

Edit the memcached config file :
    nano /etc/sysconfig/memcached

Add -l 127.0.0.1 -U 0 inside the quotes of OPTIONS="" like this :
    OPTIONS="-l 127.0.0.1,::1 -U 0"

At the end the file will look like this :
    PORT="11211"
    USER="memcached"
    MAXCONN="1024"
    CACHESIZE="64"
    OPTIONS="-l 127.0.0.1,::1 -U 0"

If your Memcached server has to bind to a public IP, add the following OPTIONS line instead, which only disables the UDP protocol :
    OPTIONS="-U 0"

After that restart the memcached server and you are done :
    service memcached restart
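A quick way to verify the edit above is to parse the OPTIONS line rather than eyeball it. This is an added example, not part of the tutorial; the three config texts are constructed samples and the checker only understands the -U and -l flags used in this post.

```python
# Added example (not from the original tutorial): a small checker for the
# OPTIONS line in /etc/sysconfig/memcached that reports whether the UDP
# listener is disabled (-U 0) and whether memcached is bound to loopback only.
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_sysconfig(text):
    """Return KEY=value pairs from a sysconfig-style file (quotes stripped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_options(options):
    """Pull the -U <udp port> and -l <addr[,addr...]> values out of OPTIONS.

    Both the separated form (-U 0) and the attached form (-U0) are accepted.
    Returns (udp_port or None if -U is absent, list of listen addresses).
    """
    tokens = shlex.split(options)
    udp_port, listen = None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-U", "-l"):
            flag, val = tok, (tokens[i + 1] if i + 1 < len(tokens) else "")
            i += 2
        elif tok[:2] in ("-U", "-l") and len(tok) > 2:
            flag, val = tok[:2], tok[2:]
            i += 1
        else:
            i += 1
            continue
        if flag == "-U":
            udp_port = int(val) if val.isdigit() else None
        else:
            # -l may be given several times or as a comma-separated list
            listen += [a.strip() for a in val.split(",") if a.strip()]
    return udp_port, listen


def audit_memcached(text):
    """Return the parsed settings plus a list of findings (empty = hardened)."""
    conf = parse_sysconfig(text)
    udp_port, listen = parse_options(conf.get("OPTIONS", ""))
    tcp_port = conf.get("PORT", "11211")
    findings = []
    if udp_port is None:
        findings.append("UDP not explicitly disabled: add -U 0 to OPTIONS")
    elif udp_port != 0:
        findings.append(f"UDP listener enabled on port {udp_port}: set -U 0")
    if not listen:
        findings.append("no -l address: memcached binds every interface, "
                        f"so TCP port {tcp_port} must be firewalled")
    for addr in listen:
        if addr not in LOOPBACK:
            findings.append(f"listening on non-loopback address {addr}: "
                            f"firewall TCP port {tcp_port}")
    return {"udp_port": udp_port, "listen": listen, "findings": findings}


# Constructed samples: the CWP-style file before and after the tutorial's edit.
BEFORE = 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n'
AFTER = BEFORE.replace('OPTIONS=""', 'OPTIONS="-l 127.0.0.1,::1 -U 0"')
# A server that must bind a public IP can only apply the second fix from the tutorial.
PUBLIC = BEFORE.replace('OPTIONS=""', 'OPTIONS="-l 203.0.113.10 -U 0"')

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("public", PUBLIC)):
        print(name, audit_memcached(text))
```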
-
How to upgrade PostgreSQL to Latest version PostgreSQL 15 in CWP Centos 7/8/Almalinux 8/RockyLinux 8
In this tutorial I’ll show you how to upgrade PostgreSQL from an older version to the latest one (at the time of writing 13 is the latest version). This was tested in CWP and on other servers running CentOS 7 and 8, i.e. el7/el8. The upgrade procedure is a little complicated, so follow the steps below one by one.

Step 1 : Back up all the data
    mkdir /home/pgsql
    chown -R postgres:postgres /home/pgsql
    su - postgres
    pg_dumpall > /home/pgsql/backup
    exit

Step 2 : Uninstall/remove the current version of PostgreSQL
    systemctl stop postgresql
    mv /var/lib/pgsql/data/ /home/pgsql/data.old
    rpm -e --nodeps postgresql postgresql-devel postgresql-libs postgresql-server

If you already installed from the official repo, i.e. version 9, 10, 11 or 12 (skip this if you didn’t use the official repo to install pgsql), also run the following, replacing “#” with the version number, i.e. 9/10/11/12/13/14 :
    systemctl stop postgresql-#
    mkdir -p /home/pgsql/#
    mv /var/lib/pgsql/#/data/ /home/pgsql/#/data.old
    rpm -e --nodeps postgresql# postgresql#-devel postgresql#-libs postgresql#-server

Step 3 : Install the latest version of PostgreSQL

EL7/CentOS 7 :
    yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
    yum install -y yum-utils centos-release-scl-rh
    yum-config-manager --disable centos-sclo-rh
    yum --enablerepo=centos-sclo-rh install llvm-toolset-7-clang
    yum install postgresql15-server postgresql15-devel

EL8/CentOS 8 :
    dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
    dnf -qy module disable postgresql
    dnf install postgresql15-server postgresql15-devel

Step 4 : Copy the configuration file to the new PostgreSQL installation

CentOS 7/8 / EL7/EL8 : initdb creates the data directory, so run it first, then replace the generated pg_hba.conf :
    su - postgres
    /usr/pgsql-15/bin/initdb
    mv /var/lib/pgsql/15/data/pg_hba.conf /var/lib/pgsql/15/data/pg_hba.conf.bak
    wget -O /var/lib/pgsql/15/data/pg_hba.conf https://www.alphagnu.com/upload/pg_hba.conf
    chown -R postgres:postgres /var/lib/pgsql/15/data/pg_hba.conf
    exit
pg_hba.conf decides who may authenticate to PostgreSQL and how, so read the downloaded file before you start the server.

If you used the official repo to install pgsql before (skip this step if you didn’t), replace “#” with the version number you used above :
    su - postgres
    /usr/pgsql-15/bin/initdb
    cp /home/pgsql/#/data.old/pg_hba.conf /var/lib/pgsql/15/data/
    cp /home/pgsql/#/data.old/postgresql.conf /var/lib/pgsql/15/data/
    exit

Step 5 : Start PostgreSQL and enable it to start on boot
    systemctl enable postgresql-15
    systemctl start postgresql-15

Step 6 : Restore the backup taken in Step 1
    su - postgres
    psql -d postgres -f /home/pgsql/backup
    exit

Step 7 : Create a symlink for the new version’s service
    systemctl stop postgresql
    rm -rf /usr/lib/systemd/system/postgresql.service
    ln -s /usr/lib/systemd/system/postgresql-15.service /usr/lib/systemd/system/postgresql.service
    systemctl daemon-reload
    systemctl stop postgresql-15.service
    systemctl enable postgresql
    systemctl restart postgresql

EXTRA : upgrading phpPgAdmin in CWP
    cd /usr/local/cwpsrv/var/services
    yum install cwpPgphp -y
    yum reinstall cwpPgphp -y
    mv phpPgAdmin phpPgAdmin.bak
    wget https://github.com/phppgadmin/phppgadmin/releases/download/REL_7-13-0/phpPgAdmin-7.13.0.zip
    unzip phpPgAdmin-7.13.0.zip
    mv phpPgAdmin-7.13.0 phpPgAdmin
    rm -rf phpPgAdmin-7.13.0.zip
-
CWP Apache enable TLS 1.3 - Control Web Panel
In this tutorial I’ll guide you through enabling TLSv1.3 in CWP-httpd/Apache (when only the Apache webserver is installed). I’ve tested this and it seems to be working fine. HTTPS becomes faster and safer for every user and every device; after you enable TLS 1.3 you’ll notice faster website loading. The Transport Layer Security (TLS) 1.3 protocol provides better privacy and performance than previous versions of TLS and than non-secure HTTP. Performance has a major impact on user experience, and TLS 1.3 is a turning point for HTTPS performance: modern mobile networks routinely add over 100ms of latency to each request, and TLS 1.3 makes page load times significantly faster on mobile devices, improving the experience for your visitors. This tutorial enables HTTP/2 and TLSv1.3 automatically. If you’re using nginx as a proxy, or nginx + php-fpm, follow the separate tutorial for that setup too.

Step 1 : Installing a few dependencies needed for the Apache build

Installing Autoconf :
    cd /usr/local/src
    rm -rf autoconf-*
    wget https://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
    tar zxvf autoconf-latest.tar.gz
    cd autoconf-*/
    ./configure --prefix=/usr
    make && make install

Installing OpenSSL :
    cd /usr/local/src
    rm -rf openssl*
    wget https://www.openssl.org/source/openssl-3.0.9.tar.gz -O openssl.tar.gz
    tar -xf openssl.tar.gz
    rm -rf openssl.tar.gz
    mv openssl-* openssl
    cd openssl
    ./config --prefix=/usr/local/opensslso --openssldir=/usr/local/opensslso zlib shared
    make && make install
*Building OpenSSL will take some time.

Installing Nghttp2 (a Python 3.8 build comes first, then nghttp2 itself) :
    cd /usr/local/src
    rm -rf Python-*
    wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tgz
    tar xvf Python-3.8.12.tgz
    cd Python-3.8*/
    ./configure --enable-optimizations
    make altinstall
    cd /usr/local/src
    rm -rf nghttp2-*
    yum install libtool -y
    wget https://github.com/nghttp2/nghttp2/releases/download/v1.47.0/nghttp2-1.47.0.tar.gz
    tar zxvf nghttp2-1.47.0.tar.gz
    cd nghttp2-*/
    ./configure --prefix=/usr PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig
    make && make install

Step 2 : Building Apache (latest)

The rebuild script is downloaded from alphagnu.com and runs as root, so read it first if you want to know what it changes on the server.

el7/CentOS 7 :
    cd /usr/local/src
    rm -rf /usr/local/src/apache*
    wget --no-cache https://www.alphagnu.com/upload/apache-rebuild-new7.sh
    yum install uuid uuid-devel libuuid-devel pcre-devel -y
    chmod 755 apache-rebuild-new7.sh
    sh apache-rebuild-new7.sh

Run these commands to exclude cwp-httpd from updates, so your config doesn’t get lost when there is an update :
    cat /etc/yum.conf |grep "^exclude="|grep httpd 1> /dev/null 2> /dev/null || echo 'exclude=httpd*' >> /etc/yum.conf
    cat /etc/yum.conf |grep "^exclude="|grep cwp-httpd 1> /dev/null 2> /dev/null || echo 'exclude=cwp-httpd' >> /etc/yum.conf

el8/CentOS 8 :
    cd /usr/local/src
    rm -rf /usr/local/src/apache*
    wget --no-cache https://www.alphagnu.com/upload/apache-rebuild-new8.sh
    dnf install uuid uuid-devel libuuid-devel pcre-devel -y
    chmod 755 apache-rebuild-new8.sh
    sh apache-rebuild-new8.sh

Run these commands to exclude cwp-httpd from updates, so your config doesn’t get lost when there is an update :
    dnf module disable httpd
    cat /etc/yum.conf |grep "^exclude="|grep httpd 1> /dev/null 2> /dev/null || echo 'exclude=httpd*' >> /etc/yum.conf
    cat /etc/yum.conf |grep "^exclude="|grep cwp-httpd 1> /dev/null 2> /dev/null || echo 'exclude=cwp-httpd' >> /etc/yum.conf

**This Apache script enables HTTP/2 and TLSv1.3 automatically and installs the latest version of Apache.

Troubleshooting : if you rebuilt the webserver and TLS 1.3 stopped working, run these two commands to get TLS 1.3 back (when using Apache as the only webserver) :
    sed -i 's/All -SSLv2 -SSLv3/-All +TLSv1.2 +TLSv1.3 /g' /usr/local/apache/conf.d/ssl.conf
    systemctl restart httpd

Checking TLSv1.3 : that’s it, you’re done. To check whether TLSv1.3 is working, use the online checker (make sure SSL is installed for the domain you’re checking). Go to this link and enter the URL to test the TLS 1.3 protocol : https://www.cdn77.com/tls-test
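The sed one-liner above changes which protocol versions mod_ssl offers. The following is an added example, not part of the tutorial: it evaluates an SSLProtocol line with mod_ssl’s token rules (a bare token sets the list, + adds, - removes, all expands to every version) and flags the deprecated versions, so an ssl.conf edit can be checked before Apache is restarted. The two config fragments are constructed to match what the sed command looks for and what it writes.

```python
# Added example (not from the tutorial): evaluate an Apache SSLProtocol line
# with mod_ssl's token rules, so the effect of the sed one-liner above can be
# checked from the config text alone.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}


def sslprotocol_set(directive):
    """Return the set of versions an 'SSLProtocol ...' line enables.

    mod_ssl rules: 'all' expands to every version it knows; a '+' token adds,
    a '-' token removes, and a bare token replaces the current set. Names are
    matched case-insensitively. SSLv2 is accepted as a token but is a no-op,
    since Apache 2.4 cannot speak it at all.
    """
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    by_name = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for tok in words[1:]:
        action, name = ("", tok) if tok[0] not in "+-" else (tok[0], tok[1:])
        name = name.lower()
        if name == "all":
            chosen = set(PROTOCOLS)
        elif name == "sslv2":
            chosen = set()
        elif name in by_name:
            chosen = {by_name[name]}
        else:
            raise ValueError(f"unknown protocol token {tok!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled


def last_sslprotocol(conf_text):
    """Return the last active (uncommented) SSLProtocol line, or None."""
    found = None
    for line in conf_text.splitlines():
        s = line.strip()
        if s.lower().startswith("sslprotocol"):
            found = s
    return found


def audit_ssl_conf(conf_text):
    line = last_sslprotocol(conf_text)
    enabled = sslprotocol_set(line) if line else set()
    return {
        "line": line,
        "enabled": enabled,
        "deprecated": enabled & DEPRECATED,
        "tls13": "TLSv1.3" in enabled,
    }


# Constructed ssl.conf fragments: the line the sed command looks for, and what
# it rewrites that line into.
BEFORE = "SSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n"
AFTER = "SSLEngine on\nSSLProtocol -All +TLSv1.2 +TLSv1.3 \n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_ssl_conf(text))
```

Whether TLSv1.3 is actually negotiated also depends on the OpenSSL that Apache was linked against, which is what the rebuild script above takes care of; the directive only controls what mod_ssl is allowed to offer.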
-
CWP Apache Enable HTTP/2 with mod_http2 module - Control Web Panel
In this tutorial we’ll install Apache 2.4 and enable HTTP/2 support in CWP. HTTP/2 makes our applications faster, simpler, and more robust (a rare combination) by allowing us to undo many of the HTTP/1.1 workarounds previously done within our applications and address those concerns within the transport layer itself. Even better, it opens up a number of entirely new opportunities to optimize our applications and improve performance. The primary goals of HTTP/2 are to reduce latency by enabling full request and response multiplexing, to minimize protocol overhead via efficient compression of HTTP header fields, and to add support for request prioritization and server push. To implement these requirements there is a large supporting cast of other protocol enhancements, such as new flow control, error handling, and upgrade mechanisms, but these are the most important features that every web developer should understand and use in their applications.

This tutorial is now old; to enable HTTP/2 and TLS 1.3 use the newer tutorial (CWP Apache enable TLS 1.3).

Ensure you already have SSL certs/LE certs installed for your domains: HTTP/2 will only work with HTTPS. Ensure you have root access and SSH access in order to install/upgrade these packages. Let’s get started.

Upgrading the OS to the latest version :
    yum clean all
    yum -y update

Upgrading Autoconf :
    cd /usr/local/src
    rm -rf autoconf-*
    wget https://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
    tar zxvf autoconf-latest.tar.gz
    cd autoconf-*/
    ./configure --prefix=/usr
    make && make install

Installing OpenSSL :
    cd /usr/local/src
    rm -rf openssl*
    wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz
    tar zxvf openssl-1.1.1u.tar.gz
    cd openssl-1.1.1u
    ./config --prefix=/usr/local/opensslso --openssldir=/usr/local/opensslso zlib shared
    make && make install
*Building OpenSSL will take some time.

Installing Nghttp2 (nghttp2 is an implementation of HTTP/2) :
    cd /usr/local/src
    rm -rf nghttp2-*
    yum install libtool -y
    wget https://github.com/nghttp2/nghttp2/releases/download/v1.42.0/nghttp2-1.42.0.tar.gz
    tar zxvf nghttp2-1.42.0.tar.gz
    cd nghttp2-*/
    ./configure --prefix=/usr
    make && make install

Install APR :
    cd /usr/local/src
    rm -rf apr*
    wget https://archive.apache.org/dist/apr/apr-1.6.5.tar.gz
    wget https://archive.apache.org/dist/apr/apr-util-1.6.1.tar.gz
    tar -xf apr-1.6.5.tar.gz
    tar -xf apr-util-1.6.1.tar.gz
    cd /usr/local/src/apr-1.6.5
    ./configure --prefix=/usr/local/apr1
    make
    make install
    cd /usr/local/src/apr-util-1.6.1
    ./configure --with-apr=/usr/local/apr1 --prefix=/usr/local/apr-util1
    make
    make install

Rebuilding Apache with HTTP/2 support from the CWP GUI :

First back up httpd.conf :
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak

Go to Apache Settings >> Apache Re-Build >> Select Next. Then delete/replace everything under “Additional configuration” with these flags/lines :
    ./configure --enable-so --prefix=/usr/local/apache --enable-unique-id --enable-ssl=/usr/local/opensslso --enable-rewrite --enable-deflate --enable-suexec --with-suexec-docroot="/home" --with-suexec-caller="nobody" --with-suexec-logfile="/usr/local/apache/logs/suexec_log" --enable-asis --enable-filter --with-pcre --with-apr=/usr/local/apr1/bin/apr-1-config --with-apr-util=/usr/local/apr-util1/bin/apu-1-config --enable-headers --enable-expires --enable-proxy --enable-rewrite --enable-userdir --enable-http2
Then click on Start Compiler in background.

After Apache is built we need to enable HTTP/2 within the Apache config :
    nano /usr/local/apache/conf.d/http2.conf
Add these lines and save the file :
    LoadModule http2_module modules/mod_http2.so
    LogLevel http2:info
    Protocols h2 h2c http/1.1

OR you can use this command to create the file and add the lines automatically :
    cat > /usr/local/apache/conf.d/http2.conf << EOF
    LoadModule http2_module modules/mod_http2.so
    LogLevel http2:info
    Protocols h2 h2c http/1.1
    EOF

Restart Apache :
    service httpd restart

You can check whether HTTP/2 is enabled via this site: https://tools.keycdn.com/http2-test

If something goes wrong, restore the httpd.conf backup :
    rm -rf /usr/local/apache/conf/httpd.conf
    cp /usr/local/apache/conf/httpd.conf.bak /usr/local/apache/conf/httpd.conf
    service httpd restart
-
How to add Swap memory in Linux OS CentOS Ubuntu Debian CWP HestiaCP
In this topic we’re going to add swap space to a Linux OS (RHEL, CentOS, Ubuntu) to prevent memory-full issues. Swap is important when your server frequently runs out of memory and hangs (OOM); that can cause MySQL database corruption and many other issues on the server. Before we get started, note that this tutorial is only valid for KVM/XEN/VMware/dedicated servers. For OpenVZ and other container-based servers this tutorial will not work.

Swap space in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on hard drives, which have a slower access time than physical memory. It protects against OOM (out of memory) errors, crashes and memory-related system instability, increases the memory available to the system so more programs can run concurrently and more safely, and prevents the server from becoming unresponsive or hanging.

Step 1 : Run these commands one by one :
    cd /var
    touch swap.img
    chmod 600 swap.img

Step 2 : We’ll create 1GB (1024MB) of swap :
    dd if=/dev/zero of=/var/swap.img bs=1024k count=1000
If you want to create 2 GB of swap, increase the “count” value to “2000”; for 3 GB increase “count” to “3000”. For example :
    dd if=/dev/zero of=/var/swap.img bs=1024k count=2000
    dd if=/dev/zero of=/var/swap.img bs=1024k count=3000
The result will look like this :
    [root@srv1 var]# dd if=/dev/zero of=/var/swap.img bs=1024k count=1000
    1000+0 records in
    1000+0 records out
    1048576000 bytes (1.0 GB) copied, 3.30777 s, 317 MB/s

Step 3 : Format the swap image file :
    mkswap /var/swap.img
The result will look like this :
    [root@srv1 var]# mkswap /var/swap.img
    Setting up swapspace version 1, size = 1023996 KiB
    no label, UUID=5813e8e7-1034-4700-84c2-c06905e26535

Step 4 : Enable swap :
    swapon /var/swap.img
Check swap :
    free -h
    [root@srv1 var]# free -h
                  total        used        free      shared  buff/cache   available
    Mem:           1.9G        260M        144M         27M        1.6G        1.5G
    Swap:          999M          0B        999M

Step 5 : Enable it during server boot; the command below adds an entry to /etc/fstab :
    echo "/var/swap.img none swap sw 0 0" >> /etc/fstab

All done, you have just enabled swap on your server. Let me know how it goes, as I tried to make the tutorial as simple as I could.

To create/modify/delete existing swap, first turn swap off :
    swapoff -a
Then delete the swap file :
    rm -rf /var/swap.img
After deleting, follow the steps above from the very first one (skip Step 5 if you already ran that command before).
-
Best Hosting providers for CWP - Control Web Panel
Here is a list of the best and cheapest hosting providers for CWP - Control Web Panel. Some hosting providers allow email and some do not, so choose the right one for your requirements. These are not sponsored or affiliate URLs; they were added honestly to the list after using them with CWP. All of the below provide KVM servers. Also, don’t go with OpenVZ/LXC container-based VPS servers, as they have many limitations.

First : Cloudfanatic. They provide KVM and semi-dedicated servers starting from 2.99$, and you can easily upgrade by contacting support. They have SMTP port 25 unlocked and provide IPv6 and IPv4 addresses; if you didn’t get an IPv6 address you can request one and the support agent will add it. If you wish to purchase an extra IPv4, the cost per month is very low. They also have a wide variety of the latest Linux OS versions and have their own data centers. They provide unmetered bandwidth at 1Gbps, suitable for any CMS. I’ve personally been using them for years (previously they were servercheap.net). CWP runs stable there.

Second : Hetzner. Hetzner is a Germany-based hosting provider with cloud VPS and dedicated servers at very cheap rates; they also provide ARM VPS servers at very low rates. If you go with them, always choose the AMD series CPU, as they perform very well in my test environments. They don’t allow email sending, as SMTP port 25 is blocked by default. You need a valid photo ID in order to use them as a server provider. Prices are unbeatable.

Third : OVH. OVH has all the server options, dedicated and cloud VPS, private and public, and they also provide IPv4 and IPv6 addresses. Recently they had the tragedy of one of their server rooms burning down, which caused a lot of data loss; presumably they are now doing regular maintenance of their server equipment and hardware. Their IPs are already listed in some RBLs, so I don’t recommend using them as an email server; if you’re thinking of going with them, go for it, as they provide genuine resources, have a DDoS-protected network and offer complete transparency in terms of uptime. Medium to high price VPS and dedicated servers.

Fourth : Contabo. Contabo is also a Germany-based hosting provider; they have dedicated servers and VPS servers, and are known for providing high RAM and disk allocations on VPS. I used them for 2 months but was not happy with the server performance: it was lagging a lot for me, probably because I was allocated a bad node on a busy host server, i.e. there were lots of noisy neighbors 🙂. Their network is stable; I didn’t have any issues with it. They also provide SSD disks with their VPS servers, but you’ll be surprised to learn that they limit the disk speed, i.e. you’ll barely get full SSD speed. They have email port 25 unlocked and you can use them as an email-only server. They provide both IPv4 and IPv6. Price is low but they charge a one-time setup fee.

Fifth : You can go with Digital Ocean or VULTR. I personally don’t like using them as a main server (due to high costs); their smaller VPS are good for VPN and development tasks, and they don’t allow email sending from the server. If you’re looking for particular server regions, they have a wide variety of locations and datacenters around the world. They do provide private IP, IPv4 and IPv6.
-
Update CWP RoundCube Mail Version 1.5.8 – Control Web Panel
Update Roundcube on CWP. The new Roundcube 1.5 LTS has a clean interface with a modern look, and in this version some major security holes were fixed, so it is recommended to update Roundcube to the latest version.

Step 1 : Install the required PHP extension INTL in CWP. The commands below fetch scripts from alphagnu.com and run them as root with curl | bash; save and read a script first if you want to see what it changes.

CentOS 7/EL7 :
To install INTL :
    yum update ca-certificates -y
    rpm -ivh https://github.com/mysterydata/md-disk/raw/main/libicu69-69.1-4.el7.x86_64.rpm
    curl -s -L https://www.alphagnu.com/upload/tmp/cwp_rc_fix.sh | bash
To remove INTL :
    curl -s -L https://www.alphagnu.com/upload/tmp/cwp_rc_fix_remove.sh | bash

CentOS 8 Stream/EL8 :
To install INTL :
    dnf update ca-certificates -y
    rpm -ivh https://github.com/mysterydata/md-disk/raw/main/libicu69-69.1-4.el8.x86_64.rpm
    curl -s -L https://www.alphagnu.com/upload/tmp/el8/cwp_rc_fix_el8.sh | bash
To remove INTL :
    curl -s -L https://www.alphagnu.com/upload/tmp/cwp_rc_fix_remove.sh | bash

Step 2 : Download Roundcube from the official source :
    cd /usr/local/src
    rm -rf roundcube*
    wget https://github.com/roundcube/roundcubemail/releases/download/1.5.8/roundcubemail-1.5.8-complete.tar.gz
Now extract the archive :
    tar xf roundcubemail-1.5.8-complete.tar.gz

Step 3 : Update the Roundcube installation :
    cd roundcubemail-1.5.8
    sed -i "s@\/usr\/bin\/env php@\/usr\/bin\/env \/usr\/local\/cwp\/php71\/bin\/php@g" /usr/local/src/roundcubemail-1.5.8/bin/installto.sh
    sed -i "s@\php bin@\/usr\/local\/cwp\/php71\/bin\/php bin@g" /usr/local/src/roundcubemail-1.5.8/bin/installto.sh
    bin/installto.sh /usr/local/cwpsrv/var/services/roundcube

The installer will ask :
    Upgrading from 1.4.11. Do you want to continue? (y/N)
Type y and hit enter. At the end you’ll see this message when the installation is complete :
    Running update script at target...
    Executing database schema update.
    Updating database schema (2020020100)... [OK]
    Updating database schema (2020020101)... [OK]
    Updating database schema (2020091000)... [OK]
    Updating database schema (2020122900)... [OK]
    This instance of Roundcube is up-to-date. Have fun!
    All done.

All done; verify by logging into Roundcube.
-
Optimize and Repair MySQL Database via CLI - command line
Today we’ll learn how to optimize and repair MySQL databases via the command line interface. You’ve probably already optimized and repaired DBs via the phpMyAdmin options, which are easy to use, but what if you have too many databases and want to repair and optimize them all at once? No worry, today I’ll show you an easy way to do it via the CLI, with a single command each for repairing and for optimizing databases.

To repair ALL databases, simply run this command :
    mysqlcheck -r --all-databases
If you want to repair a single database, use this :
    mysqlcheck -r user_db
*user_db is the database name; replace it with yours.

To optimize ALL databases, simply run this command :
    mysqlcheck -o --all-databases
If you want to optimize a single database, use this :
    mysqlcheck -o user_db
*user_db is the database name; replace it with yours.

Extras : if you need to specify a username for the repair and optimize task, add these options :
    mysqlcheck -r -u root -p --all-databases
    mysqlcheck -o -u root -p --all-databases
or for a single database :
    mysqlcheck -r user_db -u root -p
    mysqlcheck -o user_db -u root -p
*this will ask for the password of the MySQL root user.
-
Cloudflare Restoring original visitor IPs with mod_remoteip in Ubuntu Apache
In this tutorial I’ll guide you through installing mod_remoteip, an Apache module, to restore the original visitor IP when using the Cloudflare service. You may have run into the Cloudflare proxy IP issue: you check the log and find that all the IPs belong to Cloudflare. To deal with this we configure mod_remoteip with Cloudflare’s trusted addresses, so the header is only honoured when the connection really comes from Cloudflare. Let’s get started. Ensure you are logged in as root over SSH.

Step 1 : Enable mod_remoteip :
    a2enmod remoteip

Step 2 : Now we need to modify apache2.conf and add some config :
    apt install nano
    nano /etc/apache2/apache2.conf
Add this line at the end of the config file :
    RemoteIPHeader X-Forwarded-For
Now you need to replace the log format line. Find :
    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
and replace that line with :
    LogFormat "%a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
i.e. I’ve added “%a”, which logs the client IP as set by mod_remoteip, while %h keeps the address of the connecting peer.

Step 3 : Then we need to create the Apache Cloudflare trusted proxies conf file. Create the file “remoteip.conf” in “/etc/apache2/conf-available/” :
    nano /etc/apache2/conf-available/remoteip.conf
Now paste this config and save it :
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/12
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32
Files in conf-available are only loaded once enabled, so enable it :
    a2enconf remoteip

Next restart the Apache service and check the log; the real IPs are now being logged :
    systemctl restart apache2
-
How to add DNSSEC Records in Bind/Named DNS server
In this tutorial I’m going to show you how to generate keys and enable DNSSEC for your DNS. This is the instruction most requested by visitors. DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

First, install haveged to generate keys (EL/CentOS/RedHat) :
    yum install -y haveged
    systemctl enable haveged
In the command examples below replace “domain.tld” with your domain name.

Second, change directory to /var/named :
    cd /var/named/

Third, generate the ZSK key :
    dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Fourth, generate the KSK key :
    dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Fifth, add the keys to the domain zone file :
    cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Sixth, sign the zone file :
    dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db

Seventh, only for el7/CentOS 7 : edit the named configuration file /etc/named.conf and add this line (don’t add it on el8/CentOS 8 Stream/AlmaLinux 8 and above, as it will not work there) :
    dnssec-lookaside auto;
Find these lines
    dnssec-enable yes;
    dnssec-validation yes;
and add dnssec-lookaside auto; after them.

Now edit the domain zone config in /etc/named.conf and rename the zone file to the signed one, i.e. change :
    // zone domain.tld
    zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
    // zone_end domain.tld
to :
    // zone domain.tld
    zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
    // zone_end domain.tld

CentOS/EL/RHEL : reload/restart the named service :
    service named reload
or
    systemctl reload named
and you’re done. Two things to keep in mind afterwards: resolvers only validate the zone once the DS record for the KSK (dnssec-signzone writes it to dsset-domain.tld.) is published at your registrar, and the signatures dnssec-signzone produces expire after 30 days by default, so the zone has to be re-signed before then.
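The key files produced by the steps above are named Kdomain.tld.+008+NNNNN.key, where 008 is the algorithm (RSASHA256) and NNNNN is the key tag. The following is an added example, not part of the tutorial: it parses such a DNSKEY record, tells ZSK from KSK by the flags, recomputes the key tag as specified in RFC 4034 Appendix B, and goes one step beyond the post by building the DS record the parent zone needs. The two key files are constructed with a 4-byte dummy public key instead of a real RSA key.

```python
# Added example, not from the tutorial: parse the DNSKEY records that
# dnssec-keygen writes to Kdomain.tld.+008+NNNNN.key, recover the role (ZSK
# or KSK), recompute the key tag NNNNN (RFC 4034 Appendix B) and build the DS
# record the parent zone needs. Sample keys below are constructed and tiny.
import base64
import hashlib


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (comment stripped)."""
    fields = line.split(";")[0].split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    return {
        "owner": fields[0],
        "flags": flags,
        "protocol": proto,
        "algorithm": alg,
        "key": base64.b64decode("".join(fields[idx + 4:])),
    }


def parse_key_file(text):
    """Return every DNSKEY record in a .key file; ';' comment lines are skipped."""
    return [parse_dnskey(l) for l in text.splitlines() if "DNSKEY" in l.split(";")[0]]


def dnskey_rdata(rec):
    return (rec["flags"].to_bytes(2, "big")
            + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"])


def key_tag(rec):
    """RFC 4034 Appendix B: 16-bit sum over the RDATA, high byte first."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(rec):
    # the low bit of the flags field is SEP: 257 = KSK, 256 = ZSK
    return "KSK" if rec["flags"] & 1 else "ZSK"


def key_file_name(rec):
    """Filename dnssec-keygen uses, e.g. Kdomain.tld.+008+02063.key."""
    return f"K{rec['owner']}+{rec['algorithm']:03d}+{key_tag(rec):05d}.key"


def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(rec, digest_type=2):
    """DS = key tag, algorithm, digest type, hash(owner wire name + DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()
    return f"{rec['owner']} IN DS {key_tag(rec)} {rec['algorithm']} {digest_type} {digest}"


# Constructed .key contents: algorithm 8 (RSASHA256) like the tutorial, but
# with a 4-byte dummy public key instead of a real 2048/4096-bit RSA key.
KSK_FILE = "; constructed key-signing key for domain.tld\ndomain.tld. 3600 IN DNSKEY 257 3 8 AQIDBA==\n"
ZSK_FILE = "; constructed zone-signing key for domain.tld\ndomain.tld. 3600 IN DNSKEY 256 3 8 AQIDBA==\n"

if __name__ == "__main__":
    for rec in parse_key_file(KSK_FILE) + parse_key_file(ZSK_FILE):
        print(key_role(rec), key_file_name(rec))
        if key_role(rec) == "KSK":
            print(ds_record(rec))
```

Pointing parse_key_file at a real Kdomain.tld.+008+NNNNN.key lets you confirm that the tag in the filename matches the record and that the DS you hand to the registrar was derived from the KSK, not the ZSK.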
-
Optimize Varnish Cache Performance in CWP – Control Web Panel
Varnish is an HTTP accelerator designed for content-heavy dynamic web sites as well as APIs. In contrast to other web accelerators, such as Squid, which began life as a client-side cache, or Apache and nginx, which are primarily origin servers, Varnish was designed as an HTTP accelerator from the start. Here is how you can optimize the Varnish cache server in CWP.

Install Varnish cache from CWP Webserver Settings >> Webserver conf.

For CentOS 7/EL7 : edit this file : /etc/varnish/varnish.params and replace all lines with the config below :

    # Varnish environment configuration description. This was derived from
    # the old style sysconfig/defaults settings

    # Set this to 1 to make systemd reload try to switch VCL without restart.
    RELOAD_VCL=1

    # Set WARMUP_TIME to force a delay in reload-vcl between vcl.load and vcl.use
    # This is useful when backend probe definitions need some time before declaring
    # configured backends healthy, to avoid routing traffic to a non-healthy backend.
    #WARMUP_TIME=0

    # Main configuration file. You probably want to change it.
    VARNISH_VCL_CONF=/etc/varnish/default.vcl

    # Default address and port to bind to. Blank address means all IPv4
    # and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
    # quad, or an IPv6 address in brackets.
    # VARNISH_LISTEN_ADDRESS=192.168.1.5
    VARNISH_LISTEN_PORT=82

    # Admin interface listen address and port
    VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
    VARNISH_ADMIN_LISTEN_PORT=6082

    # Shared secret file for admin interface
    VARNISH_SECRET_FILE=/etc/varnish/secret

    # Backend storage specification, see Storage Types in the varnishd(5)
    # man page for details.
    VARNISH_STORAGE="malloc,1024M"

    # User and group for the varnishd worker processes
    VARNISH_USER=varnish
    VARNISH_GROUP=varnish

    # Other options, see the man page varnishd(1)
    DAEMON_OPTS="-p thread_pools=30 -p thread_pool_min=600 -p thread_pool_max=20000 -p connect_timeout=600 -p thread_pool_timeout=600 -P /run/varnish.pid"

Then restart the Varnish server from the CWP admin dashboard.

For CentOS 8 Stream/AlmaLinux/RockyLinux : edit this systemd service file : /usr/lib/systemd/system/varnish.service. Find the ExecStart= directive and replace the full line with the config below :
    ExecStart=/usr/sbin/varnishd -a :82 -f /etc/varnish/default.vcl -p thread_pools=30 -p thread_pool_min=600 -p thread_pool_max=20000 -s malloc,1G -p connect_timeout=600 -p thread_pool_timeout=600 -P /run/varnish.pid
Then run the daemon reload command :
    systemctl daemon-reload
After that restart the Varnish server from the CWP dashboard.
-
CWP Apache Restore original visitor IPs with mod_remoteip when using Cloudflare proxy
In this tutorial we’re going to learn how to configure Apache mod_remoteip in order to restore the original visitor IP when using the Cloudflare proxy. We have another blog post on configuring mod_cloudflare to restore the IP, which for some people does not work at all. This is the method that works and is recommended on the Cloudflare website. So without wasting time, let’s get started with these simple steps.

Step 1 : Enable mod_remoteip in the Apache config :
    sed -i '/LoadModule remoteip_module modules/ s/^#//g' /usr/local/apache/conf/httpd.conf

Step 2 : Now we configure the Cloudflare original IP config. First create a file named “cloudflare.conf” in /usr/local/apache/conf.d :
    cd /usr/local/apache/conf.d
    nano cloudflare.conf
Then copy and paste the config below and save it :
    #LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/12
    RemoteIPTrustedProx 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32
*You can remove the “#” in front of LogFormat for a customized log format; %a is the client IP restored by mod_remoteip.

Step 3 : Restart the Apache webserver and you’re done :
    systemctl restart httpd
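Both mod_remoteip tutorials above (the Ubuntu one and this CWP one) rely on the RemoteIPTrustedProxy list, not just RemoteIPHeader. The following is an added example, not the code of either post: it reproduces mod_remoteip’s decision in simplified form, using the Cloudflare ranges exactly as listed above, so you can see that the header is only believed when the TCP peer is one of those ranges. The client addresses are constructed TEST-NET values.

```python
# Added example, not from either mod_remoteip tutorial: reproduce the
# decision mod_remoteip makes with RemoteIPHeader + RemoteIPTrustedProxy,
# so you can see which address ends up in %a / REMOTE_ADDR.
import ipaddress

# The Cloudflare ranges exactly as listed in remoteip.conf / cloudflare.conf above.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22", "2400:cb00::/32", "2606:4700::/32",
    "2803:f800::/32", "2405:b500::/32", "2405:8100::/32", "2a06:98c0::/29",
    "2c0f:f248::/32",
]
TRUSTED = [ipaddress.ip_network(n) for n in CLOUDFLARE_RANGES]


def is_trusted_proxy(addr, trusted=TRUSTED):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def effective_client_ip(peer_addr, headers, header="CF-Connecting-IP", trusted=TRUSTED):
    """Simplified mod_remoteip: the header is only honoured when the TCP peer
    is a trusted proxy. Its comma-separated hops are walked right to left,
    and the first hop that is not itself a trusted proxy is the client.
    Returns (client_ip, rewritten).
    """
    value = {k.lower(): v for k, v in headers.items()}.get(header.lower())
    if value is None or not is_trusted_proxy(peer_addr, trusted):
        # Untrusted peer: whatever is in the header came from the client itself,
        # so it is ignored and the connection address stays the client. This is
        # why the RemoteIPTrustedProxy list matters, not just RemoteIPHeader.
        return peer_addr, False
    client = peer_addr
    for hop in reversed([h.strip() for h in value.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: stop walking
        client = hop
        if not is_trusted_proxy(hop, trusted):
            break
    return client, client != peer_addr


# Constructed requests: TEST-NET addresses for clients, real CF ranges for the proxy.
CASES = {
    "via cloudflare": ("173.245.48.5", {"CF-Connecting-IP": "198.51.100.7"}),
    "direct to origin": ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}),
    "via cloudflare, no header": ("173.245.48.5", {}),
}

if __name__ == "__main__":
    for label, (peer, hdrs) in CASES.items():
        print(label, effective_client_ip(peer, hdrs))
```

The "direct to origin" case is the one the trusted list exists for: a connection that does not come from Cloudflare keeps its own address in the log no matter what header it carries, which is also why the origin should only accept traffic from those ranges in the first place.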
-
Control Web Panel - CWP Apache HTTP to HTTPS htaccess redirect rules and fix Too Many redirects with Nginx
In this tutorial we’ll use HTTP to HTTPS redirect rules (mod_rewrite in Apache) in .htaccess on CWP. I’m assuming you’ve already installed SSL certs and enabled HTTPS support for your website; if you have not done it yet then stop here, this can break websites if SSL is not already installed. SSL is very important nowadays for better security and SEO benefits; if you didn’t install SSL for your sites yet, consider upgrading to HTTPS, this will build trust with your visitors and Google gives better ranking in its search engine (I’m not an SEO expert but noticed this change). Let’s get started :

Using Apache as the main server (only) :

The rewrite rule is as follows, this needs to be added in your site’s .htaccess :

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Forcing non-www to www and HTTPS :

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

Forcing www to non-www and HTTPS :

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

These also add a permanent 301 redirect. If the rules above don’t work for your website and you are getting “Too Many redirects”, then you should consider the .htaccess rules below.

Using Apache as a backend server behind an NGINX/VARNISH server :

When the proxy terminates SSL and talks to Apache over plain HTTP, %{HTTPS} is always off from Apache’s point of view, so the rules above redirect every request again and again; the rules below look at the X-Forwarded-Proto header sent by the proxy instead. This needs to be added in your site’s .htaccess :

SetEnvIf X-Forwarded-Proto "https" HTTPS=on
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

OR

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]

OR (checking only the proxy header) :

RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

To force all traffic to use both the www domain and HTTPS, use the following rules :

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

To force all traffic to use the non-www domain and HTTPS, use the following rules :

SetEnvIf X-Forwarded-Proto "https" HTTPS=on
RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain\.tld$ [OR]
RewriteCond %{HTTP_HOST} ^www\.domain\.tld$
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^(.*)$ https://domain.tld/$1 [L,R=301]

OR

SetEnvIf X-Forwarded-Proto "https" HTTPS=on
RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain\.tld$ [OR]
RewriteCond %{HTTP_HOST} ^www\.domain\.tld$
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Replace “domain\.tld” with your domain name and TLD, e.g. “alphagnu\.com”. Hope this post was helpful, stay tuned, there will be more in future.
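To see why the Apache-only rule produces “Too Many redirects” behind Nginx while the X-Forwarded-Proto rule does not, here is an added simulation (not code from this post); it assumes Nginx terminates SSL and forwards every request to Apache over plain HTTP with an X-Forwarded-Proto header.

```python
"""Added example (not from the post): why the Apache-only rule loops behind Nginx.

Assumes the CWP layout in which Nginx terminates SSL and forwards requests to
Apache over plain HTTP with X-Forwarded-Proto set; the two rule functions are
Python renderings of the .htaccess snippets above.
"""


def apache_only_rule(req):
    """RewriteCond %{HTTPS} off -> redirect to https (the first snippet above)."""
    if not req["https"]:
        return "https://" + req["host"] + req["uri"]
    return None


def proxy_aware_rule(req):
    """RewriteCond %{HTTPS} !=on AND RewriteCond %{HTTP:X-Forwarded-Proto} !https."""
    if not req["https"] and req["headers"].get("X-Forwarded-Proto") != "https":
        return "https://" + req["host"] + req["uri"]
    return None


def follow_redirects(start_url, rule, max_hops=5):
    """Play the browser: return ("ok", final_url, hops) or ("loop", url, hops)."""
    url, seen = start_url, []
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        # Nginx has already terminated TLS: Apache always sees HTTPS off, and
        # only the forwarded header tells it which scheme the client used.
        req = {"https": False, "host": host, "uri": "/" + path,
               "headers": {"X-Forwarded-Proto": scheme}}
        target = rule(req)
        if target is None:
            return ("ok", url, len(seen))
        if target in seen:
            return ("loop", target, len(seen))
        seen.append(target)
        url = target
    return ("loop", url, len(seen))


if __name__ == "__main__":
    print(follow_redirects("http://example.com/blog/", apache_only_rule))
    print(follow_redirects("http://example.com/blog/", proxy_aware_rule))
```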
-
How to Disable MySQL Strict Mode in MariaDB and MySQL
Learn how you can easily disable MySQL strict mode in a MySQL/MariaDB server on any Linux OS such as CentOS/Ubuntu/RHEL/AlmaLinux and in Linux server control panels like CWP, HestiaCP etc. Strict mode controls how MySQL handles invalid or missing values in data-change statements such as INSERT or UPDATE. A value can be invalid for several reasons.

To disable MySQL strict mode simply add the config below in my.cnf, usually /etc/my.cnf; ensure you add it under the [mysqld] section, see the example below in this tutorial :

sql_mode="NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

How to find my.cnf? Mostly my.cnf is located at /etc/my.cnf. If there is no my.cnf file then create one at /etc/my.cnf with the config below :

#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]

[mysqld]
sql_mode="NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

#
# include *.cnf from the config directory
#
!includedir /etc/my.cnf.d

** Please note you need to change the ownership of my.cnf to user:group mysql:mysql if you’ve newly created it, and restart the MySQL/MariaDB service so the new sql_mode takes effect. On MySQL 8.0 the NO_AUTO_CREATE_USER mode no longer exists and must be dropped from the list there.
-
How to Enable XFS Disk quota In CWP - Control Web Panel Almalinux Centos
In this tutorial we’ll configure XFS disk quota in CentOS and the CWP control web panel. On the server the XFS quota setup will not work because the kernel parameter is set to “noquota”; we’ll bypass that and configure it with the help of the tutorial below, which is easy to follow and configure. The XFS quota subsystem manages limits on disk space (blocks) and file (inode) usage. XFS quotas control or report on usage of these items on a user, group, or directory or project level.

Install the quota packages :

yum -y install quota*

For EL8/RHEL 8/CentOS 8 only :

dnf --enablerepo=Devel install quota*

Now we’ll check the disk type and double check that it is an XFS file system :

mount | grep ' / '

If you’ve a separate disk/partition for /home :

mount | grep ' /home '

**** If you see “xfs“ and “noquota” in the output, proceed with these steps :

Edit grub and add the kernel parameter rootflags=uquota,pquota at the end of the GRUB_CMDLINE_LINUX option, inside the quotes (the root file system is mounted by the kernel before /etc/fstab is read, so its quota flags have to come from the kernel command line) :

chattr -i /etc/default/grub
nano /etc/default/grub

Example :

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,pquota"
GRUB_DISABLE_RECOVERY="true"

For AlmaLinux 9 and above run :

grubby --args="rootflags=uquota,pquota" --update-kernel=ALL

Now back up the current grub config and rebuild grub :

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.orig
grub2-mkconfig -o /boot/grub2/grub.cfg

On some OS the boot path has been changed for EFI [EFI BOOT] : /boot/efi/EFI/centos/grub.cfg

Check if EFI grub support is there; if this command reports there is no such file you can ignore this step :

ls /boot/efi/EFI/centos/grub.cfg

For AlmaLinux check for the extra EFI grub config :

ls /boot/efi/EFI/almalinux/grub.cfg

If the file is present then you also need to rebuild the EFI grub :

cp /boot/efi/EFI/centos/grub.cfg /boot/efi/EFI/centos/grub.cfg.orig
grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

For AlmaLinux :

cp /boot/efi/EFI/almalinux/grub.cfg /boot/efi/EFI/almalinux/grub.cfg.orig
grub2-mkconfig -o /boot/efi/EFI/almalinux/grub.cfg

Now edit fstab : edit the file /etc/fstab and add usrquota,grpquota to the options of the / entry, for example :

/dev/mapper/centos_root / xfs defaults,usrquota,grpquota 0 0

Then reboot your server :

reboot

Then check if the quota is enabled or not; “noquota” should be gone now and replaced with “usrquota,grpquota” :

mount | grep ' / '

For CWP only : Activate quota as XFS for / in CWP.admin, go to Left Menu -> Server Settings -> Disk Quota, and set Quota Partition: / and Quota Type: xfs

If you’ve a separate disk/partition for /home : edit the file /etc/fstab and add usrquota,grpquota to the /home entry in the same way, then reboot your server :

reboot

Then check if the quota is enabled or not; “noquota” should be gone now and replaced with “usrquota,grpquota” for /home :

mount | grep ' /home '
/dev/mapper/centos-root-home on /home type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)

For CWP only : Activate quota as XFS for /home in CWP.admin, go to Left Menu -> Server Settings -> Disk Quota, and set Quota Partition: /home and Quota Type: xfs

Done, you’ve enabled XFS quota; update the packages for the users by selecting the update quota for users option and check the disk quota.

CWP only : After enabling the quota run this command to update the user quota in CWP :

/scripts/cwp_api account update_diskquota_all
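The GRUB and fstab edits above are easy to get wrong by hand (a duplicated rootflags= entry, a flag added twice), so here is an added example (not CWP’s code) that applies them idempotently to the file contents and checks a mount line for the result; the sample file contents are the ones shown in this post.

```python
"""Added example (not CWP code): idempotent edits for the GRUB and fstab steps
above, plus a check over one line of `mount` output.

Assumes /etc/default/grub and /etc/fstab have been read into strings first;
SAMPLE_GRUB and SAMPLE_FSTAB are the contents shown in this post.
"""

SAMPLE_GRUB = """\
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
"""

# Constructed fstab: the root entry from the post plus an ext4 /home that must stay untouched.
SAMPLE_FSTAB = """\
/dev/mapper/centos_root / xfs defaults 0 0
/dev/sdb1 /home ext4 defaults 0 0
"""


def add_rootflags(grub_text, flags=("uquota", "pquota")):
    """Append rootflags=uquota,pquota to GRUB_CMDLINE_LINUX, merging into an
    existing rootflags= entry and never adding a flag twice."""
    out = []
    for line in grub_text.splitlines():
        if line.startswith("GRUB_CMDLINE_LINUX="):
            args = line.split("=", 1)[1].strip().strip('"').split()
            idx = next((i for i, a in enumerate(args) if a.startswith("rootflags=")), None)
            current = args[idx][len("rootflags="):].split(",") if idx is not None else []
            current = [f for f in current if f]
            for flag in flags:
                if flag not in current:
                    current.append(flag)
            entry = "rootflags=" + ",".join(current)
            if idx is None:
                args.append(entry)
            else:
                args[idx] = entry
            line = 'GRUB_CMDLINE_LINUX="' + " ".join(args) + '"'
        out.append(line)
    return "\n".join(out) + "\n"


def add_fstab_quota(fstab_text, mountpoint, opts=("usrquota", "grpquota")):
    """Add the quota options to the XFS entry for mountpoint; every other line
    is left alone. Returns (new_text, changed)."""
    out, changed = [], False
    for line in fstab_text.splitlines():
        fields = line.split()
        if (len(fields) >= 4 and not fields[0].startswith("#")
                and fields[1] == mountpoint and fields[2] == "xfs"):
            current = fields[3].split(",")
            for opt in opts:
                if opt not in current:
                    current.append(opt)
                    changed = True
            fields[3] = ",".join(current)
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n", changed


def quota_active(mount_line):
    """Check one line of `mount` output: quotas are on only when usrquota and
    grpquota are among the mount options and noquota is not."""
    if "(" not in mount_line or ")" not in mount_line:
        return False
    options = mount_line[mount_line.rfind("(") + 1:mount_line.rfind(")")].split(",")
    return "noquota" not in options and "usrquota" in options and "grpquota" in options


if __name__ == "__main__":
    print(add_rootflags(SAMPLE_GRUB))
    print(add_fstab_quota(SAMPLE_FSTAB, "/")[0])
```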
-
CWP – Control Web Panel Install Latest Apache 2.4.62 version
In this tutorial we’ll update the Apache version to the latest possible version in CWP. In CWP, Apache is the main and default web server; by default it installs a stable old version of Apache, but you can always update it to the latest version and stay up to date with the script below, which will download the latest possible version and do the update job. The Apache HTTP Server, colloquially called Apache, is free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation.

You need to follow these simple commands to update Apache in CWP :

cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://www.alphagnu.com/upload/apache-rebuild.sh
yum install uuid uuid-devel libuuid-devel pcre-devel -y
chmod 755 apache-rebuild.sh
sh apache-rebuild.sh

Current version downloaded by this script : 2.4.62

After installation, if Apache fails to start with an error, rebuild the web server config/vhosts, i.e. from Admin >> WebServers Settings >> select WebServers >> click the Save and Rebuild Configuration button.
-
Upgrade MariaDB 10.11 In CWP Centos 7 Centos 8 stream AlmaLinux 7/8 RockyLinux 7/8
MariaDB 10.11 is now very stable and many features have been added and improved in this version; you can check the full list of changes here. I’ve checked MariaDB 10.11 with WordPress, Joomla, XenForo, IPS forum and some more PHP scripts which depend on a MySQL DB; they are working fine with this version, hence it is safe to upgrade to this version.

Short description of MariaDB : MariaDB is designed as a drop-in replacement for MySQL with more features, new storage engines, fewer bugs, and better performance. MariaDB is developed by many of the original developers of MySQL who now work for the MariaDB Foundation and the MariaDB Corporation, and by many people in the community.

Step 1 : Remove MariaDB 10.0/10.1/10.2/10.3/10.x

To upgrade to MariaDB 10.11 in CentOS 7/CWP do this : Before installing it is recommended to back up your databases, although it is not necessary if you follow these steps carefully. First back up your current my.cnf config :

cp /etc/my.cnf /etc/my.cnf.bak

Remove MariaDB 10.0/10.1/10.2/10.3/10.xx :

systemctl stop mariadb mysql mysqld
systemctl disable mariadb
rpm --nodeps -ev MariaDB-server

At this point MariaDB 10.0/10.1/10.2/10.3/10.xx will be removed completely, but the databases are not removed, so you don’t need to worry.

Step 2 : Installation/updating from MariaDB 10.0/10.1/10.2/10.3/10.xx to MariaDB 10.11

To upgrade MariaDB to 10.11 in CentOS 7 CWP do this : Install/enable the official repo for MariaDB 10.11 :

yum install nano epel-release -y

Now edit/create the repo file. Ensure you don’t have any other MariaDB repo file in /etc/yum.repos.d; if one exists, delete or back up the existing repo file :

mv /etc/yum.repos.d/mariadb.repo /etc/yum.repos.d/mariadb.repo.bak
nano /etc/yum.repos.d/mariadb.repo

Then paste these lines and save it, to install MariaDB 10.11 :

[mariadb]
name = MariaDB
baseurl = https://rpm.mariadb.org/10.11/centos/$releasever/$basearch
module_hotfixes = 1
gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck = 1

After that we’ll install MariaDB 10.11 :

yum clean all
yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y
yum update -y

To upgrade to MariaDB 10.11 in CentOS 8 Stream/AlmaLinux 8/RockyLinux 8 do this : Now edit/create the repo file. Ensure you don’t have any other MariaDB repo file in /etc/yum.repos.d; if one exists, delete or back up the existing repo file :

mv /etc/yum.repos.d/mariadb.repo /etc/yum.repos.d/mariadb.repo.bak
nano /etc/yum.repos.d/mariadb.repo

Add these lines and save it :

[mariadb]
name = MariaDB
baseurl = https://rpm.mariadb.org/10.11/centos/$releasever/$basearch
module_hotfixes = 1
gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck = 1

After that update to MariaDB 10.11 :

yum clean all
yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y
yum update -y

Step 3 : Restore the my.cnf file :

rm -rf /etc/my.cnf
cp /etc/my.cnf.bak /etc/my.cnf

Then enable MariaDB to start on boot and start the service :

systemctl enable mariadb
service mariadb start

Step 4 : After installation we need to upgrade the current databases with this command :

mysql_upgrade --force

That’s it, you’ve successfully upgraded MariaDB 10.0/10.1/10.2/10.3/10.xx to MariaDB 10.11. You can confirm the version by running this command from the terminal/SSH :

mysql -V
-
Install Mariadb 10.11 in CentOS Stream 9 Almalinux 9 Rockylinux 9
MariaDB is an open source relational database management system (DBMS) that is a compatible drop-in replacement for the widely used MySQL database technology. MariaDB is based on SQL and supports ACID-style data processing with guaranteed atomicity, consistency, isolation and durability for transactions.

To install MariaDB 10.11 in CentOS Stream 9/AlmaLinux 9/RockyLinux 9 do this : Now edit/create the repo file. Ensure you don’t have any other MariaDB repo file in /etc/yum.repos.d; if one exists, delete or back up the existing repo file, then create the repo file :

nano /etc/yum.repos.d/mariadb.repo

Add these lines and save it :

[mariadb]
name = MariaDB
baseurl = https://rpm.mariadb.org/10.11/centos/$releasever/$basearch
module_hotfixes = 1
gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck = 1

After that install MariaDB 10.11 :

yum clean all
yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y
yum update -y

Now follow the on-screen setup by running this command :

mysql_secure_installation

** If you installed a fresh copy of MariaDB just now and this command asks for a password, just hit the Enter key.

To log in to the MariaDB server, enter the following command with the password that was set previously :

mysql -u root -p

Done, you’ve installed MariaDB 10.11 on CentOS 9/EL9.
-
How to Install PHP OCI8 and Oracle InstantClient In CWP Centos stream 8 Centos 7
Install the OCI8 PHP extension in CWP/CentOS 8/CentOS 7. The OCI8 extension lets you access Oracle Database. These functions allow you to access Oracle Database. They support SQL and PL/SQL statements. Basic features include transaction control, binding of PHP variables to Oracle placeholders, and support for large object (LOB) types and collections. Oracle’s scalability features such as Database Resident Connection Pooling (DRCP) and result caching are also supported.

For el8/CentOS 8/Stream/Rocky/AlmaLinux :

First download the required Oracle Instant Client packages :

cd /usr/local/src
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-basic-21.5.0.0.0-1.el8.x86_64.rpm
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-sqlplus-21.5.0.0.0-1.el8.x86_64.rpm
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-devel-21.5.0.0.0-1.el8.x86_64.rpm
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-jdbc-21.5.0.0.0-1.el8.x86_64.rpm

Second, installation :

cd /usr/local/src
dnf localinstall oracle* --nogpgcheck

For el7/CentOS 7 :

First download the required Oracle Instant Client packages :

cd /usr/local/src
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-basic-21.5.0.0.0-1.x86_64.rpm
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-sqlplus-21.5.0.0.0-1.x86_64.rpm
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-devel-21.5.0.0.0-1.x86_64.rpm
wget https://download.oracle.com/otn_software/linux/instantclient/215000/oracle-instantclient-jdbc-21.5.0.0.0-1.x86_64.rpm

Second, installation :

cd /usr/local/src
yum localinstall oracle* --nogpgcheck

Now install the OCI8 PHP extension : you need to install the oci8 PHP extension via the process below; please note the oci8 versions are sensitive to the PHP version.

For the PHP switcher :

php 7.x :

cd /usr/local/src
wget https://pecl.php.net/get/oci8-2.2.0.tgz
tar -zxvf oci8-2.2.0.tgz
cd oci8-2.2.0
phpize
./configure
make && make install

php 8.0 (only) :

cd /usr/local/src
wget https://pecl.php.net/get/oci8-3.0.1.tgz
tar -zxvf oci8-3.0.1.tgz
cd oci8-3.0.1
phpize
./configure
make && make install

php 8.1 (only) :

cd /usr/local/src
wget https://pecl.php.net/get/oci8-3.2.1.tgz
tar -zxvf oci8-3.2.1.tgz
cd oci8-3.2.1
phpize
./configure
make && make install

Now add this line at the end of the file /usr/local/php/php.ini :

extension=oci8.so

Now you can check phpinfo, there you can see oci8 is now enabled.

For the PHP selector and php-fpm, if you need to install oci8 for PHP 7.4 then replace phpize and ./configure with the commands below (change 74 to 80 for PHP 8.0 or to 81 for PHP 8.1) :

For PHP selector 7.4 :

/opt/alt/php74/usr/bin/phpize
./configure --with-php-config=/opt/alt/php74/usr/bin/php-config

For php-fpm 7.4 :

/opt/alt/php-fpm74/usr/bin/phpize
./configure --with-php-config=/opt/alt/php-fpm74/usr/bin/php-config

Example :

cd /usr/local/src
wget https://pecl.php.net/get/oci8-2.2.0.tgz
tar -zxvf oci8-2.2.0.tgz
cd oci8-2.2.0
/opt/alt/php74/usr/bin/phpize
./configure --with-php-config=/opt/alt/php74/usr/bin/php-config
make && make install

Then add this line in php.ini :

extension=oci8.so

** Restart the php-fpm service, or stop the PHP service and start it from the CWP php-fpm module.
-
How to Install mod_passenger in CWP Apache
Installation of mod_passenger in CWP - Control WebPanel on CentOS 7/EL7/CentOS 8 Stream/EL8, easily with the steps provided below. Ensure you run these commands as the root user. mod_passenger enables Phusion Passenger to host Ruby, Python, and Node.js apps on the Apache server. Phusion Passenger specializes in managing these types of apps by restarting them in the case of an app crash, keeping heavy resource usage in check, and more. By enabling this feature, you will be able to add Ruby, Python, and Node.js apps onto your server.

First install some requirements like Ruby, gem, rack and dependencies.

CentOS 7/EL7 :

yum install apr apr-devel ruby rubygem-rake ruby-devel curl-devel libcurl-devel apr-util apr-util-devel -y
gem install "rubygems-update:<3.0.0" --no-document
update_rubygems
gem install rack -v 1.6.13

CentOS 8 Stream/EL8/AlmaLinux/Rocky Linux/Oracle Linux :

dnf install apr apr-devel ruby rubygem-rake ruby-devel curl-devel libcurl-devel apr-util apr-util-devel -y
gem install rubygems-update
gem update --system
gem install rack

Now install mod_passenger in CWP Apache :

mkdir -p /usr/local/pbuild
cd /usr/local/pbuild
rm -rf latest_stable_tarball passenger*
wget https://www.phusionpassenger.com/latest_stable_tarball
tar -xzvf latest_stable_tarball
rm -rf /usr/local/pbuild/passenger-*.tar.gz
mv /usr/local/pbuild/passenger-* /usr/local/pbuild/passenger
cd /usr/local/pbuild/passenger/bin
export APXS2=/usr/local/apache/bin/apxs
export APR_CONFIG=/usr/bin/apr-1-config
./passenger-install-apache2-module

You’ll get some prompts; press Enter and proceed with the default options, and don’t select another option unless you know what you’re doing.

Now add the module in Apache: select all, copy and paste into the terminal/SSH and hit the Enter key (the module path points at the /usr/local/pbuild/passenger build directory used above) :

cat > /usr/local/apache/conf.d/passenger.conf << "EOF"
LoadModule passenger_module /usr/local/pbuild/passenger/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /usr/local/pbuild/passenger
  PassengerDefaultRuby /usr/bin/ruby
</IfModule>
EOF

Then restart Apache :

systemctl restart httpd

You can check whether mod_passenger is loaded in Apache as a module with this command; if the command outputs passenger_module then you’re good to go :

/usr/local/apache/bin/httpd -M | grep passenger
-
Enable and Disable SHA1 algorithm on your system CentOS Stream 9/AlmaLinux 9/RockyLinux 9
Today we’ll learn how to enable or disable SHA-1 in the system-wide cryptographic policy, and why we’re disabling SHA-1: because the SHA-1 hash function has an inherently weak design, and advancing cryptanalysis has made it vulnerable to attacks, CentOS/RHEL 8 and CentOS/RHEL 9 do not use SHA-1 by default. Nevertheless, some third-party applications, for example public signatures, still use SHA-1. To disable the use of SHA-1 in signature algorithms on your system, you can use the NO-SHA1 policy module.

DISABLE SHA-1 :

update-crypto-policies --set DEFAULT:NO-SHA1

And reboot the system to apply it system-wide.

ENABLE SHA-1 :

On the internet there are thousands or lakhs of devices that still use the SHA-1 algorithm, like older OSes, for example CentOS 6; people are still using it because it is very light on resources and their old applications are still running there. If you try to connect from such an old OS to a modern OS like EL9/CentOS 9, for example with SSH, you’ll get an error like below :

no hostkey alg

If you check the error message on the modern OS, it will show the corresponding error. To fix this you need to enable the SHA-1 algorithm in your modern OS, for example in EL9/CentOS 9. Run the command below to enable SHA-1 :

update-crypto-policies --set DEFAULT:SHA1

That’s it, you’ve changed the system-wide crypto policy to enable SHA-1; a system reboot is also recommended after enabling SHA-1.
-
Generate CSR certificate signing request via command line and with OpenSSL
In this tutorial we’ll learn how you can use OpenSSL to generate a CSR and an RSA private key. A CSR is needed when you issue a paid SSL certificate. A CSR (Certificate Signing Request) is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA). The CSR validates the information the CA requires to issue a certificate. An RSA key is a private key based on the RSA algorithm. The private key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS session. It is a part of the public key infrastructure that is generally used in the case of SSL certificates. RSA keys for SSL certs are of 2 types, i.e. the lengths are 2048 and 4096.

This command will generate the CSR and RSA private key within seconds.

For 2048 key length :

openssl req -nodes -newkey rsa:2048 -sha256 -keyout domainname.key -out domainname.csr

For 4096 key length :

openssl req -nodes -newkey rsa:4096 -sha256 -keyout domainname.key -out domainname.csr

After you complete the form below, the 2 files domainname.key and domainname.csr are created in the directory you’re currently in (use pwd to get the current dir path). You’ll be asked the questions below :

root@server:~# openssl req -nodes -newkey rsa:4096 -sha256 -keyout domainname.key -out domainname.csr
Generating a RSA private key
.....................................................................................................................................................................................................................................................................................++++
........++++
writing new private key to 'domainname.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:IN
Locality Name (eg, city) []:IN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WORDPRESS
Organizational Unit Name (eg, section) []:BLOG
Common Name (e.g. server FQDN or YOUR name) []:alphagnu.com
Email Address []:emailid@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:alphagnu

** The challenge password should be empty, just hit the Enter key.

Type the ls command to list the generated files :

root@server:~# ls
domainname.csr domainname.key
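The same openssl command can be driven without the interactive prompts, and the resulting CSR is worth checking before it goes to the CA; the script below is an added example (not from this post), assumes the openssl binary is on PATH, and reuses the sample answers typed in above as its subject.

```python
"""Added example (not from the post): generate the CSR non-interactively and
check it before sending it to the CA.

Assumes the openssl binary is on PATH. SUBJECT holds the same sample answers
that were typed into the prompts above; replace them with your own.
"""
import os
import subprocess
import tempfile

SUBJECT = {"C": "IN", "ST": "IN", "L": "IN", "O": "WORDPRESS",
           "OU": "BLOG", "CN": "alphagnu.com", "emailAddress": "emailid@gmail.com"}


def subject_arg(fields):
    """Turn the dict into openssl's -subj form; a '/' inside a value is escaped."""
    return "".join("/%s=%s" % (k, v.replace("/", "\\/")) for k, v in fields.items())


def openssl(*args, cwd=None):
    """Run one openssl command and return its stdout (raises on non-zero exit)."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def make_csr(workdir, bits=2048, fields=SUBJECT, name="domainname"):
    """Same command as in the post, with -subj replacing the interactive prompts."""
    openssl("req", "-nodes", "-newkey", "rsa:%d" % bits, "-sha256",
            "-keyout", name + ".key", "-out", name + ".csr",
            "-subj", subject_arg(fields), cwd=workdir)
    return os.path.join(workdir, name + ".key"), os.path.join(workdir, name + ".csr")


def check_csr(key_path, csr_path, expected_cn, expected_bits):
    """Checks worth doing before uploading a CSR: its self-signature verifies,
    its public key belongs to the private key on disk, the CN is the intended
    host name, and the key has the requested length."""
    openssl("req", "-noout", "-verify", "-in", csr_path)  # non-zero exit if bad
    key_pub = openssl("pkey", "-in", key_path, "-pubout")
    csr_pub = openssl("req", "-in", csr_path, "-noout", "-pubkey")
    subject = openssl("req", "-in", csr_path, "-noout", "-subject", "-nameopt", "RFC2253")
    key_text = openssl("pkey", "-in", key_path, "-noout", "-text")
    return {
        "signature_ok": True,
        "key_matches": key_pub.strip() == csr_pub.strip(),
        "cn_ok": "CN=%s" % expected_cn in subject,
        "bits_ok": "(%d bit" % expected_bits in key_text,
    }


def demo(bits=2048):
    """Generate and check a CSR in a scratch directory; returns the check results."""
    workdir = tempfile.mkdtemp(prefix="csr-")
    key_path, csr_path = make_csr(workdir, bits=bits)
    return check_csr(key_path, csr_path, SUBJECT["CN"], bits)


if __name__ == "__main__":
    print(demo())
```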
-
Get Let’s Encrypt Free Wildcard SSL For Your Domain – ACME v2
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). Basically they provide hassle-free, no-cost SSL for your domains; recently Let’s Encrypt introduced wildcard SSL for your domain, so now you can use a free wildcard SSL cert for your domain and for multiple subdomains with just a single SSL cert (no need to issue certs for every subdomain); even WordPress Multisite (https) runs fine with it.

The key principles behind Let’s Encrypt are :

Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

In this tutorial we’ll cover and issue a wildcard Let’s Encrypt SSL cert for a domain. This tutorial will work on several Linux distributions like Red Hat, CentOS (el7, el8), Ubuntu, Fedora etc.

Let’s get started :

Step 1 : Change the directory to root :

cd /root

Step 2 : For Let’s Encrypt to work we need an ACME client (also ensure cURL is installed) :

yum install socat
curl https://get.acme.sh | sh
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt

OR

yum install socat git
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt

You’ll see it download and add the acme script.

Step 3 : Issuing a wildcard SSL cert for the domain via the command line. This command will ask you to add some DNS TXT records for validation purposes; it is necessary to add those records, otherwise cert issuing will fail.

acme.sh --issue -d alphagnu.com -d *.alphagnu.com --dns --force

If you’re getting “It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode” then run this command (recommended) :

acme.sh --issue -d alphagnu.com -d *.alphagnu.com --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

* Replace alphagnu.com with your domain name. After you run this command it will ask you to add TXT records like below :

[root@demo ~]# acme.sh --issue -d alphagnu.com -d *.alphagnu.com --dns --force
[Wed Mar 14 10:18:10 EDT 2018] Registering account
[Wed Mar 14 10:18:13 EDT 2018] Registered
[Wed Mar 14 10:18:13 EDT 2018] ACCOUNT_THUMBPRINT='MO7DtJidci1tp4CNPDUbQA0_jPjR3tKy8uQE-Q_Bb7k'
[Wed Mar 14 10:18:13 EDT 2018] Creating domain key
[Wed Mar 14 10:18:13 EDT 2018] The domain key is here: /root/.acme.sh/alphagnu.com/alphagnu.com.key
[Wed Mar 14 10:18:13 EDT 2018] Multi domain='DNS:alphagnu.com,DNS:*.alphagnu.com'
[Wed Mar 14 10:18:13 EDT 2018] Getting domain auth token for each domain
[Wed Mar 14 10:18:15 EDT 2018] Getting webroot for domain='alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] Getting webroot for domain='*.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ'
[Wed Mar 14 10:18:15 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 10:18:15 EDT 2018] so the resulting subdomain will be: _acme-challenge.alphagnu.com
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko'
[Wed Mar 14 10:18:15 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 10:18:15 EDT 2018] so the resulting subdomain will be: _acme-challenge.alphagnu.com
[Wed Mar 14 10:18:15 EDT 2018] Please add the TXT records to the domains, and retry again.
[Wed Mar 14 10:18:15 EDT 2018] Please add '--debug' or '--log' to check more details.
[Wed Mar 14 10:18:15 EDT 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

You can see the TXT records are already mentioned here as :

[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ'
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko'

Now you need to add these records; don’t add these example values, use the actual TXT record values shown on your shell console (A record and TXT records) :

A record _acme-challenge.alphagnu.com pointing to the server IP
TXT record _acme-challenge.alphagnu.com value : “YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ”
TXT record _acme-challenge.alphagnu.com value : “j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko”

Add the wildcard DNS :

*.alphagnu.com. 14400 IN A 107.152.32.123

* Replace alphagnu.com with your domain name. Ultimately your DNS config will contain these records.

Step 4 : After adding the DNS records, wait for DNS propagation and run this command to issue the certs :

acme.sh --renew -d alphagnu.com -d *.alphagnu.com --dns --force

* Replace alphagnu.com with your domain name.

Or (recommended) :

acme.sh --renew -d alphagnu.com -d *.alphagnu.com --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

* Replace alphagnu.com with your domain name. This is DNS manual mode; it cannot be renewed automatically. You will have to add a new TXT record to your domain by hand when you renew your cert. You can check whether the TXT record is updated or not via this command :

dig -t txt _acme-challenge.alphagnu.com

* Replace alphagnu.com with your domain name. All set, you’ll see the certs are now issued successfully. The cert, chain file and private key will be saved under /root/.acme.sh/yourdomain.com with the names :

alphagnu.com.cer <<=== Cert file
alphagnu.com.key <<=== Private Key
fullchain.cer <<=== CA Chain file/bundle file

Now you can use these files in the SSL vhost; just update/add the paths (you can search on Google how to add an SSL vhost for Nginx and Apache). Also ensure you’ve enabled a wildcard vhost for Apache or Nginx, whichever your main web server is, or use multiple vhosts with the same cert paths as mentioned below.

Apache :

SSLCertificateFile /root/.acme.sh/alphagnu.com/alphagnu.com.cer
SSLCertificateKeyFile /root/.acme.sh/alphagnu.com/alphagnu.com.key
SSLCertificateChainFile /root/.acme.sh/alphagnu.com/fullchain.cer

Nginx :

ssl_certificate /root/.acme.sh/alphagnu.com/fullchain.cer;
ssl_certificate_key /root/.acme.sh/alphagnu.com/alphagnu.com.key;

* Replace alphagnu.com with your domain name.

Step 5 : To renew the certs you just need to run this command; ensure you run it within 90 days, and update the TXT DNS records if shown, as mentioned above in Step 3 :

acme.sh --issue -d alphagnu.com -d *.alphagnu.com --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

or

acme.sh --renew -d alphagnu.com -d *.alphagnu.com --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

* Replace alphagnu.com with your domain name.

Automatic cert renewal (only if you used auto DNS add via API) : For more info about the DNS API and how to do it visit the official page : https://github.com/Neilpang/acme.sh/tree/master/dnsapi

Auto renew Let’s Encrypt certs via cron job : add this daily cron for the auto renew check :

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
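Because DNS manual mode repeats at every renewal, it helps to pull the two TXT records out of the acme.sh output mechanically and compare them with what dig returns before running the --renew command; the parser below is an added example (not part of acme.sh), built on the log lines quoted in Step 3, with a constructed stand-in for the dig result.

```python
"""Added example (not part of acme.sh): pull the TXT challenge records out of
the dns manual-mode output above and check them against what DNS serves.

SAMPLE_OUTPUT is constructed from the log lines quoted in this post, so the
values are the post's sample values; `published` stands in for `dig -t txt`.
"""
import re

SAMPLE_OUTPUT = """\
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'YABz8SMXk_qqrIrUgx5_DWSjBUSuDsdvIxJ4RIEwMUQ'
[Wed Mar 14 10:18:15 EDT 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar 14 10:18:15 EDT 2018] Add the following TXT record:
[Wed Mar 14 10:18:15 EDT 2018] Domain: '_acme-challenge.alphagnu.com'
[Wed Mar 14 10:18:15 EDT 2018] TXT value: 'j4x7b-mzV7cCYCHT_LfLaAW0wDYMeeYayMMvindIGko'
[Wed Mar 14 10:18:15 EDT 2018] Please add the TXT records to the domains, and retry again.
"""

# One acme.sh log line: "[timestamp] Domain: '...'" or "[timestamp] TXT value: '...'"
LINE = re.compile(r"^\[[^\]]*\]\s+(Domain|TXT value):\s+'([^']*)'\s*$")


def parse_txt_records(output):
    """Return [(name, value), ...] in the order printed.

    The apex and the wildcard share the name _acme-challenge.<domain>, so two
    records with the same name are expected and both are kept.
    """
    records, pending = [], None
    for line in output.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        kind, text = match.groups()
        if kind == "Domain":
            pending = text
        elif pending is not None:
            records.append((pending, text))
            pending = None
    return records


def zone_lines(records, ttl=120):
    """Render the records as zone-file lines ready to paste into the DNS panel."""
    return ['%s. %d IN TXT "%s"' % (name, ttl, value) for name, value in records]


def missing_records(records, published):
    """published maps a name to the set of TXT strings DNS currently returns
    (what `dig -t txt <name>` shows); returns the records still absent."""
    return [(n, v) for n, v in records if v not in published.get(n, set())]


if __name__ == "__main__":
    recs = parse_txt_records(SAMPLE_OUTPUT)
    print("\n".join(zone_lines(recs)))
    # Constructed dig result in which only the first record has propagated.
    print(missing_records(recs, {"_acme-challenge.alphagnu.com": {recs[0][1]}}))
```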
-
Optimize Mariadb/MySQL server for 4 GB RAM Server
If you have a MariaDB/MySQL VPS server with 4 GB of RAM, you can optimize its performance by following these steps. If you’re looking for a configuration for more than 4 GB of RAM, just divide the value by 4 and multiply the result by the amount of RAM, for example : 256/4 = 64, and if you want it for 8 GB of RAM just multiply by that, i.e. 64 x 8 = 512.

For MariaDB : Edit the MariaDB configuration file /etc/my.cnf.d/server.cnf using your favorite text editor :

nano /etc/my.cnf.d/server.cnf

Add the following lines under the [mysqld] section :

default-storage-engine = InnoDB
innodb_flush_method = O_DIRECT
innodb_log_file_size = 128M
innodb_buffer_pool_size = 128M
max_allowed_packet = 128M
max_connections = 200
key_buffer_size = 256M
tmp_table_size = 64M
max_heap_table_size = 64M

For MySQL : Edit the MySQL configuration file /etc/my.cnf using your favorite text editor :

nano /etc/my.cnf

Add the following lines under the [mysqld] section :

default-storage-engine = InnoDB
innodb_flush_method = O_DIRECT
innodb_log_file_size = 128M
innodb_buffer_pool_size = 128M
max_allowed_packet = 128M
max_connections = 200
key_buffer_size = 256M
tmp_table_size = 64M
max_heap_table_size = 64M

After you’ve added these values restart the MariaDB/MySQL server :

MariaDB server restart :

systemctl restart mariadb

MySQL server restart :

systemctl restart mysql mysqld
-
Enable Query Cache in MariaDB for Performance CWP hestiacp Centos Ubuntu
Today we'll learn how to enable the query cache in MariaDB. MariaDB has several caching mechanisms to improve performance; the query cache stores the results of SELECT queries so that if an identical query is received in future, the results can be returned quickly. This is extremely useful in high-read, low-write environments (such as most websites). It does not scale well in environments with high throughput on multi-core machines, so it is disabled by default.

Here are the steps to enable query cache in MariaDB:

Check if query cache is enabled:

Before enabling query cache, you should check whether it is already enabled. You can do this by logging into your MariaDB server and executing the following command:

    SHOW VARIABLES LIKE 'query_cache_type';

Example : type mysql on the command line and hit enter; it will open the MariaDB console, then execute the SHOW VARIABLES command:

    [root@server ]# mysql
    Welcome to the MariaDB monitor. Commands end with ; or \g.
    Your MariaDB connection id is 9
    Server version: 10.11.2-MariaDB-log MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> SHOW VARIABLES LIKE 'query_cache_type';
    +------------------+-------+
    | Variable_name    | Value |
    +------------------+-------+
    | query_cache_type | OFF   |
    +------------------+-------+
    1 row in set (0.001 sec)

If the value of query_cache_type is OFF, the query cache is not enabled.

Enable query cache:

To enable query cache, you need to modify the MariaDB configuration file and add the configs below under the [mysqld] section.

For CWP/CentOS the file is located at : /etc/my.cnf or /etc/my.cnf.d/server.cnf
For Ubuntu/Debian the file is located at : /etc/mysql/my.cnf

Open the file in a text editor and add the following lines:

    query_cache_type = 1
    query_cache_size = 128M
    query_cache_limit = 4M

query_cache_type is set to 1 to enable the query cache, query_cache_size specifies the size of the cache in megabytes, and query_cache_limit specifies the maximum size of a single query result that can be cached.

Restart MariaDB server:

After modifying the my.cnf configuration file, you need to restart the MariaDB server to apply the changes. You can do this by running the following command:

    systemctl restart mariadb

Verify query cache is enabled:

To verify that query cache is enabled, log into the MariaDB server and execute the SHOW VARIABLES LIKE 'query_cache_type'; command again. If the value of query_cache_type is now ON, the query cache has been enabled.

By following these steps, you can enable query cache in MariaDB and improve the performance of your database queries.
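Both this post and the 4 GB tuning post above come down to the same edit: put a handful of keys under [mysqld] without ending up with duplicate or conflicting entries, then confirm the server picked them up. As an added example (not part of either post), the Python below does that edit idempotently on a my.cnf-style file and parses the SHOW VARIABLES table printed by the mysql client for the verification step. The sample config and sample client output are constructed for the example, and the helper names are my own.

```python
# Added example (not from the original post): add or update keys under the
# [mysqld] section of a my.cnf-style file without creating duplicates, and
# parse the SHOW VARIABLES table printed by the mysql client to confirm the
# new value is live after the restart. Helper names are assumptions.
import re

# Constructed sample config: one stale query_cache_type, one bare flag, so the
# editor must rewrite one key, pass one line through, and append the rest.
SAMPLE_CNF = """\
[client]
socket = /var/lib/mysql/mysql.sock

[mysqld]
datadir = /var/lib/mysql
query_cache_type = 0
skip-name-resolve
"""

# The three settings from the post.
QUERY_CACHE_OPTIONS = {
    "query_cache_type": "1",
    "query_cache_size": "128M",
    "query_cache_limit": "4M",
}

# Constructed sample of the client output after the restart.
SAMPLE_SHOW_VARIABLES = """\
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| query_cache_type | ON    |
+------------------+-------+
"""


def _norm(key):
    # MariaDB treats query-cache-type and query_cache_type as the same option.
    return key.replace("-", "_")


def set_mysqld_options(config_text, options, section="mysqld"):
    """Return config_text with every option set exactly once under [section].

    Keys already in the section are rewritten in place, missing keys are
    appended at the end of the section, and the section is created if the
    file lacks it. Other sections, comments and !include lines pass through.
    """
    pending = {_norm(k): (k, v) for k, v in options.items()}
    written = set()
    out, in_section, section_found = [], False, False

    def flush():
        # Emit the options not yet written before leaving the section.
        for norm_key, (key, value) in pending.items():
            if norm_key not in written:
                out.append(f"{key} = {value}")
                written.add(norm_key)

    for line in config_text.splitlines():
        header = re.fullmatch(r"\s*\[([^\]]+)\]\s*", line)
        if header:
            if in_section:
                flush()
            in_section = header.group(1) == section
            section_found = section_found or in_section
            out.append(line)
            continue
        if in_section:
            # "key = value" or a bare flag such as skip-name-resolve.
            kv = re.match(r"\s*([\w-]+)\s*(=|$)", line)
            if kv and _norm(kv.group(1)) in pending:
                key, value = pending[_norm(kv.group(1))]
                out.append(f"{key} = {value}")
                written.add(_norm(key))
                continue
        out.append(line)

    if in_section:
        flush()
    if not section_found:
        if out and out[-1].strip():
            out.append("")
        out.append(f"[{section}]")
        flush()
    return "\n".join(out) + "\n"


def parse_show_variables(output):
    """Parse the ASCII table from SHOW VARIABLES into {name: value}."""
    result = {}
    for line in output.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Variable_name":
            result[cells[0]] = cells[1]
    return result


def query_cache_enabled(show_variables_output):
    """The post's verification step: query_cache_type must read ON."""
    return parse_show_variables(show_variables_output).get("query_cache_type") == "ON"
```

Running set_mysqld_options a second time on its own output returns the text unchanged, which is what makes it safe to put in a provisioning script that runs on every deploy rather than only once.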
