• Home

Items filtered by date: December 2014

Tuesday, 13 July 2021 12:45

Outlook 2016/2019 PayPal Receipt Printing - Only print pages 1 and 2

This all started because I printout my PayPal receipts and because of their formatting can take several sheets of paper. Often the last sheet would just have 1 word on it.

I started by manually just printing the first 2 pages, but this is time consuming so I wrote a macro just to print the first 2 pages of the PayPal receipt to the default printer so I could achieve the same thing but with 1 button click which is what I will show you how to do below.

Then I moved on and configured my printer to print 2 pages on every sheet. So instead of an average of 3 A4 pages every receipt I now just use 1. This has the added advantage that some times a receipt is 1 page and sometimes it is 2 pages so no more paper that what is absolutely needed is used.

I then also created a memo style in Outlook with the margins reduced. (Optional)

This is best solution for printing PayPal Receipts.

See Print 2 full pages on single sheet of paper with HP a printer | QuantumWarp

 

Instructions

To get this to work there are several parts, building the macro (which is done for you), installing the macro and then creating a button in Quick Access Toolbar to run it.

The Macro (2022)

' Outlook 2016/2019 PayPal Receipt Printing - Only print pages 1 and 2

Sub PayPal_Receipt_Printing()

SendKeys "%"
SendKeys "FPR"
SendKeys "%{S}"
SendKeys "1-2"
SendKeys "{ENTER}"
DoEvents
SendKeys "{NUMLOCK}{NUMLOCK}"

End Sub

Old Version

The code below worked for a while but recently stopped working after a Windows update but I am leaving it here for reference because there might old versions of office this is needed for and I can see what I changed to get it to work.

' Outlook 2016/2019 PayPal Receipt Printing - Only print pages 1 and 2

Sub PayPal_Receipt_Printing()

SendKeys "%FPR"
SendKeys "%S"
SendKeys "1-2"
SendKeys "{ENTER}"
DoEvents
SendKeys "{NUMLOCK}{NUMLOCK}"

End Sub

How I fixed this

  • The error started occuring after a Windows/Office Update
  • When i run a macro in office it makes a noise/alert/bong and appears not to run
    • This alert was caused by incorrect keypresses generated by the macro caused by changes to how the code is interpreted after an update.
    • The macro is running correctly, but not as you expect.
    • Becasue the macro does not crash, there are no error to be generated.
  • I found the error by REMMING out all of the lines in the VBA and check each line/action until the issue is found.
    • I run each line one by one to see where the bong was generated.
    • I REMMED out all the lines except the first one, checked, then uncommented the second line and rechecked etc..
  • I fixed the script by appling these changes:
    • SendKeys "%FPR" is now broken into 2 lines. For some reason the code on one line was not longer accepted.
      • SendKeys "%"
      • SendKeys "FPR"
    • I have also changed SendKeys "%S" to SendKeys "%{s}" as there was a change in how the asset on the print dialogue box is selected or how this particular line was handled.

Code explained

  • SendKeys "%FPR"
    • Press the keys: Alt --> F --> P --> R
    • Use to work but stop working after a recent update.
  • SendKeys "%"
    • Press the keys: Alt
    • Works fine when it is on its own
  • SendKeys "%{FPR}"
    • While holding the ALT key press F --> P --> R
    • This should work

Install the Macro and create a Quick Access Toolbar button

Test Print

Remembering that this script will use your default printer, do a test print and then you are done.

The rest of this article is for reference.

Notes

 

Numlock gets turned off when using SendKeys

The NumLock would always turn off after running the script no matter what. These are my notes on resolving this issue.

When you use SendKeys the NumLock is turned off due to a bug in Visual Basic.

Solutions from Microsoft

I found these towards the end of my research and they pretty much the best way of fixing this issue.

Executing two or more SendKeys statements in a row results in turning off the NumLock key. This problem may also affect the CapsLock and ScrollLock keys.

My Solution 1 - DoEvents

If you look in the script above you can see the following code taken from SendKeys is messing with my NumLock key via VBA code in Access form - Stack Overflow

DoEvents
SendKeys "{NUMLOCK}{NUMLOCK}"

This solution seems to work really well and perhaps can be expanded for Caps Lock and Scroll Lock if needed.

My Solution 2 - Sense NumLock state and then restore after SendKeys (GetKeyState/GetAsyncKeyState)

I spent quite a bit of time trying this but could not get it to work so I am including my notes and research here for future reference.

The code below I managed to get to sense when a key was pressed down and shows how to use the High/Low bit thing by using Hex codes

' Get Numlock status

Private Const VK_NUMLOCK = &H90
Private Const VK_SCROLL = &H91
Private Const VK_CAPITAL = &H14

Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Long

Private Function KeyDown(ByVal vKey As Long) As Boolean
   KeyDown = GetAsyncKeyState(vKey) And &H8001
End Function

Sub Test_Key_down()

If KeyDown(vbKeyNumlock) Then MsgBox "The NumLock key is pressed down!"

End Sub

Notes

  • I can then get state before running the code and restore it aftewwards to fix bug.
  • I cannot get the live state of the NumLock using this method
  • All Declare Statements must now include the PtrSafe keyword when running in 64-bit versions of Microsoft Office. The PtrSafe keyword indicates a Declare statement is safe to run in 64-bit versions of Microsoft Office.
  • SendKeys is messing with my NumLock key via VBA code in Access form - Stack Overflow - Answers here.
  • &H8001 = checks if the key is down has been pressed in this process. it is not cleared until new process.
  • &H8000 = checks if the key is down
  • &H0001 / &H1 = checks if the key has been pressed in this process. it is not cleared until new process.
  • this only does keys, I cant get it to recognise the state of the numlock light
  • process/message que clears after about 5 seconds
  • 0x8001 = Low bit
  • 0x8001 = High bit
  • 0x8001 =  -32767
  • If the function succeeds, the return value specifies whether the key was pressed since the last call to GetAsyncKeyState, and whether the key is currently up or down.
  • If the most significant bit is set, the key is down, and if the least significant bit is set, the key was pressed after the previous call to GetAsyncKeyState. However, you should not rely on this last behavior; for more information, see the Remarks.

My Solution 3 - Sense NumLock state and then restore after SendKeys (Keyboard Events)

I never tried this option as it looked very complicated and I do not want to learn VB.

Outlook VB General Notes

Published in Microsoft Office
Read more...
Tuesday, 22 June 2021 06:55

CWP Full setup in VirtualBox on Windows behind a NAT

These instructions are for CWPpro but will work for the most part with the free version of Control Web Panel. For the yearly cost of the Pro version it is worth paying the $12 and trying the full software out from the start. This will also support the project.

For reference I used:

  • CentOS-7-x86_64-Minimal-2009
  • CWPpro v0.9.8.1074
  • VirtualBox v6.1.22-144080

Following these instructions will take around 5 Hours to complete and this assumes you have built your Windows 10 Pro PC.

I do not cover every aspect because I am not a professional but this should be a good baseline. But what it does cover is:

  • Setting up a Windows 10 Pro PC (not extensively).
  • Setting up a Oracle VirtualBoc Virtual Machine instance with all of the correct settings.
  • Setting up of CWP and all of those settings that most people want.
  • Configuring your local network with OpenWRT

Just follow the guide through from beginning to end and everything will work. I built the guide as I figured things out.

Prerequisites

It is easier to get these things together before you start.

 

Setup Windows 10 Pro PC

You can use your own Virtual Machine server if you have one. My preference is VirtualBox because it is free but VMWare should do just fine.

Check your RAID

Not everyone will use a RAID, but should. A few simple checks to make sure everything is correct is a good idea.

The information below is for standard RAIDs found on Desktop PCs and not ones on ZFS or anything funky like that.

  1. If you are using SSDs on your RAID check to make sure your RAID has presented the RAID as an SSD otherwise you might burnout your drives quicker. This should only be an issue on old RAIDS pre-SSD.
  2. Check your hardware RAID is recognise as 1 drive in Disk Management so you know you have configured it correctly.
  3. Install any RAID specific drivers/utilities that came with your motherboard or RAID card so you can do proper monitoring of the drives hardware.
  4. Configure and RAID utilities to send you email alerts.
  5. When SSDs are used in a RAID:
    • the 'Scheduled Optimisation' should be disabled (if not already) because you cannot trim a RAID as it is made up of more than one drive, and these commands are direct drive commands. Newer RAIDs will have this feature built into their utilities which can see the drives independantly and can make the appropriate adjustments.
    • 'Scheduled Optimisation' is found in the Windows defrag utility and this is where I can check these settings.
  6. Standard drives in a RAID can be defragged as normal because the commands will be handled correctly.

Create a VirtualBox VM

These are my settings for VirtualBox but you might want to modify them slightly which will be fine.

If a setting is not mentioned or is crossed out below, leave it as default.

Using the wizard create your VM with the following settings

Using the Guided or expert mode will give the same outcome.

  • Name and Operating System
    • Name: CWP
    • Machine Folder: C:\Users\{user}\VirtualBox VMs
    • Type: Linux
    • Version: Red Hat (64-bit)
  • Memory size: 4096MB
  • Hard Disk
    • Create a new virtual disk now
    • VDI (Virtual Disk Image)
    • Fixed Size
    • File location and size
      • 50GB
      • C:\Users\{user}\VirtualBox VMs\CWP\CWP.vdi
      • This will create a file that is 50GB so will add 50GB of wear to your SSD. But don’t worry this is ok and expected and is a one time deal.

 

Edit new VM Machine settings

There is currently a bug with rebooting a VM when running in EFI mode with more than 1 CPU. See notes below.

 

CWP/CentOS works with each type of VirtualBox Start Up. You should look into which one suits you best.

I use Normal until everything is setup and then use Headless when it goes into production.

We now need to finish configuring the VM so it performs better with CentOS Linux.

  • Only change settings mentioned, the rest should be left as default
  • General --> Description
  • Control Web Panel
  • System --> Motherboard --> Boot Order
  • Optical
  • Hard Disk
  • Eject ISO after OS setup
  • System --> Motherboard --> Chipset
  • System --> Motherboard --> Enable EFI
  • System --> Motherboard --> Hardware Clock in UTC Time = off. This keeps the time the same as the Host
  • System --> Motherboard --> Processors --> 2 CPUs (My Host has 6 cores)
  • System --> Acceleration --> Paravirtualization Interface --> KVM
  • System --> Acceleration --> VT-x/AMD-V --> Enabled (If present)
  • Display
    • Video Memory: 64MB (Default: 16mb / VMSVGA)
    • Graphics Controller: VBoxSVGA + no 3D acceleration
    • Enable 3D Acceleration: yes
  • Storage
    • SATA Controller
      • Name: SATA
      • Type: AHCI
      • Port Count: 2
      • Use Host I/O Cache: off
    • HDD/SSD
      • Solid-state Drive: Yes if you are using SSD
      • Hot-pluggable: off, leave this off
    • Add optical Drive to the SATA controller with the following:
      • Live CD/DVD: no
      • Hot-Pluggable: no
    • Remove the IDE Controller
    • NetworkAdapter 1
      • EnabledAttached to: Bridged Adapter
      • Promiscuous Mode: Deny

Notes

 

Install CentOS (Minimal)

I will install CentOS using EFI but pay attention to the reset bug

CentOS 7 (Minimal) is the recommended version of the OS to use when installing CWP. It should be also noted there is no uninstaller but you should never need one.

  • Read the Official Installation Instructions
  • Mount CentOS-7-x86_64-Minimal-2009.iso in the optical drive
  • Set the Optical drive to boot first. (for EFI bios this is currently ignored)
  • Power on the VM
  • If UEFI Interactive Shell appear instead of the CentOS DVD booting then follow the instructions below, else skip this section. This is a VirtualBox Bug.
    • Let the timeout finish or press Esc (both end up at the same place)
    • Type exit (and press return)
    • Select Boot Manager

    • Select UEFI VBOX CD-ROM VB1-1a2b3c4d
      • CentOS option does not work
      • This loads EFI/BOOT/BOOTX64.EFI
    • CentOS DVD will now boot
  • Select Install CentOS 7

  • Set your language and click `Continue`

    • The keyboard layout will change to your localization.
  • Installation Summary should now be shown:

    • Configure 'Installation Destination'

      • This needs to be set manually.
      • Go in and select the disk and leave everything on auto unless you want something different
      • Installation Destination: Just click into it and check the information. Do not change anything. Click `Done`
    • Configure 'Network and Host Name'

      • Configure Ethernet (enp0s3)Enable Ethernet (enp0s3)

        • General --> Automatically connect to this network when it is available: yes
        • General --> All users may connect to this network: yes
        • IPv4 Settings --> Method: Manual
        • IPv4 Settings --> Addresses --> Add
          • Address: 192.168.1.11
          • Netmask: 255.255.255.0
          • Gateway: 192.168.1.1
        • IPv4 Settings --> DNS servers: 192.168.1.1
        • IPv4 Settings --> Require IPv4 addressing for this connection to complete: Yes
        • IPv6 Settings --> Method: Ignore
        • Click `Save`
      • Enable Ethernet (enp0s3) (if not already)
      • Set Host name
        • Host name server.mydomain.com
        • Click `Apply`
      • Check setting are correct in the summary.
      • Click `Done`
    • All settings should now be correct.
    • Click `Begin Installation`
    • CentOS will now install the required files
    • Set a Root Password (Once the file installation has completed)

      You will now see
      • Do not create a user account here, we will do that later.
  • Click 'Finish Configuration' (CentOS is now sucessfully installed, but some configuration still needs to be done)

    You will now see
  • Click `Reboot`
  • CentOS Automatically ejects the DVD so you dont have to do anything
  • Remove the CentOS DVD
    • it might have already been ejected by CentOS installer
    • Login with your root credentials
    • enter the command shutdown (this will power CentOS off)
    • Eject the CentOS-7-x86_64-Minimal-2009.iso from the VM
    • Change the boot order by deselecting the Optical drive is no longer a boot device.
    • Power up the VM
  • The VM will now reboot
  • Login with your root credentials when the terminal appears
  • Configure the network card with the static IP you have selected for CWP (if not already done in the CentOS wizard)
    • use `NetworkManager Text User Interface`
      • Command 
        nmtui

or 

nmtui edit enp0s3 (might work)
      • IPv4 Configuratioin
        • Addresses: 192.168.1.11/24 (or 192.168.1.11)
        • Gateway: 192.168.1.1
        • DNS Servers 192.168.1.1
      • Search domains: leave empty
      • Routing: No custom routes
      • Never use this network for default route: leave unticked
      • Ignore automatically obtained routes: leave unticked
      • Ignore automatically obtained DNS parameters: leave unticked
      • Ignore IPv6 Configuration: Ignore
      • Automatically connect: Yes
      • Available to all users: Yes
    • Goto the command prompt
  • Setup Hostname (server.mydomain.com) (if not already done in the CentOS wizard)
    • Use either the nmtui utility or type the following into the terminal
      hostname server.mydomain.com
    • Default is localhost.localdomain

  • Preparing Server
    • Install required packages for CWP installation: 
      yum -y install wget
    • Update your server to the latest version (might take a while)
      yum -y update
    • Reboot the server
      reboot

Notes

 

Install CWP

Now your VM has CentOS insatlled we can proceed and install CWP.

CWP installer can run more than 30 minutes because it needs to compile Apache and php from source but might be a lot quicker on modern PCs.

  • Boot the VM to the CentOS terminal prompt or (optionally) this is a good time to start using PuTTY if you know what you are doing so you can copy and paste from the terminal.
    • You can use the local IP 192.168.1.11 and port 22
  • Login with root
  • Run the commands (the last one might take a while)
    cd /usr/local/src
wget http://centos-webpanel.com/cwp-el7-latest
sh cwp-el7-latest -restart yes --phpfpm 7.4
    The --phpfpm 7.4 switch did not work for me.
  • When the installer is finished, you will see your credentials displayed, copy them down safely. 
    #############################
#      CWP Installed        #
#############################

Go to CentOS WebPanel Admin GUI at http://SERVER_IP:2030/

http://13.13.13.13:2030
SSL: https://13.13.13.13:2031
---------------------
Username: root
Password: ssh server root password
MySQL root Password: xxxxxxxxxxxx

#########################################################
          CentOS Web Panel MailServer Installer
#########################################################
SSL Cert name (hostname): server.mydomain.com
SSL Cert file location /etc/pki/tls/ private|certs
#########################################################

Visit for help: www.centos-webpanel.com
Write down login details and press ENTER for server reboot!
Please reboot the server!
Reboot command: shutdown -r now
  • Reboot the server as requested
    shutdown -r now

Notes

Create Primary Domain User Account

Although you don't have to create an account for the Primary Domain on the server for it to work, it makes sense too unless you have a reason otherwise.

  • User Accounts --> New Account
  • Domain: mydomain.com
  • Username: mydomain
  • Package: default (we will change this later)
  • Reseller: Ticked
  • Leave the rest of the settings as they are

Configure CWP (Preliminary – Error Messages)

Now that CWP is installed we need to configure it

  • Log in to your CWP cpanel using the link provided by the installer on your server. You will need to use FireFox to get past the SSL issues.
    Control WebPanel Admin GUI at: http://13.13.13.13:2030/ or https://13.13.13.13:2031/
    • The local IP 192.168.1.11 will work if these don't at the minute
  • Username: root
  • Password: YOUR_ROOT_PASSWORD

Ypu will now see some errors as shown in the picture below (or similiar)

  • CWP Settings --> Edit Settings
    • (WARNING! Your root Email address for notifications isn't set.) (WARNING! Possible NAT networking detected, Please check the following settings.)
    • Shared IP: should be your public IP and does not need changing. (13.13.13.13)
    • Apache port: should be 80 and does not need changing
    • Set Admin email: no-reply@quantumwarp.com
      Forward server system emails: yes (for now)
    • CSF/LFD Alerts: no-reply@quantumwarp.com (for now)
    • NAT Local IP: should be 192.168.1.11 (what you set on the network in CentOS earlier)
      (If you see multiple IPs in the drop down see the notes below)
      Activate NAT-ed network configuration: Yes
      Read instructions by clicking the link
    • Default DNS Zone template, leave as default.tpl
    • CWP Updates: leave as Stable
    • Rebuild vHosts: yes
    • GoAccess Stats: Leave ticked (not sure why this setting is here)
    • Save changes
    • WebServer Settings --> Select Webservers --> Save & Rebuild Configuration (dont change anything on this page yet)
  • Enable Firewall
    • (CSF/LFD Firewall is NOT enabled on your server, click here to enable it.)
    • Security --> Firewall Manger
    • Enable Firewall (button at top)
  • Change SSH port for security
    • (on the Service and Firewall) (WARNING: Security vulnerability! Your server is using default SSH Port 22, to make your server more secure change SSH port in config file /etc/ssh/sshd_config and in CSF firewall !)
    • You dont have to do this if you are behind a NAT and you are never going to present SSH to the internet, but it is still recommended.
    • SSH Server
      • Services --> SSH Configuration
      • Change `#Port` --> `Port 8128`
      • Click Save
      • Goto Dashboard
      • Restart SSH Server
      • Click on SSH Server Status button to check it is now on the new port
    • CSF Firewall
      • Security --> CSF Firewall --> Firewall Configuration
      • Add the port 8128 to the end of the values + remove port 22:
        • # Allow incoming TCP ports
        • # Allow outgoing TCP ports
      • Save Changes
      • Security --> Firewall Manager
      • Restart the Firewall
      • Test SSH (with PuTTY)
    • Enable Mod Security
      • (Mod Security is NOT enabled on your server, click here to enable it.)
      • Security --> Mod Security
      • Click ‘Install Mod Security now’ button
      • Enable Comodo WAF rules (if not already) (are OSWASP better?)
      • Make sure Process the rules is selected
      • Click `Save Configurations` just to make sure.
      • Restart Apache Webserver: The button is at the top right.
    • Fix the following error shown on the page `Server Settings --> Change Hostname`
      Your Hostname is: server.mydomain.com and it resolves to IP: (ERROR: You don't have a valid hostname set!)
      • DNS Functions --> List DNS Zones --> mydomain.com.db --> Edit Records
      • Add a new record
        • Record Name: server
        • TTL: 14400
        • Direction IPv4 address: 13.13.13.13 (your public IP)
      • Goto the top right of the page and you will see the 'Info' box
      • Restart BIND DNS Server
      • Some times you have to wait and Flush your DNS on your PC as the domain did not immediately come on.
      • When it did not work straight away I deleted it and then added another subdomain to see if that worked and it did, i then added the server subdomain afain and it worked. (restarted BIND inbetween change)
      • Manage Hostname in CentOS Web Panel | Hostwinds
      • CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6 - This covers the server nameserver and hostname DNS, not very clear but it is the issue I am having and go through a bunch of things (if needed)
    • Hidden Processes – Security Issue (Hide system processes from users - Control WebPanel Wiki) (Hide all processes if not owned by the user is NOT activated on your server, click here to enable it.)
      • This requires at least one account to be setup and the error be resolved.
      • Security --> Secure Processes
      • Click ‘Enable Protection’
      • Test the protection is working
    • Reboot server
      • Server Settings --> Reboot Server --> Reboot Server Now

Notes

Configure CWP (in-depth)

In this section we will complete the setup of CWP now we have got rid of the errors.

Hostname

  • Refresh the Hostname
    • (Server Settings --> Change Hostname)
    • Keep all the settings the same and just click 'Change Hostname'
    • This will:
      • Refresh/Create all of the relevant settings
      • Trigger SSL creation
      • Generate the DNS zone for the server (i.e. server.mydomain.com.db). This is not created during the intial setup, either by design or is a bug.

Notes

  • No SSL on the servers hostname
    • This could be caused by the server no yet having polling Letsencrypt yet
    • Fixes (assumes hostname settings are correct)
      1. Access https://server.mydomain.com:2031/ which should trigger a lookup
      2. Refresh Hostname: Server Settings --> Change Hostname --> Change Hostname (this will not change anything but trigger lookups if needed)
  • Cannot Access Cpanel via hostname
    • You need to make sure that you have set up port forwarding.
    • If you are trying to access via the server hostname and you are local, then you need to make sure that the forwarding rules have NAT Loopback enabled (otherwise you will go made). I modified my rules so for these admin panels that NAT Loopback happens but the panels are not accessibly from the internet.
  • Changing Hostname (If you need to change your hostname in the future becasue CWP does not handle the removal of the old server name)
    • Use the process above
    • Delete the old DNS zone manually for the old hostname.
    • Make sure the server's name is not defined as a subdomain in your Primary Domain User Account DNS Zone.
    • Don't forget that the old name might still be cached in other places because of TTL so it might still ping for a while. If you are still setting up you could just power all of your equipment down to speed things up.
    • Delete DKIM entries in:
      • /etc/opendkim/TrustedHosts
      • /etc/opendkim/SigningTable
      • /etc/opendkim/KeyTable
      • /etc/opendkim/userkeys/[old server domain folder]

Nameservers

For this you need a real domain (mydomain.com) and your public static Ip (13.13.13.13) from earlier.

  • Register Nameservers at a registrar
    • Login to your account at the registrar for your domain
    • Register the following Child Name Servers under your domain:
      Child Name Servers are Name Servers which are registered under your Domain Name.
      Once registered, you can use these Child Name Servers in turn as Name Servers for registering other Domain Names
      • ns1.mydomain.com 13.13.13.13
      • ns2.mydomain.com 13.13.13.13
      • It is correct to have the same IP twice (for most people)
      • Now you might have to also register these as Parent Name Servers aswell under domains account.
  • Change CWP Name Servers
    • DNS Functions --> Edit Nameservers IPs
    • Changes name servers to:
      • Name Server 1: ns1.mydomain 13.13.13.13
      • Name Server 2: ns2.mydomain 13.13.13.13
    • Keep Options ‘Update DNS zone file’ and ‘Restart DNS Server’ ticked
    • Save changes
    • Dashboard --> Service Status --> BIND DNS Server --> Restart
    • Server Settings --> Reboot Server --> Reboot Server Now
    • Reboot your router (this is important to get rid of improper routing it might have stored)

Notes

  • The domain resolution test done when you save the nameservers, I think, is done by CWP servers (ie external to your internal server).
  • If you get the error: 
    ns1.mydomain.com resolves to ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> A ns1.mydomain +short @8.8.8.8 ;; global options: +cmd ;; connection timed out; no servers could be reached 
ns2.mydomain.com resolves to


    This is cause by one or both of these:

      1. The Nameservers DNS update has not propagated yet.
      2. The DNS port 53 is not open or properly forwarded on your NAT router.
  • If you get the error Nameserver is not authoritative when checking mydomain.com on leafdns then this is probably because you have not setup a hosting account to match your servers primary domain (mydomain.com).
  • How To setup Name servers
  • Original Nameservers for reference 
    ns1.centos-webpanel.com resolves to 54.36.136.192
ns2.centos-webpanel.com resolves to 198.27.104.41 

ns1.centos-webpanel.com 127.0.0.1
ns2.centos-webpanel.com 127.0.0.1

Correct DNS Zone on Primary Domain User Account

Now that the name servers have been changed, the Primary user account needs to be updated to reflect the change

  • (DNS Functions --> List DNS Zones --> mydomain.com.db --> Edit Records)
  • Change the following (text replace, might be in many records) (edit file is quicker)
    • The RNAME on your primary account should be postmaster.mydomain.com
      • the RNAME is an email address where the `@` is swapped with a `.`
      • I do not have an address postmaster@mydomain.com but when i rebuilt the Zone it uses the email from the mydomain.com user account.
    • centos-webpanel.com --> mydomain.com

Notes

  • Do not rebuild the zone, this will wipe out many Zone records
  • The primary user account some records in it that will not be re-added by rebuilding the domain so would need adding manually. 
    server 14400 IN A 31.125.252.137

ns1.mydomain.com. 14400 IN A 31.125.252.137

ns2.mydomain.com. 14400 IN A 31.125.252.137
  • I am not 100% the nameserver A records becasue the ns1.mydomain.com and ns2. mydomain.com have their own record files (ns1.mydomain.com.db / ns2.mydomain.com.db)
  • smtp, pop, pop3, imap, webmail, cpanel, cwp subdomains are missing, DKIM is not setup properly and the SPF record is missing.
  • See forum questions below for a full text comparison of an account before and after a rebuild.
  • Only the records that were created before changing your name server are corrupted.

Set rDNS and PTR

These must be changed at your ISP or IP provider. These records allow your server domain to be worked out from the IP address.

A good rDNS is better for your server reputation and will allow more successful delvery of email.

Plusnet/BT/UK ISPs: By default thier IPs from ISP are on the Spamhaus 'Policy Block List' because it should not be sending emails. So you might need to contact your ISP to have the Ip removed from the list. I did manage to remove myself from the SPAMHaus PBL list byt looking up my IP and then expanding the message at the bottom, fill in the required information and soon after I was removed for the list. This might not be the case for all ISPs.

Port Forwarding

CentOS Mostly Used Ports - Control WebPanel Wiki

  • Only open the ports you require.
  • These are the ports I have forwarded to allow the basic functionality of the server on the internet but keeps all admin functions (such as control panel) restricted to my local network. You dont even need the email ones if you are not running email and some people dont use Port 25 as standard
    • 25 - SMTP/EMAIL
    • 26 - SMTP (this port is not enabled in the firewall by default)
    • 53 - BIND/DNS
    • 80 - HTTP / Apache Web server
    • 110 - POP3/EMAIL
    • 143 - IMAP
    • 443 - HTTPS / Apache Web server SSL
    • 465 - SMTP/EMAIL SSL/TLS
    • 993 - IMAP/EMAIL SSL
    • 995 - POP3/EMAIL SSL
    • 2030 - CWP Admin
    • 2031 - CWP Admin SSL
    • 2082 - CWP User Panel
    • 2083 - CWP User Panel SSL
    • 2086 - CWP Admin (same as 2030)
    • 2087 - CWP Admin SSL (same as 2031)

 

  • OpenWRT Router Port Forwarding including Local Access
    • OpenWRT Port Forward Rules
      I use a seperate rule for local traffic because you want all ports available on your server to the local network for admin purposes but only the specified ones present to the internet. All ports are available via 192.168.1.0/24 anyway, but we want to use server.mydomain.com locally.

      You need to create the Local Traffic Rule once but a Standard Port Forward Rule for each port you want to forward to the interent.

      • Local Traffic Rule
        • Name: CWP (All Ports / LAN Only)
        • Protocol: TCP+UDP
        • Source Zone: wan/wan6
        • Source MAC Address:
        • Source IP address: 192.168.1.0/24 (this is an IP range)
        • Source port:
        • External IP address: 13.13.13.13
        • External port:
        • Internal zone: lan
        • Internal IP address: 192.168.1.11
        • Internal port:
        • Enable NAT Loopback: Ticked
        • Extra arguments:
      • Standard Port Forward Rule (change the port numbers for the required port)
        • Name: CWP (BIND/DNS)
        • Protocol: TCP+UDP
        • Source Zone: wan/wan6
        • Source MAC Address:
        • Source IP address:
        • Source port:
        • External IP address: 13.13.13.13
        • External port: 53
        • Internal zone: lan
        • Internal IP address: 192.168.1.11
        • Internal port: 53
        • Enable NAT Loopback: NOT ticked
        • Extra arguments:

Notes

  • OpenWRT
    • How to configure totally open DMZ with OpenWRT? - Server Fault - The easy way. Do not leave this on as it is just for testing. This method also routes all local traffic to the to the CWP server without using the Hostnames method below.
      • If you have another rule for Portforwarding you can use this method to allow specific IP address locally to use you server nd keep the DMZ for external traffic only except for a specified IP by add this addition rule. Basically create rule using the above but then edit the rule and specify the following:
        • External IP address: 13.13.13.13
        • The CWP server needs to be connected to the outside world properly for this to work as your laptop will do DNS lookups starting at your authorative DNS servers at your registrar.
    • Network --> Hostnames - This can be used to tell OpenWRT to route all internal calls to a domain to a local address. This is not the same as DMZ. This will allow you to use CWP without it being on the internet or using the hosts trick. This causes the loading of the website to be slow becasue of this extra routing, this might also just also be my low power router.
    • I removed NAT Loopback from the standard port forward rules. This will reduce the CPU overhead by a little and when I disable the (All Ports/LAN Only) rule then all ports locally routed will stop working preventing confusion.
    • If the rules dont behave as expected and you have double checked them, you should restart all network kit so you flush all of their DNS and prebuilt traffic routes.
    • OpenWRT, once a route is established that route will have a TTL similiar to DNS.
    • FlushDNS can be used on your PC but will not change IP routing on other devices.
  • NAT Loopback
    • NAT loopback enables a user on the trusted or optional networks to connect to a public server with the public IP address or domain name of the server, if the server is on the same physical OpenWRT network.
    • Disable NAT loopback for guest network - Network and Wireless Configuration - OpenWrt Forum - You can use hostnames for local routing. I found this to be slow and you might nto add an entry for every subdomain.
    • iptables - How does NAT reflection (NAT loopback) work? - Unix & Linux Stack Exchange - in-depth explanation
    • My notes: NAT loopback is where the router inspects the target IP of the request/packet and if it sees that the target is its public IP it will loop the request back into the network to the defined local IP (as per the rule) as if it has come from the outside in the first place. This options just says to the router perform this check and then do the looping.
    • NAT Loopback allows traffic sent to public IPs to be routed back to the local network if the IP/Server is present on the local network. This is perfect when you are running a server on your LAN that is connected to the internet by port forwarding. Normally you would get a failed message: 
      Forbidden
Rejected request from RFC1918 IP to public server address
    • If you disable the CWP (All Ports / LAN Only) which has NAT Loopback enabled, you will also get the RFC1918IP error when you try and lookup server.mydomain.com:

 

The CWP server is now present on the internet.

Cgroups

Cgroups allow you to limit resources per user — such as CPU %, system memory, network bandwidth, or combinations of these resources. You have to create a Cgroup and then assign it in the package. This is good for preventing server abuse byt the user or a hacker. You have to create a Cgroup before it can be assigned to a package or user so we will do this before creating our packages.

  • Security --> Cgroups Resource Limits
  • Click `Install service`
  • On the same page, got to the `Enable limit resources` and select the following
    • CPU - Limit CPU usage
    • Memory - Limit Memory usage
    • Disk I/O - Limit Disk I/O read/write
  • Click `Save`
  • Add these policies
    • Internal
      • Name: Internal
      • cpu % (min 1 max 200): 150
      • rmem: 1G
      • vmem: 2G
      • read: 10000
      • write: 10000
      • Update user's config files?: Ticked
    • Client
      • Name: Client
      • cpu % (min 1 max 200): 50
      • rmem: 512M
      • vmem: 1G
      • read: 1000
      • write: 1000
      • Update user's config files?: Ticked
    • Click `Restart service` (not sure if I need to do this to apply the new policies)

Notes

Packages

Setup the following packages. These are not mandatory but are a good baseline for you to start from and make managing your server easier. If you are migrating from cPanel I think the packages might be created automatically.

Packages are found at: Packages --> Packages

  • Create Primary package (Primary Domain Account)
    • Name: Primary
    • Disk Quota MB: 5000
    • FTP: 1
    • Email Lists: -1
    • Sub Domains: -1
    • Addon Domains: -1
    • cgroups: Internal
    • apache_nproc: 40
    • nofile: 150
    • Type: Reseller

    • Bandwidth MB: -1
    • Email Accounts: -1
    • DB: -1
    • Parked Domains: -1
    • Hourly Emails: 200
    • nproc: 40
    • inode: 0
    • NodeJs App: 0
    • Accounts: 500

    • Update Quota: [unticked]
  • Create Internal Package (Company Accounts)
    • Name: Internal
    • Disk Quota MB: 5000
    • FTP: 1
    • Email Lists: -1
    • Sub Domains: -1
    • Addon Domains: -1
    • cgroups: Internal
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: -1
    • DB: -1
    • Parked Domains: -1
    • Hourly Emails: 200
    • nproc: 40
    • inode: 0
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Create Bronze package (for clients)
    • Name: Bronze
    • Disk Quota MB: 500
    • FTP: 1
    • Email Lists: 5
    • Sub Domains: 5
    • Addon Domains: 5
    • cgroups: Client
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: 5
    • DB: 1
    • Parked Domains: 5
    • Hourly Emails: 100
    • nproc: 40
    • inode: 100000
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Create Silver package (for clients)
    • Name: Silver
    • Disk Quota MB: 1000
    • FTP: 1
    • Email Lists: 10
    • Sub Domains: 5
    • Addon Domains: 5
    • cgroups: Client
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: 10
    • DB: 5
    • Parked Domains: 5
    • Hourly Emails: 150
    • nproc: 40
    • inode: 125000
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Create Gold package (for clients)
    • Name: Gold
    • Disk Quota MB: 1500
    • FTP: 1
    • Email Lists: 15
    • Sub Domains: 10
    • Addon Domains: 10
    • cgroups: Client
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: 15
    • DB: 5
    • Parked Domains: 10
    • Hourly Emails: 200
    • nproc: 40
    • inode: 150000
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Set your Primary Domain User Account (acc: mydomain / mydomain.com) to have the package of Primary. It is best not to use the default package.
    • User Accounts --> List Accounts --> mydomain --> edit
    • Account Type: Reseller
    • Package: Primary
    • Leave the rest of the options
      • `Backup user account` = add the account into the backup routine when it is run.
    • Click `Update`

You now have seperate packages for your company and client accounts.

Notes

  • Create/delete hosting packages in CWP - PlotHost
  • Cgroups
    • Cgroups allow you to limit resources per user — such as CPU %, system memory, network bandwidth, or combinations of these resources.
    • Just installed above.
  • apache_nproc
    • It is the process number limit for a certain user, but specifically for Apache.
  • nofile
    • It is the number of open files limit for a certain user. 150 is the recommended, too high and the server will slow and too low and things like IMAP will stop working.
    • The number of files allowed to be read/executed at the same time.
  • Type
    • General - This is a standard client account.
    • Reseller - This tags the account as a reseller and obviously gives it reseller functionality and permissions. when this option is checked a new input box appears called `Accounts` which allows you to set a limit on the number of client accounts this reseller can own. `Accounts` has to be an integer.
  • nproc
    • It is the process number limit for a certain user.
  • inode
    • It Indicates the inode limit for a certain user.
    • It is ok to leave this as 0 as there are usually other limits set in a package.
    • Innodes are used by the file system to store data block locations and metadata because the innode size is relatively small and predictable there usually is no problem with allowing unlimited inodes.
    • If a user is filling up all available inodes possibly with zero byte file data then you do have the ability to restrict their inode limit forcing them to free up used inodes in order to create new ones.
    • Inode is a data structure that stores the information about all files created on your hosting account. The number of inodes indicates number of files, folders, email or anything you store on your web hosting account. Each file on your web hosting account is identified by an inode number in the file system. Inodes store the important data about files such as user, group ownership, access mode and file type.
    • Suggestions for Inode, No of Files, Process Limits - Cloud - Good discussion with suggestions.
  • NodeJs App
    • Number of NodeJS apps a user can create. This will require NodeJS Manager to be installed.
    • CWP - Admin Panel: NodeJS Manager - YouTube - Goes into a little about nodejs and Apps.
    • I am leaving this of on all of my accounts until i find a need for it.
  • process limit
    • (0 = no processes allowed)
    • This limits the number of processes for an account. This setting prevents the user from exceeding the limited number of PHP web processes. Its generally recommended to allow at least 30 to 50, however using this limit is particulary good when using PHP CGI to prevent users with high traffic from overloading the server, the downside is that since this limit is userwide it can also have restrictions on IMAP connections if the number is set to low and the user has many IMAP connections.

Features

The feature manager allows you to filter / block modules for use in the user module.

Feature Manager | Control-WebPanel Documentation

User Accounts --> Features,Themes,Languages --> Feature Manager

I think the accounts have all features available until you assign a feature set.

You can assign these features to an account or package. I will always choose to do these things by packages because it is the way I have done it in cPanel.

When you select these options you might not currently have all of the servers or things installed. Select your options as if they were so they match up when you later add the required features.

  • Create Internal feature list (this is for all company accounts) and assign it to the Primary and Internal packages
    • Name: Internal
    • Type: Package
    • Accounts: Primary, Internal
    • Click `Mark all`
    • Click `Create and Save this rule >>`
  • Create Client feature list (this is for all client accounts)
    • Name: Client
    • Type: Package
    • Accounts: Bronse, Silver, Gold
    • Click `Mark all`(You can come back to edit this feature list later or do it now if you are familiar with CWP)
    • Click `Create and Save this rule >>`

You now have seperate feature sets for your company and client accounts.

Notes

  • The menu items for the features will be present in the users control panel even if the service is not installed but it is enabled in the feature set.

Create a User Test Account

This is a very useful thing to have. It is just a simple account you can use to see what clients see.

  • User Accounts --> New Account
  • This is just an example (but will work)
  • Domain Name: test.acc
  • Username: testacc
  • Password: xxxxxx
  • Admin email: no-reply@test.acc
  • Server IPs: 13.13.13.13
  • Package: Bronze
  • Additional Options: Select:
    • Backup user account
    • AutoSSL: Domain must be pointed to the server

Apache

  • Set Web Server Type
    • WebServer Settings --> Select WebServers --> Setup default Web Servers --> Apache Only (this is default)
    • Dont make any changes to the page
    • Click `Save & Rebuild Configuration` (this might not be needed here but does not harm)
  • Update Apache to the latest version
    • Check you have terminal access via SSH first using putty (for saftey)
    • Check the new version you are going to install is newer than the current version.
    • You should also be aware that if you have installed the TLS1.3/HTTP2 upgrade from MysterData then this might fail. (see notes below)
    • WebServer Settings --> Apache Re-Build --> Select NEW Apache version
    • Select the latest version
    • Click `Next`
    • Leave all options as there are unless you know what you are doing.
    • Click `Start Compiler in Background`
  • HTTP2 + TLS1.3 (select the correct version for your Apache build)

Notes

  • These settings here do not affect the apache daemon for the CWP panel. It has its own Apache for this (I think). It is running PHP 7.1 so cannot be broken by people reconfiguring their server. I got this location by look at the cron jobs that are run by the root.
    /usr/local/cwp/php71
  • CWP WebServers Config | SaadHost very in depth article
  • Apache vs Nginx: Practical Considerations | DigitalOcean
  • Select Server Type
    • don't really understand the other technologies so I will leave the default Apache only setup because there is less to go wrong and I am use to Apache because I have been using Xampp which is Apache based. Apache on its own is proabbly good for development and low traffic sites.
    • Nginx & Varnish & Apache is the best performance option and good for high traffic sites. This seems to be the recommended option by professionals and I will change to it once I have got use to the server.
      • Force Apache to use PHP-FPM Selector
      • WebServer Settings --> Select WebServers --> Setup default Web Servers --> Select Default Apache PHP-FPM version
      • WebServer Settings --> Select WebServers --> Setup default Web Servers --> Select Default Nginx PHP-FPM version
      • I have not choosen this option at this time.
      • This will disable PHP Selector 2 and PHP Version Switcher.
      • If you choose this option, you would have to select a default Apache PHP-FPM and Nginx PHP-FPM version on this page. I am not sure if it would continue to use the server's default php.ini file.
  • What are these? (add Nginx and Varnish add extra hurdles when developing web sites)
    • Apache
      • Your basic Web Server
      • The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
    • Nginx
      • NGINX is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
      • NGINX accelerates content and application delivery, improves security, facilitates availability and scalability for the busiest web sites on the Internet.
      • NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability.
      • Nginx excels at serving static content quickly and is designed to pass dynamic requests off to other software that is better suited for those purposes.
    • Varnish
      • This is a cache based in RAM.
      • Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.
      • What is Varnish cache and how it works? - Interserver Tips
    • LightSpeed
      • A commercial webserver dedicated to speed.
  • Other HTTP2 / TLS1.3 articles (older or untested)
  • Rebuilding Apache broke CWP
    I did this and my server broke. It was running extremely slowly on the terminal and the websites would not load. The CWP panel might of come up if left long enough

FTP

This is mostly setup but for a couple of settings in the FTP manager

  • Set the following settings in FTP Manager (File Management --> FTP Manager V2 --> Edit Configuration)
    • TLS: 2 (This allows only encrypted connections)
    • TLSCipherSuite: HIGH (default HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3)
    • Click on `Update` not reset.
  • You need to create a user as non are created by default like in cPanel (optional)
    • File Management --> FTP Manager V2 --> Add User
    • Fill in the details
    • Click `Submit`
  • TLS1.2+ is now required.

Notes pure-ftpd Setup Passive FTP Ports - Control WebPanel Wiki

PHP

Configuring the PHP service is good for security and performance.

  • Set the Server's default Global PHP version
    • PHP Settings --> PHP Version Switcher --> PHP Version = 7.4.20 (or your preference. php 8.0 is not mainstream yet)
    • Select Options/Modules/Extensions (These are PHP extensions that are added into PHP when it is compileds or it compiles them and attaches them)
      • Check them over but the ones that come up should be fine (if you have not changed them). You can always recompile later with different options.
      • Click `Save & Build` (CWP will now compile PHP from source in the background)
  • PHP Selector 2
    • Standard PHP Parser (PHP-CGI)
    • This feature lets you install additional PHP versions in the CWP. This is the selector for the legacy CGI-based PHP method like SuPHP. You can use a different PHP-CGI version per account/domain rather than the server default one.
    • I am not going to use any on this page because I want to use the faster PHP-FPM.
    • Installation will be similiar to setting the servers default PHP version except you might select several versions and you can select options and other things specific to the particular version before you Compile
    • I am not sure what happens if you select the same version as the servers default version.
    • I think this is the same PHP parser type that the server default is running.
  • PHP-FPM Selector
    • This lets you also install and use additional PHP versions. The difference is that it selects PHP Fast CGI Manager (PHP-FPM) versions instead of traditional CGI.
    • Select:
      • PHP-FPM 7.4.20
        • with default options
        • same as the server default PHP version
      • PHP-FPM 8.0.7
        • with default options
        • for testing
    • Click `Start Compiler (build & install)` (it does take a while to compile, especially if you have chosen a few PHP versions)
    • Enable auto update for the PHP version you have just installed.
      • The servers version might autoupdate anyway when the server updates, other than that there is no option for it.
  • Apply the relevant PHP version to any accounts that already exist that you wish to upgrade/change. They should all currently be on the default legacy CGI PHP parser (server default)
    • So far I can only change this in the user's control panel, not on mass. I will add the command or instructions here when I find one.
  • Configure all of your php.ini files to your taste
    • Dont forget about the multiple versions of the php.ini , one for each version of PHP installed for each enging type (PHP-FPM / Apache Module)
      • (PHP Settings --> PHP.ini Configuration) - This is the servers main/default version of php.ini
      • (PHP Settings --> PHP Selector--> PHP x.x --> Edit php.ini) - When you use multiple versions of PHP as an Apache Module you need to edit these.
      • (PHP Settings --> PHP-FPM Selector --> PHP x.x --> Edit php.ini) - When you use PHP-FPM you need to edit the different version of the php.ini here. Save and then restart that particular version. There is no need to rebuild.
    • Before making changes to the file, always click on the `Create File Backup` button
      • The default server on gets stored at /usr/local/php/php.ini - CWP might do an automatic backup upon save.
    • Once you have configured all of your php.ini files I would recommend you download them and store them as a reference just incase they get wiped out in an upgrade or something else unpredicted especially if you have a complicated chages you have made.
    • Once you have made the changes make sure you restart the relevant services or just restart the server for quickness.
    • Changes I have made to the default file (these might be a bit generous for a standard webhost, so the ones where I have increase values, ignore them)
      disable_functions = "" --> "system,passthru,popen,exec,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDecode,xmlrpc_entity_decode,fp,fput,shell_exec,apache_get_modulesi"
expose_php = On --> Off
max_execution_time = 30 --> 180
max_input_time = 60 --> 180
max_input_vars = 4000
memory_limit = 128M --> 256M
post_max_size = 8M --> 64M
upload_max_filesize = 2M --> 64M
date.timezone = "Europe/London"
      • A lot of companies disable mail() to prevent spam. Just add 'mail' to the end of disable_functions. I use mail function because there is onyl my stuff on the server and it prevents me from having to setup sMTP on every CMS or PHP script I want to use. If you have customers on your server then definately disable the mail function.
    • changes of note, but I have not changed them (might do) 
      zlib.output_compression = Off
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT --> E_ALL & ~E_NOTICE

; http://php.net/track-errors
;track_errors = Off

; http://php.net/html-errors
;html_errors = On

; http://php.net/register-argc-argv
register_argc_argv = Off

; http://php.net/allow-url-fopen  (I have this on all the time, but should it be off by default)
allow_url_fopen = On
  • Force Apache to use PHP-FPM Selector
    • I am only going to use PHP-FPM so i need this option.
    • WebServer Settings --> Select WebServers (This will be quick becasue we are not re-compiling anything)
      • Select Default Apache PHP-FPM version: 7.4
      • Select Default Nginx PHP-FPM version: 7.4 (I do not have NginX installed at this time, but does not harm to apply this setting now so I can forget about it)
      • Force Apache to use PHP-FPM Selector: Ticked
      • Click `Save & Rebuild Configuration`
      • The switch will be almost instant and this is normal.

Notes

  • Each PHP version for each type of PHP parser (Selector) has its own php.ini
  • If you are using Snuffleupagus (see in the security section below) you will need to manually add it again to any new versions of PHP you install, PHP version upgrades should maintain the software.
  • PHP-FPM
    • This create helpers per account so is more resource intensive but does allow for much quicker parsing of PHP becasue the workers are already spooled up. I would not recommend this for all of your accounts on your server if you have a lot of them.
    • When you have made changes to the PHP-FPM version specific php.ini you need to relaod the service, restarting Apache will not reolad the config file becasue it is not an Apache moduel.
  • AutoUpdate - This enables/disables auto update of the PHP Version ie 7.4, 8.0, so the PHP is always on the latest Patch version (security release)
  • How to disable php/php-fpm selector - Control WebPanel Wiki
  • allow_url_fopen is considered dangerous?
  • The 8.0.7 php.ini is slightly different to the 7.4.20 php.ini but the normal PHP and PHP-FPM version are the same even though there are in different places on the server.
    • the PHP-FPM and normal php have different settings for this
    • PHP Standard ;cgi.fix_pathinfo=1
    • PHP-FPM: cgi.fix_pathinfo=1
  • Disable Dangerous PHP functions.
  • Force Apache to use PHP-FPM Selector
    • After you have enabled this:
      • The menu items for PHP Version Switcher and PHP Selector 2 (NEW) are still present but with a warnings at the top of each of the pages.
      • In PHP Selector 2 (NEW), The PHP versions are obviously just disabled but all compile and delete functions still work which is why the switch is so quick no re-compiling takes place.
  • Divi Recommendations -

Database / MySQL / phpMyAdmin

  • Set default database collations to utf8mb4_unicode_ci (this collation is the modern standard now)
    • (SQL Services --> MySQL Configuration --> Contents of File: /etc/my.cnf)
    • The default my.cnf file is shown below and is for reference. The file is a lot more empty that I expect and I have reported this ont he CWP forum here. 
      #
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]

#
# include *.cnf from the config directory
#
!includedir /etc/my.cnf.d
    • Click `Create File Backup` (at the bottom)
    • Add the following code at the end of the file 
      [client]

default-character-set = utf8mb4

[mysql]

default-character-set = utf8mb4

[mysqld]

collation-server = utf8mb4_unicode_ci
init-connect = 'SET NAMES utf8mb4'
character-set-server = utf8mb4
    • Click `Save`
    • Goto the Dashboard
    • Reboot the MySQL Database Server

Notes

  • MariaDB Defaults of note:
    • The database package is MariaDB
    • innodb-file-per-table: True
    • default-storage-engine: InnoDB
  • General
    • After changing the collation as noted above, in phpMyAdmin --> Variables, all collations show correct but collation database shows a (Session value) of latin1_swedish_ci and i dont know why or how to fix it. I would like it to match.
    • Changes made in phpMyAdmin --> Variables are not persistent. When the server is rebooted the changes made there will be lost.
    • Unknown/unsupported storage engine: InnoDB | MySQL Ubuntu - Server Fault
      • The ibdata file contains the data (unless you have file-per-table). The ib_logfile files are the replay logs that contain the data for database-altering transactions that may have been in process when/if the database crashed. If you were able to shutdown the server successfully, deleting these log files won't hurt you. If it crashed, then you need them.
    • Can't read my.cnf file bug | CWP Forum
      • the problem here is that my.cnf needs to be saved with the new line at the end of the file. Some editors, e.g. vim do it automatically and they put a "new line" character at the end of each file - without having the user to actually see it - so it appears that the file ends with the very last character.
      • However if you open this file up with with a different editor, e.g. Mousepad, you will find out that tere is an extra line - a new line - at the end of the file. If there is not - that is the problem - because MySQL fails to process that kind of configuration.
      • Apparently there is a standard for having files end with a new line. Some software upholds it strictly (e.g. MySQL) and that's why we can find this error in MySQL explicitely.
      • Details: https://stackoverflow.com/questions/729692/why-should-text-files-end-with-a-newline
  • Manually Upgrading MariaDB
  • Get the MariaDB variables
    • MariaDB default my.cnf in sources - Stack Overflow
      • No, MariaDB does not have a configuration file which would list all available options and their default values. Different MariaDB packages might provide some configuration files, but those are different, they only contain a small subset of options, and the values are different from default ones.
      • You can output the default MariaDB variables and settings by running:
        Default configuration and explanation of the settings
mysqld --no-defaults --verbose --help

or, on a running 10.1+ server, by executing
SELECT variable_name, default_value FROM information_schema.system_variables ORDER BY variable_name
    • You can output the current MariabDB variables:
  • Removing unwanted Users
    • After importing user accounts from cPanel I found i have a lot of unwanted MySQL users
    • I clicked on the delete icon for the relevant user and got the standard warning message
    • but could not use the CWP GUI to remove them because whern I clicked 'Continue' I got the following error message, Error Invalid System User.
    • The solution is simple to delete the users as the CWP GUI clearly has a bug:
      • Goto (CWP Admin --> SQL Services --> phpMyAdmin --> Users Tab)
      • Select the users you don't want
      • Scroll down to 'Remove selected user accounts'
      • Click 'Go'
      • This will delete the users with no issue. Doing this by the SSH will have the same outcome.
    • How to Show Users in MySQL using a Linux Terminal - via SSH and this is a great tut
    • MySQL “show users”: How to list the users in a MySQL database | alvinalexander.com
      • There might be duplicate users. This is because MySQL filters access to a server according to the IP address it comes from. So you can also add a host column.

Email Server

  • Postfix is an MTA
  • Dovecot is a message store Accessor/Provider, POP3/IMAP Server.

Postfix and Dovecot are both required for a full email system and should already be running and this is why you are already (if configured) getting server notification emails.

  • Start disabled services (you will see they have an error, just ignore these) (Service Recovery FAILED!! I'm reporting this issue to main CWP artificial intelligence system!)

    • Dashboard --> Services Status --> Mail Services
    • ClamAV
    • AMaViS (A Mail Virus Scanner)
    • OpenDKIM
    • SpamAssassin
  • DKIM
    • Email --> DKIM Manager
    • Nothing to do already setup
  • SPF make ~all --> -all
    • Email --> SPF Manager
    • Edit DNS Zone
      • Custom DNS Zone Template - Control WebPanel Wiki
      • Open file manager and navigate to: 
        /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/
      • Copy the file default.tpl --> custom.tpl so it is in the same directory. (You will have to copy it to another folder, rename it, move back to the zones folder)
      • Edit the custom.tpl
      • Change the following 
        @	14400	IN	TXT	"v=spf1 +a +mx +ip4:%ip% ~all"

-->

@	14400	IN	TXT	"v=spf1 +a +mx +ip4:%ip% -all"
      • CWP Settings --> Edit Settings -->Default DNS Zone template = custom.tpl
      • Click `Save Changes`
      • This will not change accounts that have already been created including the Primary account. so either manually edit the DNS zones or use a script to change many. But go through and change all of the relevant zones.
        DNS Functions --> List DNS Zones --> mydomain.com --> Edit File/Edit Records
  • DMARC
    • This appears to be configured and running.
    • If you want to change the DMARC defaults then edit the custom.tpl zone file: 
      /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
      • NB: This will not change accounts that have already been created including the Primary account. So either manually edit the DNS zones or use a script to change many.
        (DNS Functions --> List DNS Zones --> mydomain.com --> Edit File/Edit Records)
    • Tutorials
      • Creating DMARC Record to Protect Your Domain Name From Email Spoofing
        • This is really easy to read and explains everything well including testing and processing reports.
        • Why I’m still using p=none policy?
          • Firstly, it’s because of Microsoft. mails forwarded from Microsoft Outlook Mailbox can fail DKIM check, which is bad. For this reason, I cannot set my DMARC policy to quarantine or reject.
          • Another reason is that I’m using MailChimp to send newsletters to my email subscribers. MailChimp uses its own domain in the Return-Path header and its own DKIM signature for the signup confirmation email, which causes DMARC failure.
        • Having a p=none policy is better than having no DMARC record. Although p=none cannot prevent email spoofing, at least my legitimate emails have a better chance to be placed in inbox.
      • How to Setup DMARC records in cPanel | InMotion Hosting
      • Does anyone have DMARC working? - DMARC Example.
  • Antispam
    • Install Spamhaus:
      • Email --> AntiSpam --> Install Spamhaus
    • SpamExperts: This is a commercial professional antispam service.
  • Webmail
    • Email --> Roundcube Webmail
    • Nothing to do already setup
  • Configure Postfix
    • Email --> MailServer Manager
    • When the functions are enabled then they have a tick in their box when the page loads. You need to rebuild the Mail Server to allow the Domain name to be updated correctly.
    • Select the following:
      • ClamAV, Amavis & Spamassassin, Requires 2Gb+ RAM
      • Drop all emails if no rDNS/PTR
      • Installs DKIM & SPF, enables DKIM for New Accounts and Domains
      • Installs Policyd, enables hourly email limit per domain.
      • Resource Usage - These use a lot of resources
        • ClamAV (CPU 5%-20%, RAM 1.2GB-2.0GB+)
        • Amavis (CPU 5%-20%, RAM 1.2GB-2.0GB+)
        • Spamassassin (CPU?,RAM?)
    • Hostname: server.mydomain.com
    • Domain: mydomain.com
    • Click `Rebuild Mail Server`
    • Click `Update ClamAV Database`
    • Click `Restart All Mail Server Services`

Notes

Remove 'cwp' subdomain from the Default DNS Zone (optional)

This has to be done here so all of your new accounts dont get this vestigial subdomain.

It is my opinion this is not really used by anything anymore and that is why this is optional.

 

  • Edit the following file (you should of created the file custom.tpl earlier)
    /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
  • Remove the line 
    cwp 14400 IN A %ip%
  • This will not change accounts that have already been created including the Primary account. So either manually edit the DNS zones or use a script to change many.

 

Firewall

  • Country Blocking / IP to Country Lookups / GeoIP / Geolocation
    • If you are running a network firewall such as pfSense, then do the Country Blocking in that device, so all network devices can benefit from that single ruleset but keep the lookup service enabled here to allow for IP to country lookups
    • Security --> CSF Firewall --> Firewall Configuration
    • Set your provider (MaxMind is preferred)
      • MaxMind
        • Get a MaxMind license Key: GeoLite2 Sign Up | MaxMind (I created a proper MaxMind account first)
        • CC_SRC = "1"
        • MM_LICENSE_KEY = "" (fill in your license key)
      • DB-IP, ipdeny.com, iptoasn.com
        • CC_SRC = "1"
    • (optional) Set the countries to block
      • Search for CC_DENY = ""
      • Change to CC_DENY = "CN,RU"
    • (optional) block all countries except those specified:
      • Search for CC_ALLOW_FILTER = ""
      • Change to CC_ALLOW_FILTER = "CN,RU"
    • Click `Save Changes` (at the bottom)
    • Restart the firewall (Security --> Firewall Manager --> Restart)
  • Check all of the ports, close ones not used - even if the port is not forwarded (i.e. just on LAN).
  • SSH restriction rule

Notes

SSL / HTTPS / AutoSSL / LetsEncrypt

  • Set autorenew
    • WebServer Settings --> SSL Certificates --> Configure
    • Auto Renewals
      • Active: yes
      • Auto renew AutoSSL: yes + Renew all SAN
      • Autorenew every: 60 days
    • Automatic SSL generation:
      • Active: yes + Admin and User
      • Generate SAN automatically: mail, webmail, ftp, cpanel = yes
    • The automatic generation task will be executed every day at: 01:00 (less traffic at this time)
  • Generate SSL for mydomain.com
    • WebServer Settings --> SSL Certificates --> AutoSSL [FREE]
    • User: mydomain
    • Domain: mydomain.com (main)
    • Additional Servers: mail, webmail, ftp, cpanel

Notes

 

Security

The more resources you install the more resources you use. I dont know if you need to install each one of these.

  • Connect via SSH with PuTTY and make the root password complex and create a user as they might not be the strongest ones set earlier because you could not copy and paste.
  • Install PHP Defender (Snuffleupagus)
    • Dont Install this
      • First time I enabled it all of my wordpress installs were broken
      • You must restart the whole server to unload it, just deleting the instances from the security centre and restarting Apache is not enough. I am running PHP-FPM.
      • You might also need to reboot the server for the modules to become live.
      • If you don want to install make sure you have a full server backup
      • Here are some example errors: 
        Apache Error Log (sitea)
[Thu Dec 23 19:47:52.977523 2021] [proxy_fcgi:error] [pid 4659:tid 139985935795968] [client 192.168.1.1:58256] AH01071: Got error 'PHP message: PHP Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_set', because its argument '$varname' content (display_errors) matched a rule in /home/mydomain/public_html/sitea/wp-includes/load.php on line 465'
[Thu Dec 23 19:47:53.157871 2021] [proxy_fcgi:error] [pid 4659:tid 139985935795968] [client 192.168.1.1:58256] AH01071: Got error 'PHP message: PHP Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_set', because its argument '$varname' content (display_errors) matched a rule in /home/mydomain/public_html/sitea/wp-includes/load.php on line 465', referer: https://sitea.mydomain.com/
[Thu Dec 23 19:47:54.155940 2021] [proxy_fcgi:error] [pid 4659:tid 139985935795968] [client 192.168.1.1:58256] AH01071: Got error 'PHP message: PHP Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_set', because its argument '$varname' content (display_errors) matched a rule in /home/mydomain/public_html/sitea/wp-includes/load.php on line 465'

Apache Error Log (siteb)
[Thu Dec 23 19:26:46.802401 2021] [proxy_fcgi:error] [pid 1642:tid 140310124496640] [client 192.168.1.1:49326] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762'
[Thu Dec 23 19:26:53.844567 2021] [proxy_fcgi:error] [pid 1696:tid 140310174852864] [client 192.168.1.1:49334] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762'
[Thu Dec 23 19:27:27.416398 2021] [proxy_fcgi:error] [pid 1696:tid 140310174852864] [client 192.168.1.1:49349] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762'
[Thu Dec 23 19:27:58.554425 2021] [proxy_fcgi:error] [pid 1696:tid 140310174852864] [client 192.168.1.1:49350] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log]
    • (Security --> Security Center --> PHP Defender)
    • If you click on 'View details' you get
    • Standard installation (Only change this if you know why)
    • Defender mode: Basic (Only change this if you know why)
    • Click 'Install now'
    • Click 'Accept'. This will install Snuffleupagus for all of your PHP versions, there is no option to select individual version yet.
    • You can now configure the Snuffleupagus settings individual for each version
  • Scan all accounts for Malware (optional)
    • Security --> Security Center --> Malware Scan --> Accounts Scan (All accounts)
  • Install Maldet : Linux Malware Detect (LMD)
    • A malware scanner for Linux. It is particularly effective for the detection of php backdoors, darkmailers and many other malicious files that can be uploaded on a compromised website.
    • Security --> Security Maldet Scan --> Install Maldet
    • Update and scan for malware
  • Install Rkhunter
    • rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux.
    • Security RKHunter Scan --> Install Rkhunter
    • Update and scan for malware
    • Configure rkhunter (RooktKit Hunter)
      • Correct the email address (bug) to send the rkhunter cron emails to
        • Edit the file /etc/cron.daily/rkhunter or /etc/sysconfig/rkhunter
        • Change the file as follows: 
          MAILTO=root@localhost

to

MAILTO=root
      • Run the following commands from the terminal and they will fix the errors in the rkhunter email (as shown below)
        ---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
         is used, all the files on their system are known to be genuine, and installed from a
         reliable source. The rkhunter '--check' option will compare the current file properties
         against previously stored values, and report if any values differ. However, rkhunter
         cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

----------------------- End Rootkit Hunter Scan -----------------------
        • sudo rkhunter --propupd
          • This above command lets the scanner know about the current state of specific files. This process helps to avoid false alarms during scanning.
          • the result will look like 
            [root@cwpserver /]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 131
[root@cwpserver /]#
          • This will not harm your server.
        • sudo rkhunter --checkall
          • After updating the file properties, run the following command to scan CentOS to detect any vulnerabilities or rootkits.
          • This scanner runs through the system commands, network settings, localhost settings, and files to check for actual rootkits, malware, and vulnerabilities. The findings of the scan get recorded on to a log file.
          • This is the summary from the end and is only a small part of what was reported on screen
            System checks summary
=====================

File properties checks...
    Files checked: 131
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 492
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 3 minutes and 11 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

No warnings were found while checking the system.

[root@cwpserver /]#
          • This will not harm your server.
          • This does not generate an email like the cronjob does.
        • (optional) sudo cat /var/log/rkhunter/rkhunter.log | grep -i warning
          • This command will show a condensed look at the scan log.
  • Install Lynis Scan
    • Lynis is a battle-tested security tool for systems running Linux. It performs an extensive health scan of your systems to support system hardening and compliance testing.
    • Security Lynis Scan --> Install Lynis
    • Scan and read the log
  • Symlink Scan
    • A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows. In many cases, this is used by hackers to get access to other users files. This module will help you to locate all symlinks.
    • Security --> Security Symlink Scan --> Scan User
  • Restrict SSH to local network
    • Even though my server is on a NAT'ed network and I have not port forwarded the 8128 port for SSH it is a good practise to add a rule which can be altered later.
    • Edit file /etc/hosts.allow and add the line: 
      sshd: 192.168.1.0/24
    • Edit file /etc/hosts.deny and add the line: 
      sshd: ALL
    • Goto the dashboard
    • Restart SSH Server
  • Restrict FTP to local network
    • Even though my server is on a NAT'ed network and I have not port forwarded the 21 port for FTP it is a good practise to add a rule which can be altered later.
    • Edit file /etc/hosts.allow and add the line: 
      ftpd: 192.168.1.0/24
    • Edit file /etc/hosts.deny and add the line: 
      ftpd: ALL
    • Goto the dashboard
    • Restart SSH Server
  • Change SSH to use keys and not passwords (optional)
  • Enforce HTTPS on Webmail and User Cpanel
    • Cpanel and Webmail (no ports)
      • cant figure it out
    • Webmail (port 2095)
      • Edit the file 
        /usr/local/cwpsrv/conf.d/webmail.conf
      • Uncomment the following section (not the title though)
        # Disabled forced ssl, uncomment if you want to force ssl
#if ($host != "localhost"){
#    return 301 https://$host:2096$request_uri;
#}
      • Save the file
      • Goto the dashboard
      • Restart the Server (because this is the CWP Apache server, not the client facing one)
  • Login Brute Force Protection
    • Security --> User Login Security --> Configurations --> Configuration and settings for blocking and user session initiation
    • Active: Yes
    • Failed Attempts: 3
    • Suspend for: 5 Min.
    • Blocking by firewall: Ticked
  • Make MySQL stronger
    • Current password length is 12 characters and I want 16 charaters
    • Open terminal with root permissions
    • Run 
      sh /scripts/mysql_pwd_reset
    • Enter a new root password only using 'a-zA-Z0-9' to prevent script issues.
    • check the root password has changed with 
      grep password /root/.my.cnf
  • If the CWP panel is open you will now get this error and MySQL permmissions will need fixing in the next step.
    Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php on line 0

Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0


Trying to start mysql server, please wait!
Try to restart CentOS Web Panel with command: sh /scripts/restart_cwpsrv

**Check your MySQL root password in: /usr/local/cwpsrv/htdocs/resources/admin/include/db_conn.php and /root/.my.cnf


Warning: mysqli_error() expects exactly 1 parameter, 0 given in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0
Could not connect:
  • To Fix the error above open up a terminal with root privilages (taken from here How to Reset and Recover MySQL or MariaDB Root Password on SystemD Linux | Mystery Data 
    • systemctl stop mysqld
systemctl set-environment MYSQLD_OPTS="--skip-grant-tables"
systemctl start mysqld
mysql -u root
    • Run these MySQL commands - change MyNewPassword with the password from earlier
      mysql> UPDATE mysql.user SET authentication_string = PASSWORD('MyNewPassword') WHERE User = 'root' AND Host = 'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit
    • Run these final commands 
      systemctl stop mysqld
systemctl unset-environment MYSQLD_OPTS
systemctl start mysqld
    • Test your password works with 
      mysql -u root -p

Notes

Create a secondary user

This is a safety measure so if the root account gets comprimised you can still get in with this account.

  • Open up the CWPpro terminal (or SSH)
  • Run the command 
    adduser backupuser
  • Now assign a password to the user by using the command 
    passwd backupuser

Notes

 

 

Monitoring (Watchdog)

  • Services Monitoring (for initd services)
    • Services Monitor will automatically restart off-line services and send an email notification.
    • Services Monitoring (systemd services) is required for this to work.
    • Services Config --> ServicesMonitor (init)
    • Enable: Yes
    • Email notifications to: youradmin@mydomain.com
    • Check every: 15 mins (some people might want this to be set to 5 mins, you can change it later if you want)
    • network / Exit status: 0 :: I dont know what this is so I will leave it unticked.
  • Services Monitoring (for systemd services)
    • Services Monitor will automatically restart off-line services and send an email notification.
    • This is good becasue failed services will get restarted automatically.
    • Services Config --> ServicesMonitor (systemd)
    • Enable: Yes
    • Email notifications to: youradmin@mydomain.com
    • Just use the list below or your prefered selection:
      • amavisd.service    (If you enable the option AntiSpam/AntiVirus in Postfix, this setting is irrelevant)
      • clamd.service    (If you enable the option AntiSpam/AntiVirus in Postfix, this setting is irrelevant)
      • crond.service
      • csf.service
      • dovecot.service
      • httpd.service
      • lfd.service
      • mariadb.service
      • opendkim.service
      • php-fpm74.service
      • php-fpm80.service
      • postfix.service
      • pure-ftpd.service
      • spamassassin.service    (If you enable the option AntiSpam/AntiVirus in Postfix, this setting is irrelevant)
      • sshd.service
  • Monitoring via Monit
  • Netdata Service Monitor (5-20% CPU, RAM? not sure)
    • (Graphs --> Netdata)
    • Please note that Netdata is high resource demanding for low-performance servers, we recommend installing only on the servers with multiple CPUs and memory 4GB+
    • Don't install this on low power servers. It is not a monster but does need feeding.
    • Netadata does take a while to install.
    • It is run outside of the cpanel so is like a seperate Website.
    • Designed by system administrators, DevOps engineers, and developers to collect everything, help you visualize metrics, troubleshoot complex performance problems, and make data interoperable with the rest of your monitoring stack.
    • Netdata’s distributed, real-time monitoring Agent collects thousands of metrics from systems, hardware, containers, and applications with zero configuration. It runs permanently on all your physical/virtual servers, containers, cloud deployments, and edge/IoT devices, and is perfectly safe to install on your systems mid-incident without any preparation.
    • How to update Netdata In CWP Control WebPanel Centos/RHEL/Ubuntu/Debian | Mystery Data
    • Not sure what most of the metrics are so I will probably uninstall this until I do.
    • You can potentially measure these metrics from the Netdata Cloud which also seems to be free.
    • If your server is not running this then potentially it might be more responsive.

Branding

  • Upload a logo
    • (User Accounts --> Features,Themes,Languages --> Branding)
    • Browse and upload your logo.
    • The logo will appear on dark and light backgrounds and this can be seen on the client login page (light background) and then once in the clients cpanel (dark background).
    • The logo will be automatically renamed.
  • Set Servers default website to a blank page
    • server.mydomain.com actually has a website and the files are located at /usr/local/apache/htdocs/ 
    • This default site is possibly used for other things on the server and might get refreshed during an update wiping any of your changes.
    • The reason we do this is because we want to brand our default templates to look more professional and a few technical people will always go and have a look what is running.
    • You can use a completely branded HTML page but I thing for the server a blank one is better and quicker to do.
    • Backup the file /usr/local/apache/htdocs/index.html (rename it orig-index.html)
    • Edit /usr/local/apache/htdocs/index.html and replace the content with the following code 
      <html><body bgcolor="#FFFFFF"></body></html>
    • NB: The default apache web server IP is set here /usr/local/apache/conf/sharedip.conf
  • Custom Account Templates
    • Custom Account Templates - Control WebPanel Wiki
    • Suspended Account Template - The default template is ok and can be left.
    • New Account Template - I will replace this with a fully branded holding page.
    • New Domain Template - I dont know what this is for.

      I will replace this will a blank index.html
      <html><body bgcolor="#FFFFFF"></body></html>
    • New SubDomain Template

      I will replace this will a blank index.html - A subdomain does not need a fully branded holding page.
      <html><body bgcolor="#FFFFFF"></body></html>

Updates

  • CWP
    • CWP updates itself automatically but you can force this by clicking on the `CWP Update` button on the dashboard.
  • Dependencies (Yum/rpm)
    • I dont think these update automatically but you are warned stuff is out of date.
    • Server Settings --> Yum Manager --> Updates List --> Update All

Configure CWP (Notifications and Alerts)

We need to configure CWP to send error notifications and unless you know where to click this can be hidden.

  • Click on the Bell icon
  • This will now take you to the 'Notifications and Alerts' page with some messages, ignore these for now.
  • Click on 'Click here to Edit Settings and Email Alerts.' (at the top of the messages.) to take you to the 'Notification Settings' page.
  • Configure and save the following settings
    • Email for Alerts = send@theemailhere.com
    • Sender email (server name recommended) = notification@server.mydomain.com
    • Info = Checked
    • Warning = Checked
    • Danger = Checked
    • Notification Template = 
      You've received a new %level% notification: %subject%

Here are the details:

%message%

%url%
  • Now we get to the messages that you saw just before.
  • The blue ones are just notifcation messages pointing you to look at the logs and unless you really want to just click on the cross for each of them and dismiss the message.
  • The orange messages
    • are warnings and you should read each message, click on the link and correct the error as advised. Once you have corrected the error, dismiss the message.
    • Depending on when you process these messages you might find that you have more messages to process or for each warning you have already corrected but just not yet dimissed the message which you can do now.
    • The default orange error messages shown above should all of been corrected during this tutorial.

Client Backups

It should be noted that currently CWP does not manage backup retentions (i.e. it does not delete any backups so they will keep growing in number). See the notes below for solution.

  • Disable the Old Backup system
    • This is now a legacy script but is stable. It appears only to do User Accounts.
    • CWP Settings --> Backup Confifguration --> Manage Backups --> Enable Backup: No
    • Click `Save Changes`
    • Delete files and folders in /backup
  • Enable the new backup System (You can setup multiple backup jobs all with different options.)
    • CWP Settings --> NEW Backup (beta)
    • Start filling in the settings below to create new Backup job.
    • User Accounts
      • Packages: Select all of the packages (easier to manage)
    • Features and settings
      • Select all options
    • Destination:
      • I recommend you set up an external SFTP/FTP/SSH File server to deposit the backups on. It must be a seperate computer/NAS/Device otherwise it is pointless.
      • FTP Server or SSH server
        • Fill the details in of you remote server (this assumes you have built one, but is not covered here)
        • Select Compress Backup
      • Local file or directory
        • Will only be good for restoring individual client data and not disaster recovery.
        • Backup Destination: /newbackup/
      • Temporary Directory: /home/tmp_bak/
      • Backup Level: Compressed
    • Frequency and Execution
      • Execution Schedule: Daily Backup
      • Frequency Details: Everyday
      • Notifications: When you finish homework, To the Server Administrator
      • These are my initial settings so you know that the server backup is working correctly. Reduce/change the frequency later if you wish.
  • Set the backup schedule
    • CWP Settings --> NEW Backup (beta) --> Scheduled --> Scheduling the Execution of your Backup --> Hour: 02, Minutes: 00
    • Most of the servers crons will of finished by now and the traffic and load on the server will be low.
  • Enable the backup jobs
    • CWP Settings --> NEW Backup (beta) -->Backup Settings
    • Click on the `Off` button to enable each backup job you want

Notes

  • Old Backup System / Backup Configuration / Manage Backups
    • it backs up all of the user account's public html and settings in one folder /backup/daily/[username]/
    • All MySQL (not sure about MongoDB and PostgreSQL) are dumped to /backup/mysql/daily/
    • These (I think) are replaced by the next run of the backup script.
    • The backups are just of the user account Home directory and all MySQL databases on the server.
  • Backing up Locally
    • only good if a user breaks their site. if the server fails thene these local backusp will be usefless
    • increased wear on your SSD
    • fills up your HDD on the server quick
    • You need to monitor it
  • New Backup / New Backup (beta) Backup Tool
  • Full Server Backup
    • Occasionally you should shut the server down and do a full backup of the VM. You cannot just backup the server when it is on because of the live services within it might get corrupted (Virtual Machine Quintencence)
    • I use Veeam Agent to do a full host server backup. All VM machines must be powered down when running this
  • New and Old Backup system do not have backup retention management
  • Backup and Restore | Control-WebPanel Documentation
  • Create/restore backups in CentOS Web Panel - PlotHost - For end users

Cron / Anacron /  Cronjobs

This is Linux's version of scheduled tasks (for us Windows users) and there are 2 pages that currently allow you to configure them throught the GUI. They both work on the same dataset which is confusing and hopefully these pages will get merged.

  • (CWP Admin --> Server Settings --> Crontab for root)
  • (CWP Admin --> Server Settings --> Crontab for users)

Check the time they run

I would have my crons run late at night probably after my backups. You check the time fit in with how you run your server and if you ar enot sure just leave themas they are for now.

You dont want you SSL certificates to be getting updated while your backups are running. You server wont die, but why cross the streams :) when you dont have too.

Silence is Golden (optional)

I prefer to make all of the cronjobs quite, they will email me if there is an issue but generally you dont need an email saying they have been run. To fix this you add > /dev/null at the end which sends the output to a null device where it dies.

/usr/local/cwp/php71/bin/php -d max_execution_time=18000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron_autossl_all_domains.php

to

/usr/local/cwp/php71/bin/php -d max_execution_time=18000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron_autossl_all_domains.php  > /dev/null

Do this for all of the cron jobs yopu want to be quiet. This will not them stop them sending emails if that is what the script does, just the notfication of them running.

Editing Default Cronjobs (in the GUI)

After setting up the server these should be the only cronjobs present. You will find that sometimes after an upgrade or installing a plugin you will get more cronjobs, sometimes duplicates and in which case you should remove the appropriate one.

Notes

Backup Server Settings

CWP does not have a specific mechanisim for backing up the server settings so I will add what I find here and wil post a feature request with CWP.

Please note this section is not complete.

  • Custom Account Templates
    • /usr/local/cwpsrv/htdocs/resources/admin/tpl/ 
  • Company Logo
  • CWP Databases:
    • (CWP Admin --> SQL Services --> phpMyAdmin)
    • root_cpmigrations
    • root_cwp databases
  • DNS Zone Templates
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/default.tpl
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/
  • DNS Zone File Backups (these are created manually and are not the live ones)
    • /usr/local/cwp/.conf/backups/var/named/
  • php.ini (all versions)
  • my.cnf
  • Doevecot/Postfix/Spam assassin and other email stuff
  • Crons (only custom crons)
    • /var/spool/cron/
    • /var/spool/cron/root    These are in the CWP GUI.
    • /var/spool/cron/[other users]   ? Are they stored in the clients accounts when they backup? These are in the CWP GUI.
    • /etc/crons.d/   
    • /etc/cron.hourly/
    • /etc/cron.daily/
    • /etc/cron.weekly/
    • /etc/cron.monthly/
  • CentOS Web Panel Mailserver Installer
    • SSL Cert file location /etc/pki/tls/ private¦certs

Backup the Virtual Machine

This is an additional step I do and is one of the reasons I like windows.

  • Get an external USB HDD (you can use a network location if you want)
  • Shutdown all running VMs
  • Install Veeam Agent for Microsoft Windows FREE
  • Create/Edit a backup job (I will leave the exact options to you)
  • Run the backup.

Notes

  • This backup method will not work correctly if the VMs are running
  • Only changes are backed up so the process can be quite fix after the initial run.
  • If using a USN drive I highly recommend you look at the settings
    • When backup target is connected
    • Eject removable storage once backup is completed
  • The Veeam software is great for doing a backup of your Windows computer.

Create a Test VM

Create another VM with the exact same settings except different name, different credentials, different NAT IP and use a Dynamic Disk as you dont need performance. You can then use this for testing and playing with settings that you dont understand (like me) without harming you main server.

  • Power down your Production/Live CWP server VM.
  • Do a Full Clone of the VM
  • Boot the new development VM
  • Change the IP address
    • Follow the instructions above, search for  'Change Server NAT Local IP after the initial installation'
    • If you dont this will cause conflicts with your real CWP server (see change NAT ip after ... above)
  • Change the server's hostname
    • (Server Settings --> Change Hostname) = testserver.mydomain.com
  • Delete the old servers DNS zone which is probably =  server.mydomain.com.db
    • (DNS Functions --> List DNS Zones --> Delete Zone)
  • Change the password of the root account
    • (Server Settings --> Change Root Password)
  • Change the MySQL root password
    • Open up the CWPpro terminal and run the following command 
      sh /scripts/mysql_pwd_reset
  • Change any Emergency user accounts you have created.
    •  From the terminal as root, run the command for each account (these are not the website accounts)
      passwd <username>
  • Delete any client accounts in this development site as you dont need to be running these except on the live site.
    • Except the leave the user account that has your domain 'mydomain.com' as you might need this for testing.
  • Change name servers to 192.168.1.11 your NAT Local IP
    • (DNS Functions --> Edit Nameservers IPs)
    • Not sure this is right but the server cannot talk to the outside world anyway.
  • Power down the testserver
  • (optionaly) Convert the VDI to a Dynamic Disk to save space.
  • You can now power up both VMs up at the same time.
  • In testing, Snapshots are your friend and prevent hours of work trying to fix something you broke. On a test server I would always use these to test changes but I am not sure if they are safe on a Production/Live server.
  • Dynamic disks will continue to grow over time but can easily have the space recovered by running a VirtualBox command.
  • Changing passwords so they dont match the old server is to prevent you from accidentally logging in to the wrong account on the wrong server.
  • You might want to turn off all the admin emails off if you are leaving the test VM on for a while

Final Thoughts

The initial configuration is completeand I wish you well. As I learn more I will update this article. Keep reading to the bottom as you might find answer to common issues.

These instructions have taken me a long time to put together and I am not a Linux professional so pleases bear that in mind when reading this. If you notice any issues or mistakes please let me know and at some point I will tidy it up.

 

Other Configurations

These settings, configurations and notes have not made it into the main tutorial but are worth a read.

Things not installed or started

  • Team Speak 3 Manager
    • It is no longer supported.
    • It is removed from the menu system.
  • NodeJs
    • An open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser
    • WebServer Settings --> Node.js Manager
  • Apache Tomcat
    • A free and open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies. Tomcat provides a "pure Java" HTTP web server environment in which Java code can run.
    • WebServer Settings --> Tomcat Manager
  • Ioncube
    • This is for the user account facing Apache, not CWP.
    • PHP Settings --> PHP Addons --> Install IonCube Loader --> Install
  • PHP PECL extensions
    • PECL stands for PHP Extension Community Library, it has extensions written in C, that can be loaded into PHP to provide additional functionality.
    • PHP Settings --> PHP PECL extensions
  • FFMPEG
    • For Video streaming websites. A free and open-source software project consisting of a large suite of libraries and programs for handling video, audio, and other multimedia files and streams.
    • PHP Settings --> FFMPEG Installer
  • PostgreSQL
    • A free and open-source relational database management system emphasizing extensibility and SQL compliance.
    • SQL Services --> PosgreSQL Installer
  • MongoDB
    • A source-available cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.
    • SQL Services --> MongoDB Manager
  • ShoutCast Manager
    • By installing Shoutcast server you will create a linux shoutcast user which will be used to run shoutcast servers.
    • Plugins --> ShoutCast Manager
  • Site.pro
    • A Paid for website builder.
    • Plugins --> Site.pro
  • Softaculous
    • A commercial script library that automates the installation of commercial and open source web applications to a website.
    • Script Installers --> Scripts Manager
  • Sitepad
    • A drag and drop website builder (from Softaculous)
    • Script Installers --> Scripts Manager
  • WHMCS Integration

User Email Accounts

When setting up an email account in an app uses these settings (Based/Tested in Outlook 2019)

  • My outgoing server (SMTP) requires authentication: ticked
    • Use same settings as my incoming mail server: selected

You should always use a secure port for your SMTP. Each port has different options it will accept

  • 465 (Preferred)
    • None = Does not work
    • SSL/TLS = Works
    • STARTTLS = Does not work
    • Auto: Does not work
  • 25, 587
    • None = Works
    • SSL/TLS = Does not work
    • STARTTLS = Works
    • Auto: Works
  • 26
    • Not enabled by default but should be the same as (25, 587)

cPanel Account Import / Migration

  • cPanel Compatibility - Control WebPanel Wiki - This has links to everything you need to know from using the new CWP and migrastion cPanel accounts.
  • cPanel Account import
  • Single cPanel account import
    • How To Migrate a User From cPanel To Centos Web Panel - Worth a look.
    • Created a full backup on my cPanel server which I downloaded to my desktop.
    • I uploaded the cPanel backup to my CWP server /home using SFTP over SSH
    • User Accounts --> cPanel Account Restore
      • Account Import: The file you just uploaded
      • Associated Package: Choose something relevant
      • Tick all boxes (except the fast import one if on a slow server)
      • Click `Import`
    • The password is maintained.
  • Why my sites did not work after importing from a cPanel backup or I a warning, Forbidden: You don't have permission to access this resource.

    • Cause(s)
      • Mod Security need to be configured correctly.
      • Name Servers are wrong
      • DNS Zones need to be setup correctly.
      • SSL Issue
        • My demo sites on cPanel had the HSTS header added by the W3 Total Cache which is then cached by the browser.
        • CWP did not automatically create the SSL certificates
        • Google chrome will not allow you to load sites with mis-configured SSL certificates and there is no override option.
      • php.ini and .user.ini issues
      • CWP or something else got mixed up.
    • Solution(s)
      • Mod Security
        • Check you are using Comodo rules (not OWASP)
        • Check the Mod Security logs for blocks.
          • Mod Security (per domain logs, replace DOMAIN.COM) 
            /usr/local/apache/domlogs/DOMAIN.COM.error.log
          • I found the lack of a favicon.ico was causing things to get blocked.
      • Name Servers
        • Check they are pointed to server.mydomain.com (You don't have to do this if you change the A records properly)
      • Check the DNS zones for the account
        • DNS Functions --> List DNS Zones --> Check All Zones
        • CWP wiil then show the relevant IP which the zone point to.
        • The domains zones must be pointing at your server correctly.
      • Manually install the SSL certificates from Letsencrypt
        • WebServer Settings --> SSL Certificates
          • Add CWP service subdomains onto the primary domain
          • Do the other domains/subdomains
      • Run the permissions tool:
        • User Accounts --> Fix Permissions
        • Select the imported cPanel account
        • Tick the following
          • Fix Permissions
          • Internal Server Error
          • Remove AddHandler
        • Click `Fix Selected Issues`
      • php.ini and .user.ini
        • You might have erroneous php.ini and .user.ini files from the old server that have not been modified or deleted as needed that need deleting or editing in the user account's files.

How to use the PHP selector

  • add notes here
  • Cane be done either in the user panel or admin
  • if default is it using the seerver default with no-fpm,
  • how do i remove the selection, just delete the htaccess

Notes

  • PHP-FPM
    • PHP-FPM selector changes it for the whole domain/subdomain
    • PHP handler is not set in htaccess file (only for php-fpm and default cgi)
  • PHP-CGI (standard)
    • is on a per folder basis unless not specified and the server default version is used
    • AddHandler (in htacces) is for PHP-CGI only
  • default option is shown perhaps becasue I do not have a php-cgi verion installed and I have not forced php-fpm (see video)
  • Default Version
    • once you have selected a PHP version you cannot go back to server default
  • If you have lots of clients I dont think forcing PHP-FPM is the best. Only choose this option if you are doing your own stuff. You can always manually PHP-FPM for specific user accounts.
  • PHP Selector | Control-WebPanel Documentation - Instructions for users and their control panel.
  • How many php versions I can run on the single server - Control WebPanel Wiki - The admin side of the selector. This includes setting options and rebuilding.

Configure Network Devices to be on the same Local Domain (OpenWRT) (optional)

I want all of my local devices to be registered on the same local domain (mydomain.com) as my CWP server (server.mydomain.com) so I can ping and connect to devices on my network using FQDN (eg: device.mydomain.com). This can make my network administration a lot easier and I can pretend that my network is a full domain of computers on the internet. This is not the same as Microsoft Active Directory / Windows Domain but will do for me.

My Choice

Because I am running a webserver which controls DNS zones it is best to leave it doing that role. This setup will prevent duplicate entries in the mydomain.com DNS zone and the OpenWRT hosts file.

  • Change the Local domain to mydomain.com
  • Leave Local server as /lan/ which allows OpenWRT to poll my mydomain.com DNS zone.
  • I will add my public facing servers and devices into the mydomain.com DNS zone so they can be access via a FQDN both remotely and locally.
  • For devices I need to access via a FQDN locally(private) I will use the Hostnames feature in OpenWRT.

Configure the Device Domain Suffix (Local domain)

I am running OpenWRT on my router and it currently adds the configured DNS suffix (.lan) on to the end of each registered device's hostname (device.lan). Device hostnames are automatically registered with DHCP in the Active DHCP Leases and can be manually added via Static Leases. Both these lists combine to make single list of FQDN that the router uses for routing traffic.

The instructions below will change the registered hostnames to belong to .mydomain.com giving the format device.mydomain.com when registered instead of device.lan

  • Login to your OpenWRT router
  • (Network --> DHCP and DNS --> General Settings --> Local domain) = mydomain.com
  • Restart your router

Notes

  • Local domain = suffix appended to DHCP names and hosts file entries
  • default = lan
  • This does not make any changes on the device such as the device's name and is purely for OpenWRT and it's routing.
  • When you ping a device by FQDN you request the IP of the FQDN from the configured DNS server, in this case OpenWRT, which will send back the registred IP address of the device just as if you were looking up www.bbc.co.uk and doing an external DNS lookup to a remote DNS server.
  • You can use Static Leases to manually assign a DHCP address but for what I am doing, this is not needed and I prefer all of my static devices to have an IP so when they are away from my network I can still access them over temporary networks etc.. for diagnostics and other such things.
  • You will notice in the lists only the hostname is shown which is normal.
  • A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a server might be device.mydomain.com , The hostname is device and the host is located within the domain mydomain.com.
  • When a device does a DHCP request it only sends it's hostname unless the FDQN option is specified which is probably never going to be enabled in a default setup.
  • Difference between Hostnames and DHCP hostnames - Installing and Using OpenWrt - OpenWrt Forum
  • IPv4 and IPv6 Advanced DNS Tab - This explains all the options in the Windows Network Adapter IPv4 and IPv6 Advanced DNS Tab.
  • Don't put local IP address in you mydomain.com DNS Zone as this could be a security risk.

Devices with Static IPs need adding to OpenWRT hosts

OpenWRT has no information or interaction with devices that have static IP addresses because it simple does not know about them.

To remedy this there are 2 ways of doing this:

Hostnames (preferred)

  • Goto (Network --> Hostnames)
  • Add a Hostname
    • Hostname =  device (hostname) or device.mydomain.com (FQDN)
      • If there is not domain, only a hostname then OpenWRT will append the DNS Suffix .mydomain.com
    • IP address = 192.168.1.x (Local IP address)
    • You can also use public IP addresses and they will also route as appropriate.
    • If you pick your WAN IP (and assuming the forwarding rules are inplace as shown above) then that traffic will be subject to NAT lookback and be forwarded to your webserver.
    • OpenWRT will not append a DNS Suffix to these entries.
    • Hostnames are stored in /etc/config/dhcp and look like:
      config domain
	option name 'device'
	option ip '192.168.1.99'
      or 
      config domain
	option name 'device.mydomain.com'
	option ip '192.168.1.99'

Static Leases

Static Leases are the ability to use the DHCP system to give the same IP address to the same machine which effectively makes them statics with less configuration at the clients end and more control by the admin, however it does requires some setup work.

  • Goto (Network --> DHCP and DNS --> Static Leases)
  • Click Add
  • Fill in these fields only

    • Hostname = device
    • IPv4 = 192.168.1.x
    • We only use the devices hostname (device) not it's FQDN (device.mydomain.com) because OpenWRT will append the domain suffix for us.

Some of you will be saying how does OpenWRT know which device to assign the IP too because I have not set it, well it doesn't. What I have here is just created a host entry that will allow the correct routing but the IP will never be dished out over DHCP. This is more of a hack I discovered. You can use the Static Lease as it was intended by just adding in the following further information (assuming IPv4 only) into the entry.

  • MAC-Address
  • Lease time

Route all traffic locally (Local server) (optional)

This option tells OpenWRT that hostnames belonging to this domain (.lan) are never forwarded and are resolved from DHCP or hosts files only. So this means unless your device is on DHCP, has a Static Lease configured or an entry in OpenWRT Hostnames then no traffic will be routed to it because OpenWRT will not do any external DNS requests and when I say external I mean outside of the router itself, it will purley use these 3 sources for lookups.

The purpose of this option is to prevent unnecessary traffic going upstream and reduce the load on your infrastructure.

These instructions will change the Local server from .lan to .mydomain.com

  • (Network --> DHCP and DNS --> General Settings --> Local server) = /mydomain.com/
  • Restart your router

Notes

  • Local domain = Names matching this domain are never forwarded and are resolved from DHCP or hosts files only.
  • default = /lan/
  • If server.mydomain.com stops resolving after changing this option, it is probably because you only had the device/server configured in the mydomain.com DNS zone which is no longer queried when the domain DNS lookup matches mydomain.com
    1. Add a static Lease for server.mydomain.com
    2. Revert the option back to /lan/ so your domain traffic it handled by NAT Loopback which is part of the CWP (All Ports / LAN Only) rule.
  • If you are running your own webserver that handles the .mydomain.com DNS zone such as CWP server then you should not use this feature. If you do use this you will have to manually enter all hostnames found in your CWP .mydomain.com DNS zone (mail.mydomain.com/cpanel.mydomain.com/www.mydomain.com/etc...) into the OpenWRT Hostnames which is duplication and extra hassle. The NAT Loopback rules employed earlier on will stop the traffic going upstream anyway (it will go into the WAN zone and straight back for you nerds out there).

Change a Windows PC's 'Primary DNS Suffix' (optional)

Do not do this on laptops etc.. if you are going to move above between sites.

As mention above OpenWRT will add DNS suffixes on to the DNS Hostnames to give a FQDN but will not change the computers actual name.

What we are going to do here is a add a Primary Domain Suffix to our Windows PC but this is also not changing the PCs name. Windows has a normal computer name (NetBIOS) that we can add a domain suffix onto it. If you want to change the computer name on your Windows PC it is just as normal (not discussed here)

I cannot think of a reason why I would want to do this on a Windows PC except so SSL/TLS certificates could be issued and then when you use Remote Desktop the computer names match. However for reference I am going to add the instructions here just incase I change my mind.

  • On your Windows PC goto (Control Panel --> System --> Advanced System Settings --> Computer Name --> Change --> More)
  • 'Primary DNS suffix of this computer' = mydomain.com

    • 'Change primary DNS suffix when domain membership changes' - This is already checked and I think it is more to do with Active Directory so can be left as is.
    • Adding a suffix here does not break DHCP registration. OpenWRT still sees this device as device.mydomain.com because only the hostname is sent with the DHCP request.
    • If you choose a different suffix on the Windows PC to that of your OpenWRT/CWP domain (mydomain.com) then the Windows PC will seen 2 FQDN. One defined by OpenWRT and one defined manually on th Windows PC, so my advice is don't bother doing this, keep the domains the same.
    • Windows original just ran on NETBIOS and so a lot of its stuff is based around that. This is why you have to add 'Primary DNS Suffix' in this way rather than just changing the computer name whereas as in linux your computer name can just be a hostname or a FQDN.

Change Linux computer name (optional)

Do not do this on laptops etc.. if you are going to move above between sites.

I am not an expert on linux but you when you sent the computers name you can either set device or device.mydomain.com and I assume that it will only send the host name in a DHCP request as Windows does above. So you again have the option to set just a hostname or a full FQDN.

Same FQDN for Local and Internet Access (optional)

One of the major benefits of this is that I can use the same FQDN to connect to my devices on my local network as I can when I am in the office at work. Great for CCTV and media servers.

Do NOT add non-public devices to DNS zone for security. Only use Static Leases.

You need to do the following for this to work:

  • Add an A record in to your domain (mydomain.com) pointing to your public IP (13.13.13.13).
  • Configure port forwarding to send the traffic from the WAN to the selected local device's IP address (192.168.1.x).

Default URLs

Useful Notes

 

Questions/Bugs/Features for the Forum

Links

Questions

  • what is the CWP subdomain for? is this a fault?
    • WebServerSettings --> Apache Redirects
    • Redirects info: http://any-domain.com/cwp will be redirected to the CWP control panel login.
  • The CWP forum does not have a HTTPS cert
  • Do other subdomains (not mail, cpanel, mail, webmail)?
  • centos cwp shows a swap file monitor but this system does not have one. do i need one or is it all in ram becasue it shows 4GB?
  • how do i change the PHP version on mass for all user accounts?
  • how can i edit eveyones zone template to make changes (GREP ?)
  • a script to edit everyones htaccess file (GREP ?)
  • did i need to create the user 'user' when setting up CentOS, should I have just left root? delete the shoulders account if not needed.
  • When you click on CWPPro terminal for the first time it installs the terminal. I dont know what the difference is between the terminals. the pro one might have Root privilages and be just like a normal terminal.
    I need a description
  • is cgroups still faulty? (asked here Cgroup In Package Creation Question)
  • does port 26 need to be opend up. = nope
  • how to force https on cpanel and webmail
  • Enforce SSL/HTPPS/TLS for all postfix connections, how to?
  • Enforce SSL/HTPPS/TLS for all Dovecot connections, how to?
  • in the CentOS install wizard, should i keep KDUMP enabled?
  • how do i add aditional SANS to my sub domains SSL?
  • how do i change my primary domain on a client account?
  • how do i update centOS? is this needed?
  • is cwp multicore aware? - i think i looked into this and it is because of centOS
  • how do i configure amavis + clamav? where are the configuration files, they are not accessible via the GUI.
  • my CWP server has many different boot options in the boot loader when it turns on. they seem to be different versions.
    • how do i get rid of them?
    • is this a bug? in CWP or CentOS?
  • my.cnf is empty? is this a bug?
  • ClamnAV
  • SELinux
  • Monit
    • I need more information on what tasks/actions should be installed and what they do.
    • Is there a list of what these scripts do somewhere? documentation?
    • i need to update my notes when i find out more info
    • feature: in the configuration files the ability to read the script files that have not been installed. i appreciate they have to be readonly until installed
    • the configuration files included with cwp should have some documentation about what they do
    • recommendations on what configuration files to install
  • InnoDB/Database
  • Cannot enforce HTTPS on cpanel.mydomain.com - this should be done in the GUI
  • i dont always have to put in the root/password in the CWPPro terminal. Where is it storing the root info? is this safe? this should not be persistent between server reboots or Browser sessions. Can this be clarified as safe or bug?
  • Cron
    • Are CRONs stored in the clients accounts when they backup?
    • Where is the cron for the freshclam update? probably in anacron
    • Why are the autossl crons in the GUI and not in a file in /etc/cron.d/ do you want these to be user editable?
    • freshclam is still updating when clamav is disabled, these should be linked?
    • Duplicate CWP root CRONs - My quetion abput the duplicate crons I have
  • Where dos the (MySQL Manager --> Settings) store these configurations because it is not in the my.cnf file? Are they persistent or just stored in RAM?

 

Feature Requests - CWP Suggestions (Forum)

  • SPF and DMARC should have an edit tool (feature request)
  • MySQL terminal
  • easier way to reset MySQL root password becasue the default password is too short.
    • is this doen by script?
  • have monday as the first day in the week
  • be able to add a custom name to backup jobs (in the new manager)
  • in the file manager I would like to freetype the file location to speed navigation up
  • currently the default setting for letsencrypt renewal time is 28 days, letsecyrpt recommends 60 days
  • filemanager on copy files, folders and files should have separate icons or a way of knowing what the asset is, currently you cannot tell the difference between files and folders
  • filemanager - no refresh button - useful when working with ftp aswell
  • download account backups, i should be able to download the backup by clicking the link like cpanel.
  • easy button to backup CWP server settings
  • Cannot remove ClamAV, Amavis & Spamassassin individually. should be able to select these seperately
    • ClamAV is used as the account sanner in the 'sEcurity Center'
    • ClamAV does the mail and the home directory. However if you uninstall it in the postfix rebuild then ClamAV is not available to scan client home directories.
    • ClamAV: this should not be an option in Postfix becasue it scans homedir aswell
    • the virus scan page is still avaiable in the client panel but just causes an error
    • How to free space like uninstall ClamAV, AMaViS, etc.
      • also you can check more detailed your disk usage by using cwp disk_details module, it has per folder usage. 
        IP:2030/admin/index.php?module=disk_details
    • 'ClamAV, Amavis & Spamassassin, Requires 2Gb+ RAM'
      • It installs ClamAV and AmaVis if not present and will possibly update them aswell.
      • This option stops/starts  the related servicesthem on install/uninstall
      • I am sure does some PostFix configurations.
      • This script does not uninstall ClamAV or Amavis.
      • If this option is enabled then the services amavisd.service, clamd.service, spamassassin.service are started when the server boots and if you manually stop them they will restart irrespective of their configuration in systemd. So they must be defined dependicies of some process this option invokes.
  • CWP changelog feed in the cwp control panel
  • All Admin pages should have a breadcrumb. This allows people to use shortcuts and newbies to find the same area at a later date easier.
  • Cannot edit root crons only add and delete via the GUI. Editing these should be allowed
  • RAM usage does not update like the cpu and diskl i/o only on a page refesh.
  • need a nice utility to look at memory usage easily
    • i have seen TOP
    • i.e AmaVis is using 200mb
    • ClamAV is using 500MB
  • an indicator after the reboot button has bee pressed so you know you have clicked it. like cpanel with a spinning thing and then when the server has reloaded the page can refresh seeing as CWP Admin session are persistent through reboots.
  • No easy backup method to backup the server settings i.e:
    • Skeleton Templates: /usr/local/cwpsrv/htdocs/resources/admin/tpl/ 
    • CWP Databases:
      • (CWP Admin --> SQL Services --> phpMyAdmin)
      • root_cpmigrations
      • root_cwp databases
    • This should be added to the Backups 2
  • account backups should have the account name in it like cpanel
  • cpanel database backups, remove the word dump from the file name
  • root_cpmigrations and root_cwp databases are using latin1_swedish_ci for their collations, this should be changed to utf8_unicode_ci or even better utf8mb4_unicode_ci.
  • CWP should have the ability to back the server settings up using the backup jobs.
  • enable HTTP2 by default
  • enable TLSv13 by default
  • Logo preview should show both light and dark previews for contect
    • (User Accounts --> Features,Themes,Languages --> Branding)
  • Remove 'cwp' subdomain from the Default DNS Zone (section above)
    • This has to be done here so all of your new accounts dont get this vestigial subdomain.
  • GreyListing feature, where is it? is it part of Postfix?
  • Ability to edit default DNS Zone templates from the GUI
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/default.tpl
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
  • On the article Custom Account Templates - Control WebPanel Wiki
    • the templates need explaining when they will be called on i.e. when you create new account
  • At the top left what is the load monitoring becasue there is no units and why can it be toggled?
  • When you change the hostname of the server CWP should handle the deleting of the old hostname in all appropriate records (DKIM, DNS Zones) and give a summary of the changes plud do backups of these file where needed.
  • Add a link on all pages to a proper wiki page. these could all be place holders for now
  • put the server name / domain name in big letters at the top of the dashboard so I know which server i am working on.
  • Random password generator passwords are too short and dont have any special characters in them. A way to set the parameters of the generator would be great.

 

Bugs - CWP Bug Tracking / CentOS-WebPanel Bugs (Forum, old?)

  • They says setup port26 but it is not open by default in the firewall - add this when i do email server
  • AutoSSL is not renewing CWP subdomain, bug?
  • once you have selected a PHP version you cannot go back to server default?
  • the menu collapse is inconsitent - when you click on some items the whole menu collapses which is annoying
  • The MySQL Root password changing script is broken
  • Bug: New account create and Rebuild Zone use different templates
    • New Account Zone(test.acc.db) 
      ; Generated by CWP
; Zone file for test.acc
$TTL 14400
@    86400        IN      SOA     ns1.mydomain.com. postmaster.test.acc. (
				2021070154 ; serial, todays date+todays
				3600            ; refresh, seconds
				7200            ; retry, seconds
				1209600         ; expire, seconds
				86400 )         ; minimum, seconds

@	86400	IN	NS		ns1.mydomain.com.
@	86400	IN	NS		ns2.mydomain.com.
@ IN A 13.13.13.13
localhost.test.acc. IN A 127.0.0.1
@ IN MX 0 test.acc.
mail 14400 IN CNAME test.acc.
smtp 14400 IN CNAME test.acc.
pop  14400 IN CNAME test.acc.
pop3 14400 IN CNAME test.acc.
imap 14400 IN CNAME test.acc.
webmail 14400 IN A 13.13.13.13
cpanel 14400 IN A 13.13.13.13
cwp 14400 IN A 13.13.13.13
www 14400 IN CNAME test.acc.
ftp 14400 IN CNAME test.acc.
_dmarc	14400	IN	TXT	"v=DMARC1; p=none"
@	14400	IN	TXT	"v=spf1 +a +mx +ip4:13.13.13.13 -all"
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCviXG9SqprOjF3qvN+Xo2KpXp54Fgx6CX42wLxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    • Rebuilt Account Zone (test.acc.db) 
      ; Generated by CWP
; Zone file for test.acc
$TTL 14400
test.acc.      86400        IN      SOA     ns1.mydomain.com. noreply.quantumwarp.com. (
				2013071600      ; serial, todays date+todays
				86400           ; refresh, seconds
				7200            ; retry, seconds
				3600000         ; expire, seconds
				86400 )         ; minimum, seconds

test.acc. 86400 IN NS ns1.mydomain.com.
test.acc. 86400 IN NS ns2.mydomain.com.

test.acc. IN A 13.13.13.13

localhost.test.acc. IN A 127.0.0.1

test.acc. IN MX 0 test.acc.

mail IN CNAME test.acc.
www IN CNAME test.acc.
ftp IN CNAME test.acc.
; Add additional settings below this line
_dmarc	14400	IN	TXT	"v=DMARC1; p=none"
    • Bug: Zone creation is inconsitent. There appears to be many templates but are out of sync to which data they use to build their templates with, in particular the email address that is declared on them in the SOA.
  • why is my usage in my cpanel not working. it alswyas shows 0.00 MB / 5000 MB - do i need to start something for htis?
    • another time it showed 36mb used and the account backup was 200mb+ on its own
    • client account: disk usage is not updated
  • sometimes if you let a ftp session expire, you cannot reconnect with FTP until you have killed the session via CWP
    • cannot kill session in cpanel (could be i need to add permissions)
  • view trash does not work. see themes.qwdemos.com , certainly not in firefox - double check this, i think it just shows the .trash folder but htis cannot be accessed normally and might be temproary during the filemamanger session.
         make a note of this + is there an article on trash.
  • (Email --> rDNS Checker) checks the NAT IP not the public IP
  • Every new user account creates a mysql user, even if there are no databases. this seems pointless.
  • The intial setup for cwp does not create the DNS zone for the server, it only happens after you have refreshed the server hostname. This is either a bug or by design.
  • when i logged into my secure https://cpanel.mydomain.com/  it redirected to non-secure  http://cpanel.mydomain.com/
  • The only way to removed 'Admin services' from a domains SSL is to delete the certificate. You can add additional 'Admin services' easy by clicking on the button, selecting the additional options and clicking 'Apply changes'
    • The SSL handling is a bit flaky, it is not easy to re-configure an SSL. you can add additional SAN but not seem to remove them except delete the whole thing admin services
  • Cannot delete some MySQL users via the CWP GUI but there is not issue deleting them via the SSH or phpMyAdmin
  • breadcrumbs dont work 'you are here' looks like whwere is should be at the top right but it does not work
  • Menu
    • Most pages titles on the pages do not match up with their menu name and this is confusing. give one example and say i will do the rest if it is of use
    • menus collapse inconsisten -eg: (SQL Services --> MySQL Configuration) is a great example, the mnu just collapses aafter you click, it does not stay on the same  'menu'
  • Bug/Question: do the developers look at these bugs here or is it just ofr us end users?
  • (WebServer Settigns --> SSL Certificates) the multiple actions dropdown has pre-expanded and the options below have leaked (do picture)
  • Custom Account Templates - Control WebPanel Wiki (branding)
    • This is not well written
    • The english does not make sense.
    • what does rsync -av do?
  • The logo preview does not work.
    • (User Accounts --> Features,Themes,Languages --> Branding)
  • http://wiki.centos-webpanel.com/ - needs to have https enforced but currently the https version just redirects to the http version (crazy)
  • Cron
    • The following pages need to be merge becasue it is confusing, almost like one page is a half finished project. They both load the same data. This is more a bug than a feature becasue of how confusing it is.
      • (CWP Admin --> Server Settings --> Crontab for root)
      • (CWP Admin --> Server Settings --> Crontab for users)
    • /etc/cron.d/clamav-update has MAILTO=root rather than a proper email address that I can set in the GUI
    • error: 'PHP Notice:  Undefined index: O in /usr/local/cwpsrv/htdocs/resources/admin/include/alertandautorenewssl.php on line 0'
  • on the dashboard the RAM usage never seems to refresh unless I refresh the page
  • the rkhunter daily cronjob does not send the email to the correct address and you need to
    • edit Daily cronjob /etc/cron.daily/rkhunter or /etc/sysconfig/rkhunter
    • MAILTO=root@localhost  -->  MAILTO=root
  • nameservers do not have TrustedHosts or KeyTable
    • they do get DKIM and SPF records
    • This might be normal because they will never be required to send emails
    • Add this note somewhere above in the relevant email section
  • (Email --> DKIM & SPF Manager) always shows v=DKIM1 and v=spf1 present even if they are not.
  • There is a file that should not be in the default apache template /usr/local/apache/htdocs/autoconfig.php - there should be no PHP in this place.
Published in Web Server
Read more...
Saturday, 14 November 2020 13:32

My Joomla Modern Router Notes

During my quest to understand the new Joomla Modern Router present in Joomla 3.8+ and Joomla 4.0 I found some good information and figured out the rest. These are the notes from that battle.

I will be using my reference component QWPeople which is based on com_contact from Joomla 3.9.22, my version has all of the class renamed to the latest standard so is a better place to learn from.

List of different routers available in Joomla (dont worry I will go through these later, it just makes it easier to write this document)

  • Original Joomla 3.x (dont use if making a new component)
  • Modern Router (Class Based)
    • RouterViewBase
    • RouterView
    • RouterView + Legacy Rule

Notes:

  • Variables can end up in the $query from $_GET requests, $_POST requests or just being put in there by Joomla itself.
  • These is a typical example of variables pass in the query used for routing 
    option=com_qwpeople
task=mytask or view=myview
language=en-GB
Itemid=101
view=category
layout=blog
id=9
lang=en

Modern Router

The router entry file is still present as [component]/router.php i.e. com_qwpeople/router.php

So how does this new router work. What is a class based router. Well I am not 100% but hopefully my notes will fill in the blanks that this Joomla doc creates: J3.x:Supporting SEF URLs in your component - Joomla! Documentation. Please read this Joomla Document before reading my article as it will make more sense. One other thing the component name part of the router class name should be in PascalCase and not all lowercase like it says, it does not affect operation but PascalCase follows the Joomla syntax rules.

The basic idea of the new router is to do most of the heavy lifting for the normal developer but allow for expansion when needed unlike the old router where you only had one parse() and build() and everything had to be done within this. The new router has definitely expanded on this. The router is broken down into 2 parts (as far as I am concerned)

The following instructions are utilising the RouterViews class.

Registering the Routes

Look at the following code:

// Categories route
$categories = new RouterViewConfiguration('categories');
$categories->setKey('id');
$this->registerView($categories);

// Category route
$category = new RouterViewConfiguration('category');
$category->setKey('id')->setParent($categories, 'catid')->setNestable();
$this->registerView($category);

// Contact route
$contact = new RouterViewConfiguration('contact');
$contact->setKey('id')->setParent($category, 'catid');
$this->registerView($contact);

// Featured route
$this->registerView(new RouterViewConfiguration('featured'));

What is happening here is that you are building a route (ultimately to your content) by using Joomla component views.

We will deal with featured first because this is the simple one. featured is not a category, is not in a category and therefore is a standalone page so it is very simple to route to this all that needs to be done is have the view set to featured which has already been set by the menu item so really there is no component routing required.

Now if we look at the contact view route because this is at the bottom of the tree, if we wanted the categories or category view they we we would just start earlier up the tree and ignore the rest.

  • Categories route
    • The routing key of categories is `id`
    • I don't think it is really necessary to have this route section but I think it just made it easier for the developers to implement a categories view. (I could be wrong)
  • Category route
    • The routing key of category is `id` 
    • It has a parent route of categories, whose routing key `id` is the same as category `catid` and these have now been associated together.
    • The category has a `id` which will match a categories with the same `catid`
    • setNestable() = that this routing section could be made of many segments because it is nestable
  • Contact route
    • The routing key of contact is `id`
    • It has a parent route of category, whose routing key `id` is the same as contact `catid` and these have now been associated together.
    • The contact has a `catid` which will match with a category with the same `id`
    • Now the connection is made to the category we can move up to the category route

Notes:

  • You should note that these rules work in both directions, building and parsing SEF URLs. For now I am concentrating on parsing the URLs as this is harder.
  • You can start a request any where in the view tree `Categories route/Category route/Contact route`, you do not have to start at either end.

Routing Rules

The best bit of the new router is the ability to use rules and Joomla comes with some premade ones that perform very common tasks, so again have a look at this code:

// Router rules
$this->attachRule(new MenuRules($this));		
if ($params->get('sef_advanced', 0))
{
    // Modern routing
    $this->attachRule(new StandardRules($this));
    $this->attachRule(new NomenuRules($this));
}
else
{
    // Legacy routing
    JLoader::register('QwpeopleRouterRulesLegacy', __DIR__ . '/helpers/legacyrouter.php');
    $this->attachRule(new QwpeopleRouterRulesLegacy($this));
}

Joomla Inbuilt Rules

This is a very brief explanation of the Joomla premade rules which should help:

  • MenuRules - Looks to see if the URL matches a known menu item, and ensures in multilingual sites that a language tag is present. This also strips the sgements that make up the path to the menu before passing them on but also adds the ItemId into the Query.
  • StandardRules - Uses your view configuration to build up a menu path. Including utilising the RouterViewConfiguration configurations, utilises segment and ID functions in the router for the particular view it is working on such as getCategoriesSegment() or getCategoriesId().
  • NomenuRules - Provides a fallback when there is no good match found for building or parsing the URL.

You will find all of these rules at /libraries/src/Component/Router/.

Custom Rules

Using a custom rule to allows the use of a legacy router:

  • which is a file containg a class called  class QwupdateserverRouterRulesLegacy implements RulesInterface
  • This is a old style router build()parse() and preprocess() functions wrapped in a class that implements the Joomla\CMS\Component\Router\Rules\RulesInterface interface.
  • So the legacy router can just be moved into a custom rule.
  • For those of you that are not upto date with these terms you will find it easier just to look at the file in QWPeople component and all shall be revealed.

Making your own custom rule

It is as simple as:

  • Copy the RulesInterface class file and use as a template
  • Rename the class name to something like 
    class QwpeopleRouterRulesLegacy implements RulesInterface
{
} 
  • Insert your code in the build()parse() and preprocess() functions as required
  • Register the rule in your router. You will probably need to use JLoader to register the rule class you have just made. After it is registered, you should then attach the rule. The process is outlined below but I would recommend putting your custom rules after the main Joomla ones unless you have a need to change the order and which case you probably know why. 
    // Legacy routing
JLoader::register('QwpeopleRouterRulesLegacy', __DIR__ . '/helpers/legacyrouter.php');
$this->attachRule(new QwpeopleRouterRulesLegacy($this));

Remember you can make as many rules as you want to handle different aspects of your router.

A little trick for custom rules you can use

You can just use return statement in the beginning of a function if you want this code only to work on a particular view or thing. This trick allows you to separate complex routing code into different rules if required.

public function parse(&$segments, &$vars)
{
    // Skip this functions code if not 'categories' view
    if(!isset($vars['view']) || $vars['view'] !== 'categories') { return; }
}

But how do the rules work

  • All rules extend the class Joomla\CMS\Component\Router\Rules\RulesInterface which means they must all have at least the functions parse(), build() and preprocess() even if they don't have any code in them.
    • parse() - If called it will process the segments to see if it can extract any information and then add that to the $query
    • build() - If called it will aid in building the SEF link from the query variables. when this function adds a SEF segment to $segment it will unset the related $query variables so Joomla does not get upset.
    • preprocess() - This function is run irrespective of whether Joomla is in SEF mode.
  • Each registered rule is cycled through in order they are registered so in my example just using modern routing.
    The next rule is only run if there are segments that have not been processed or the view has not been set.
    • MenuRules
      • This grabs the menu item ID, language settings and of course any other parameters configured in the menu item which it then loads into the $query.
      • This rule also removes the segments from the SEF leading upto and including the menu item.
      • This rule uses all of the getXxxSegment() functions in the router.php, I would also assume it uses all of the getXxxId() functions.
      • For every menu URL to be built from the joomla internal links (i.e. inde_.php?view=categories) each getXxxSegment() for a registered view is cycled through; looking for a match, this is my best guess.
      • Does not set any thing in to the $vars (The variables that result from the segments) but does set variables in the $query, like all of the parameters from the menu item.
    • StandardRules
      • Parses the remaining segments in the SEF using the `get ID` functions for the matching views in the in the router.php.
      • By now all the require variables should be in the $query and Joomla will know the correct view to load and in which case no further rule processing will happen and the page will be loaded.
      • This rule uses all of the getXxxSegment() functions in the router.php, I would also assume it uses all of the getXxxId() functions.
      • For every URL to be built from the joomla internal links (i.e. inde_.php?view=categories) each getXxxSegment() for a registered view is cycled through; looking for a match, this is my best guess.
      • sets the option='com_qwpeople' and view='catgories' into the $vars (The variables that result from the segments)
    • NoMenuRules
      • This is only triggered if no matching menu item has been found. A minimal cleanup of assets happens.
      • This does not run any getXxxSegment() functions in the router.php
    • Custom Rules
      • These would get activated now if we had one configured. We would have a custom rule here if we needed to do some complex work on the SEF to complete the routing like I have in QWUpdateServer.

Notes

  • if you add a blank custom rule and then use a debugger you can easily see what each of the rules set by adding a breakpoint in the relevant functions.

What are the different classes for

So of the keen people amongst you might of noticed the different class types that extended by the router. I will outline what they do.

  • class QwpeopleRouter extends RouterBase
    • This class is very much like the original router in Joomla 3.x which allows you to use 1 of each of the following functions parse()build() and preprocess() only.
    • parse()build() and preprocess() will be present in the router class QwpeopleRouter.
    • It does not use rules
    • The developer will need to write all of the routing logic instead of being able to use what Joomla provides for you. However this might be beneficial in some large projects.
    • You could add your legacy router code in the corresponding functions quite easily with maybe a few changes depending which version of Joomla 3.x they were written for.
  • class QwpeopleRouter extends RouterView
    • This allows rules to be registered and used.
    • parse()build() and preprocess() will be present in each of the rules files.
    • Most of the hardwork of routing has been done by Joomla in the pre-written Rules (MenuRules/StandardRules/NoMenuRules).
    • You can write and add your own custom rules.
    • By using a custom rule you can add your legacy router code in.
    • Rules can be turned on and off programmatically (see my trick above), this is especially useful if you only want a custom rule to run on a particular rule.

Conclusion

This is an easy one, use your router in the RouterView mode (by extending your component router with this class) and use custom rules to add any required extra routing logic.

If you have used all of the modern class names like in QWPeople, this router should also be ready for Joomla 4.x.

Links

Published in Joomla
Read more...
Friday, 02 October 2020 14:20

How to extract installed extensions from Joomla

I found the need to extract extensions from Joomla and these are my notes that I built up while doing that. You can also extract core extensions aswell with a little more effort with some compromises. The reasons for extraction:

  • Build a reference extension for future projects.
  • You no longer have the installation sources but need a copy of the extension.

It is far easier to use com_contacts for a reference extension if you are going to use one from the core. com_content is spread across Joomla becasue it is an integral part rather than a seperate component, this maybe better in joomla 4.

Some Notes

  • This will use com_content as an example which use en-GB
  • I am using Joomla 3.9.21 (using Joomla_3.9.21-Stable-Full_Package.zip)
  • I am only doing MySQL
  • The manifest file is in /joomla/administrator/components/com_content/content.xml
  • The manifest file tells you where all of the files are.
  • [zip] = the new extension location
  • [joomla] = Joomla Full installation zip package (makes surte files a virgin)
  • adding license and readme are optional and can be done as part of your own project
  • i will write an extension extractor (extracting the SQL data from the database might need to be done manually)
  • com_content and com_contact have
  • com_content (j3) is missing:
    • SQL files
    • SQL Manifest reference
    • Menu definitions in the manifiest
  • com_contact (j3) has everything present like a normal component
  • Use com_contact is a better extension to use for a reference component as not using dynamic menus like com_content and its manifest is complete.
  • Most core components have a reduced manfest and will need manual correction.
  • com_content admin menu items are programatically controlled and are set by presets in these files:
    • [joomla]/administrator/components/com_menus/presets/joomla.xml
    • [joomla]/administrator/components/com_menus/presets/modern.xml
  • About `Fields` and `Field Groups` menu items:
    • In com_content when you disable custom fields in `Articles --> Options --> Integration --> Select Yes in "Enable Custom Fields" option.`, these menus get disabled in both the main menu and the side menu of the component. the same also happens if you disable the com_fields component.
    • JDownloads has these menus and when i disable com_fields they disappear from the components side menu but not the JDownloads component menu. When i click on them while com_fields is off I get an error becasue the link no longer works correctly. This means that the componnent menus defined in the manifest are not dynamic but the ones defined in the presets (joomla.xml and modern.xml) are.
    • com_content side menus are controlled here: 
      [joomla]/administrator/components/com_content/helpers/content.php -->function addSubmenu()

       

  • You can only have 1 level of <submenu> when adding via manifest i.w. `Components --> QWDemoBar --> Products' (`Components --> <menu> --> <submenu>`)

Instructions for component extraction

These will work for Joomla core (with some issues) and 3rd party components with no issues.

  1. Create a target folder structure for extension
    [zip]/com_content/
[zip]/com_content/admin/
[zip]/com_content/admin/language/
[zip]/com_content/admin/language/en-GB/
[zip]/com_content/media/ 
[zip]/com_content/site/
[zip]/com_content/site/language/
[zip]/com_content/site/language/en-GB/
  2. Grab Files
    • copy [joomla]/administrator/language/en-GB/en-GB.com_content.ini to [zip]/com_content/admin/language/
    • copy [joomla]/administrator/language/en-GB/en-GB.com_content.sys.ini to [zip]/com_content/admin/language/
    • copy [joomla]/administrator/components/com_content/ to [zip]/com_content/admin/
    • copy [joomla]/media/com_content/ to [zip]/com_content/media/
    • copy [joomla]/language/en-GB/en-GB.com_content.ini to [zip]/com_content/site/language/
    • copy [joomla]/components/com_content/ to [zip]/com_content/site/
  3. Correct File Structure
    • move [zip]/com_content/admin/content.xml to [zip]/com_content/
  4. Add Database Files and manifest references if missing (This section applies only to some core components where they are missing)
    • create [zip]/com_content/admin/sql/
    • create [zip]/com_content/admin/sql/install.mysql.utf8.sql
    • create [zip]/com_content/admin/sql/uninstall.mysql.utf8.sql
    • create [zip]/com_content/admin/sql/updates/
    • create [zip]/com_content/admin/sql/1.0.0.sql with the content: 
      # Placeholder file for database changes for version 1.0.0
    • extract the installation SQL from [joomla]/installation/sql/mysql/joomla.sql
      • You will have to make a best guess about which SQL code to get and looking at the database with phpmyadmin will help.
      • Search for all #__content and this should show you all of the required tables, this should go in the install.mysql.utf8.sql
      • com_content the code you need is at lines 318 - 449
    • In the uninstall.mysql.utf8.sql add a drop statement for each of the tables you have just added to the install SQL code. (i.e. DROP TABLE IF EXISTS `#__content_categories`; )
    • Add the SQL references into the manifest file for install/uninstall
      [zip]/com_content/admin/content.xml
  5. Add Menu Links to the manifest (This section applies only to some core components where they are missing)
    • If you are extracting com_content add the following code immdiately after the <administration> tag or look at com_contact manifest file for examples of how to set your menu out:

      NB: the menu links below do not have index.php
      <menu link="option=com_com_content">MOD_MENU_COM_CONTENT</menu>
<submenu>
    <menu link="option=com_content">MOD_MENU_COM_CONTENT_ARTICLE_MANAGER</menu>
    <menu link="option=com_categories&amp;extension=com_content">MOD_MENU_COM_CONTENT_CATEGORY_MANAGER</menu>            
    <menu link="option=com_content&amp;view=featured">MOD_MENU_COM_CONTENT_FEATURED</menu>
    <menu link="option=com_fields&amp;context=com_content.article">MOD_MENU_FIELDS</menu>
    <menu link="option=com_fields&amp;view=groups&amp;context=com_content.article">MOD_MENU_FIELDS_GROUP</menu>            
</submenu>
    • Notes
      • `Add New Article` and `Add New Category` submenus cannot be re-created via the manifest menu creation. These are only shortcuts anyway so no functionality is lost.
      • The new <menu> and first <submenu> are the same. In the MOD_MENU the primary menu item is not a link
      • if you want to convert to a full separate extension you need to take the translations from the joomla.xml and add them in to your extension natively
  6. Correct Manifest File (You dont have to move the file for the installer to work - i dont thing, but you should for correctness)
    • After moving the manifest file you have to modify it to match new file/folder structure, in particular,
    • The manifest file itself does not need to be added in the <file> copy list because it will be copied automatically so remove it if the reference is present.
    • For com_content in <files folder="admin"> I removed <folder>elements</folder> because there was no matching folder in the admin filesystem. This must be a Joomla bug.
    • The method I would use is
      • Just open up for new component folder
      • Go into the site folder
      • and one by one make sure that the relevant commands to copy the files and folders in the site folder are present in the manifest.
      • Remember language files are dealt with seperately but the sql folder in admin must be copied.
      • Once done do the admin fodler
      • Lastly check the media folder reference
  7. Backup
    • You should backup your work before continuing
    • An example filename is: com_content - Extracted from J3.9.21 (All Native).zip
  8. Convert to normal extension (Some remedial work to finish up)
    • if you have extracted com_content you will need to rename the menu translations in the manifest as outlined below 
      MOD_MENU_COM_CONTENT --> COM_CONTENT : Ignore this line as COM_CONTENT already exists
MOD_MENU_COM_CONTENT_ARTICLE_MANAGER --> COM_CONTENT_ARTICLE_MANAGER
MOD_MENU_COM_CONTENT_CATEGORY_MANAGER --> COM_CONTENT_CATEGORY_MANAGER
MOD_MENU_COM_CONTENT_FEATURED --> COM_CONTENT_FEATURED_ARTICLES
MOD_MENU_FIELDS --> COM_CONTENT_FIELDS
MOD_MENU_FIELDS_GROUP --> COM_CONTENT_FIELD_GROUPS
      and then add the same translations as a block into the admin translations file [zip]/admin/language/en-GB/en-GB.com_content.sys.ini as show below. 
      ;Menu (previously handled by com_admin presets)
COM_CONTENT_ARTICLE_MANAGER="Articles"
COM_CONTENT_CATEGORY_MANAGER="Categories"
COM_CONTENT_FEATURED_ARTICLES="Featured Articles"
COM_CONTENT_FIELDS="Fields"
COM_CONTENT_FIELD_GROUPS="Field Groups"
      This is required to make the component a standalone verion of the core component.
    • (optional) add all missing information as per my boilerplate i.e. update server - The current manifest file will work but is not 100% complete
    • upgrade manifest file to my format (see boiler plate)
    • Add the following missing translations to admin/languages/en-GB/eb-GB.com_content.sys.ini 
      ;install/update/uninstall system
COM_CONTENT_NAME="Content (Component)" ;This might not be needed
COM_CONTENT_DESCRIPTION="A standalone verion of the Joomla core component, content."
    • (optional)(recommended) Install/Update/Uninstall Script File
      • Add manifest reference. This will also copy it into the admin section when installing the component or the root folder of the extention if not a component.
      • create file [zip]/com_content/script.php (core apps dont have this as it is not required for them) - this is just to make it like a normal extension 
        <!-- Script: Install, Update, Uninstall -->
<scriptfile>script.php</scriptfile>
      • add the following translations to admin/languages/en-GB/eb-GB.com_content.sys.ini 
        ; script.php (install/update/uninstall)
COM_CONTENT_INSTALL_TEXT="The component has been installed."
COM_CONTENT_UNINSTALL_TEXT="The component has been uninstalled."
COM_CONTENT_UPDATE_TEXT="The component has now been updated to version %s."

; script.php - Before Actions
COM_CONTENT_PREFLIGHT_DISCOVER_INSTALL_TEXT="Content preflight discover install script."
COM_CONTENT_PREFLIGHT_INSTALL_TEXT="Content preflight install script."
COM_CONTENT_PREFLIGHT_UNINSTALL_TEXT="Content preflight uninstall script."
COM_CONTENT_PREFLIGHT_UPDATE_TEXT="Content preflight update script."

; script.php - After Actions
COM_CONTENT_POSTFLIGHT_DISCOVER_INSTALL_TEXT="Content postflight discover install script."
COM_CONTENT_POSTFLIGHT_INSTALL_TEXT="Content postflight install script."
COM_CONTENT_POSTFLIGHT_UNINSTALL_TEXT="Content postflight uninstall script."
COM_CONTENT_POSTFLIGHT_UPDATE_TEXT="Content postflight update script."
    • (optional) add dummy css file
    • (optional) grab corresponding modules and plugins and make a package
    • zip/compress contents of [zip]/com_content/ to com_content - Extracted from J3.9.21 (Native Modified).zip

Renaming Extension / Refactoring Component

You cannot install the extension you have just made because it will break your joomla installation, so you must refector it to a new name such as com_qwhelloworld.

Make sure you have made another backup before proceededing example file name = com_content - Extracted from J3.9.21 (Native with manifest, script and translations upgraded).zip

Again these instructions will outlione how to refactor com_content to com_qwhelloworld.

I did an article Rename a Joomla plugin or create a second instance of it that might be of use.

Rename the following files:

You can also search for `content` with your favorite file search tool.

  • [zip]/content.xml --> qwhelloworld.xml + manifest reference
  • [zip]/admin/content.php --> qwhelloworld.php + manifest reference
  • [zip]/admin/en-GB/en-GB.com_content.sys --> en-GB.com_qwhelloworld.sys + manifest reference
  • [zip]/admin/en-GB/en-GB.com_content.ini -> en-GB.com_qwhelloworld.ini + manifest reference
  • [zip]/admin/helpers/content.php --> qwhelloworld.php
  • [zip]/admin/helpers/html/contentadministrator.php --> qwhelloworldadministrator.php
  • [zip]/site/content.php --> qwhelloworld.php + manifest reference
  • [zip]/site/en-GB/en-GB.com_content.ini -> en-GB.com_qwhelloworld.ini

Text Replacing

You have 2 ways of perfoming text replacing in your extension:

  • Use an IDE of your choice (Netbeans etc..)
  • Open all files with Notepad++

What i did

I did not just rename `Content -> QWHelloWorld`, because of the name of the component (com_content) there are a lot of similiar name functions using the word Content and those should not be changed.

Normally if you are doing a uniquely name extension this should not be an issue i.e. com_contact.

  1. com_contact --> com_qwhelloworld
  2. COM_CONTACT --> COM_QWHELLOWORLD
  3. Contact --> Qwhelloworld (Just ignore translations)

So I worked through the list below until I got too `Content -> QWHelloWorld`, again used the Find and replace option in Netbeans but this time I inspected every line/match that was found for issues and made notes of these, then now i performed `Content -> QWHelloWorld`so when the unwanted changed were made I could go through and correct only the errors becasue I had built up a list of changes to revert, This is how I got my corrections section.

Perform the following text renames

Now perform the following renames in the order they appear and they are case sensitive

  • Rename Extension
    • COM_QWHELLOWORLD="Articles" --> COM_QWHELLOWORLD="Qwhelloworld (Component)"
  • Database
    • #__content --> #__com_qwhelloworld
  • Functions
    • function content --> function qwhelloworld
  • Classes
    • JHelperQwhelloworld --> JHelperContent
  • File Reference
    • content.php --> qwhelloworld.php
  • Misc
    • contentadministrator --> qwhelloworldadministrator ??? not sure about this one, this might be a native joomla thing
  • General
    • com_content --> com_qwhelloworld
    • COM_CONTENT --> COM_QWHELLOWORLD
    • Content -> Qwhelloworld

Corrections

Now because of the name com_content which gives Content which in turn is not unique, you will find you need to do some corrections which I have outlined below. Please be aware this is not exhaustive as I might of missed stuff

  • Event Statements
    • onQWHelloWorldAfterSave --> onContentAfterSave
    • onQWHelloWorldPrepare --> onContentPrepare
    • onQWHelloWorldAfterTitle --> onContentAfterTitle
    • onQWHelloWorldBeforeDisplay --> onContentBeforeDisplay
    • onQWHelloWorldAfterDisplay --> onContentAfterDisplay 
    • beforeDisplayQWHelloWorld --> beforeDisplayContent
    • afterDisplayQWHelloWorld --> afterDisplayContent
    • Joomla 4 only
      • onQWHelloWorldBeforeChangeFeatured --> onContentBeforeChangeFeatured
      • onQWHelloWorldAfterChangeFeatured --> onContentAfterChangeFeatured
  • Functions
    • getQwhelloworldLanguages( --> getContentLanguages(
    • getQuickiconQwhelloworld( --> getQuickiconContent(
    • _buildQwhelloworldOrderBy( --> _buildContentOrderBy( ??? not sure about this one, maybe it needs leaving
  • Variable Names
  • JS
    • DOMQWHelloWorld --> DOMContent
  • Headers
  • Code Comments
    • // QWHelloWorld is generated  --> // Content is generated
    • Joomla 4 only
      • Joomla! QWHelloWorld Management System --> Joomla! Content Management System
  • DB Data
    • "type":"QWHelloWorld" --> "type":"Content" ??? not sure about this one
  • Translations
    • COM_QWHELLOWORLD_ARTICLE_CONTENT="QWHelloWorld" --> COM_QWHELLOWORLD_ARTICLE_CONTENT="Content"
    • QWHelloWorld Item Associations --> Content Item Associations
    • Table of QWHelloWorld --> Table of Contents
    • QWHelloWorld Settings -> Content Settings ??? not corrected this as I am not sure it needs changing
    • QWHelloWorld Dashboard --> Content Dashboard ??? not corrected this as I am not sure it needs changing
    • QWHelloWorld Filter Search --> Content Filter Search ??? not corrected this as I am not sure it needs changing

Corrections - com_content Table Management (JTable)

Because com_content is blended into the core we need to correct a few things so the correct table is found and used. This section should only be neded for com_content but this procedure can be adapted if needed.

Consider this code:

// I think calls the table instance for the component
$contentTable = JTable::getInstance('Qwhelloworld', 'JTable');

// controlling the Feature artciles which will help you work out what to change
// [zip]/admin/models/article.php
$table = $this->getTable('Featured', 'QwhelloworldTable');

// [zip]/admin/models/feature.php
public function getTable($type = 'Featured', $prefix = 'QwhelloworldTable', $config = array())

Instructions

  • Create missing JTable file
    • copy [zip]/admin/tables/featured.php --> [zip]/admin/tables/content.php
    • rename Featured to Content
    • alter '#__com_qwhelloworld_frontpage' --> '#__com_qwhelloworld'
    • alter 'content_id' is renamed to 'id'
    • in constructor rename  alter com_content --> com_qwhelloworld
  • examine [joomla]/libraries/src/Table/Content.php and you will see the construct class for Content
    • i do not know if i need all of this file, all of what is in the contructor here.
    • I will use all of what is in the constructor modified to the database style as shown in featured. i can always alter the remaing files ie.e com_conent to com_qwhelloworld later
    • the main thing to take from here is to see that 'content_id' is renamed to 'id'
  • We now have our table file created so now need to correct the JTable references
    NB: This is where I got upto and not further
    • These are examples of what you can try. Rememebr it is 'Qwhelloworld' that is the last text change to fix. 
      JTable::getInstance('Qwhelloworld', 'JTable'); --> JTable::getInstance('QwhelloworldContent', 'JTable')
getTable($type = 'Qwhelloworld', --> getTable($type = 'QwhelloworldContent',
    • https://docs.joomla.org/Using_the_JTable_class
    • https://docs.joomla.org/Creating_content_using_JTableContent
    • I dont think the class should be prefixed with JTable like in the core
    • I think 'Qwhelloworld' for JTable should be converted to 'QwhelloworldContent'

Install the Extension

Once you have done these changed you can see if you extension works and make any corrections as required. If there any unforseen issues try an fix them or you can just start again with your backup.

Most erros casued during the installation are probably caused by the manifest or files with the wrong names.

Joomla Debug is your friend

View the extension in site and admin for different errors to those during installation but this time with Joomla Debug on and you can then go through and fix the errors. I would also recommend making notes.

Make it reference extension (com_content)

This is for me really.

  • Add Files (referenced as needed in the manifest)
    • CSS file
    • CHANGELOG.md
    • LICENSE
    • README.md

Plugin, Module and Template Extraction

This is far simpler, just go to the relevant folder and zip the contents. You have now extracted your choosen extension.

Here are some example locations:

  • Plugin: [joomla]/plugins/content/qwhelloworld/
  • Module: [joomla]/modules/mod_qwhelloworld/
  • Template: [joomla]/templates/qwhelloworld/

 

Published in Extension Development
Read more...
Thursday, 21 November 2019 15:25

Add CSS and JS files to a Joomla Extension

These are my notes I made while researching this subject. There are many different ways to do the same thing.

Read this article first because it explains the different methods clearly: J3.x:Adding JavaScript and CSS to the page - Joomla!

Notes

  • For your extension CSS and JS files to be overriden in a template you must use JHtml::stylesheet() and JHtml::script(). These functions have extra code in them that checks the various locations for files that would be allowed to override your files, and if present they do. In the end these 2 functions load addScript() and addStyleSheet() appropriately just with a different URL.
  • As of Joomla 3.8, the majority of classes have been namespaced but with a fallback for when migrating to J4. So, you can still use JHtml::XXX, but the new approach is: 
    use Joomla\CMS\HTML\HTMLHelper;

HTMLHelper::_('script', 'path/to/file.js');
HTMLHelper::_('stylesheet', 'path/to/file.css');
  • Most of the Joomla core classes are all now in libraries/src.

Examples

Different Methods I have found. Some might be dated but at least you know I have seen the same things.

/* Add CSS and JS to the <head> */

// Method 1
$document = JFactory::getDocument();
$document->addStyleSheet( JUri::root() . 'modules/mod_helloworld/css/helloworld.css' );
$document->addScript( JUri::root() . 'modules/mod_helloworld/js/helloworld.js' );
$document->addStyleSheet( JURI::base()."components/com_jdownloads/assets/rating/css/ajaxvote.css", 'text/css', null, array() ); 
$modules->doc->addStyleSheet($url . '/modules/mod_easyblogticker/assets/styles/ticker-style.css');
$doc->addStyleSheet(JURI::base().'plugins/content/maogalleryview/css/maogalleryview.css', $type = 'text/css', $media = 'screen,projection');
$doc->addScript(JURI::base().'plugins/content/maogalleryview/js/slider.mini.js', 'text/javascript');

// Method 2
JFactory::getDocument()->addStyleSheet( ltrim($mtconf->get('relative_path_to_js'),'/') . 'jquery.typeahead.css');
JFactory::getDocument()->addScript( ltrim($mtconf->get('relative_path_to_js'),'/') . 'jquery.typeahead.min.js');

// Method 3 - This allows overriding
JHtml::stylesheet('mod_helloworld/css/helloworld.css', array(), true);
JHtml::script('mod_helloworld/js/helloworld.js', false, true);
JHtml::script('com_joomlaupdate/default.js', false, true, false);

/* Misc */

// Method 1 - I found this in a template default.php and have not tested it
echo JHtml::stylesheet('mod_mt_filter/mod_mt_filter.css',array(),true, false);

Use these in your extensions

// Add CSS and JS to the <head> - This method allows overriding
JHtml::stylesheet('mod_helloworld/css/helloworld.css', array(), true);
JHtml::script('mod_helloworld/js/helloworld.js', false, true);

References

Official Documentation

3rd Party Articles

 

Published in Joomla
Read more...
Sunday, 10 November 2019 10:25

Joomla Release System and Configuring an Update Server

NB: This document is not finished so if you are reading this please bear with me. Thes instructions are what i am using/will use for quantumwarp.com

The Joomla Update Enviroment Explained

This might of been done in the past but I want to explain in clear terms on how the Joomla Update Enviroment works, the implementations I have found and then how I implemented my own Joomla Update Server so i can get on with what I really wanted to do in the first place which is to develop joomla extensions. There is some documentation but no real practical gold standard setup where someone says do this, use this software. Akeeba Release System is what a lot of people use but this is a difficult program to master. At the bottom of this page you will see a whole raft of resources which i used to put this article together so if there is something I have missed you might find help in one of those links and then let me know. These instructions will serve as template for setting up your own Joomla Update Server from scratch, How to implement this in your extensions and will be what I use here on quantumwarp.com and my extensions. I might also use this for non-joomla extensions if possible.

This article will cover topics such as:

  • Overview of the Joomla Update Environment
  • Configure and update server on your website for your Joomla extensions.
  • Manage free and paid for extention updates.
  • Manage non-joomla updates
  • Setup your product pages witha good adapatable SEF structure
  • Publish your extensions to the JED

The Different Areas of the Joomla Update Environment

I will now break down the update enviroment into their different constituent parts that you might need. Your installation should do all or some of these depending on your configuration. Also you might have one piece of software do all of these or a combination of softwares acting as one. A Joomla Update Server can be a combination of the following items but a lot of people just think the server just hands out the XML update streams, end users dont, they expect the file aswell

  • Joomla Update Server
    • Joomla! XML extension update streams
      • XML file that informs Joomla of updates to the software that registered this stream in Joomla.
      • You can use two options for your server type; collection or extension.
      • The collection server type allows developers to define an extension's manifest to pull updates from a collection. This type of server can be used if the developer wants to define all of their extension's updates in a single file (not recommended) or if their extension has multiple sub-extensions which are not distributed or updated at the same time (such as a package extension type). Ideal if your extension is a package and you want to allow users to update the package components individually, also allows you to have different update XML files for different versions of Joomla.
      • The extension server type allows developers to define an extension's manifest to pull updates from a single extension's manifest. All collection manifests eventually point to this XML file. All updates in this file must be defined after an <updates> tag at the beginning of the file. The below example is the update definition for the Joomla! 3.9.6 release:
      • I have also seen where XML files still have the eupdate entires for olders version of the extension being downloaded.
      • Multiple servers can be defined within the <updateservers> tag.
      • Deploying an Update Server - Joomla! Documentation - This will explain in more detail about this file
    • JED Remote XML files
      • XML file for automatically updating an extension listing in the Joomla! Extensions Directory. This file is read every 24 hours by the JED. The information is not pushed to JED.
      • Setting up update streams · akeeba/release-system Wiki · GitHub - This is closest to official doucmentation for the JED update stream and information of the other stream types.
    • Master XML Update stream - This has a single XML that has the update streams for all of your extensions in one place. Not sure when to use this. Similiar to a Collection but different useage case.
    • Download Manager - JDownloads, PhocaDownload, Straight file download (not recommended)
    • Subscription Manager - PayPlans: Will have all of the license keys and payments for subscriptions. PayPlans might also offer its own update server for commerical apps.
  • Client Joomla Installation
    • Joomla Update Mechanism - This is the part of Joomla that handles getting the updates in your Joomla installation. The code is native to the platform.
    • Joomla Extension
      • Manifest XML - This hold all of your extensions configurations options. Either named updates.xml or named after the extension rsfirewall.xml, dont use any other name.
      • Defined Update Server - This setting must be configured in your extensions manifest XML file. It is possibel to list more than one update server in your XML file.
      • License key - This is needed if you need to authenticate the download rights of the license Key (optional)

Joomla Database Tables (Client) - What do they do?

These are the tables in the clients Joomla installation, not the update server.

  • jos_updates - This is the local cache for available updates. When you check for updates this table is populated with available updates and is probably why it sometimes seems slow to load after clicking the 'Find Updates' button, conversely when you empty the update cache by clicking on 'Clear Cache' this table gets emptied. You might not see all of them listed in the Joomla admin because some seem to be language specific and most people only use one language.
  • jos_update_sites - This table hold all of the register update streams which point to Joomla Update servers. these entries appear in the Joomla Admin Extension Update page (Admin --> Extensions --> Manage --> Update)
  • jos_update_sites_extensions - This table registers multiple extensions against a single update stream which allows multiple extensiosn to share a single update stream and a single update license when needed. i.e. RSFirewall might be a combination of a main component and separate plugins. The developer might want to only update the system plugin and not the component. these updates would appear as separate available updates in the joomla admin. This is particularily useful for joomla packages, why re-install everything if you only change one item. this saves bandwidth and things going wrong.

Methods for Commercial Extension Updates

So far I have discovered there are several methods so far for handling commercial software updating. These are an overview as there are probably different ways of implementing these.

  1. Standard update stream XML - Manipulated Update Stream
    • Use the function onInstallerBeforePackageDownload() to modify the URL of the download package in the udpate stream to added in host/hash/code to authorised the download.
    • This function runs everytime the update process is run and requires a seperate installer extension but this can also be part of the main extension. (RSFirewall)
    • This method was a way of sending API keys for Joomla versions less than 3.2 where the update streams needed to end in .xml , this now no longer a problem. It is also an alternative way to send host domain and other information but you could get the host information from the request header.
  2. Standard update stream XML - Update Stream With API Key
    • The API key is added into the update stream stored into the database when the API key is added in the extension. (EasyBlog)
    • This link (URL) which can be used with Joomla!'s "Install from URL" feature to install subscription-based extensions. (if multi domain installation allowed)
  3. Standard update stream XML - No download link
    • You can implement the Update Servers in a similar way to how Paid Extensions manage it - you can implement the Update Servers to inform the users about the available updates and display a message saying that the update is available through contacting them via your website. The key point here is to inform users about the updates - the decision to provide them automatically or not is your decision. This means the user has to login in to download the extension but can still be notified. The method does not need API keys etc..

You can use a different update stream for commercial and free extensions but you can potential use these methods to allow the supply of both types using the same update stream. The difference is just in the request, the commercial ones have extra variables being sent.

RSFirewall Commercial Extension Update Environment Example

NB: `jos_` is the fictional database prefix I am using.

In this worked example I follow how RSFirewall manages its licensing information. In particular this is an example of how the update url is manipulated upon 'update this extension' submission, this will make more sense after following this through.

Installing the extension and how the update server is registered in Joomla

  • After you install RSFirewall there will be a new entry added that has been added into the Joomla  Extension Update sites. This is the extension's update stream and has been read from the file rsfirewall.xml found in the root of the zip file you just used to install RSFirewall. The installation adds an entry into jos_update_sites to create this record.
  • After installation there will also be a record in jos_update_sites_extensions where the extension is registered against the update stream. In the case of RSFirewall there is only one entry becasue the developer manages the RSFirewall updates as a single extension.
  • The code in the rsfirewall.xml in particular that was used to add this Update Server is shown below. This is the Extension's Update Stream.
    <updateservers>
    <server type="extension" priority="1" name="RSFirewall!">https://www.rsjoomla.com/updates/com_rsfirewall/Component/com_rsfirewall.xml</server>
</updateservers>

What happens when you update this extension

I have not entered a license key as this is optional and because I am exploring this 'Shared XML/Manipulate Update Stream' method. i.e. you get a different version dependent on the license key or lack off. The different outcomes are explored later.

  • Goto (Admin --> Extensions --> Manage --> Update)
  • Click 'Find Updates'. Joomla will now dowload the com_update.xml file from RSJoomla. The code looks as shown below:
    <updates>
<update>
	<name>RSFirewall! 2.12.1</name>
	<description></description>
	<element>com_rsfirewall</element>
	<type>component</type>
	<folder></folder>
	<version>2.12.1</version>
	<infourl title="RSFirewall! 2.12.1">https://www.rsjoomla.com/support/documentation/rsfirewall-user-guide/changelog.html</infourl>
	<downloads>
		<downloadurl type="full" format="">https://www.rsjoomla.com/updates/com_rsfirewall/Component/com_rsfirewall.zip</downloadurl>
	</downloads>
	<tags>
		<tag>stable</tag>
	</tags>
	<maintainer>RSJoomla!</maintainer>
	<maintainerurl>https://www.rsjoomla.com/</maintainerurl>
	<section>Updates</section>
	<targetplatform name="joomla" version=".*" />
	<client>administrator</client>
</update>
</updates>
  • Joomla will parse the com_update.xml file, extract the latest version number and then compare this to the version number of installed RSFirewall extension to see if the one offered at RSJoomla is newer. When a new version is found you will see an entry like below shown in the Joomla admin
  • Joomla now checks to see if RSFirewall has registered any extra code to be run before the update package is downloaded. RSFirewall has, is in the file plugins/installer/rsfirewall/rsfirewall.php and is as follows :
    <?php
/**
* @package RSFirewall!
* @copyright (C) 2015 www.rsjoomla.com
* @license GPL, http://www.gnu.org/copyleft/gpl.html
*/

defined('_JEXEC') or die;

class plgInstallerRsfirewall extends JPlugin
{
	public function onInstallerBeforePackageDownload(&$url, &$headers)
	{
		$uri 	= JUri::getInstance($url);
		$parts 	= explode('/', $uri->getPath());
		
		if ($uri->getHost() == 'www.rsjoomla.com' && in_array('com_rsfirewall', $parts)) {
			if (!file_exists(JPATH_ADMINISTRATOR.'/components/com_rsfirewall/helpers/config.php')) {
				return;
			}
			
			if (!file_exists(JPATH_ADMINISTRATOR.'/components/com_rsfirewall/helpers/version.php')) {
				return;
			}
			
			// Load our config
			require_once JPATH_ADMINISTRATOR.'/components/com_rsfirewall/helpers/config.php';
			
			// Load our version
			require_once JPATH_ADMINISTRATOR.'/components/com_rsfirewall/helpers/version.php';
			
			// Load language
			JFactory::getLanguage()->load('plg_installer_rsfirewall');
			
			// Get the version
			$version = new RSFirewallVersion;
			
			// Get the update code
			$code = RSFirewallConfig::getInstance()->get('code');
			
			// No code added
			if (!strlen($code)) {
				JFactory::getApplication()->enqueueMessage(JText::_('PLG_INSTALLER_RSFIREWALL_MISSING_UPDATE_CODE'), 'warning');
				return;
			}
			
			// Code length is incorrect
			if (strlen($code) != 20) {
				JFactory::getApplication()->enqueueMessage(JText::_('PLG_INSTALLER_RSFIREWALL_INCORRECT_CODE'), 'warning');
				return;
			}
			
			// Compute the update hash			
			$uri->setVar('hash', md5($code.$version->key));
			$uri->setVar('domain', JUri::getInstance()->getHost());
			$uri->setVar('code', $code);
			$url = $uri->toString();
		}
	}
}
  • The class name plgInstallerRsFirewall indicates this is registered with the Joomla installer process and the extends JPlugin just means it can use Joomla functions related to plugins.
  • Once you understand what the function onInstallerBeforePackageDownload() does and why, it is quite useful. If you read the class name you can clearly see that this function (if exists for the respective extension) is run by Joomla before the download package is requested but after the update stream has been read out of the database. Remember the download package is the zip file defined in com_rsfirewall.xml, in this case:
    https://www.rsjoomla.com/updates/com_rsfirewall/Component/com_rsfirewall.zip
  • Reading the code of onInstallerBeforePackageDownload() I figured out that this function:
    • Is passed the download package URL which has been extracted from the update stream com_rsfirewall.xml earlier in the update process.
    • Loads various libraries and things from Joomla and RSFirewall (not going into that here)
    • It then checks if the license key is set. If it is not set then the code returns a warning saying no key set.
    • If there is a key, this code then checks to make sure it is the right length, if not returns an error message.
    • If the two tests above pass then the code builds some variables hash/domain/code and adds these to the download package URL as GET variables
    • This modfied URL is passed back
  • Joomla now grabs the download packge using the modified (or not) URL as if it was the original URL. The modified URL will look as follows: 
    "https://www.rsjoomla.com/updates/com_rsfirewall/Component/com_rsfirewall.zip?hash=f0588314d3680f6c15c71c7FF394129d&domain=localhost&code=xxxxxxxxxxxxxxxxxxxx"

    hash = a MD5 hash of the RSFirewall Version (local) and the license key
    domain = domain that RSFirewall is installed on
    code = license key

Notes on this process

  • Using onInstallerBeforePackageDownload() allows invisible manipulation of the update stream which facilitates:
    • Being able to check for updates without a license key. Clients can see how out of data their version is even if they dont have a valid key.
    • Being able to validate a subscription when a valid license key is installed and download a package if allowed.
    • This code can allow the sending of host and version information. This can be useful for statisictics for the vendor.
    • A single remote update stream (com_rsfirewall.xml) for both free and commercial software. It is only when you access the download URL specifed in the XML that the hash/domain/code supplied come into play.
    • This code might grab all download package and run the test on very URL to see if it is pointing at www.rsjoomla.com and has com_rsfirewall in the url.

Various Error Messages

The remote server responds with various error messages in text. I do not know if this is where Joomla gets the reponse messages, styles them as errors, and them displays them at the top of the updates page, it probably is, or if it is specific to RSFirewall becasue it has installed some extra code.

  • If you have the entered the wrong you get a failed message at the top of the update page 
    Failed to download package. Download it and install manually from https://www.rsjoomla.com/updates/com_rsfirewall/Component/com_rsfirewall.zip.
    The text response from the RSJoomla Update Server is "The update code was not found in our database."

  • if you click try and download directly from the download package URL. basic HTML (no body etc..)
    This extension cannot be downloaded directly; this is a commercial product and the only way to download it is either through your RSJoomla! account or automatically by Joomla! updates once you supply your license code in the extension's configuration.<br /> More info <a href='https://www.rsjoomla.com/support/documentation/general-faq/where-do-i-find-my-license-code-.html'>here</a>.

I found this code in action from RSFirewall by:

  • search for the error message that came up after I replace the update code with a dodgy one
    • Your update code appears to be incorrect. Please make sure you've copied it correctly.
  • which returned 
    PLG_INSTALLER_RSFIREWALL_INCORRECT_CODE="Your update code appears to be incorrect. Please make sure you've copied it correctly. <strong><a href="/_QQ_"https://www.rsjoomla.com/support/documentation/general-faq/where-do-i-find-my-license-code-.html"_QQ_" target="_QQ_"_blank"_QQ_">More information</a></strong>"
  • I then searched for 
    PLG_INSTALLER_RSFIREWALL_INCORRECT_CODE
  • which returned 
    D:\websites\htdocs\quantumwarp.com\plugins\installer\rsfirewall\rsfirewall.php
  • The function responsible is onInstallerBeforePackageDownload() is within plugins/installer/rsfirewall/rsfirewall.php, Not all extensions use this code and seems to of been added by a seperate exentions which is part of RSFirewall. If you want more information have a look in the RSFirewall Zip package.

 

 

Resources

These are articles that I have found that all relate to the Joomla Release System and will help me undertand how to implement and use it.

Official Documentation (JRS)

Other Documentation

Implementing Code Examples

  • Updating the update stream in the Database (Client)
    • How to add Joomla Updater to commercial component - So the purpose of this article is to explain to commercial extension developers how they can leverage the Joomla Updater in their components, but still limit updates only to customers who have a current subscription.
    • Joomla Update System requirement (From Scratch) | Smarty Blog - This article is written for those developers who face issues with update server requirements. Wont go deep into theory part but here is what I did to implement those features in my Free and paid extensions. i will cover some details that you wont find there.
  • Alter the update stream on the Update Server (Vendor)
    • Joomla Update System implementation for paid extensions - Digigreg -Implementing this feature for free extensions is very easy, instead Joomla Update System for paid extensions is a little bit complicated. As the official Joomla! site has not published a standard way to achieve this result, all developers use own method. This uses VirtueMart.
  • Add addtional data to #__update_sites_extensions (Client?/Vendor?)
  • Login with a Hash / API Key enabled downloads
    • How to Use a Hash in the URL to Authenticate Logins to a Joomla Website | itoctopus - This is a simple example to get me started
    • I might not need to login but rather construct database lookups to manually see if the user can download an update rather than relying on loging in and usr the native Joomla authorisation.
    • Suitable  code might be in Akeeba Subscriptions.
    • Create or Update a component to convert HASHes to login details. Does Joomla store all of a user's groups in one table?
    • I could hash the username with a secret key (not Joomla's becasue you could use the username to get the secret key) to make a hash and then this could be decodes to the user name and then could check what grousp the user belongs to, checks the clients domain, the required software and then provide the download if allowed.
    • Maybe a separate table with random keys against users
    • Make a separate helper plugin that works with Akeeba Release System
    • ARS does have a system similiar tot his but it is not verified agaist usergroups
    • ARS Download ID system warrants a look. It grabs the variables from the URL.
      • The answer to that question is the Download ID. The Download ID is an MD5 hash derived from a user's numeric ID,
        username, encrypted password and email address which uniquely identified the user to ARS. Appending the download
        URL with the dlid=download_id query string parameter will allow ARS to authenticate the user and, if he has
        access to the download, proceed with the download.

Release Systems

These are extensions that handle the XML and the actual download of the software. These systems dont have inbuilt subscription systems and the functionality varies.

Update Server (XML Only)

Create your XML files using a component rather than doing them manually.

Package Checking

This is related, you need to make sure your plugins are compliant with Joomla's coding practice including using 'Tabs' which I hate.

Update Notifiers

Again these are along the same line as this article, so where better to put them to complete the circle. These Joomla extensions will notfy you of updates to your Joomla installation and it's extensions with various options. The inbuilt Joomla update notification system plugin runs every couple of hours and is the first thing I turn off. When developing multiple websites you dont want mutiple emails from multiple websites weveryday telling you the same thing. The Joomla notification plugin only notfies you of a Joomla platform update and nto the extensions.

 

Current Work

List the basic mechanisim in my words

To Do list

  • update server (XML) for free ones: do i need to upgrade to modern standards? which component is good to go?, do i do this for free and paid?
  • subscription for paid extensions (and how this relates to nonppaid xml files)
  • product page: old versions displayed in a module, tabs, similiar to the joomla JED, should i use custom fields?
  • internal message system ie for kunena, can I refator the one already in joomla? is this message system present in joomla 4?
  • extension checker - needs updating
  • Should i use Akeeba Release system?
  • Should i use a combination of a Joomla article, JDownloads and a component to build the XML file
  • Using a component allows me to track the usage of my software.
  • Joomla uses Github RAW to serve its XML files
  • I could create the XML files manually
  • What SEF structure would i give to these different softawres, I have to consider I have joomla and non-joomla software that will use this system

My Update System

  • Potential names:  QWUpdateServer or QWUpdate  (but consider QWUpdateChecker) = camelcase the name and add QW at the beginning, no more than 2 words

com_updateserver Notes

  • update server has been archived.
  • outputted xml is all on one line
  • this only seem to create single XML file (i.e. master XML)
  • cannot use for non-joomla currently
  • not all fields are present
  • some fields are context sensitive (not a bad thing for joomla extensions, good for consistency)
  • an option to upload the file is there to be downloaded from the actually software
  • no option to manually put in your own url for the file

Update Server Options

  • Manually create XML files
    • Pro
      • Easy to do
      • Can handle Joomla and Non-Joomla easily
      • Repo Structure is easy to do
      • Free
    • Con
      • Cannot directly control download rates (could use JDownloads)
      • Cannot directly  log downloads (could use JDownloads)
      • Cannot apply subscriptions
  • Akeeba Release System
    • Pro
      • The component is already made
      • Free
      • Logs downloads
      • Basic dowload control
    • Con
      • Very difficult to use
      • Only made for Akeeba and not the end user.
      • Subscriptions are only available through Akeeba subscriptions
  • Update Server (by Igor Berdichevskiy)
    • Pro
      • Free
      • Easy to use
      • can control the repo layout with menus
    • Con
      • basic functionality
      • no longer updated
  • Make my own
    • Pro
      • Can make it handle only XML
      • I can add joomla usergroups
      • I control the software
      • Free
      • Can integrate it with JDownloads or other extension.
      • Can integrate with PayPlans.
    • Con
      • Will take time to make

Adding Subscription Integration

These are my basic notes I will use for reference:

Developing my own user authentication using a License Key in the update stream (added dynamically by onInstallerBeforePackageDownload() )

  • Use a hash to verify that the user exists and then load that user's object
    • The update stream request will have the key in it
      1. The key could be a secure hash of the username and 2 secret keys to prevent dercyption hash = md5($secretkey1.md5($secretkey2.md5($username)). This will allow simple verification.
      2. You can also have a table for my 'Update Component' that stores authorised domain information which will be check agast the request header.
    • The user has now been identified from the key
    • Without validation load the User Object
    • use the consequential 'Authenticated' user's usergroup rights to dowload assets, if permissions allow, download asset.
    • I am not sure how this will acutally play with jDownloads and ARS. An update stream error response is only text. Will ARS return this. JDownlaods and the relevant ARS Release must have the same usergroup configured for this to work otherwise the response might be from JDownloads mightbreak things?
  • Use a hash to verify that the user exists and then check the database for permissions
    • The update stream request will have the key in it
      1. The key could be a secure hash of the username and 2 secret keys to prevent dercyption hash = md5($secretkey1.md5($secretkey2.md5($username)). This will allow simple verification.
      2. You can also have a table for my 'Update Component' that stores authorised domain information which will be check agast the request header.
    • The user has now been identified from the key. The user is not be logged in.
    • get his usergroups he belongs to by loading them from the database directly.
    • validate he can download the requested asset by checking to see if he is a member of the correct group and response accordingly.

NB:

  • A license key generate by payplans would be better which would link to a particluar software/license from which this can then be checked either at payplans or by the groups the user belongs to
  • My component would have these 2 primary functions
    • A function to run through all users in a subscription group to make sure they have a unique ID. This can be used for automation.
    • A function to add an indiviual user with a unique ID. This will be used when a user is manually added.

Akeeba Modification Notes

  • Overrride a stream for QWcrm
  • Find out where the code is blocking me using XML for a Non-Joomla platform (add a bypass for the QWcrm) but make sure the JED and other streama are not affected.
  • I could modify the INI view to present an XML stream
  • Can I use the Download ID system for license keys?
  • Add another stream that is designed for QWcrm.

Building your own XML

  • https://docs.joomla.org/Deploying_an_Update_Server - The full spec for the update.xml is here and the documentation is easy to follow.
  • libraries/src/Updater/Update.php - The location for the Update class responsible for parsing the update.xml in Joomla 4.
  • libraries\src\Changelog\Changelog.php - The location for the Changelog class responsible for parsingthe changelog.xml in Joomla 4.
  • Different <targetplatform> version masks
    • version="3.[123456789]|10"
Published in Joomla
Read more...
Friday, 16 August 2019 16:27

cPanel - DNS Zone with SPF example

When you enable SPF either globally or on an indvidual cPanel account the default record uses a soft fail switch (~all) and this is not the best setting for prevent spam being sent from or on behalf of your server.

cPanel offers no options in WHM to change this default action, but there is a well known workaround which does seem to have official support and that is to alter the 'standard' Zone template.

If you do not know the syntax this will become a difficult thing to set up. So to make things easier below you will see the 'standard' Zone Template taken from cPanel v82.0.9 with the correct line added at the bottom for a 'Hard Fail' SPF record.

; cPanel %cpversion%
; Zone file for %domain%
$TTL %ttl%
@      %nsttl%	IN      SOA     %nameserver%. %rpemail%. (
		%serial%	; serial, todays date+todays
		3600		; refresh, seconds
		1800		; retry, seconds
		1209600		; expire, seconds
		86400 )		; minimum, seconds

%domain%. %nsttl% IN NS %nameserver%.
%domain%. %nsttl% IN NS %nameserver2%.
%domain%. %nsttl% IN NS %nameserver3%.
%domain%. %nsttl% IN NS %nameserver4%.

%nameserverentry%. IN A %nameservera%
%nameserverentry2%. IN A %nameservera2%
%nameserverentry3%. IN A %nameservera3%
%nameserverentry4%. IN A %nameservera4%

%domain%. IN A %ip%
%domain%. IN AAAA %ipv6%

%domain%. IN MX 0 %domain%.

mail IN CNAME %domain%.
www IN CNAME %domain%.
ftp IN CNAME %domain%.

%domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:%ip% -all"

This will generate a SPF record as follows:

v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx -all

Other Examples

%domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx +include:relaydns.com -all"
%domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx +include:%domain% -all"
%domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:%ip% +include:%domain% -all"
%domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:%ip% -all"

NB: Replace xxx.xxx.xxx.xxx with a real IPv4 IP

Notes

Published in cPanel
Read more...
Friday, 16 August 2019 15:42

cPanel - SFTP over SSH

Once you have got your server working, like most Windows users you want to be able to login to the root file system using your favourite FTP program so to that end there are a few hoops you have to jump through first.

Allow SSH Access

  • Host Access Control
    • Home »Security Center »Host Access Control
      • At the end of the ALLOW rules add the following
        • Daemon: sshd
        • Access List: [your IP]
        • Action: allow
        • Comment: My SSHD Allow rule
      • Click save
  • Firewall record

Remove SSH Access

  • Host Access Control
    • Home »Security Center »Host Access Control
    • Delete the information in the relevant row and click save. This will remove the record.
  • Firewall record
    • Home »Plugins »ConfigServer Security & Firewal »csf - ConfigServer Firewall » Firewall Allow IPs
    • Remove the line with your IP on it. It might be commented with 'Manually Added'
    • Click change
    • If prompted to reboot services then do so

Further Information

For reference this is the information I got from my support people while trying to fox this.

Your server is not IP restricted right now, with dynamic IP address we can not restrict server root access as every time your IP address changed you will need to contact us in order to allow new IP address.

Restricting server root access is completely different from server firewall, in order to restrict server root access we will need to add your static IP address for host access control, it can be done from WHM Home »Security Center »Host Access Control, here you will need to add entries like below,

sshd IP_from_which_you_want_to_access_server allow


Till the time you are using dynamic IP address [and root level restriction disabled], you can keep whitelisting IP address in firewall using option Home »Plugins »ConfigServer Security & Firewall

here you will just need to enter IP address just besides the button 'Quick allow'.


These might be the firewall rules added, but I don't know how they are entered.

  • filter ALLOWIN 1 14 786 ACCEPT all -- !lo * xxx.xxx.xxx.xxx 0.0.0.0/0
  • filter ALLOWOUT 1 10 635 ACCEPT all -- * !lo 0.0.0.0/0 xxx.xxx.xxx.xxx

Notes

Published in cPanel
Read more...
Friday, 16 August 2019 12:29

cPanel - enforcing secure URLs for Web Services causes redirect error

On my fresh cPanel server I configured the following settings to make things like cpanel.quantumwarp.com, webmail.quantumwarp.com require https, i.e. cPanel webservices access should be HTTPS enforced.

  • Home »Server Configuration »Tweak Settings »Redirection
    • Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” = On
    • Logout redirection URL = No Redirection

After I did this, I typed into my address bar cpanel.quantumwarp.com (note no protocol, which implies http://) I got the following error:

The page isn't redirecting properly

So  I contacted my server support people and got the following reply

We have tried to set the requiressl and always_redirect_to_ssl for the cPanel proxy domain like cpanel.quantumwarp.com in cPanel configuration, after setting up it cpanel.quantumwarp.com started redirecting to https://cpanel.quantumwarp.com but after that its started showing "Too Many Redirection" error.

Also we tried to force redirect the proxy subdomains to https in apache configuration but no success.
We have now forwarded it to cPanel support team and we will update you once we receive an update from them.

 And here is the response from the cPanel Team

We have received below response from cPanel support team.
=============
Thank you for your patience as I performed my investigation. The Apache headers module is not installed on your server:
-=-=-=-=-=-=-=-=-=-=-=
[19:11:24 xxxx root@88888888 ~]cPs# rpm -qa | grep mod_headers
[19:11:26 xxxx root@88888888 ~]cPs#
-=-=-=-=-=-=-=-=-=-=-=


The most common issue that occurs when the module is missing is infinite redirect loops when accessing service subdomains. However, it is likely the non-redirection issue is occurring due to the missing module.
==========

We have now installed the missing apache module and now below links are redirecting to https

Solution

Install mod_headers via EasyApache4

Published in cPanel
Read more...
Friday, 16 August 2019 10:00

cPanel Ciphers

The only difference to default is that I have restricted cpanel web services and webdisk by disabling TLSv1_1 (as pere zeros and one)

Default Ciphers for cPanel 82.0.9

  • I have used my fresh server install for this.
  • There might be slight differences becasue my server company might of used an old cPanel image.
  • This is a references list so if things stop working I can quickly revert back to defaults
  • These settings as they are score an A on SSL labs

Apache

  • Home »Service Configuration »Apache Configuration »Global Configuration » SSL Cipher Suite
    • Default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    • Custom: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    • Default and custom are the same
  • Home »Service Configuration »Apache Configuration »Global Configuration » SSL/TLS Protocols
    • Default: TLSv1.2
    • Default: TLSv1.2
    • Default and custom are the same

cPanel Web Disk

  • Home »Service Configuration »cPanel Web Disk Configuration»TLS/SSL Cipher Suite
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
  • Home »Service Configuration »cPanel Web Disk Configuration»TLS/SSL Protocols
    • cPanel pre-installed: !SSLv23:!SSLv2:!SSLv3:!TLSv1

cPanel Web Services (cpanel/whm sub-domains etc..)

  • Home »Service Configuration »cPanel Web Services Configuration»TLS/SSL Cipher List
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
  • Home »Service Configuration »cPanel Web Services Configuration»TLS/SSL Protocols
    • cPanel pre-installed: SSLv23:!SSLv2:!SSLv3

Exim/Email

  • Home »Service Configuration »Exim Configuration Manager »Options for OpenSSL
    • Default: +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
    • if the custom is the same as the default then the server selects default
  • Home »Service Configuration »Exim Configuration Manager »SSL/TLS Cipher Suite List
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

FTP

  • Home »Service Configuration »FTP Server Configuration »TLS Encryption Support
    • Default: Optional
    • Custom: Required (Command/Data)
  • Home »Service Configuration »FTP Server Configuration »TLS Cipher Suite
    • Default: HIGH
  • Home »Service Configuration »FTP Server Selection
    • Default: Pure-FTPD

Mailserver (Dovecot?)

  • Home »Service Configuration »Mailserver Configuration »Allow Plaintext Authentication (from remote clients)
    • Default: Yes
  • Home »Service Configuration »Mailserver Configuration »SSL Cipher List
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  • Home »Service Configuration »Mailserver Configuration »SSL Minimum Protocol
    • cPanel pre-installed: TLSv1.2

My Changes for a more secure server

These are the current changes I have made. The rest of the relevant cipher settings are left as default

cPanel Web Disk

  • Home »Service Configuration »cPanel Web Disk Configuration»TLS/SSL Protocols
    • zerosandones.co.uk: !SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11

cPanel Web Services (cpanel/whm sub-domains etc..)

  • Home »Service Configuration »cPanel Web Services Configuration»TLS/SSL Protocols
    • Zerosandones.co.uk: SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11

Mailserver (Dovecot?)

  • Home »Service Configuration »Mailserver Configuration »Allow Plaintext Authentication (from remote clients)
    • Default: No

Notes

Published in cPanel
Read more...
Page 9 of 95