You are here:Home»KB»Web Server»CWP Full setup in VirtualBox on Windows behind a NAT
Tuesday, 22 June 2021 06:55

CWP Full setup in VirtualBox on Windows behind a NAT

Written by

These instructions are for CWPpro but will work for the most part with the free version of Control Web Panel. For the yearly cost of the Pro version it is worth paying the $12 and trying the full software out from the start. This will also support the project.

For reference I used:

  • CentOS-7-x86_64-Minimal-2009
  • CWPpro v0.9.8.1074
  • VirtualBox v6.1.22-144080

Following these instructions will take around 5 Hours to complete and this assumes you have built your Windows 10 Pro PC.

I do not cover every aspect because I am not a professional but this should be a good baseline. But what it does cover is:

  • Setting up a Windows 10 Pro PC (not extensively).
  • Setting up a Oracle VirtualBoc Virtual Machine instance with all of the correct settings.
  • Setting up of CWP and all of those settings that most people want.
  • Configuring your local network with OpenWRT

Just follow the guide through from beginning to end and everything will work. I built the guide as I figured things out.

Prerequisites

It is easier to get these things together before you start.

 

Setup Windows 10 Pro PC

You can use your own Virtual Machine server if you have one. My preference is VirtualBox because it is free but VMWare should do just fine.

Check your RAID

Not everyone will use a RAID, but should. A few simple checks to make sure everything is correct is a good idea.

The information below is for standard RAIDs found on Desktop PCs and not ones on ZFS or anything funky like that.

  1. If you are using SSDs on your RAID check to make sure your RAID has presented the RAID as an SSD otherwise you might burnout your drives quicker. This should only be an issue on old RAIDS pre-SSD.
  2. Check your hardware RAID is recognise as 1 drive in Disk Management so you know you have configured it correctly.
  3. Install any RAID specific drivers/utilities that came with your motherboard or RAID card so you can do proper monitoring of the drives hardware.
  4. Configure and RAID utilities to send you email alerts.
  5. When SSDs are used in a RAID:
    • the 'Scheduled Optimisation' should be disabled (if not already) because you cannot trim a RAID as it is made up of more than one drive, and these commands are direct drive commands. Newer RAIDs will have this feature built into their utilities which can see the drives independantly and can make the appropriate adjustments.
    • 'Scheduled Optimisation' is found in the Windows defrag utility and this is where I can check these settings.
  6. Standard drives in a RAID can be defragged as normal because the commands will be handled correctly.

Create a VirtualBox VM

These are my settings for VirtualBox but you might want to modify them slightly which will be fine.

If a setting is not mentioned or is crossed out below, leave it as default.

Using the wizard create your VM with the following settings

Using the Guided or expert mode will give the same outcome.

  • Name and Operating System
    • Name: CWP
    • Machine Folder: C:\Users\{user}\VirtualBox VMs
    • Type: Linux
    • Version: Red Hat (64-bit)
  • Memory size: 4096MB
  • Hard Disk
    • Create a new virtual disk now
    • VDI (Virtual Disk Image)
    • Fixed Size
    • File location and size
      • 50GB
      • C:\Users\{user}\VirtualBox VMs\CWP\CWP.vdi
      • This will create a file that is 50GB so will add 50GB of wear to your SSD. But don’t worry this is ok and expected and is a one time deal.

 

Edit new VM Machine settings

There is currently a bug with rebooting a VM when running in EFI mode with more than 1 CPU. See notes below.

 

CWP/CentOS works with each type of VirtualBox Start Up. You should look into which one suits you best.

I use Normal until everything is setup and then use Headless when it goes into production.

We now need to finish configuring the VM so it performs better with CentOS Linux.

  • Only change settings mentioned, the rest should be left as default
  • General --> Description
  • Control Web Panel
  • System --> Motherboard --> Boot Order
  • Optical
  • Hard Disk
  • Eject ISO after OS setup
  • System --> Motherboard --> Chipset
  • System --> Motherboard --> Enable EFI
  • System --> Motherboard --> Hardware Clock in UTC Time = off. This keeps the time the same as the Host
  • System --> Motherboard --> Processors --> 2 CPUs (My Host has 6 cores)
  • System --> Acceleration --> Paravirtualization Interface --> KVM
  • System --> Acceleration --> VT-x/AMD-V --> Enabled (If present)
  • Display
    • Video Memory: 64MB (Default: 16mb / VMSVGA)
    • Graphics Controller: VBoxSVGA + no 3D acceleration
    • Enable 3D Acceleration: yes
  • Storage
    • SATA Controller
      • Name: SATA
      • Type: AHCI
      • Port Count: 2
      • Use Host I/O Cache: off
    • HDD/SSD
      • Solid-state Drive: Yes if you are using SSD
      • Hot-pluggable: off, leave this off
    • Add optical Drive to the SATA controller with the following:
      • Live CD/DVD: no
      • Hot-Pluggable: no
    • Remove the IDE Controller
    • NetworkAdapter 1
      • EnabledAttached to: Bridged Adapter
      • Promiscuous Mode: Deny

Notes

 

Install CentOS (Minimal)

I will install CentOS using EFI but pay attention to the reset bug

CentOS 7 (Minimal) is the recommended version of the OS to use when installing CWP. It should be also noted there is no uninstaller but you should never need one.

  • Read the Official Installation Instructions
  • Mount CentOS-7-x86_64-Minimal-2009.iso in the optical drive
  • Set the Optical drive to boot first. (for EFI bios this is currently ignored)
  • Power on the VM
  • If UEFI Interactive Shell appear instead of the CentOS DVD booting then follow the instructions below, else skip this section. This is a VirtualBox Bug.
    • Let the timeout finish or press Esc (both end up at the same place)
    • Type exit (and press return)
    • Select Boot Manager

    • Select UEFI VBOX CD-ROM VB1-1a2b3c4d
      • CentOS option does not work
      • This loads EFI/BOOT/BOOTX64.EFI
    • CentOS DVD will now boot
  • Select Install CentOS 7

  • Set your language and click `Continue`

    • The keyboard layout will change to your localization.
  • Installation Summary should now be shown:

    • Configure 'Installation Destination'

      • This needs to be set manually.
      • Go in and select the disk and leave everything on auto unless you want something different
      • Installation Destination: Just click into it and check the information. Do not change anything. Click `Done`
    • Configure 'Network and Host Name'

      • Configure Ethernet (enp0s3)Enable Ethernet (enp0s3)

        • General --> Automatically connect to this network when it is available: yes
        • General --> All users may connect to this network: yes
        • IPv4 Settings --> Method: Manual
        • IPv4 Settings --> Addresses --> Add
          • Address: 192.168.1.11
          • Netmask: 255.255.255.0
          • Gateway: 192.168.1.1
        • IPv4 Settings --> DNS servers: 192.168.1.1
        • IPv4 Settings --> Require IPv4 addressing for this connection to complete: Yes
        • IPv6 Settings --> Method: Ignore
        • Click `Save`
      • Enable Ethernet (enp0s3) (if not already)
      • Set Host name
        • Host name server.mydomain.com
        • Click `Apply`
      • Check setting are correct in the summary.
      • Click `Done`
    • All settings should now be correct.
    • Click `Begin Installation`
    • CentOS will now install the required files
    • Set a Root Password (Once the file installation has completed)

      You will now see
      • Do not create a user account here, we will do that later.
  • Click 'Finish Configuration' (CentOS is now sucessfully installed, but some configuration still needs to be done)

    You will now see
  • Click `Reboot`
  • CentOS Automatically ejects the DVD so you dont have to do anything
  • Remove the CentOS DVD
    • it might have already been ejected by CentOS installer
    • Login with your root credentials
    • enter the command shutdown (this will power CentOS off)
    • Eject the CentOS-7-x86_64-Minimal-2009.iso from the VM
    • Change the boot order by deselecting the Optical drive is no longer a boot device.
    • Power up the VM
  • The VM will now reboot
  • Login with your root credentials when the terminal appears
  • Configure the network card with the static IP you have selected for CWP (if not already done in the CentOS wizard)
    • use `NetworkManager Text User Interface`
      • Command 
        nmtui

or 

nmtui edit enp0s3 (might work)
      • IPv4 Configuratioin
        • Addresses: 192.168.1.11/24 (or 192.168.1.11)
        • Gateway: 192.168.1.1
        • DNS Servers 192.168.1.1
      • Search domains: leave empty
      • Routing: No custom routes
      • Never use this network for default route: leave unticked
      • Ignore automatically obtained routes: leave unticked
      • Ignore automatically obtained DNS parameters: leave unticked
      • Ignore IPv6 Configuration: Ignore
      • Automatically connect: Yes
      • Available to all users: Yes
    • Goto the command prompt
  • Setup Hostname (server.mydomain.com) (if not already done in the CentOS wizard)
    • Use either the nmtui utility or type the following into the terminal
      hostname server.mydomain.com
    • Default is localhost.localdomain

  • Preparing Server
    • Install required packages for CWP installation: 
      yum -y install wget
    • Update your server to the latest version (might take a while)
      yum -y update
    • Reboot the server
      reboot

Notes

 

Install CWP

Now your VM has CentOS insatlled we can proceed and install CWP.

CWP installer can run more than 30 minutes because it needs to compile Apache and php from source but might be a lot quicker on modern PCs.

  • Boot the VM to the CentOS terminal prompt or (optionally) this is a good time to start using PuTTY if you know what you are doing so you can copy and paste from the terminal.
    • You can use the local IP 192.168.1.11 and port 22
  • Login with root
  • Run the commands (the last one might take a while)
    cd /usr/local/src
wget http://centos-webpanel.com/cwp-el7-latest
sh cwp-el7-latest -restart yes --phpfpm 7.4
    The --phpfpm 7.4 switch did not work for me.
  • When the installer is finished, you will see your credentials displayed, copy them down safely. 
    #############################
#      CWP Installed        #
#############################

Go to CentOS WebPanel Admin GUI at http://SERVER_IP:2030/

http://13.13.13.13:2030
SSL: https://13.13.13.13:2031
---------------------
Username: root
Password: ssh server root password
MySQL root Password: xxxxxxxxxxxx

#########################################################
          CentOS Web Panel MailServer Installer
#########################################################
SSL Cert name (hostname): server.mydomain.com
SSL Cert file location /etc/pki/tls/ private|certs
#########################################################

Visit for help: www.centos-webpanel.com
Write down login details and press ENTER for server reboot!
Please reboot the server!
Reboot command: shutdown -r now
  • Reboot the server as requested
    shutdown -r now

Notes

Create Primary Domain User Account

Although you don't have to create an account for the Primary Domain on the server for it to work, it makes sense too unless you have a reason otherwise.

  • User Accounts --> New Account
  • Domain: mydomain.com
  • Username: mydomain
  • Package: default (we will change this later)
  • Reseller: Ticked
  • Leave the rest of the settings as they are

Configure CWP (Preliminary – Error Messages)

Now that CWP is installed we need to configure it

  • Log in to your CWP cpanel using the link provided by the installer on your server. You will need to use FireFox to get past the SSL issues.
    Control WebPanel Admin GUI at: http://13.13.13.13:2030/ or https://13.13.13.13:2031/
    • The local IP 192.168.1.11 will work if these don't at the minute
  • Username: root
  • Password: YOUR_ROOT_PASSWORD

Ypu will now see some errors as shown in the picture below (or similiar)

  • CWP Settings --> Edit Settings
    • (WARNING! Your root Email address for notifications isn't set.) (WARNING! Possible NAT networking detected, Please check the following settings.)
    • Shared IP: should be your public IP and does not need changing. (13.13.13.13)
    • Apache port: should be 80 and does not need changing
    • Set Admin email: no-reply@quantumwarp.com
      Forward server system emails: yes (for now)
    • CSF/LFD Alerts: no-reply@quantumwarp.com (for now)
    • NAT Local IP: should be 192.168.1.11 (what you set on the network in CentOS earlier)
      (If you see multiple IPs in the drop down see the notes below)
      Activate NAT-ed network configuration: Yes
      Read instructions by clicking the link
    • Default DNS Zone template, leave as default.tpl
    • CWP Updates: leave as Stable
    • Rebuild vHosts: yes
    • GoAccess Stats: Leave ticked (not sure why this setting is here)
    • Save changes
    • WebServer Settings --> Select Webservers --> Save & Rebuild Configuration (dont change anything on this page yet)
  • Enable Firewall
    • (CSF/LFD Firewall is NOT enabled on your server, click here to enable it.)
    • Security --> Firewall Manger
    • Enable Firewall (button at top)
  • Change SSH port for security
    • (on the Service and Firewall) (WARNING: Security vulnerability! Your server is using default SSH Port 22, to make your server more secure change SSH port in config file /etc/ssh/sshd_config and in CSF firewall !)
    • You dont have to do this if you are behind a NAT and you are never going to present SSH to the internet, but it is still recommended.
    • SSH Server
      • Services --> SSH Configuration
      • Change `#Port` --> `Port 8128`
      • Click Save
      • Goto Dashboard
      • Restart SSH Server
      • Click on SSH Server Status button to check it is now on the new port
    • CSF Firewall
      • Security --> CSF Firewall --> Firewall Configuration
      • Add the port 8128 to the end of the values + remove port 22:
        • # Allow incoming TCP ports
        • # Allow outgoing TCP ports
      • Save Changes
      • Security --> Firewall Manager
      • Restart the Firewall
      • Test SSH (with PuTTY)
    • Enable Mod Security
      • (Mod Security is NOT enabled on your server, click here to enable it.)
      • Security --> Mod Security
      • Click ‘Install Mod Security now’ button
      • Enable Comodo WAF rules (if not already) (are OSWASP better?)
      • Make sure Process the rules is selected
      • Click `Save Configurations` just to make sure.
      • Restart Apache Webserver: The button is at the top right.
    • Fix the following error shown on the page `Server Settings --> Change Hostname`
      Your Hostname is: server.mydomain.com and it resolves to IP: (ERROR: You don't have a valid hostname set!)
      • DNS Functions --> List DNS Zones --> mydomain.com.db --> Edit Records
      • Add a new record
        • Record Name: server
        • TTL: 14400
        • Direction IPv4 address: 13.13.13.13 (your public IP)
      • Goto the top right of the page and you will see the 'Info' box
      • Restart BIND DNS Server
      • Some times you have to wait and Flush your DNS on your PC as the domain did not immediately come on.
      • When it did not work straight away I deleted it and then added another subdomain to see if that worked and it did, i then added the server subdomain afain and it worked. (restarted BIND inbetween change)
      • Manage Hostname in CentOS Web Panel | Hostwinds
      • CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6 - This covers the server nameserver and hostname DNS, not very clear but it is the issue I am having and go through a bunch of things (if needed)
    • Hidden Processes – Security Issue (Hide system processes from users - Control WebPanel Wiki) (Hide all processes if not owned by the user is NOT activated on your server, click here to enable it.)
      • This requires at least one account to be setup and the error be resolved.
      • Security --> Secure Processes
      • Click ‘Enable Protection’
      • Test the protection is working
    • Reboot server
      • Server Settings --> Reboot Server --> Reboot Server Now

Notes

Configure CWP (in-depth)

In this section we will complete the setup of CWP now we have got rid of the errors.

Hostname

  • Refresh the Hostname
    • (Server Settings --> Change Hostname)
    • Keep all the settings the same and just click 'Change Hostname'
    • This will:
      • Refresh/Create all of the relevant settings
      • Trigger SSL creation
      • Generate the DNS zone for the server (i.e. server.mydomain.com.db). This is not created during the intial setup, either by design or is a bug.

Notes

  • No SSL on the servers hostname
    • This could be caused by the server no yet having polling Letsencrypt yet
    • Fixes (assumes hostname settings are correct)
      1. Access https://server.mydomain.com:2031/ which should trigger a lookup
      2. Refresh Hostname: Server Settings --> Change Hostname --> Change Hostname (this will not change anything but trigger lookups if needed)
  • Cannot Access Cpanel via hostname
    • You need to make sure that you have set up port forwarding.
    • If you are trying to access via the server hostname and you are local, then you need to make sure that the forwarding rules have NAT Loopback enabled (otherwise you will go made). I modified my rules so for these admin panels that NAT Loopback happens but the panels are not accessibly from the internet.
  • Changing Hostname (If you need to change your hostname in the future becasue CWP does not handle the removal of the old server name)
    • Use the process above
    • Delete the old DNS zone manually for the old hostname.
    • Make sure the server's name is not defined as a subdomain in your Primary Domain User Account DNS Zone.
    • Don't forget that the old name might still be cached in other places because of TTL so it might still ping for a while. If you are still setting up you could just power all of your equipment down to speed things up.
    • Delete DKIM entries in:
      • /etc/opendkim/TrustedHosts
      • /etc/opendkim/SigningTable
      • /etc/opendkim/KeyTable
      • /etc/opendkim/userkeys/[old server domain folder]

Nameservers

For this you need a real domain (mydomain.com) and your public static Ip (13.13.13.13) from earlier.

  • Register Nameservers at a registrar
    • Login to your account at the registrar for your domain
    • Register the following Child Name Servers under your domain:
      Child Name Servers are Name Servers which are registered under your Domain Name.
      Once registered, you can use these Child Name Servers in turn as Name Servers for registering other Domain Names
      • ns1.mydomain.com 13.13.13.13
      • ns2.mydomain.com 13.13.13.13
      • It is correct to have the same IP twice (for most people)
      • Now you might have to also register these as Parent Name Servers aswell under domains account.
  • Change CWP Name Servers
    • DNS Functions --> Edit Nameservers IPs
    • Changes name servers to:
      • Name Server 1: ns1.mydomain 13.13.13.13
      • Name Server 2: ns2.mydomain 13.13.13.13
    • Keep Options ‘Update DNS zone file’ and ‘Restart DNS Server’ ticked
    • Save changes
    • Dashboard --> Service Status --> BIND DNS Server --> Restart
    • Server Settings --> Reboot Server --> Reboot Server Now
    • Reboot your router (this is important to get rid of improper routing it might have stored)

Notes

  • The domain resolution test done when you save the nameservers, I think, is done by CWP servers (ie external to your internal server).
  • If you get the error: 
    ns1.mydomain.com resolves to ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> A ns1.mydomain +short @8.8.8.8 ;; global options: +cmd ;; connection timed out; no servers could be reached 
ns2.mydomain.com resolves to


    This is cause by one or both of these:

      1. The Nameservers DNS update has not propagated yet.
      2. The DNS port 53 is not open or properly forwarded on your NAT router.
  • If you get the error Nameserver is not authoritative when checking mydomain.com on leafdns then this is probably because you have not setup a hosting account to match your servers primary domain (mydomain.com).
  • How To setup Name servers
  • Original Nameservers for reference 
    ns1.centos-webpanel.com resolves to 54.36.136.192
ns2.centos-webpanel.com resolves to 198.27.104.41 

ns1.centos-webpanel.com 127.0.0.1
ns2.centos-webpanel.com 127.0.0.1

Correct DNS Zone on Primary Domain User Account

Now that the name servers have been changed, the Primary user account needs to be updated to reflect the change

  • (DNS Functions --> List DNS Zones --> mydomain.com.db --> Edit Records)
  • Change the following (text replace, might be in many records) (edit file is quicker)
    • The RNAME on your primary account should be postmaster.mydomain.com
      • the RNAME is an email address where the `@` is swapped with a `.`
      • I do not have an address postmaster@mydomain.com but when i rebuilt the Zone it uses the email from the mydomain.com user account.
    • centos-webpanel.com --> mydomain.com

Notes

  • Do not rebuild the zone, this will wipe out many Zone records
  • The primary user account some records in it that will not be re-added by rebuilding the domain so would need adding manually. 
    server 14400 IN A 31.125.252.137

ns1.mydomain.com. 14400 IN A 31.125.252.137

ns2.mydomain.com. 14400 IN A 31.125.252.137
  • I am not 100% the nameserver A records becasue the ns1.mydomain.com and ns2. mydomain.com have their own record files (ns1.mydomain.com.db / ns2.mydomain.com.db)
  • smtp, pop, pop3, imap, webmail, cpanel, cwp subdomains are missing, DKIM is not setup properly and the SPF record is missing.
  • See forum questions below for a full text comparison of an account before and after a rebuild.
  • Only the records that were created before changing your name server are corrupted.

Set rDNS and PTR

These must be changed at your ISP or IP provider. These records allow your server domain to be worked out from the IP address.

A good rDNS is better for your server reputation and will allow more successful delvery of email.

Plusnet/BT/UK ISPs: By default thier IPs from ISP are on the Spamhaus 'Policy Block List' because it should not be sending emails. So you might need to contact your ISP to have the Ip removed from the list. I did manage to remove myself from the SPAMHaus PBL list byt looking up my IP and then expanding the message at the bottom, fill in the required information and soon after I was removed for the list. This might not be the case for all ISPs.

Port Forwarding

CentOS Mostly Used Ports - Control WebPanel Wiki

  • Only open the ports you require.
  • These are the ports I have forwarded to allow the basic functionality of the server on the internet but keeps all admin functions (such as control panel) restricted to my local network. You dont even need the email ones if you are not running email and some people dont use Port 25 as standard
    • 25 - SMTP/EMAIL
    • 26 - SMTP (this port is not enabled in the firewall by default)
    • 53 - BIND/DNS
    • 80 - HTTP / Apache Web server
    • 110 - POP3/EMAIL
    • 143 - IMAP
    • 443 - HTTPS / Apache Web server SSL
    • 465 - SMTP/EMAIL SSL/TLS
    • 993 - IMAP/EMAIL SSL
    • 995 - POP3/EMAIL SSL
    • 2030 - CWP Admin
    • 2031 - CWP Admin SSL
    • 2082 - CWP User Panel
    • 2083 - CWP User Panel SSL
    • 2086 - CWP Admin (same as 2030)
    • 2087 - CWP Admin SSL (same as 2031)

 

  • OpenWRT Router Port Forwarding including Local Access
    • OpenWRT Port Forward Rules
      I use a seperate rule for local traffic because you want all ports available on your server to the local network for admin purposes but only the specified ones present to the internet. All ports are available via 192.168.1.0/24 anyway, but we want to use server.mydomain.com locally.

      You need to create the Local Traffic Rule once but a Standard Port Forward Rule for each port you want to forward to the interent.

      • Local Traffic Rule
        • Name: CWP (All Ports / LAN Only)
        • Protocol: TCP+UDP
        • Source Zone: wan/wan6
        • Source MAC Address:
        • Source IP address: 192.168.1.0/24 (this is an IP range)
        • Source port:
        • External IP address: 13.13.13.13
        • External port:
        • Internal zone: lan
        • Internal IP address: 192.168.1.11
        • Internal port:
        • Enable NAT Loopback: Ticked
        • Extra arguments:
      • Standard Port Forward Rule (change the port numbers for the required port)
        • Name: CWP (BIND/DNS)
        • Protocol: TCP+UDP
        • Source Zone: wan/wan6
        • Source MAC Address:
        • Source IP address:
        • Source port:
        • External IP address: 13.13.13.13
        • External port: 53
        • Internal zone: lan
        • Internal IP address: 192.168.1.11
        • Internal port: 53
        • Enable NAT Loopback: NOT ticked
        • Extra arguments:

Notes

  • OpenWRT
    • How to configure totally open DMZ with OpenWRT? - Server Fault - The easy way. Do not leave this on as it is just for testing. This method also routes all local traffic to the to the CWP server without using the Hostnames method below.
      • If you have another rule for Portforwarding you can use this method to allow specific IP address locally to use you server nd keep the DMZ for external traffic only except for a specified IP by add this addition rule. Basically create rule using the above but then edit the rule and specify the following:
        • External IP address: 13.13.13.13
        • The CWP server needs to be connected to the outside world properly for this to work as your laptop will do DNS lookups starting at your authorative DNS servers at your registrar.
    • Network --> Hostnames - This can be used to tell OpenWRT to route all internal calls to a domain to a local address. This is not the same as DMZ. This will allow you to use CWP without it being on the internet or using the hosts trick. This causes the loading of the website to be slow becasue of this extra routing, this might also just also be my low power router.
    • I removed NAT Loopback from the standard port forward rules. This will reduce the CPU overhead by a little and when I disable the (All Ports/LAN Only) rule then all ports locally routed will stop working preventing confusion.
    • If the rules dont behave as expected and you have double checked them, you should restart all network kit so you flush all of their DNS and prebuilt traffic routes.
    • OpenWRT, once a route is established that route will have a TTL similiar to DNS.
    • FlushDNS can be used on your PC but will not change IP routing on other devices.
  • NAT Loopback
    • NAT loopback enables a user on the trusted or optional networks to connect to a public server with the public IP address or domain name of the server, if the server is on the same physical OpenWRT network.
    • Disable NAT loopback for guest network - Network and Wireless Configuration - OpenWrt Forum - You can use hostnames for local routing. I found this to be slow and you might nto add an entry for every subdomain.
    • iptables - How does NAT reflection (NAT loopback) work? - Unix & Linux Stack Exchange - in-depth explanation
    • My notes: NAT loopback is where the router inspects the target IP of the request/packet and if it sees that the target is its public IP it will loop the request back into the network to the defined local IP (as per the rule) as if it has come from the outside in the first place. This options just says to the router perform this check and then do the looping.
    • NAT Loopback allows traffic sent to public IPs to be routed back to the local network if the IP/Server is present on the local network. This is perfect when you are running a server on your LAN that is connected to the internet by port forwarding. Normally you would get a failed message: 
      Forbidden
Rejected request from RFC1918 IP to public server address
    • If you disable the CWP (All Ports / LAN Only) which has NAT Loopback enabled, you will also get the RFC1918IP error when you try and lookup server.mydomain.com:

 

The CWP server is now present on the internet.

Cgroups

Cgroups allow you to limit resources per user — such as CPU %, system memory, network bandwidth, or combinations of these resources. You have to create a Cgroup and then assign it in the package. This is good for preventing server abuse byt the user or a hacker. You have to create a Cgroup before it can be assigned to a package or user so we will do this before creating our packages.

  • Security --> Cgroups Resource Limits
  • Click `Install service`
  • On the same page, got to the `Enable limit resources` and select the following
    • CPU - Limit CPU usage
    • Memory - Limit Memory usage
    • Disk I/O - Limit Disk I/O read/write
  • Click `Save`
  • Add these policies
    • Internal
      • Name: Internal
      • cpu % (min 1 max 200): 150
      • rmem: 1G
      • vmem: 2G
      • read: 10000
      • write: 10000
      • Update user's config files?: Ticked
    • Client
      • Name: Client
      • cpu % (min 1 max 200): 50
      • rmem: 512M
      • vmem: 1G
      • read: 1000
      • write: 1000
      • Update user's config files?: Ticked
    • Click `Restart service` (not sure if I need to do this to apply the new policies)

Notes

Packages

Setup the following packages. These are not mandatory but are a good baseline for you to start from and make managing your server easier. If you are migrating from cPanel I think the packages might be created automatically.

Packages are found at: Packages --> Packages

  • Create Primary package (Primary Domain Account)
    • Name: Primary
    • Disk Quota MB: 5000
    • FTP: 1
    • Email Lists: -1
    • Sub Domains: -1
    • Addon Domains: -1
    • cgroups: Internal
    • apache_nproc: 40
    • nofile: 150
    • Type: Reseller

    • Bandwidth MB: -1
    • Email Accounts: -1
    • DB: -1
    • Parked Domains: -1
    • Hourly Emails: 200
    • nproc: 40
    • inode: 0
    • NodeJs App: 0
    • Accounts: 500

    • Update Quota: [unticked]
  • Create Internal Package (Company Accounts)
    • Name: Internal
    • Disk Quota MB: 5000
    • FTP: 1
    • Email Lists: -1
    • Sub Domains: -1
    • Addon Domains: -1
    • cgroups: Internal
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: -1
    • DB: -1
    • Parked Domains: -1
    • Hourly Emails: 200
    • nproc: 40
    • inode: 0
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Create Bronze package (for clients)
    • Name: Bronze
    • Disk Quota MB: 500
    • FTP: 1
    • Email Lists: 5
    • Sub Domains: 5
    • Addon Domains: 5
    • cgroups: Client
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: 5
    • DB: 1
    • Parked Domains: 5
    • Hourly Emails: 100
    • nproc: 40
    • inode: 100000
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Create Silver package (for clients)
    • Name: Silver
    • Disk Quota MB: 1000
    • FTP: 1
    • Email Lists: 10
    • Sub Domains: 5
    • Addon Domains: 5
    • cgroups: Client
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: 10
    • DB: 5
    • Parked Domains: 5
    • Hourly Emails: 150
    • nproc: 40
    • inode: 125000
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Create Gold package (for clients)
    • Name: Gold
    • Disk Quota MB: 1500
    • FTP: 1
    • Email Lists: 15
    • Sub Domains: 10
    • Addon Domains: 10
    • cgroups: Client
    • apache_nproc: 40
    • nofile: 150
    • Type: General

    • Bandwidth MB: -1
    • Email Accounts: 15
    • DB: 5
    • Parked Domains: 10
    • Hourly Emails: 200
    • nproc: 40
    • inode: 150000
    • NodeJs App: 0

    • Update Quota: [unticked]
  • Set your Primary Domain User Account (acc: mydomain / mydomain.com) to have the package of Primary. It is best not to use the default package.
    • User Accounts --> List Accounts --> mydomain --> edit
    • Account Type: Reseller
    • Package: Primary
    • Leave the rest of the options
      • `Backup user account` = add the account into the backup routine when it is run.
    • Click `Update`

You now have seperate packages for your company and client accounts.

Notes

  • Create/delete hosting packages in CWP - PlotHost
  • Cgroups
    • Cgroups allow you to limit resources per user — such as CPU %, system memory, network bandwidth, or combinations of these resources.
    • Just installed above.
  • apache_nproc
    • It is the process number limit for a certain user, but specifically for Apache.
  • nofile
    • It is the number of open files limit for a certain user. 150 is the recommended, too high and the server will slow and too low and things like IMAP will stop working.
    • The number of files allowed to be read/executed at the same time.
  • Type
    • General - This is a standard client account.
    • Reseller - This tags the account as a reseller and obviously gives it reseller functionality and permissions. when this option is checked a new input box appears called `Accounts` which allows you to set a limit on the number of client accounts this reseller can own. `Accounts` has to be an integer.
  • nproc
    • It is the process number limit for a certain user.
  • inode
    • It Indicates the inode limit for a certain user.
    • It is ok to leave this as 0 as there are usually other limits set in a package.
    • Innodes are used by the file system to store data block locations and metadata because the innode size is relatively small and predictable there usually is no problem with allowing unlimited inodes.
    • If a user is filling up all available inodes possibly with zero byte file data then you do have the ability to restrict their inode limit forcing them to free up used inodes in order to create new ones.
    • Inode is a data structure that stores the information about all files created on your hosting account. The number of inodes indicates number of files, folders, email or anything you store on your web hosting account. Each file on your web hosting account is identified by an inode number in the file system. Inodes store the important data about files such as user, group ownership, access mode and file type.
    • Suggestions for Inode, No of Files, Process Limits - Cloud - Good discussion with suggestions.
  • NodeJs App
    • Number of NodeJS apps a user can create. This will require NodeJS Manager to be installed.
    • CWP - Admin Panel: NodeJS Manager - YouTube - Goes into a little about nodejs and Apps.
    • I am leaving this of on all of my accounts until i find a need for it.
  • process limit
    • (0 = no processes allowed)
    • This limits the number of processes for an account. This setting prevents the user from exceeding the limited number of PHP web processes. Its generally recommended to allow at least 30 to 50, however using this limit is particulary good when using PHP CGI to prevent users with high traffic from overloading the server, the downside is that since this limit is userwide it can also have restrictions on IMAP connections if the number is set to low and the user has many IMAP connections.

Features

The feature manager allows you to filter / block modules for use in the user module.

Feature Manager | Control-WebPanel Documentation

User Accounts --> Features,Themes,Languages --> Feature Manager

I think the accounts have all features available until you assign a feature set.

You can assign these features to an account or package. I will always choose to do these things by packages because it is the way I have done it in cPanel.

When you select these options you might not currently have all of the servers or things installed. Select your options as if they were so they match up when you later add the required features.

  • Create Internal feature list (this is for all company accounts) and assign it to the Primary and Internal packages
    • Name: Internal
    • Type: Package
    • Accounts: Primary, Internal
    • Click `Mark all`
    • Click `Create and Save this rule >>`
  • Create Client feature list (this is for all client accounts)
    • Name: Client
    • Type: Package
    • Accounts: Bronse, Silver, Gold
    • Click `Mark all`(You can come back to edit this feature list later or do it now if you are familiar with CWP)
    • Click `Create and Save this rule >>`

You now have seperate feature sets for your company and client accounts.

Notes

  • The menu items for the features will be present in the users control panel even if the service is not installed but it is enabled in the feature set.

Create a User Test Account

This is a very useful thing to have. It is just a simple account you can use to see what clients see.

  • User Accounts --> New Account
  • This is just an example (but will work)
  • Domain Name: test.acc
  • Username: testacc
  • Password: xxxxxx
  • Admin email: no-reply@test.acc
  • Server IPs: 13.13.13.13
  • Package: Bronze
  • Additional Options: Select:
    • Backup user account
    • AutoSSL: Domain must be pointed to the server

Apache

  • Set Web Server Type
    • WebServer Settings --> Select WebServers --> Setup default Web Servers --> Apache Only (this is default)
    • Dont make any changes to the page
    • Click `Save & Rebuild Configuration` (this might not be needed here but does not harm)
  • Update Apache to the latest version
    • Check you have terminal access via SSH first using putty (for saftey)
    • Check the new version you are going to install is newer than the current version.
    • You should also be aware that if you have installed the TLS1.3/HTTP2 upgrade from MysterData then this might fail. (see notes below)
    • WebServer Settings --> Apache Re-Build --> Select NEW Apache version
    • Select the latest version
    • Click `Next`
    • Leave all options as there are unless you know what you are doing.
    • Click `Start Compiler in Background`
  • HTTP2 + TLS1.3 (select the correct version for your Apache build)

Notes

  • These settings here do not affect the apache daemon for the CWP panel. It has its own Apache for this (I think). It is running PHP 7.1 so cannot be broken by people reconfiguring their server. I got this location by look at the cron jobs that are run by the root.
    /usr/local/cwp/php71
  • CWP WebServers Config | SaadHost very in depth article
  • Apache vs Nginx: Practical Considerations | DigitalOcean
  • Select Server Type
    • don't really understand the other technologies so I will leave the default Apache only setup because there is less to go wrong and I am use to Apache because I have been using Xampp which is Apache based. Apache on its own is proabbly good for development and low traffic sites.
    • Nginx & Varnish & Apache is the best performance option and good for high traffic sites. This seems to be the recommended option by professionals and I will change to it once I have got use to the server.
      • Force Apache to use PHP-FPM Selector
      • WebServer Settings --> Select WebServers --> Setup default Web Servers --> Select Default Apache PHP-FPM version
      • WebServer Settings --> Select WebServers --> Setup default Web Servers --> Select Default Nginx PHP-FPM version
      • I have not choosen this option at this time.
      • This will disable PHP Selector 2 and PHP Version Switcher.
      • If you choose this option, you would have to select a default Apache PHP-FPM and Nginx PHP-FPM version on this page. I am not sure if it would continue to use the server's default php.ini file.
  • What are these? (add Nginx and Varnish add extra hurdles when developing web sites)
    • Apache
      • Your basic Web Server
      • The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
    • Nginx
      • NGINX is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
      • NGINX accelerates content and application delivery, improves security, facilitates availability and scalability for the busiest web sites on the Internet.
      • NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability.
      • Nginx excels at serving static content quickly and is designed to pass dynamic requests off to other software that is better suited for those purposes.
    • Varnish
      • This is a cache based in RAM.
      • Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.
      • What is Varnish cache and how it works? - Interserver Tips
    • LightSpeed
      • A commercial webserver dedicated to speed.
  • Other HTTP2 / TLS1.3 articles (older or untested)
  • Rebuilding Apache broke CWP
    I did this and my server broke. It was running extremely slowly on the terminal and the websites would not load. The CWP panel might of come up if left long enough

FTP

This is mostly setup but for a couple of settings in the FTP manager

  • Set the following settings in FTP Manager (File Management --> FTP Manager V2 --> Edit Configuration)
    • TLS: 2 (This allows only encrypted connections)
    • TLSCipherSuite: HIGH (default HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3)
    • Click on `Update` not reset.
  • You need to create a user as non are created by default like in cPanel (optional)
    • File Management --> FTP Manager V2 --> Add User
    • Fill in the details
    • Click `Submit`
  • TLS1.2+ is now required.

Notes pure-ftpd Setup Passive FTP Ports - Control WebPanel Wiki

PHP

Configuring the PHP service is good for security and performance.

  • Set the Server's default Global PHP version
    • PHP Settings --> PHP Version Switcher --> PHP Version = 7.4.20 (or your preference. php 8.0 is not mainstream yet)
    • Select Options/Modules/Extensions (These are PHP extensions that are added into PHP when it is compileds or it compiles them and attaches them)
      • Check them over but the ones that come up should be fine (if you have not changed them). You can always recompile later with different options.
      • Click `Save & Build` (CWP will now compile PHP from source in the background)
  • PHP Selector 2
    • Standard PHP Parser (PHP-CGI)
    • This feature lets you install additional PHP versions in the CWP. This is the selector for the legacy CGI-based PHP method like SuPHP. You can use a different PHP-CGI version per account/domain rather than the server default one.
    • I am not going to use any on this page because I want to use the faster PHP-FPM.
    • Installation will be similiar to setting the servers default PHP version except you might select several versions and you can select options and other things specific to the particular version before you Compile
    • I am not sure what happens if you select the same version as the servers default version.
    • I think this is the same PHP parser type that the server default is running.
  • PHP-FPM Selector
    • This lets you also install and use additional PHP versions. The difference is that it selects PHP Fast CGI Manager (PHP-FPM) versions instead of traditional CGI.
    • Select:
      • PHP-FPM 7.4.20
        • with default options
        • same as the server default PHP version
      • PHP-FPM 8.0.7
        • with default options
        • for testing
    • Click `Start Compiler (build & install)` (it does take a while to compile, especially if you have chosen a few PHP versions)
    • Enable auto update for the PHP version you have just installed.
      • The servers version might autoupdate anyway when the server updates, other than that there is no option for it.
  • Apply the relevant PHP version to any accounts that already exist that you wish to upgrade/change. They should all currently be on the default legacy CGI PHP parser (server default)
    • So far I can only change this in the user's control panel, not on mass. I will add the command or instructions here when I find one.
  • Configure all of your php.ini files to your taste
    • Dont forget about the multiple versions of the php.ini , one for each version of PHP installed for each enging type (PHP-FPM / Apache Module)
      • (PHP Settings --> PHP.ini Configuration) - This is the servers main/default version of php.ini
      • (PHP Settings --> PHP Selector--> PHP x.x --> Edit php.ini) - When you use multiple versions of PHP as an Apache Module you need to edit these.
      • (PHP Settings --> PHP-FPM Selector --> PHP x.x --> Edit php.ini) - When you use PHP-FPM you need to edit the different version of the php.ini here. Save and then restart that particular version. There is no need to rebuild.
    • Before making changes to the file, always click on the `Create File Backup` button
      • The default server on gets stored at /usr/local/php/php.ini - CWP might do an automatic backup upon save.
    • Once you have configured all of your php.ini files I would recommend you download them and store them as a reference just incase they get wiped out in an upgrade or something else unpredicted especially if you have a complicated chages you have made.
    • Once you have made the changes make sure you restart the relevant services or just restart the server for quickness.
    • Changes I have made to the default file (these might be a bit generous for a standard webhost, so the ones where I have increase values, ignore them)
      disable_functions = "" --> "system,passthru,popen,exec,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDecode,xmlrpc_entity_decode,fp,fput,shell_exec,apache_get_modulesi"
expose_php = On --> Off
max_execution_time = 30 --> 180
max_input_time = 60 --> 180
max_input_vars = 4000
memory_limit = 128M --> 256M
post_max_size = 8M --> 64M
upload_max_filesize = 2M --> 64M
date.timezone = "Europe/London"
      • A lot of companies disable mail() to prevent spam. Just add 'mail' to the end of disable_functions. I use mail function because there is onyl my stuff on the server and it prevents me from having to setup sMTP on every CMS or PHP script I want to use. If you have customers on your server then definately disable the mail function.
    • changes of note, but I have not changed them (might do) 
      zlib.output_compression = Off
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT --> E_ALL & ~E_NOTICE

; http://php.net/track-errors
;track_errors = Off

; http://php.net/html-errors
;html_errors = On

; http://php.net/register-argc-argv
register_argc_argv = Off

; http://php.net/allow-url-fopen  (I have this on all the time, but should it be off by default)
allow_url_fopen = On
  • Force Apache to use PHP-FPM Selector
    • I am only going to use PHP-FPM so i need this option.
    • WebServer Settings --> Select WebServers (This will be quick becasue we are not re-compiling anything)
      • Select Default Apache PHP-FPM version: 7.4
      • Select Default Nginx PHP-FPM version: 7.4 (I do not have NginX installed at this time, but does not harm to apply this setting now so I can forget about it)
      • Force Apache to use PHP-FPM Selector: Ticked
      • Click `Save & Rebuild Configuration`
      • The switch will be almost instant and this is normal.

Notes

  • Each PHP version for each type of PHP parser (Selector) has its own php.ini
  • If you are using Snuffleupagus (see in the security section below) you will need to manually add it again to any new versions of PHP you install, PHP version upgrades should maintain the software.
  • PHP-FPM
    • This create helpers per account so is more resource intensive but does allow for much quicker parsing of PHP becasue the workers are already spooled up. I would not recommend this for all of your accounts on your server if you have a lot of them.
    • When you have made changes to the PHP-FPM version specific php.ini you need to relaod the service, restarting Apache will not reolad the config file becasue it is not an Apache moduel.
  • AutoUpdate - This enables/disables auto update of the PHP Version ie 7.4, 8.0, so the PHP is always on the latest Patch version (security release)
  • How to disable php/php-fpm selector - Control WebPanel Wiki
  • allow_url_fopen is considered dangerous?
  • The 8.0.7 php.ini is slightly different to the 7.4.20 php.ini but the normal PHP and PHP-FPM version are the same even though there are in different places on the server.
    • the PHP-FPM and normal php have different settings for this
    • PHP Standard ;cgi.fix_pathinfo=1
    • PHP-FPM: cgi.fix_pathinfo=1
  • Disable Dangerous PHP functions.
  • Force Apache to use PHP-FPM Selector
    • After you have enabled this:
      • The menu items for PHP Version Switcher and PHP Selector 2 (NEW) are still present but with a warnings at the top of each of the pages.
      • In PHP Selector 2 (NEW), The PHP versions are obviously just disabled but all compile and delete functions still work which is why the switch is so quick no re-compiling takes place.
  • Divi Recommendations -

Database / MySQL / phpMyAdmin

  • Set default database collations to utf8mb4_unicode_ci (this collation is the modern standard now)
    • (SQL Services --> MySQL Configuration --> Contents of File: /etc/my.cnf)
    • The default my.cnf file is shown below and is for reference. The file is a lot more empty that I expect and I have reported this ont he CWP forum here. 
      #
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]

#
# include *.cnf from the config directory
#
!includedir /etc/my.cnf.d
    • Click `Create File Backup` (at the bottom)
    • Add the following code at the end of the file 
      [client]

default-character-set = utf8mb4

[mysql]

default-character-set = utf8mb4

[mysqld]

collation-server = utf8mb4_unicode_ci
init-connect = 'SET NAMES utf8mb4'
character-set-server = utf8mb4
    • Click `Save`
    • Goto the Dashboard
    • Reboot the MySQL Database Server

Notes

  • MariaDB Defaults of note:
    • The database package is MariaDB
    • innodb-file-per-table: True
    • default-storage-engine: InnoDB
  • General
    • After changing the collation as noted above, in phpMyAdmin --> Variables, all collations show correct but collation database shows a (Session value) of latin1_swedish_ci and i dont know why or how to fix it. I would like it to match.
    • Changes made in phpMyAdmin --> Variables are not persistent. When the server is rebooted the changes made there will be lost.
    • Unknown/unsupported storage engine: InnoDB | MySQL Ubuntu - Server Fault
      • The ibdata file contains the data (unless you have file-per-table). The ib_logfile files are the replay logs that contain the data for database-altering transactions that may have been in process when/if the database crashed. If you were able to shutdown the server successfully, deleting these log files won't hurt you. If it crashed, then you need them.
    • Can't read my.cnf file bug | CWP Forum
      • the problem here is that my.cnf needs to be saved with the new line at the end of the file. Some editors, e.g. vim do it automatically and they put a "new line" character at the end of each file - without having the user to actually see it - so it appears that the file ends with the very last character.
      • However if you open this file up with with a different editor, e.g. Mousepad, you will find out that tere is an extra line - a new line - at the end of the file. If there is not - that is the problem - because MySQL fails to process that kind of configuration.
      • Apparently there is a standard for having files end with a new line. Some software upholds it strictly (e.g. MySQL) and that's why we can find this error in MySQL explicitely.
      • Details: https://stackoverflow.com/questions/729692/why-should-text-files-end-with-a-newline
  • Manually Upgrading MariaDB
  • Get the MariaDB variables
    • MariaDB default my.cnf in sources - Stack Overflow
      • No, MariaDB does not have a configuration file which would list all available options and their default values. Different MariaDB packages might provide some configuration files, but those are different, they only contain a small subset of options, and the values are different from default ones.
      • You can output the default MariaDB variables and settings by running:
        Default configuration and explanation of the settings
mysqld --no-defaults --verbose --help

or, on a running 10.1+ server, by executing
SELECT variable_name, default_value FROM information_schema.system_variables ORDER BY variable_name
    • You can output the current MariabDB variables:
  • Removing unwanted Users
    • After importing user accounts from cPanel I found i have a lot of unwanted MySQL users
    • I clicked on the delete icon for the relevant user and got the standard warning message
    • but could not use the CWP GUI to remove them because whern I clicked 'Continue' I got the following error message, Error Invalid System User.
    • The solution is simple to delete the users as the CWP GUI clearly has a bug:
      • Goto (CWP Admin --> SQL Services --> phpMyAdmin --> Users Tab)
      • Select the users you don't want
      • Scroll down to 'Remove selected user accounts'
      • Click 'Go'
      • This will delete the users with no issue. Doing this by the SSH will have the same outcome.
    • How to Show Users in MySQL using a Linux Terminal - via SSH and this is a great tut
    • MySQL “show users”: How to list the users in a MySQL database | alvinalexander.com
      • There might be duplicate users. This is because MySQL filters access to a server according to the IP address it comes from. So you can also add a host column.

Email Server

  • Postfix is an MTA
  • Dovecot is a message store Accessor/Provider, POP3/IMAP Server.

Postfix and Dovecot are both required for a full email system and should already be running and this is why you are already (if configured) getting server notification emails.

  • Start disabled services (you will see they have an error, just ignore these) (Service Recovery FAILED!! I'm reporting this issue to main CWP artificial intelligence system!)

    • Dashboard --> Services Status --> Mail Services
    • ClamAV
    • AMaViS (A Mail Virus Scanner)
    • OpenDKIM
    • SpamAssassin
  • DKIM
    • Email --> DKIM Manager
    • Nothing to do already setup
  • SPF make ~all --> -all
    • Email --> SPF Manager
    • Edit DNS Zone
      • Custom DNS Zone Template - Control WebPanel Wiki
      • Open file manager and navigate to: 
        /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/
      • Copy the file default.tpl --> custom.tpl so it is in the same directory. (You will have to copy it to another folder, rename it, move back to the zones folder)
      • Edit the custom.tpl
      • Change the following 
        @	14400	IN	TXT	"v=spf1 +a +mx +ip4:%ip% ~all"

-->

@	14400	IN	TXT	"v=spf1 +a +mx +ip4:%ip% -all"
      • CWP Settings --> Edit Settings -->Default DNS Zone template = custom.tpl
      • Click `Save Changes`
      • This will not change accounts that have already been created including the Primary account. so either manually edit the DNS zones or use a script to change many. But go through and change all of the relevant zones.
        DNS Functions --> List DNS Zones --> mydomain.com --> Edit File/Edit Records
  • DMARC
    • This appears to be configured and running.
    • If you want to change the DMARC defaults then edit the custom.tpl zone file: 
      /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
      • NB: This will not change accounts that have already been created including the Primary account. So either manually edit the DNS zones or use a script to change many.
        (DNS Functions --> List DNS Zones --> mydomain.com --> Edit File/Edit Records)
    • Tutorials
      • Creating DMARC Record to Protect Your Domain Name From Email Spoofing
        • This is really easy to read and explains everything well including testing and processing reports.
        • Why I’m still using p=none policy?
          • Firstly, it’s because of Microsoft. mails forwarded from Microsoft Outlook Mailbox can fail DKIM check, which is bad. For this reason, I cannot set my DMARC policy to quarantine or reject.
          • Another reason is that I’m using MailChimp to send newsletters to my email subscribers. MailChimp uses its own domain in the Return-Path header and its own DKIM signature for the signup confirmation email, which causes DMARC failure.
        • Having a p=none policy is better than having no DMARC record. Although p=none cannot prevent email spoofing, at least my legitimate emails have a better chance to be placed in inbox.
      • How to Setup DMARC records in cPanel | InMotion Hosting
      • Does anyone have DMARC working? - DMARC Example.
  • Antispam
    • Install Spamhaus:
      • Email --> AntiSpam --> Install Spamhaus
    • SpamExperts: This is a commercial professional antispam service.
  • Webmail
    • Email --> Roundcube Webmail
    • Nothing to do already setup
  • Configure Postfix
    • Email --> MailServer Manager
    • When the functions are enabled then they have a tick in their box when the page loads. You need to rebuild the Mail Server to allow the Domain name to be updated correctly.
    • Select the following:
      • ClamAV, Amavis & Spamassassin, Requires 2Gb+ RAM
      • Drop all emails if no rDNS/PTR
      • Installs DKIM & SPF, enables DKIM for New Accounts and Domains
      • Installs Policyd, enables hourly email limit per domain.
      • Resource Usage - These use a lot of resources
        • ClamAV (CPU 5%-20%, RAM 1.2GB-2.0GB+)
        • Amavis (CPU 5%-20%, RAM 1.2GB-2.0GB+)
        • Spamassassin (CPU?,RAM?)
    • Hostname: server.mydomain.com
    • Domain: mydomain.com
    • Click `Rebuild Mail Server`
    • Click `Update ClamAV Database`
    • Click `Restart All Mail Server Services`

Notes

Remove 'cwp' subdomain from the Default DNS Zone (optional)

This has to be done here so all of your new accounts dont get this vestigial subdomain.

It is my opinion this is not really used by anything anymore and that is why this is optional.

 

  • Edit the following file (you should of created the file custom.tpl earlier)
    /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
  • Remove the line 
    cwp 14400 IN A %ip%
  • This will not change accounts that have already been created including the Primary account. So either manually edit the DNS zones or use a script to change many.

 

Firewall

  • Country Blocking / IP to Country Lookups / GeoIP / Geolocation
    • If you are running a network firewall such as pfSense, then do the Country Blocking in that device, so all network devices can benefit from that single ruleset but keep the lookup service enabled here to allow for IP to country lookups
    • Security --> CSF Firewall --> Firewall Configuration
    • Set your provider (MaxMind is preferred)
      • MaxMind
        • Get a MaxMind license Key: GeoLite2 Sign Up | MaxMind (I created a proper MaxMind account first)
        • CC_SRC = "1"
        • MM_LICENSE_KEY = "" (fill in your license key)
      • DB-IP, ipdeny.com, iptoasn.com
        • CC_SRC = "1"
    • (optional) Set the countries to block
      • Search for CC_DENY = ""
      • Change to CC_DENY = "CN,RU"
    • (optional) block all countries except those specified:
      • Search for CC_ALLOW_FILTER = ""
      • Change to CC_ALLOW_FILTER = "CN,RU"
    • Click `Save Changes` (at the bottom)
    • Restart the firewall (Security --> Firewall Manager --> Restart)
  • Check all of the ports, close ones not used - even if the port is not forwarded (i.e. just on LAN).
  • SSH restriction rule

Notes

SSL / HTTPS / AutoSSL / LetsEncrypt

  • Set autorenew
    • WebServer Settings --> SSL Certificates --> Configure
    • Auto Renewals
      • Active: yes
      • Auto renew AutoSSL: yes + Renew all SAN
      • Autorenew every: 60 days
    • Automatic SSL generation:
      • Active: yes + Admin and User
      • Generate SAN automatically: mail, webmail, ftp, cpanel = yes
    • The automatic generation task will be executed every day at: 01:00 (less traffic at this time)
  • Generate SSL for mydomain.com
    • WebServer Settings --> SSL Certificates --> AutoSSL [FREE]
    • User: mydomain
    • Domain: mydomain.com (main)
    • Additional Servers: mail, webmail, ftp, cpanel

Notes

 

Security

The more resources you install the more resources you use. I dont know if you need to install each one of these.

  • Connect via SSH with PuTTY and make the root password complex and create a user as they might not be the strongest ones set earlier because you could not copy and paste.
  • Install PHP Defender (Snuffleupagus)
    • Dont Install this
      • First time I enabled it all of my wordpress installs were broken
      • You must restart the whole server to unload it, just deleting the instances from the security centre and restarting Apache is not enough. I am running PHP-FPM.
      • You might also need to reboot the server for the modules to become live.
      • If you don want to install make sure you have a full server backup
      • Here are some example errors: 
        Apache Error Log (sitea)
[Thu Dec 23 19:47:52.977523 2021] [proxy_fcgi:error] [pid 4659:tid 139985935795968] [client 192.168.1.1:58256] AH01071: Got error 'PHP message: PHP Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_set', because its argument '$varname' content (display_errors) matched a rule in /home/mydomain/public_html/sitea/wp-includes/load.php on line 465'
[Thu Dec 23 19:47:53.157871 2021] [proxy_fcgi:error] [pid 4659:tid 139985935795968] [client 192.168.1.1:58256] AH01071: Got error 'PHP message: PHP Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_set', because its argument '$varname' content (display_errors) matched a rule in /home/mydomain/public_html/sitea/wp-includes/load.php on line 465', referer: https://sitea.mydomain.com/
[Thu Dec 23 19:47:54.155940 2021] [proxy_fcgi:error] [pid 4659:tid 139985935795968] [client 192.168.1.1:58256] AH01071: Got error 'PHP message: PHP Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'ini_set', because its argument '$varname' content (display_errors) matched a rule in /home/mydomain/public_html/sitea/wp-includes/load.php on line 465'

Apache Error Log (siteb)
[Thu Dec 23 19:26:46.802401 2021] [proxy_fcgi:error] [pid 1642:tid 140310124496640] [client 192.168.1.1:49326] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762'
[Thu Dec 23 19:26:53.844567 2021] [proxy_fcgi:error] [pid 1696:tid 140310174852864] [client 192.168.1.1:49334] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762'
[Thu Dec 23 19:27:27.416398 2021] [proxy_fcgi:error] [pid 1696:tid 140310174852864] [client 192.168.1.1:49349] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 0 parameter's name: 'arg' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 1 parameter's name: 'extract_type' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] - 2 parameter's name: 'prefix' in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762'
[Thu Dec 23 19:27:58.554425 2021] [proxy_fcgi:error] [pid 1696:tid 140310174852864] [client 192.168.1.1:49350] AH01071: Got error 'PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log] It seems that you are filtering on a parameter 'var_array' of the function 'extract', but the parameter does not exists. in /home/mydomain/public_html/siteb/wp-includes/template.php on line 762PHP message: PHP Warning: [snuffleupagus][0.0.0.0][config][log]
    • (Security --> Security Center --> PHP Defender)
    • If you click on 'View details' you get
    • Standard installation (Only change this if you know why)
    • Defender mode: Basic (Only change this if you know why)
    • Click 'Install now'
    • Click 'Accept'. This will install Snuffleupagus for all of your PHP versions, there is no option to select individual version yet.
    • You can now configure the Snuffleupagus settings individual for each version
  • Scan all accounts for Malware (optional)
    • Security --> Security Center --> Malware Scan --> Accounts Scan (All accounts)
  • Install Maldet : Linux Malware Detect (LMD)
    • A malware scanner for Linux. It is particularly effective for the detection of php backdoors, darkmailers and many other malicious files that can be uploaded on a compromised website.
    • Security --> Security Maldet Scan --> Install Maldet
    • Update and scan for malware
  • Install Rkhunter
    • rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux.
    • Security RKHunter Scan --> Install Rkhunter
    • Update and scan for malware
    • Configure rkhunter (RooktKit Hunter)
      • Correct the email address (bug) to send the rkhunter cron emails to
        • Edit the file /etc/cron.daily/rkhunter or /etc/sysconfig/rkhunter
        • Change the file as follows: 
          MAILTO=root@localhost

to

MAILTO=root
      • Run the following commands from the terminal and they will fix the errors in the rkhunter email (as shown below)
        ---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
         is used, all the files on their system are known to be genuine, and installed from a
         reliable source. The rkhunter '--check' option will compare the current file properties
         against previously stored values, and report if any values differ. However, rkhunter
         cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

----------------------- End Rootkit Hunter Scan -----------------------
        • sudo rkhunter --propupd
          • This above command lets the scanner know about the current state of specific files. This process helps to avoid false alarms during scanning.
          • the result will look like 
            [root@cwpserver /]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 131
[root@cwpserver /]#
          • This will not harm your server.
        • sudo rkhunter --checkall
          • After updating the file properties, run the following command to scan CentOS to detect any vulnerabilities or rootkits.
          • This scanner runs through the system commands, network settings, localhost settings, and files to check for actual rootkits, malware, and vulnerabilities. The findings of the scan get recorded on to a log file.
          • This is the summary from the end and is only a small part of what was reported on screen
            System checks summary
=====================

File properties checks...
    Files checked: 131
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 492
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 3 minutes and 11 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

No warnings were found while checking the system.

[root@cwpserver /]#
          • This will not harm your server.
          • This does not generate an email like the cronjob does.
        • (optional) sudo cat /var/log/rkhunter/rkhunter.log | grep -i warning
          • This command will show a condensed look at the scan log.
  • Install Lynis Scan
    • Lynis is a battle-tested security tool for systems running Linux. It performs an extensive health scan of your systems to support system hardening and compliance testing.
    • Security Lynis Scan --> Install Lynis
    • Scan and read the log
  • Symlink Scan
    • A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows. In many cases, this is used by hackers to get access to other users files. This module will help you to locate all symlinks.
    • Security --> Security Symlink Scan --> Scan User
  • Restrict SSH to local network
    • Even though my server is on a NAT'ed network and I have not port forwarded the 8128 port for SSH it is a good practise to add a rule which can be altered later.
    • Edit file /etc/hosts.allow and add the line: 
      sshd: 192.168.1.0/24
    • Edit file /etc/hosts.deny and add the line: 
      sshd: ALL
    • Goto the dashboard
    • Restart SSH Server
  • Restrict FTP to local network
    • Even though my server is on a NAT'ed network and I have not port forwarded the 21 port for FTP it is a good practise to add a rule which can be altered later.
    • Edit file /etc/hosts.allow and add the line: 
      ftpd: 192.168.1.0/24
    • Edit file /etc/hosts.deny and add the line: 
      ftpd: ALL
    • Goto the dashboard
    • Restart SSH Server
  • Change SSH to use keys and not passwords (optional)
  • Enforce HTTPS on Webmail and User Cpanel
    • Cpanel and Webmail (no ports)
      • cant figure it out
    • Webmail (port 2095)
      • Edit the file 
        /usr/local/cwpsrv/conf.d/webmail.conf
      • Uncomment the following section (not the title though)
        # Disabled forced ssl, uncomment if you want to force ssl
#if ($host != "localhost"){
#    return 301 https://$host:2096$request_uri;
#}
      • Save the file
      • Goto the dashboard
      • Restart the Server (because this is the CWP Apache server, not the client facing one)
  • Login Brute Force Protection
    • Security --> User Login Security --> Configurations --> Configuration and settings for blocking and user session initiation
    • Active: Yes
    • Failed Attempts: 3
    • Suspend for: 5 Min.
    • Blocking by firewall: Ticked
  • Make MySQL stronger
    • Current password length is 12 characters and I want 16 charaters
    • Open terminal with root permissions
    • Run 
      sh /scripts/mysql_pwd_reset
    • Enter a new root password only using 'a-zA-Z0-9' to prevent script issues.
    • check the root password has changed with 
      grep password /root/.my.cnf
  • If the CWP panel is open you will now get this error and MySQL permmissions will need fixing in the next step.
    Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/resources/admin/include/functions.php on line 0

Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost' (using password: YES) in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0


Trying to start mysql server, please wait!
Try to restart CentOS Web Panel with command: sh /scripts/restart_cwpsrv

**Check your MySQL root password in: /usr/local/cwpsrv/htdocs/resources/admin/include/db_conn.php and /root/.my.cnf


Warning: mysqli_error() expects exactly 1 parameter, 0 given in /usr/local/cwpsrv/htdocs/admin/admin/index.php on line 0
Could not connect:
  • To Fix the error above open up a terminal with root privilages (taken from here How to Reset and Recover MySQL or MariaDB Root Password on SystemD Linux | Mystery Data 
    • systemctl stop mysqld
systemctl set-environment MYSQLD_OPTS="--skip-grant-tables"
systemctl start mysqld
mysql -u root
    • Run these MySQL commands - change MyNewPassword with the password from earlier
      mysql> UPDATE mysql.user SET authentication_string = PASSWORD('MyNewPassword') WHERE User = 'root' AND Host = 'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit
    • Run these final commands 
      systemctl stop mysqld
systemctl unset-environment MYSQLD_OPTS
systemctl start mysqld
    • Test your password works with 
      mysql -u root -p

Notes

Create a secondary user

This is a safety measure so if the root account gets comprimised you can still get in with this account.

  • Open up the CWPpro terminal (or SSH)
  • Run the command 
    adduser backupuser
  • Now assign a password to the user by using the command 
    passwd backupuser

Notes

 

 

Monitoring (Watchdog)

  • Services Monitoring (for initd services)
    • Services Monitor will automatically restart off-line services and send an email notification.
    • Services Monitoring (systemd services) is required for this to work.
    • Services Config --> ServicesMonitor (init)
    • Enable: Yes
    • Email notifications to: youradmin@mydomain.com
    • Check every: 15 mins (some people might want this to be set to 5 mins, you can change it later if you want)
    • network / Exit status: 0 :: I dont know what this is so I will leave it unticked.
  • Services Monitoring (for systemd services)
    • Services Monitor will automatically restart off-line services and send an email notification.
    • This is good becasue failed services will get restarted automatically.
    • Services Config --> ServicesMonitor (systemd)
    • Enable: Yes
    • Email notifications to: youradmin@mydomain.com
    • Just use the list below or your prefered selection:
      • amavisd.service    (If you enable the option AntiSpam/AntiVirus in Postfix, this setting is irrelevant)
      • clamd.service    (If you enable the option AntiSpam/AntiVirus in Postfix, this setting is irrelevant)
      • crond.service
      • csf.service
      • dovecot.service
      • httpd.service
      • lfd.service
      • mariadb.service
      • opendkim.service
      • php-fpm74.service
      • php-fpm80.service
      • postfix.service
      • pure-ftpd.service
      • spamassassin.service    (If you enable the option AntiSpam/AntiVirus in Postfix, this setting is irrelevant)
      • sshd.service
  • Monitoring via Monit
  • Netdata Service Monitor (5-20% CPU, RAM? not sure)
    • (Graphs --> Netdata)
    • Please note that Netdata is high resource demanding for low-performance servers, we recommend installing only on the servers with multiple CPUs and memory 4GB+
    • Don't install this on low power servers. It is not a monster but does need feeding.
    • Netadata does take a while to install.
    • It is run outside of the cpanel so is like a seperate Website.
    • Designed by system administrators, DevOps engineers, and developers to collect everything, help you visualize metrics, troubleshoot complex performance problems, and make data interoperable with the rest of your monitoring stack.
    • Netdata’s distributed, real-time monitoring Agent collects thousands of metrics from systems, hardware, containers, and applications with zero configuration. It runs permanently on all your physical/virtual servers, containers, cloud deployments, and edge/IoT devices, and is perfectly safe to install on your systems mid-incident without any preparation.
    • How to update Netdata In CWP Control WebPanel Centos/RHEL/Ubuntu/Debian | Mystery Data
    • Not sure what most of the metrics are so I will probably uninstall this until I do.
    • You can potentially measure these metrics from the Netdata Cloud which also seems to be free.
    • If your server is not running this then potentially it might be more responsive.

Branding

  • Upload a logo
    • (User Accounts --> Features,Themes,Languages --> Branding)
    • Browse and upload your logo.
    • The logo will appear on dark and light backgrounds and this can be seen on the client login page (light background) and then once in the clients cpanel (dark background).
    • The logo will be automatically renamed.
  • Set Servers default website to a blank page
    • server.mydomain.com actually has a website and the files are located at /usr/local/apache/htdocs/ 
    • This default site is possibly used for other things on the server and might get refreshed during an update wiping any of your changes.
    • The reason we do this is because we want to brand our default templates to look more professional and a few technical people will always go and have a look what is running.
    • You can use a completely branded HTML page but I thing for the server a blank one is better and quicker to do.
    • Backup the file /usr/local/apache/htdocs/index.html (rename it orig-index.html)
    • Edit /usr/local/apache/htdocs/index.html and replace the content with the following code 
      <html><body bgcolor="#FFFFFF"></body></html>
    • NB: The default apache web server IP is set here /usr/local/apache/conf/sharedip.conf
  • Custom Account Templates
    • Custom Account Templates - Control WebPanel Wiki
    • Suspended Account Template - The default template is ok and can be left.
    • New Account Template - I will replace this with a fully branded holding page.
    • New Domain Template - I dont know what this is for.

      I will replace this will a blank index.html
      <html><body bgcolor="#FFFFFF"></body></html>
    • New SubDomain Template

      I will replace this will a blank index.html - A subdomain does not need a fully branded holding page.
      <html><body bgcolor="#FFFFFF"></body></html>

Updates

  • CWP
    • CWP updates itself automatically but you can force this by clicking on the `CWP Update` button on the dashboard.
  • Dependencies (Yum/rpm)
    • I dont think these update automatically but you are warned stuff is out of date.
    • Server Settings --> Yum Manager --> Updates List --> Update All

Configure CWP (Notifications and Alerts)

We need to configure CWP to send error notifications and unless you know where to click this can be hidden.

  • Click on the Bell icon
  • This will now take you to the 'Notifications and Alerts' page with some messages, ignore these for now.
  • Click on 'Click here to Edit Settings and Email Alerts.' (at the top of the messages.) to take you to the 'Notification Settings' page.
  • Configure and save the following settings
    • Email for Alerts = send@theemailhere.com
    • Sender email (server name recommended) = notification@server.mydomain.com
    • Info = Checked
    • Warning = Checked
    • Danger = Checked
    • Notification Template = 
      You've received a new %level% notification: %subject%

Here are the details:

%message%

%url%
  • Now we get to the messages that you saw just before.
  • The blue ones are just notifcation messages pointing you to look at the logs and unless you really want to just click on the cross for each of them and dismiss the message.
  • The orange messages
    • are warnings and you should read each message, click on the link and correct the error as advised. Once you have corrected the error, dismiss the message.
    • Depending on when you process these messages you might find that you have more messages to process or for each warning you have already corrected but just not yet dimissed the message which you can do now.
    • The default orange error messages shown above should all of been corrected during this tutorial.

Client Backups

It should be noted that currently CWP does not manage backup retentions (i.e. it does not delete any backups so they will keep growing in number). See the notes below for solution.

  • Disable the Old Backup system
    • This is now a legacy script but is stable. It appears only to do User Accounts.
    • CWP Settings --> Backup Confifguration --> Manage Backups --> Enable Backup: No
    • Click `Save Changes`
    • Delete files and folders in /backup
  • Enable the new backup System (You can setup multiple backup jobs all with different options.)
    • CWP Settings --> NEW Backup (beta)
    • Start filling in the settings below to create new Backup job.
    • User Accounts
      • Packages: Select all of the packages (easier to manage)
    • Features and settings
      • Select all options
    • Destination:
      • I recommend you set up an external SFTP/FTP/SSH File server to deposit the backups on. It must be a seperate computer/NAS/Device otherwise it is pointless.
      • FTP Server or SSH server
        • Fill the details in of you remote server (this assumes you have built one, but is not covered here)
        • Select Compress Backup
      • Local file or directory
        • Will only be good for restoring individual client data and not disaster recovery.
        • Backup Destination: /newbackup/
      • Temporary Directory: /home/tmp_bak/
      • Backup Level: Compressed
    • Frequency and Execution
      • Execution Schedule: Daily Backup
      • Frequency Details: Everyday
      • Notifications: When you finish homework, To the Server Administrator
      • These are my initial settings so you know that the server backup is working correctly. Reduce/change the frequency later if you wish.
  • Set the backup schedule
    • CWP Settings --> NEW Backup (beta) --> Scheduled --> Scheduling the Execution of your Backup --> Hour: 02, Minutes: 00
    • Most of the servers crons will of finished by now and the traffic and load on the server will be low.
  • Enable the backup jobs
    • CWP Settings --> NEW Backup (beta) -->Backup Settings
    • Click on the `Off` button to enable each backup job you want

Notes

  • Old Backup System / Backup Configuration / Manage Backups
    • it backs up all of the user account's public html and settings in one folder /backup/daily/[username]/
    • All MySQL (not sure about MongoDB and PostgreSQL) are dumped to /backup/mysql/daily/
    • These (I think) are replaced by the next run of the backup script.
    • The backups are just of the user account Home directory and all MySQL databases on the server.
  • Backing up Locally
    • only good if a user breaks their site. if the server fails thene these local backusp will be usefless
    • increased wear on your SSD
    • fills up your HDD on the server quick
    • You need to monitor it
  • New Backup / New Backup (beta) Backup Tool
  • Full Server Backup
    • Occasionally you should shut the server down and do a full backup of the VM. You cannot just backup the server when it is on because of the live services within it might get corrupted (Virtual Machine Quintencence)
    • I use Veeam Agent to do a full host server backup. All VM machines must be powered down when running this
  • New and Old Backup system do not have backup retention management
  • Backup and Restore | Control-WebPanel Documentation
  • Create/restore backups in CentOS Web Panel - PlotHost - For end users

Cron / Anacron /  Cronjobs

This is Linux's version of scheduled tasks (for us Windows users) and there are 2 pages that currently allow you to configure them throught the GUI. They both work on the same dataset which is confusing and hopefully these pages will get merged.

  • (CWP Admin --> Server Settings --> Crontab for root)
  • (CWP Admin --> Server Settings --> Crontab for users)

Check the time they run

I would have my crons run late at night probably after my backups. You check the time fit in with how you run your server and if you ar enot sure just leave themas they are for now.

You dont want you SSL certificates to be getting updated while your backups are running. You server wont die, but why cross the streams :) when you dont have too.

Silence is Golden (optional)

I prefer to make all of the cronjobs quite, they will email me if there is an issue but generally you dont need an email saying they have been run. To fix this you add > /dev/null at the end which sends the output to a null device where it dies.

/usr/local/cwp/php71/bin/php -d max_execution_time=18000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron_autossl_all_domains.php

to

/usr/local/cwp/php71/bin/php -d max_execution_time=18000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron_autossl_all_domains.php  > /dev/null

Do this for all of the cron jobs yopu want to be quiet. This will not them stop them sending emails if that is what the script does, just the notfication of them running.

Editing Default Cronjobs (in the GUI)

After setting up the server these should be the only cronjobs present. You will find that sometimes after an upgrade or installing a plugin you will get more cronjobs, sometimes duplicates and in which case you should remove the appropriate one.

Notes

Backup Server Settings

CWP does not have a specific mechanisim for backing up the server settings so I will add what I find here and wil post a feature request with CWP.

Please note this section is not complete.

  • Custom Account Templates
    • /usr/local/cwpsrv/htdocs/resources/admin/tpl/ 
  • Company Logo
  • CWP Databases:
    • (CWP Admin --> SQL Services --> phpMyAdmin)
    • root_cpmigrations
    • root_cwp databases
  • DNS Zone Templates
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/default.tpl
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/
  • DNS Zone File Backups (these are created manually and are not the live ones)
    • /usr/local/cwp/.conf/backups/var/named/
  • php.ini (all versions)
  • my.cnf
  • Doevecot/Postfix/Spam assassin and other email stuff
  • Crons (only custom crons)
    • /var/spool/cron/
    • /var/spool/cron/root    These are in the CWP GUI.
    • /var/spool/cron/[other users]   ? Are they stored in the clients accounts when they backup? These are in the CWP GUI.
    • /etc/crons.d/   
    • /etc/cron.hourly/
    • /etc/cron.daily/
    • /etc/cron.weekly/
    • /etc/cron.monthly/
  • CentOS Web Panel Mailserver Installer
    • SSL Cert file location /etc/pki/tls/ private¦certs

Backup the Virtual Machine

This is an additional step I do and is one of the reasons I like windows.

  • Get an external USB HDD (you can use a network location if you want)
  • Shutdown all running VMs
  • Install Veeam Agent for Microsoft Windows FREE
  • Create/Edit a backup job (I will leave the exact options to you)
  • Run the backup.

Notes

  • This backup method will not work correctly if the VMs are running
  • Only changes are backed up so the process can be quite fix after the initial run.
  • If using a USN drive I highly recommend you look at the settings
    • When backup target is connected
    • Eject removable storage once backup is completed
  • The Veeam software is great for doing a backup of your Windows computer.

Create a Test VM

Create another VM with the exact same settings except different name, different credentials, different NAT IP and use a Dynamic Disk as you dont need performance. You can then use this for testing and playing with settings that you dont understand (like me) without harming you main server.

  • Power down your Production/Live CWP server VM.
  • Do a Full Clone of the VM
  • Boot the new development VM
  • Change the IP address
    • Follow the instructions above, search for  'Change Server NAT Local IP after the initial installation'
    • If you dont this will cause conflicts with your real CWP server (see change NAT ip after ... above)
  • Change the server's hostname
    • (Server Settings --> Change Hostname) = testserver.mydomain.com
  • Delete the old servers DNS zone which is probably =  server.mydomain.com.db
    • (DNS Functions --> List DNS Zones --> Delete Zone)
  • Change the password of the root account
    • (Server Settings --> Change Root Password)
  • Change the MySQL root password
    • Open up the CWPpro terminal and run the following command 
      sh /scripts/mysql_pwd_reset
  • Change any Emergency user accounts you have created.
    •  From the terminal as root, run the command for each account (these are not the website accounts)
      passwd <username>
  • Delete any client accounts in this development site as you dont need to be running these except on the live site.
    • Except the leave the user account that has your domain 'mydomain.com' as you might need this for testing.
  • Change name servers to 192.168.1.11 your NAT Local IP
    • (DNS Functions --> Edit Nameservers IPs)
    • Not sure this is right but the server cannot talk to the outside world anyway.
  • Power down the testserver
  • (optionaly) Convert the VDI to a Dynamic Disk to save space.
  • You can now power up both VMs up at the same time.
  • In testing, Snapshots are your friend and prevent hours of work trying to fix something you broke. On a test server I would always use these to test changes but I am not sure if they are safe on a Production/Live server.
  • Dynamic disks will continue to grow over time but can easily have the space recovered by running a VirtualBox command.
  • Changing passwords so they dont match the old server is to prevent you from accidentally logging in to the wrong account on the wrong server.
  • You might want to turn off all the admin emails off if you are leaving the test VM on for a while

Final Thoughts

The initial configuration is completeand I wish you well. As I learn more I will update this article. Keep reading to the bottom as you might find answer to common issues.

These instructions have taken me a long time to put together and I am not a Linux professional so pleases bear that in mind when reading this. If you notice any issues or mistakes please let me know and at some point I will tidy it up.

 

Other Configurations

These settings, configurations and notes have not made it into the main tutorial but are worth a read.

Things not installed or started

  • Team Speak 3 Manager
    • It is no longer supported.
    • It is removed from the menu system.
  • NodeJs
    • An open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser
    • WebServer Settings --> Node.js Manager
  • Apache Tomcat
    • A free and open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies. Tomcat provides a "pure Java" HTTP web server environment in which Java code can run.
    • WebServer Settings --> Tomcat Manager
  • Ioncube
    • This is for the user account facing Apache, not CWP.
    • PHP Settings --> PHP Addons --> Install IonCube Loader --> Install
  • PHP PECL extensions
    • PECL stands for PHP Extension Community Library, it has extensions written in C, that can be loaded into PHP to provide additional functionality.
    • PHP Settings --> PHP PECL extensions
  • FFMPEG
    • For Video streaming websites. A free and open-source software project consisting of a large suite of libraries and programs for handling video, audio, and other multimedia files and streams.
    • PHP Settings --> FFMPEG Installer
  • PostgreSQL
    • A free and open-source relational database management system emphasizing extensibility and SQL compliance.
    • SQL Services --> PosgreSQL Installer
  • MongoDB
    • A source-available cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.
    • SQL Services --> MongoDB Manager
  • ShoutCast Manager
    • By installing Shoutcast server you will create a linux shoutcast user which will be used to run shoutcast servers.
    • Plugins --> ShoutCast Manager
  • Site.pro
    • A Paid for website builder.
    • Plugins --> Site.pro
  • Softaculous
    • A commercial script library that automates the installation of commercial and open source web applications to a website.
    • Script Installers --> Scripts Manager
  • Sitepad
    • A drag and drop website builder (from Softaculous)
    • Script Installers --> Scripts Manager
  • WHMCS Integration

User Email Accounts

When setting up an email account in an app uses these settings (Based/Tested in Outlook 2019)

  • My outgoing server (SMTP) requires authentication: ticked
    • Use same settings as my incoming mail server: selected

You should always use a secure port for your SMTP. Each port has different options it will accept

  • 465 (Preferred)
    • None = Does not work
    • SSL/TLS = Works
    • STARTTLS = Does not work
    • Auto: Does not work
  • 25, 587
    • None = Works
    • SSL/TLS = Does not work
    • STARTTLS = Works
    • Auto: Works
  • 26
    • Not enabled by default but should be the same as (25, 587)

cPanel Account Import / Migration

  • cPanel Compatibility - Control WebPanel Wiki - This has links to everything you need to know from using the new CWP and migrastion cPanel accounts.
  • cPanel Account import
  • Single cPanel account import
    • How To Migrate a User From cPanel To Centos Web Panel - Worth a look.
    • Created a full backup on my cPanel server which I downloaded to my desktop.
    • I uploaded the cPanel backup to my CWP server /home using SFTP over SSH
    • User Accounts --> cPanel Account Restore
      • Account Import: The file you just uploaded
      • Associated Package: Choose something relevant
      • Tick all boxes (except the fast import one if on a slow server)
      • Click `Import`
    • The password is maintained.
  • Why my sites did not work after importing from a cPanel backup or I a warning, Forbidden: You don't have permission to access this resource.

    • Cause(s)
      • Mod Security need to be configured correctly.
      • Name Servers are wrong
      • DNS Zones need to be setup correctly.
      • SSL Issue
        • My demo sites on cPanel had the HSTS header added by the W3 Total Cache which is then cached by the browser.
        • CWP did not automatically create the SSL certificates
        • Google chrome will not allow you to load sites with mis-configured SSL certificates and there is no override option.
      • php.ini and .user.ini issues
      • CWP or something else got mixed up.
    • Solution(s)
      • Mod Security
        • Check you are using Comodo rules (not OWASP)
        • Check the Mod Security logs for blocks.
          • Mod Security (per domain logs, replace DOMAIN.COM) 
            /usr/local/apache/domlogs/DOMAIN.COM.error.log
          • I found the lack of a favicon.ico was causing things to get blocked.
      • Name Servers
        • Check they are pointed to server.mydomain.com (You don't have to do this if you change the A records properly)
      • Check the DNS zones for the account
        • DNS Functions --> List DNS Zones --> Check All Zones
        • CWP wiil then show the relevant IP which the zone point to.
        • The domains zones must be pointing at your server correctly.
      • Manually install the SSL certificates from Letsencrypt
        • WebServer Settings --> SSL Certificates
          • Add CWP service subdomains onto the primary domain
          • Do the other domains/subdomains
      • Run the permissions tool:
        • User Accounts --> Fix Permissions
        • Select the imported cPanel account
        • Tick the following
          • Fix Permissions
          • Internal Server Error
          • Remove AddHandler
        • Click `Fix Selected Issues`
      • php.ini and .user.ini
        • You might have erroneous php.ini and .user.ini files from the old server that have not been modified or deleted as needed that need deleting or editing in the user account's files.

How to use the PHP selector

  • add notes here
  • Cane be done either in the user panel or admin
  • if default is it using the seerver default with no-fpm,
  • how do i remove the selection, just delete the htaccess

Notes

  • PHP-FPM
    • PHP-FPM selector changes it for the whole domain/subdomain
    • PHP handler is not set in htaccess file (only for php-fpm and default cgi)
  • PHP-CGI (standard)
    • is on a per folder basis unless not specified and the server default version is used
    • AddHandler (in htacces) is for PHP-CGI only
  • default option is shown perhaps becasue I do not have a php-cgi verion installed and I have not forced php-fpm (see video)
  • Default Version
    • once you have selected a PHP version you cannot go back to server default
  • If you have lots of clients I dont think forcing PHP-FPM is the best. Only choose this option if you are doing your own stuff. You can always manually PHP-FPM for specific user accounts.
  • PHP Selector | Control-WebPanel Documentation - Instructions for users and their control panel.
  • How many php versions I can run on the single server - Control WebPanel Wiki - The admin side of the selector. This includes setting options and rebuilding.

Configure Network Devices to be on the same Local Domain (OpenWRT) (optional)

I want all of my local devices to be registered on the same local domain (mydomain.com) as my CWP server (server.mydomain.com) so I can ping and connect to devices on my network using FQDN (eg: device.mydomain.com). This can make my network administration a lot easier and I can pretend that my network is a full domain of computers on the internet. This is not the same as Microsoft Active Directory / Windows Domain but will do for me.

My Choice

Because I am running a webserver which controls DNS zones it is best to leave it doing that role. This setup will prevent duplicate entries in the mydomain.com DNS zone and the OpenWRT hosts file.

  • Change the Local domain to mydomain.com
  • Leave Local server as /lan/ which allows OpenWRT to poll my mydomain.com DNS zone.
  • I will add my public facing servers and devices into the mydomain.com DNS zone so they can be access via a FQDN both remotely and locally.
  • For devices I need to access via a FQDN locally(private) I will use the Hostnames feature in OpenWRT.

Configure the Device Domain Suffix (Local domain)

I am running OpenWRT on my router and it currently adds the configured DNS suffix (.lan) on to the end of each registered device's hostname (device.lan). Device hostnames are automatically registered with DHCP in the Active DHCP Leases and can be manually added via Static Leases. Both these lists combine to make single list of FQDN that the router uses for routing traffic.

The instructions below will change the registered hostnames to belong to .mydomain.com giving the format device.mydomain.com when registered instead of device.lan

  • Login to your OpenWRT router
  • (Network --> DHCP and DNS --> General Settings --> Local domain) = mydomain.com
  • Restart your router

Notes

  • Local domain = suffix appended to DHCP names and hosts file entries
  • default = lan
  • This does not make any changes on the device such as the device's name and is purely for OpenWRT and it's routing.
  • When you ping a device by FQDN you request the IP of the FQDN from the configured DNS server, in this case OpenWRT, which will send back the registred IP address of the device just as if you were looking up www.bbc.co.uk and doing an external DNS lookup to a remote DNS server.
  • You can use Static Leases to manually assign a DHCP address but for what I am doing, this is not needed and I prefer all of my static devices to have an IP so when they are away from my network I can still access them over temporary networks etc.. for diagnostics and other such things.
  • You will notice in the lists only the hostname is shown which is normal.
  • A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a server might be device.mydomain.com , The hostname is device and the host is located within the domain mydomain.com.
  • When a device does a DHCP request it only sends it's hostname unless the FDQN option is specified which is probably never going to be enabled in a default setup.
  • Difference between Hostnames and DHCP hostnames - Installing and Using OpenWrt - OpenWrt Forum
  • IPv4 and IPv6 Advanced DNS Tab - This explains all the options in the Windows Network Adapter IPv4 and IPv6 Advanced DNS Tab.
  • Don't put local IP address in you mydomain.com DNS Zone as this could be a security risk.

Devices with Static IPs need adding to OpenWRT hosts

OpenWRT has no information or interaction with devices that have static IP addresses because it simple does not know about them.

To remedy this there are 2 ways of doing this:

Hostnames (preferred)

  • Goto (Network --> Hostnames)
  • Add a Hostname
    • Hostname =  device (hostname) or device.mydomain.com (FQDN)
      • If there is not domain, only a hostname then OpenWRT will append the DNS Suffix .mydomain.com
    • IP address = 192.168.1.x (Local IP address)
    • You can also use public IP addresses and they will also route as appropriate.
    • If you pick your WAN IP (and assuming the forwarding rules are inplace as shown above) then that traffic will be subject to NAT lookback and be forwarded to your webserver.
    • OpenWRT will not append a DNS Suffix to these entries.
    • Hostnames are stored in /etc/config/dhcp and look like:
      config domain
	option name 'device'
	option ip '192.168.1.99'
      or 
      config domain
	option name 'device.mydomain.com'
	option ip '192.168.1.99'

Static Leases

Static Leases are the ability to use the DHCP system to give the same IP address to the same machine which effectively makes them statics with less configuration at the clients end and more control by the admin, however it does requires some setup work.

  • Goto (Network --> DHCP and DNS --> Static Leases)
  • Click Add
  • Fill in these fields only

    • Hostname = device
    • IPv4 = 192.168.1.x
    • We only use the devices hostname (device) not it's FQDN (device.mydomain.com) because OpenWRT will append the domain suffix for us.

Some of you will be saying how does OpenWRT know which device to assign the IP too because I have not set it, well it doesn't. What I have here is just created a host entry that will allow the correct routing but the IP will never be dished out over DHCP. This is more of a hack I discovered. You can use the Static Lease as it was intended by just adding in the following further information (assuming IPv4 only) into the entry.

  • MAC-Address
  • Lease time

Route all traffic locally (Local server) (optional)

This option tells OpenWRT that hostnames belonging to this domain (.lan) are never forwarded and are resolved from DHCP or hosts files only. So this means unless your device is on DHCP, has a Static Lease configured or an entry in OpenWRT Hostnames then no traffic will be routed to it because OpenWRT will not do any external DNS requests and when I say external I mean outside of the router itself, it will purley use these 3 sources for lookups.

The purpose of this option is to prevent unnecessary traffic going upstream and reduce the load on your infrastructure.

These instructions will change the Local server from .lan to .mydomain.com

  • (Network --> DHCP and DNS --> General Settings --> Local server) = /mydomain.com/
  • Restart your router

Notes

  • Local domain = Names matching this domain are never forwarded and are resolved from DHCP or hosts files only.
  • default = /lan/
  • If server.mydomain.com stops resolving after changing this option, it is probably because you only had the device/server configured in the mydomain.com DNS zone which is no longer queried when the domain DNS lookup matches mydomain.com
    1. Add a static Lease for server.mydomain.com
    2. Revert the option back to /lan/ so your domain traffic it handled by NAT Loopback which is part of the CWP (All Ports / LAN Only) rule.
  • If you are running your own webserver that handles the .mydomain.com DNS zone such as CWP server then you should not use this feature. If you do use this you will have to manually enter all hostnames found in your CWP .mydomain.com DNS zone (mail.mydomain.com/cpanel.mydomain.com/www.mydomain.com/etc...) into the OpenWRT Hostnames which is duplication and extra hassle. The NAT Loopback rules employed earlier on will stop the traffic going upstream anyway (it will go into the WAN zone and straight back for you nerds out there).

Change a Windows PC's 'Primary DNS Suffix' (optional)

Do not do this on laptops etc.. if you are going to move above between sites.

As mention above OpenWRT will add DNS suffixes on to the DNS Hostnames to give a FQDN but will not change the computers actual name.

What we are going to do here is a add a Primary Domain Suffix to our Windows PC but this is also not changing the PCs name. Windows has a normal computer name (NetBIOS) that we can add a domain suffix onto it. If you want to change the computer name on your Windows PC it is just as normal (not discussed here)

I cannot think of a reason why I would want to do this on a Windows PC except so SSL/TLS certificates could be issued and then when you use Remote Desktop the computer names match. However for reference I am going to add the instructions here just incase I change my mind.

  • On your Windows PC goto (Control Panel --> System --> Advanced System Settings --> Computer Name --> Change --> More)
  • 'Primary DNS suffix of this computer' = mydomain.com

    • 'Change primary DNS suffix when domain membership changes' - This is already checked and I think it is more to do with Active Directory so can be left as is.
    • Adding a suffix here does not break DHCP registration. OpenWRT still sees this device as device.mydomain.com because only the hostname is sent with the DHCP request.
    • If you choose a different suffix on the Windows PC to that of your OpenWRT/CWP domain (mydomain.com) then the Windows PC will seen 2 FQDN. One defined by OpenWRT and one defined manually on th Windows PC, so my advice is don't bother doing this, keep the domains the same.
    • Windows original just ran on NETBIOS and so a lot of its stuff is based around that. This is why you have to add 'Primary DNS Suffix' in this way rather than just changing the computer name whereas as in linux your computer name can just be a hostname or a FQDN.

Change Linux computer name (optional)

Do not do this on laptops etc.. if you are going to move above between sites.

I am not an expert on linux but you when you sent the computers name you can either set device or device.mydomain.com and I assume that it will only send the host name in a DHCP request as Windows does above. So you again have the option to set just a hostname or a full FQDN.

Same FQDN for Local and Internet Access (optional)

One of the major benefits of this is that I can use the same FQDN to connect to my devices on my local network as I can when I am in the office at work. Great for CCTV and media servers.

Do NOT add non-public devices to DNS zone for security. Only use Static Leases.

You need to do the following for this to work:

  • Add an A record in to your domain (mydomain.com) pointing to your public IP (13.13.13.13).
  • Configure port forwarding to send the traffic from the WAN to the selected local device's IP address (192.168.1.x).

Default URLs

Useful Notes

 

Questions/Bugs/Features for the Forum

Links

Questions

  • what is the CWP subdomain for? is this a fault?
    • WebServerSettings --> Apache Redirects
    • Redirects info: http://any-domain.com/cwp will be redirected to the CWP control panel login.
  • The CWP forum does not have a HTTPS cert
  • Do other subdomains (not mail, cpanel, mail, webmail)?
  • centos cwp shows a swap file monitor but this system does not have one. do i need one or is it all in ram becasue it shows 4GB?
  • how do i change the PHP version on mass for all user accounts?
  • how can i edit eveyones zone template to make changes (GREP ?)
  • a script to edit everyones htaccess file (GREP ?)
  • did i need to create the user 'user' when setting up CentOS, should I have just left root? delete the shoulders account if not needed.
  • When you click on CWPPro terminal for the first time it installs the terminal. I dont know what the difference is between the terminals. the pro one might have Root privilages and be just like a normal terminal.
    I need a description
  • is cgroups still faulty? (asked here Cgroup In Package Creation Question)
  • does port 26 need to be opend up. = nope
  • how to force https on cpanel and webmail
  • Enforce SSL/HTPPS/TLS for all postfix connections, how to?
  • Enforce SSL/HTPPS/TLS for all Dovecot connections, how to?
  • in the CentOS install wizard, should i keep KDUMP enabled?
  • how do i add aditional SANS to my sub domains SSL?
  • how do i change my primary domain on a client account?
  • how do i update centOS? is this needed?
  • is cwp multicore aware? - i think i looked into this and it is because of centOS
  • how do i configure amavis + clamav? where are the configuration files, they are not accessible via the GUI.
  • my CWP server has many different boot options in the boot loader when it turns on. they seem to be different versions.
    • how do i get rid of them?
    • is this a bug? in CWP or CentOS?
  • my.cnf is empty? is this a bug?
  • ClamnAV
  • SELinux
  • Monit
    • I need more information on what tasks/actions should be installed and what they do.
    • Is there a list of what these scripts do somewhere? documentation?
    • i need to update my notes when i find out more info
    • feature: in the configuration files the ability to read the script files that have not been installed. i appreciate they have to be readonly until installed
    • the configuration files included with cwp should have some documentation about what they do
    • recommendations on what configuration files to install
  • InnoDB/Database
  • Cannot enforce HTTPS on cpanel.mydomain.com - this should be done in the GUI
  • i dont always have to put in the root/password in the CWPPro terminal. Where is it storing the root info? is this safe? this should not be persistent between server reboots or Browser sessions. Can this be clarified as safe or bug?
  • Cron
    • Are CRONs stored in the clients accounts when they backup?
    • Where is the cron for the freshclam update? probably in anacron
    • Why are the autossl crons in the GUI and not in a file in /etc/cron.d/ do you want these to be user editable?
    • freshclam is still updating when clamav is disabled, these should be linked?
    • Duplicate CWP root CRONs - My quetion abput the duplicate crons I have
  • Where dos the (MySQL Manager --> Settings) store these configurations because it is not in the my.cnf file? Are they persistent or just stored in RAM?

 

Feature Requests - CWP Suggestions (Forum)

  • SPF and DMARC should have an edit tool (feature request)
  • MySQL terminal
  • easier way to reset MySQL root password becasue the default password is too short.
    • is this doen by script?
  • have monday as the first day in the week
  • be able to add a custom name to backup jobs (in the new manager)
  • in the file manager I would like to freetype the file location to speed navigation up
  • currently the default setting for letsencrypt renewal time is 28 days, letsecyrpt recommends 60 days
  • filemanager on copy files, folders and files should have separate icons or a way of knowing what the asset is, currently you cannot tell the difference between files and folders
  • filemanager - no refresh button - useful when working with ftp aswell
  • download account backups, i should be able to download the backup by clicking the link like cpanel.
  • easy button to backup CWP server settings
  • Cannot remove ClamAV, Amavis & Spamassassin individually. should be able to select these seperately
    • ClamAV is used as the account sanner in the 'sEcurity Center'
    • ClamAV does the mail and the home directory. However if you uninstall it in the postfix rebuild then ClamAV is not available to scan client home directories.
    • ClamAV: this should not be an option in Postfix becasue it scans homedir aswell
    • the virus scan page is still avaiable in the client panel but just causes an error
    • How to free space like uninstall ClamAV, AMaViS, etc.
      • also you can check more detailed your disk usage by using cwp disk_details module, it has per folder usage. 
        IP:2030/admin/index.php?module=disk_details
    • 'ClamAV, Amavis & Spamassassin, Requires 2Gb+ RAM'
      • It installs ClamAV and AmaVis if not present and will possibly update them aswell.
      • This option stops/starts  the related servicesthem on install/uninstall
      • I am sure does some PostFix configurations.
      • This script does not uninstall ClamAV or Amavis.
      • If this option is enabled then the services amavisd.service, clamd.service, spamassassin.service are started when the server boots and if you manually stop them they will restart irrespective of their configuration in systemd. So they must be defined dependicies of some process this option invokes.
  • CWP changelog feed in the cwp control panel
  • All Admin pages should have a breadcrumb. This allows people to use shortcuts and newbies to find the same area at a later date easier.
  • Cannot edit root crons only add and delete via the GUI. Editing these should be allowed
  • RAM usage does not update like the cpu and diskl i/o only on a page refesh.
  • need a nice utility to look at memory usage easily
    • i have seen TOP
    • i.e AmaVis is using 200mb
    • ClamAV is using 500MB
  • an indicator after the reboot button has bee pressed so you know you have clicked it. like cpanel with a spinning thing and then when the server has reloaded the page can refresh seeing as CWP Admin session are persistent through reboots.
  • No easy backup method to backup the server settings i.e:
    • Skeleton Templates: /usr/local/cwpsrv/htdocs/resources/admin/tpl/ 
    • CWP Databases:
      • (CWP Admin --> SQL Services --> phpMyAdmin)
      • root_cpmigrations
      • root_cwp databases
    • This should be added to the Backups 2
  • account backups should have the account name in it like cpanel
  • cpanel database backups, remove the word dump from the file name
  • root_cpmigrations and root_cwp databases are using latin1_swedish_ci for their collations, this should be changed to utf8_unicode_ci or even better utf8mb4_unicode_ci.
  • CWP should have the ability to back the server settings up using the backup jobs.
  • enable HTTP2 by default
  • enable TLSv13 by default
  • Logo preview should show both light and dark previews for contect
    • (User Accounts --> Features,Themes,Languages --> Branding)
  • Remove 'cwp' subdomain from the Default DNS Zone (section above)
    • This has to be done here so all of your new accounts dont get this vestigial subdomain.
  • GreyListing feature, where is it? is it part of Postfix?
  • Ability to edit default DNS Zone templates from the GUI
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/default.tpl
    • /usr/local/cwpsrv/htdocs/resources/conf/dns/bind/zones/custom.tpl
  • On the article Custom Account Templates - Control WebPanel Wiki
    • the templates need explaining when they will be called on i.e. when you create new account
  • At the top left what is the load monitoring becasue there is no units and why can it be toggled?
  • When you change the hostname of the server CWP should handle the deleting of the old hostname in all appropriate records (DKIM, DNS Zones) and give a summary of the changes plud do backups of these file where needed.
  • Add a link on all pages to a proper wiki page. these could all be place holders for now
  • put the server name / domain name in big letters at the top of the dashboard so I know which server i am working on.
  • Random password generator passwords are too short and dont have any special characters in them. A way to set the parameters of the generator would be great.

 

Bugs - CWP Bug Tracking / CentOS-WebPanel Bugs (Forum, old?)

  • They says setup port26 but it is not open by default in the firewall - add this when i do email server
  • AutoSSL is not renewing CWP subdomain, bug?
  • once you have selected a PHP version you cannot go back to server default?
  • the menu collapse is inconsitent - when you click on some items the whole menu collapses which is annoying
  • The MySQL Root password changing script is broken
  • Bug: New account create and Rebuild Zone use different templates
    • New Account Zone(test.acc.db) 
      ; Generated by CWP
; Zone file for test.acc
$TTL 14400
@    86400        IN      SOA     ns1.mydomain.com. postmaster.test.acc. (
				2021070154 ; serial, todays date+todays
				3600            ; refresh, seconds
				7200            ; retry, seconds
				1209600         ; expire, seconds
				86400 )         ; minimum, seconds

@	86400	IN	NS		ns1.mydomain.com.
@	86400	IN	NS		ns2.mydomain.com.
@ IN A 13.13.13.13
localhost.test.acc. IN A 127.0.0.1
@ IN MX 0 test.acc.
mail 14400 IN CNAME test.acc.
smtp 14400 IN CNAME test.acc.
pop  14400 IN CNAME test.acc.
pop3 14400 IN CNAME test.acc.
imap 14400 IN CNAME test.acc.
webmail 14400 IN A 13.13.13.13
cpanel 14400 IN A 13.13.13.13
cwp 14400 IN A 13.13.13.13
www 14400 IN CNAME test.acc.
ftp 14400 IN CNAME test.acc.
_dmarc	14400	IN	TXT	"v=DMARC1; p=none"
@	14400	IN	TXT	"v=spf1 +a +mx +ip4:13.13.13.13 -all"
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCviXG9SqprOjF3qvN+Xo2KpXp54Fgx6CX42wLxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    • Rebuilt Account Zone (test.acc.db) 
      ; Generated by CWP
; Zone file for test.acc
$TTL 14400
test.acc.      86400        IN      SOA     ns1.mydomain.com. noreply.quantumwarp.com. (
				2013071600      ; serial, todays date+todays
				86400           ; refresh, seconds
				7200            ; retry, seconds
				3600000         ; expire, seconds
				86400 )         ; minimum, seconds

test.acc. 86400 IN NS ns1.mydomain.com.
test.acc. 86400 IN NS ns2.mydomain.com.

test.acc. IN A 13.13.13.13

localhost.test.acc. IN A 127.0.0.1

test.acc. IN MX 0 test.acc.

mail IN CNAME test.acc.
www IN CNAME test.acc.
ftp IN CNAME test.acc.
; Add additional settings below this line
_dmarc	14400	IN	TXT	"v=DMARC1; p=none"
    • Bug: Zone creation is inconsitent. There appears to be many templates but are out of sync to which data they use to build their templates with, in particular the email address that is declared on them in the SOA.
  • why is my usage in my cpanel not working. it alswyas shows 0.00 MB / 5000 MB - do i need to start something for htis?
    • another time it showed 36mb used and the account backup was 200mb+ on its own
    • client account: disk usage is not updated
  • sometimes if you let a ftp session expire, you cannot reconnect with FTP until you have killed the session via CWP
    • cannot kill session in cpanel (could be i need to add permissions)
  • view trash does not work. see themes.qwdemos.com , certainly not in firefox - double check this, i think it just shows the .trash folder but htis cannot be accessed normally and might be temproary during the filemamanger session.
         make a note of this + is there an article on trash.
  • (Email --> rDNS Checker) checks the NAT IP not the public IP
  • Every new user account creates a mysql user, even if there are no databases. this seems pointless.
  • The intial setup for cwp does not create the DNS zone for the server, it only happens after you have refreshed the server hostname. This is either a bug or by design.
  • when i logged into my secure https://cpanel.mydomain.com/  it redirected to non-secure  http://cpanel.mydomain.com/
  • The only way to removed 'Admin services' from a domains SSL is to delete the certificate. You can add additional 'Admin services' easy by clicking on the button, selecting the additional options and clicking 'Apply changes'
    • The SSL handling is a bit flaky, it is not easy to re-configure an SSL. you can add additional SAN but not seem to remove them except delete the whole thing admin services
  • Cannot delete some MySQL users via the CWP GUI but there is not issue deleting them via the SSH or phpMyAdmin
  • breadcrumbs dont work 'you are here' looks like whwere is should be at the top right but it does not work
  • Menu
    • Most pages titles on the pages do not match up with their menu name and this is confusing. give one example and say i will do the rest if it is of use
    • menus collapse inconsisten -eg: (SQL Services --> MySQL Configuration) is a great example, the mnu just collapses aafter you click, it does not stay on the same  'menu'
  • Bug/Question: do the developers look at these bugs here or is it just ofr us end users?
  • (WebServer Settigns --> SSL Certificates) the multiple actions dropdown has pre-expanded and the options below have leaked (do picture)
  • Custom Account Templates - Control WebPanel Wiki (branding)
    • This is not well written
    • The english does not make sense.
    • what does rsync -av do?
  • The logo preview does not work.
    • (User Accounts --> Features,Themes,Languages --> Branding)
  • http://wiki.centos-webpanel.com/ - needs to have https enforced but currently the https version just redirects to the http version (crazy)
  • Cron
    • The following pages need to be merge becasue it is confusing, almost like one page is a half finished project. They both load the same data. This is more a bug than a feature becasue of how confusing it is.
      • (CWP Admin --> Server Settings --> Crontab for root)
      • (CWP Admin --> Server Settings --> Crontab for users)
    • /etc/cron.d/clamav-update has MAILTO=root rather than a proper email address that I can set in the GUI
    • error: 'PHP Notice:  Undefined index: O in /usr/local/cwpsrv/htdocs/resources/admin/include/alertandautorenewssl.php on line 0'
  • on the dashboard the RAM usage never seems to refresh unless I refresh the page
  • the rkhunter daily cronjob does not send the email to the correct address and you need to
    • edit Daily cronjob /etc/cron.daily/rkhunter or /etc/sysconfig/rkhunter
    • MAILTO=root@localhost  -->  MAILTO=root
  • nameservers do not have TrustedHosts or KeyTable
    • they do get DKIM and SPF records
    • This might be normal because they will never be required to send emails
    • Add this note somewhere above in the relevant email section
  • (Email --> DKIM & SPF Manager) always shows v=DKIM1 and v=spf1 present even if they are not.
  • There is a file that should not be in the default apache template /usr/local/apache/htdocs/autoconfig.php - there should be no PHP in this place.
Read 7578 times Last modified on Saturday, 04 November 2023 10:45
Published in Web Server
back to top