Tricks and Tips about Systems/Network

July 17, 2010

Enabling wildcard support in Cpanel shared hosting

Filed under: admins,Control panel,WHM/Cpanel — Liju Mathew @ 8:56 pm

My requirement is that I need to enable wildcard subdomains on one of my add-on domains. My add-on domain is "test.com" and I want all the sub-domain requests to be managed by this domain, like

test1.test.com --> test.com
test2.test.com --> test.com
xxx.test.com --> test.com

Click on the sub-domain menu from the cPanel home. Then set the "Subdomain" name to "*" and choose the domain name for which wildcards are to be enabled. Please remember that the "document root" is set to where the domain's files were copied. Obviously it should be public_html.

Cheers.

June 21, 2010

How do I open a port in APF firewall and add my IP as trusted?

Filed under: admins,apf,Hacks,WHM/Cpanel — Liju Mathew @ 7:21 am

APF is a policy-based iptables firewall which is very useful for blocking DDoS attacks on heavily trafficked servers. The issue is that when we developers/testers are using the same server, it will deny all the traffic from our static IPs. This is a major headache in most cases.

1. Opening port in apf firewall
Edit the file "/etc/apf/conf.apf", find the entry "IG_TCP_CPORTS" and add the ports to be opened to it.

A sample entry looks like this; I added the port "9091" to it
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,9091,5222"

Then restart the firewall
[root@host.mydomain.com] ~ >> apf -r

2. Trusting our IPs on APF firewall
Add our IP information to "/etc/apf/allow_hosts.rules". A sample entry looks like this
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24
# my IP ranges
69.16.222.0/24
64.91.239.0/26
187.68.0.0/16
129.16.23.96

May 11, 2010

How do I install UCC SSL certificate on Cpanel servers

Filed under: admins,Apache,Control panel,WHM/Cpanel — Liju Mathew @ 12:32 am

I have purchased a UCC SSL certificate from GoDaddy which is supposed to be used for 5 domains. I could install the SSL for my primary domain easily by reading GoDaddy's cPanel installation instructions. But I couldn't see any instructions there for SSL implementation on the other domains.

I have tried to install this SSL from WHM --> SSL manager. But every time, the primary SSL domain name certificate is re-installed. No errors show up during the installation, and the site is still using a self-signed certificate when browsing. After spending 30 minutes on it, I feel there is nothing we can do with cPanel.

Then I directly checked the httpd.conf settings and copied my primary domain's SSL settings to the other virtual host, which is included in the SAN list of that SSL certificate.

SSLCertificateFile /etc/ssl/certs/www.sites.com.crt
SSLCertificateKeyFile /etc/ssl/private/www.sites.com.key
SSLCACertificateFile /etc/ssl/certs/www.sites.com.cabundle

Please note that we can use the same certificate and private key for all the domains included in the UCC certificate. Then I restarted Apache and found that it's working correctly. I have also verified it by viewing the certificate file.

Now we need to make the custom modification to httpd.conf persist in the cPanel settings. To do this,
root@server81-28-25-12 [~]# /usr/local/cpanel/bin/apache_conf_distiller --update
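
Before copying the same SSLCertificateFile and SSLCertificateKeyFile lines into another virtual host, it is worth confirming that the host name really is in the certificate's SAN list and that the key belongs to the certificate. The script below is an added example, not part of the original post; the function names are made up for illustration, and it assumes the openssl command-line tool and an unencrypted private key.

```shell
#!/bin/sh
# Added example: check a UCC/SAN certificate before reusing it in a vhost.

# cert_sans CERT: print each DNS name from the SAN extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers CERT HOST: succeed if HOST matches a SAN entry.
cert_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r san; do
        case $san in
            "$host") return 0 ;;
            \*.*)
                # a wildcard stands for exactly one left-most label
                if [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${san#\*.}" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$(cert_sans "$1" | tr 'A-Z' 'a-z')
EOF
    return 1
}

# key_matches CERT KEY: succeed if the private key belongs to the certificate.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh check_ucc.sh CERT KEY HOST [HOST...]
if [ $# -ge 3 ]; then
    cert=$1; key=$2; shift 2
    key_matches "$cert" "$key" || echo "private key does not match $cert"
    for h in "$@"; do
        if cert_covers "$cert" "$h"; then echo "covered: $h"; else echo "NOT in SAN list: $h"; fi
    done
fi
```

A host reported as not covered will produce a name-mismatch warning in browsers even though Apache starts cleanly with the copied directives.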

March 23, 2010

How do I disable Http authentication on WHM/Cpanel ?

Filed under: admins,Control panel,Linux,RedHat EL5,WHM/Cpanel — Liju Mathew @ 9:10 am

The design of HTTP Authentication does not allow for logging out of an authenticated session. Once an HTTP Authentication session is established, the credentials are cached by the browser until the browser application is terminated. Some browsers allow a method to flush the credentials, but this method is neither reliable nor available in all browsers. Because the authentication credentials are cached, they are a likely target for cross-site request forgery attacks, often known as XSRF or CSRF.

Due to the inherent weaknesses of HTTP Authentication, cPanel recommends disabling its use with the product. This is done by checking the box of the Tweak Setting labeled "Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials".

Login to your WHM/Cpanel server
Main >> Server Configuration >> Tweak Settings

You can find the entry "Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials" under security settings.

Make sure the check box is ticked and save the settings. Even though it was shown ticked in my default WHM installation, it did not work. After saving the settings I got a message like

Updating "Skip HTTP Authentication" from "" to "1".
"Skip HTTP Authentication" was updated.

After that everything showed up correctly.

March 18, 2010

Installing Nagios on WHM/Cpanel servers

Filed under: admins,Apache,Control panel,Nagios,Webserver,WHM/Cpanel — Liju Mathew @ 7:17 am

How do I install nagios on WHM/Cpanel loaded with Centos ?

I spent about 5 hours finding a solution for viewing the Nagios web interface, since cPanel uses suPHP bound to Apache. I did the Nagios installation quickly, but the cPanel Apache config didn't allow including "conf.d" folders in the "include" list. Obviously this command won't work.
#make install-webconf
When I tried to access Nagios after adding it to the include file which cPanel specifies, I got an error like this and the page was not visible.
root@server8-28-25-132 [~]# vi /usr/local/apache/logs/suphp_log

[Mon Mar 15 09:48:18 2010] [warn] File “/usr/local/nagios/share/index.php” is writeable by group
[Mon Mar 15 09:53:30 2010] [warn] Mismatch between target UID (99) and UID (32007) of file “/usr/local/nagios/share/index.php”

So neither of my attempts has worked yet. It's something caused by suPHP. After Googling I didn't find a scenario exactly like this one, but it led me to some tweaks :-) .

The idea is that I create a new subdomain (nagios.test.com) in cPanel and modify the values written by cPanel in Apache.

My new value is,

# These directives sit inside the <VirtualHost> block that cPanel wrote for nagios.test.com
ServerName nagios.test.com
ServerAlias www.nagios.test.com
DocumentRoot /home/test/public_html/nagios
ServerAdmin webmaster@test.com
UseCanonicalName On
CustomLog /usr/local/apache/domlogs/nagios.test.com combined
CustomLog /usr/local/apache/domlogs/nagios.test.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
## User test # Needed for Cpanel::ApacheConf

# Run PHP and CGI for this host as the nagios user, so the UID matches the files
suPHP_UserGroup nagios nagios

SuexecUserGroup nagios nagios

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Please note the line "suPHP_UserGroup nagios nagios".

Then restart the webserver
#apachectl restart

Now I can see the Nagios web interface nicely at last. The URL is http://nagios.test.com/nagios. That worked :-D
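
The two suphp_log warnings quoted earlier can be reproduced without going through Apache. This is an added example, not from the original post: suphp_preflight is a hypothetical helper that applies the same owner and write-bit checks to a file, given the numeric UID of the user named in suPHP_UserGroup. It assumes GNU stat.

```shell
#!/bin/sh
# Added example: apply suPHP's owner and write-bit checks to one file.
# Requires GNU stat (coreutils, as shipped with CentOS).

# suphp_preflight FILE TARGET_UID
#   TARGET_UID is the numeric UID of the suPHP_UserGroup user, e.g. $(id -u nagios).
#   Prints one warning per failed check; returns 0 if the file passes.
suphp_preflight() {
    file=$1
    target_uid=$2
    failed=0

    owner_uid=$(stat -c '%u' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2
    perm=$((0$mode))                      # leading 0: parse the mode as octal

    if [ "$owner_uid" -ne "$target_uid" ]; then
        echo "Mismatch between target UID ($target_uid) and UID ($owner_uid) of file \"$file\""
        failed=1
    fi
    if [ $((perm & 020)) -ne 0 ]; then    # group write bit
        echo "File \"$file\" is writeable by group"
        failed=1
    fi
    if [ $((perm & 002)) -ne 0 ]; then    # same test for the "others" write bit
        echo "File \"$file\" is writeable by others"
        failed=1
    fi
    return $failed
}

# Stand-alone use:
#   sh suphp_preflight.sh /usr/local/nagios/share/index.php "$(id -u nagios)"
if [ $# -eq 2 ]; then
    suphp_preflight "$1" "$2"
fi
```

Clearing the group write bit on the reported file and making the virtual host's suPHP_UserGroup user match the file owner addresses both warnings without loosening suPHP's checks.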

I have tweaked my previous post again. There is another, easier method. The basic idea is to create a conf file, add the Nagios Apache entries to it, and include it in the main Apache file rather than editing that file itself.

To do this, I first made the "include" file entry in the main config file.
#vi /etc/httpd/conf/httpd.conf
and include the line in my domain's virtual host part.
Include "/home/myuser/conf/nagios.conf"

#vi /home/myuser/conf/nagios.conf
and add the following lines to it.
suPHP_UserGroup nagios nagios
SuexecUserGroup nagios nagios
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

Then restart Apache
#apachectl restart

Making changes permanent in httpd.conf on a WHM Apache server
#/usr/local/cpanel/bin/apache_conf_distiller --update
root@server88-20-25-12 [~]# /usr/local/cpanel/bin/apache_conf_distiller --update
Distilled successfully
root@server88-20-25-12 [~]#

March 13, 2010

Installing CSF on WHM/Cpanel for Centos

Filed under: admins,Control panel,WHM/Cpanel — Liju Mathew @ 11:10 am

CSF (ConfigServer Security & Firewall) is an excellent and easily configurable firewall solution for WHM/cPanel servers. But I would recommend using APF if possible, although there is no GUI to manage it.

Here are the quick steps to install it,
# mkdir /home/installation && cd /home/installation
#tar -zxvf csf.tgz
-bash-3.2# cd csf
-bash-3.2# iptables -L
-bash-3.2# service iptables stop
-bash-3.2# sh install.sh
-bash-3.2# csf -s
-bash-3.2# vi /etc/csf/csf.conf
Specify which ports you want to allow. Find the lines as shown below and add the port you want to open.

Here is the standard cPanel port list.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"

Now you need to make the CSF rules active rather than in testing:
disable the Testing Mode and start the firewall.
a. Edit the csf config file /etc/csf/csf.conf and update the following line.
TESTING = "0"

Now restart the CSF service,
-bash-3.2# csf -r
-bash-3.2# chkconfig iptables off

That’s it.

Now you can see an option "ConfigServer Security&Firewall" enabled in WHM under the "plugins" tree at the bottom of the right side panel.

Feel free to make the changes/updates over web interface on whm :-)

-njoy
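
A quick audit for either firewall config described on this page, added here as an example and not taken from APF, CSF or the original posts: it lists inbound ports opened beyond the standard cPanel TCP_IN set quoted above and checks that CSF's TESTING flag is really "0" (while it is not, csf clears the rules again on a timer). The function names and the choice of baseline are assumptions.

```shell
#!/bin/sh
# Added example: audit inbound port lists in conf.apf or csf.conf.

# Baseline: the standard cPanel TCP_IN list shown in the CSF post above.
BASELINE="20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"

# conf_value FILE KEY: print the quoted value of KEY (last assignment wins).
# Accepts both KEY="v" (conf.apf) and KEY = "v" (csf.conf).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" |
        tail -n 1
}

# extra_ports FILE KEY: print every port or range in KEY that is not in BASELINE.
extra_ports() {
    for port in $(conf_value "$1" "$2" | tr ',' ' '); do
        case ",$BASELINE," in
            *",$port,"*) ;;
            *) echo "$port" ;;
        esac
    done
}

# csf_is_live FILE: succeed only when TESTING is explicitly "0".
csf_is_live() {
    [ "$(conf_value "$1" TESTING)" = "0" ]
}

# Stand-alone use:
#   sh fw_audit.sh /etc/apf/conf.apf IG_TCP_CPORTS
#   sh fw_audit.sh /etc/csf/csf.conf TCP_IN
if [ $# -eq 2 ]; then
    extra=$(extra_ports "$1" "$2")
    if [ -n "$extra" ]; then
        echo "$2 opens ports beyond the baseline:" $extra
    fi
    case $1 in
        *csf.conf)
            csf_is_live "$1" || echo "TESTING is not \"0\": csf is still in testing mode" ;;
    esac
fi
```

Run against the IG_TCP_CPORTS sample from the APF post, this reports 3306 among the extra ports, which is worth restricting to trusted source addresses in allow_hosts.rules instead of opening to everyone.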
