Disable Mod-security2 for a Domain in cPanel

First of all, we can't disable mod_security2 via .htaccess on a per-domain basis, so never put mod_security rules in .htaccess. You have to disable it in the vhost configuration in Apache.

On a cPanel server, it is done as follows:

1) Create a custom vhost configuration file called mod-security.conf in the following location.

# mkdir -pv  /usr/local/apache/conf/userdata/std/2/CPUSER/DOMAINNAME/
# touch  /usr/local/apache/conf/userdata/std/2/CPUSER/DOMAINNAME/mod-security.conf

2) Now add the following lines to this file

#################################
<IfModule mod_security2.c>

SecRuleEngine Off

</IfModule>
################################

The above will disable the ModSecurity rules for a particular domain name. If you only need to disable the rules for a particular folder, add the rules as follows:

######################
<LocationMatch specify_the_path_here>

  <IfModule mod_security2.c>

    SecRuleEngine Off

  </IfModule>

</LocationMatch>
#######################

If you only need to disable a particular rule, then create the file with the following:

##########################
<IfModule mod_security2.c>

SecRuleRemoveById give_ruleID_here

</IfModule>
##########################

3) As the final step, make sure the custom vhost include is picked up by running the following command on cPanel servers:

# /scripts/ensure_vhost_includes --user=CPUSERNAME

This script will uncomment the following line in apache configuration. It will customize the virtual host to use the particular include file and will restart apache.

##############
Include "/usr/local/apache/conf/userdata/std/2/CPUSER/DOMAINNAME/*.conf"
#################
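
Each of these include files switches off WAF protection for a whole domain, a path or a rule, so it helps to keep an inventory of them. The audit script below is an added example, not part of the original post or of cPanel; it assumes the userdata layout shown above, and the users, domains and rule IDs in its sample tree are constructed.

```bash
#!/bin/bash
# Added example (not from the original post or cPanel): list per-domain
# ModSecurity overrides under a userdata tree laid out as BASE/CPUSER/DOMAIN/*.conf.
# Output columns: user, domain, scope, directive (tab-separated).
audit_modsec_overrides() {
    local base="$1" conf rel user domain
    for conf in "$base"/*/*/*.conf; do
        [ -f "$conf" ] || continue              # glob matched nothing
        rel="${conf#"$base"/}"
        user="${rel%%/*}"; rel="${rel#*/}"; domain="${rel%%/*}"
        awk -v u="$user" -v d="$domain" '
            BEGIN { scope = "vhost" }
            $1 ~ /^#/ { next }                  # commented-out directive
            tolower($1) == "<locationmatch" { scope = $2; sub(/>$/, "", scope); scope = "path:" scope; next }
            tolower($1) == "</locationmatch>" { scope = "vhost"; next }
            # Off and DetectionOnly both mean requests are no longer blocked
            tolower($1) == "secruleengine" && tolower($2) != "on" {
                printf "%s\t%s\t%s\t%s %s\n", u, d, scope, $1, $2 }
            tolower($1) == "secruleremovebyid" {
                ids = $2; for (i = 3; i <= NF; i++) ids = ids "," $i
                printf "%s\t%s\t%s\t%s %s\n", u, d, scope, $1, ids }
        ' "$conf"
    done
}

# Constructed sample tree (hypothetical users, domains and rule IDs) so the
# script runs offline; on a server, pass /usr/local/apache/conf/userdata/std/2.
demo_audit() {
    local tmp; tmp="$(mktemp -d)"
    mkdir -p "$tmp/alice/example.com" "$tmp/bob/shop.example.net" "$tmp/carol/example.org"
    printf '%s\n' '<IfModule mod_security2.c>' 'SecRuleEngine Off' '</IfModule>' \
        > "$tmp/alice/example.com/mod-security.conf"
    printf '%s\n' '<LocationMatch /admin/upload>' '  <IfModule mod_security2.c>' \
        '    SecRuleEngine Off' '  </IfModule>' '</LocationMatch>' \
        '<IfModule mod_security2.c>' '# SecRuleEngine Off' \
        'SecRuleRemoveById 1000001 1000002' '</IfModule>' \
        > "$tmp/bob/shop.example.net/mod-security.conf"
    printf '%s\n' 'SecRuleEngine On' > "$tmp/carol/example.org/custom.conf"
    audit_modsec_overrides "$tmp"
    rm -rf "$tmp"
}

demo_audit
```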

Install JAVA in Ubuntu or debian manually

The following steps will help you install Java on Ubuntu / Debian manually.

Download the JDK 7 tar file from http://www.oracle.com/technetwork/java/javase/downloads/index.html

mkdir -pv /usr/lib/jvm
cd /usr/lib/jvm
wget -c http://downloads-url-of-jdk/java/jdk-7u10-linux-x64.tar.gz
tar -xzf jdk-7u10-linux-x64.tar.gz
cd /usr/lib/jvm/jdk1.7.0_10

Now set the alternatives path

update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.7.0_10/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.7.0_10/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.7.0_10/bin/javaws" 1

Now edit the bashrc file and set the following environment variables

export JAVA_HOME=/usr/lib/jvm/jdk1.7.0_10
export CLASSPATH=.:$JAVA_HOME/lib/
export PATH=$JAVA_HOME/bin:$PATH

Now you can test the java version using the following command,

# javac -version

PS: If you have multiple alternatives, configure the default using update-alternatives --config java

cPremote version 6.4 released

Hello,

A bug-fix version of cPremote is available. The latest version is 6.4, and it has the following updates.

Change Logs:

  •   Fixed the footer url link in whm page
  •   Fixed the cpanel page  footer link
  •   Fixed some spelling and punctuation.

PrestaShop Admin And Nginx Plugin

PrestaShop needs a large header buffer size for its HTTP requests. Do the following to fix this issue:

1) Edit vhost.conf (under /etc/cpnginx or /etc/danginx) so that it also contains the following:

client_max_body_size    100m;
client_body_buffer_size 512k;
proxy_send_timeout   90;
proxy_read_timeout   90;
proxy_buffer_size    32k;
proxy_buffers     16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_connect_timeout 60s;

2) You may need to add the following two lines to the Main Nginx configuration file

client_header_buffer_size 16k;
large_client_header_buffers 16 16k;

So after that the nginx configuration may look like the following,


# cPanel Nginx Master configuration
user nobody;
error_log logs/error.log;
#Number of worker you need
worker_processes 1;
# How many connections a worker can handle maximum.
events {
worker_connections 50000;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
server_names_hash_max_size 5000;
server_names_hash_bucket_size 128;
# PrestaShop needs the following two lines

client_header_buffer_size 16k;
large_client_header_buffers 16 16k;

tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 0;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css;
ignore_invalid_headers on;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
include "/usr/local/nginx/conf/vhost.conf";
include "/etc/cpnginx/cpanelproxy.conf";
}

After modifying this , you may need to restart the Nginx server.

Nginx And DDOS Protection

cPnginx and Danginx can be used to protect against HTTP DDoS attacks as follows.
Edit the file /etc/sysctl.conf and increase the open file limit. Add the following line:

fs.file-max = 700000

Edit  /etc/security/limits.conf  and add the following  lines,

nobody       soft    nofile  100000
nobody       hard    nofile  500000

Now apply the sysctl configuration using the following command .

# sysctl -p

Now edit the  /usr/local/nginx/conf/nginx.conf  file  and add the following line.

worker_rlimit_nofile 50000;

1)  Add the following sysctl parameters,

net.ipv4.tcp_syncookies = 1
# source validation / reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 9000 65000

2) Use the RateLimit module, http://wiki.nginx.org/HttpLimitZoneModule . The following must be placed inside the http block:

limit_zone slimits $binary_remote_addr 10m;
limit_conn slimits 10;

3) You can also use the following:

limit_req_zone $binary_remote_addr zone=slimitss:10m rate=1r/s;
limit_req zone=slimitss  burst=10;
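
Once the connection and request limits are active, rejected requests are written to the nginx error log, and counting them per client shows who is hitting the limits. The script below is an added example, not part of the original post; its log lines are constructed samples in nginx's standard error-log wording, using the zone names slimits and slimitss from the configuration above.

```bash
#!/bin/bash
# Added example (not from the original post): count rate-limit rejections per
# client and zone in an nginx error log.
# Usage: summarize_rate_limited LOGFILE [MIN_HITS]
# Output columns: hits, client, zone (tab-separated, busiest client first).
summarize_rate_limited() {
    local log="$1" min="${2:-1}"
    awk -v min="$min" '
        /limiting (requests|connections)/ {
            zone = "-"; client = "-"
            if (match($0, /by zone "[^"]+"/)) zone = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /client: [^,]+/))   client = substr($0, RSTART + 8, RLENGTH - 8)
            hits[client "\t" zone]++
        }
        END { for (k in hits) if (hits[k] >= min) printf "%d\t%s\n", hits[k], k }
    ' "$log" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample log (documentation IP ranges) so the script runs offline;
# on a server, pass the error_log path from nginx.conf instead.
demo_rate_limited() {
    local log; log="$(mktemp)"
    cat > "$log" <<'EOF'
2012/12/20 10:15:01 [error] 2345#0: *101 limiting requests, excess: 10.320 by zone "slimitss", client: 192.0.2.10, server: example.com, request: "GET /index.php HTTP/1.1", host: "example.com"
2012/12/20 10:15:01 [error] 2345#0: *102 limiting requests, excess: 10.810 by zone "slimitss", client: 192.0.2.10, server: example.com, request: "GET /index.php HTTP/1.1", host: "example.com"
2012/12/20 10:15:02 [error] 2345#0: *103 limiting requests, excess: 10.950 by zone "slimitss", client: 192.0.2.10, server: example.com, request: "POST /login.php HTTP/1.1", host: "example.com"
2012/12/20 10:15:03 [error] 2345#0: *110 limiting connections by zone "slimits", client: 198.51.100.7, server: example.com, request: "GET /big.zip HTTP/1.1", host: "example.com"
2012/12/20 10:15:04 [error] 2345#0: *115 limiting requests, excess: 10.100 by zone "slimitss", client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2012/12/20 10:15:05 [error] 2345#0: *120 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
EOF
    summarize_rate_limited "$log" "${1:-1}"
    rm -f "$log"
}

demo_rate_limited
```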

Enable Cache in cPnginx Servers

You can enable cache in cPnginx. This will decrease the server load, but with cache enabled, website updates will only show up slowly. To enable cache, do the following:

1) Modify the file /etc/cpnginx/vhost.conf as follows,

client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout   90;
proxy_read_timeout   90;
proxy_buffer_size    4k;
proxy_buffers     16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_connect_timeout 30s;
proxy_cache my-cache;
proxy_cache_valid  200 302  60m;
proxy_cache_valid  404      1m;
proxy_cache_key "$scheme$host$request_uri";

2) Edit nginx.conf as follows,

# cPanel Nginx Master configuration
user  nobody;
error_log  logs/error.log;
#Number of worker you need
worker_processes  5;
# How many connections a worker can handle maximum.
events {
worker_connections  1024;
}
http {
include    mime.types;
default_type  application/octet-stream;
sendfile on;
server_names_hash_max_size 5000;
server_names_hash_bucket_size 128;
client_header_buffer_size 16k;
large_client_header_buffers 16 16k;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout  0;
gzip on;
gzip_min_length  1100;
gzip_buffers  4 32k;
gzip_types    text/plain  application/x-javascript text/xml text/css;
ignore_invalid_headers on;
client_header_timeout  3m;
client_body_timeout 3m;
send_timeout     3m;
proxy_cache_path   /usr/local/nginx/proxy_cache   levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
proxy_temp_path    /usr/local/nginx/proxy_temp ;
include "/usr/local/nginx/conf/vhost.conf";
include "/etc/cpnginx/cpanelproxy.conf";
}

3)  Now rebuild the nginx vhosts and restart it

Nginx And HttpRealIpModule

This module is already enabled by default in cPnginx version 6.0 or higher. You may simply need to add the module settings in nginx.conf as follows:

set_real_ip_from   $firewall_ip1;
set_real_ip_from   $firewall_ip2;
real_ip_header     X-Real-IP;

You may also edit /usr/local/apache/conf/mod_rpaf.conf with the following

RPAFheader X-Real-IP
RPAFheader X-Forwarded-For

These settings are required for Cloudflare clients.