
Comodo / PositiveSSL / InstantSSL Multi-domain SSL certificate installation on Plesk

If you are short of IP addresses and need SSL on several domains hosted on a single IP, a good option is the Multi-Domain certificate from Comodo: a single certificate that lists more than one domain name (the additional names are carried in the certificate's Subject Alternative Name extension), licensed for a single server installation.

However, host headers (name-based virtual hosting, which is what lets one IP serve more than one SSL-enabled domain once a single certificate covers all of the names) are not recommended for e-commerce sites.

The multi-domain certificate can only be purchased from one of the Comodo resellers, or you can apply to become one yourself.

To order the certificate you first need a Certificate Signing Request (CSR). Plesk generates the private key and the CSR for you from its admin UI, so the private key stays on the server:

  1. Login to the Plesk Control Panel.
  2. From the left hand menu, select 'Server'.
  3. Click on 'Certificates'.
  4. Click on the 'Add New Certificate' item.
  5. Fill out the information on the page. All items marked with a red asterisk must be filled in.
  6. Press the 'Request' button.
  7. You will then be returned to the Certificates menu. From the list at the bottom of the page, click on the name of the certificate you just created. Mid-way down the page there is a box labelled 'CSR'; copy its contents.
  8. Paste the CSR into the order screen when purchasing the SSL certificate.

Shortly after ordering, the SSL certificate is emailed to you in a zip file together with the CA certificates below:

  1. AddTrustExternalCARoot.crt
  2. PositiveSSLCA.crt
  3. UTNAddTrustServerCA.crt

Plesk wants the CA certificates as one file, concatenated in this order: the intermediate that issued your certificate first, each certificate followed by the one that signed it, and the root last.

$ cat PositiveSSLCA.crt > CA.crt
$ cat UTNAddTrustServerCA.crt >> CA.crt
$ cat AddTrustExternalCARoot.crt >> CA.crt

Those files are available for download from Comodo's support site as well.

The order matters and must be as shown above: each certificate is followed by the one that signed it, so the issuing intermediate comes first and the root last. Do not add blank lines between the certificate blocks when you copy the contents of the existing CA files into the new file. This is the file you give Plesk when it asks for the CA Certificate.

To install the certificate, go back to the Certificates area in Plesk and upload or copy/paste the certificate and the CA bundle into the relevant fields. Once it is applied to the IP address (next step), check from outside with `openssl s_client -connect host:443 -showcerts` that the server sends the certificate together with the intermediates; a missing or mis-ordered intermediate shows up there as a verify error.

Return to the Server Page and go to the IP address section. Click on the relevant IP address and apply the newly installed certificate.
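The concatenation step above is easy to get wrong by hand (a stray blank line, a file pasted twice, the root in the wrong place), so here is an added shell example that builds the bundle in the stated order and checks the result. It is mine, not code from the original post, Comodo or Plesk; the three input file names are the ones Comodo ships, the function names are my own, and the optional chain print-out assumes openssl is installed.

```sh
#!/bin/sh
# Added example: build the Comodo CA bundle in the order Plesk expects and
# sanity-check it. Function names are the editor's own, not Plesk/Comodo tools.

# build_ca_bundle OUT FILE... : append the PEM block of each FILE to OUT in
# argument order, dropping blank lines and any text outside the BEGIN/END
# markers (some vendor files carry a human-readable header above the PEM block).
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "$f: expected exactly 1 certificate, found $n" >&2
            return 1
        fi
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
    done
}

# check_ca_bundle FILE : fail on blank lines or unbalanced BEGIN/END markers;
# on success print the number of certificates in the bundle.
check_ca_bundle() {
    f=$1
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: blank line inside bundle" >&2
        return 1
    fi
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
        echo "$f: $b BEGIN vs $e END markers" >&2
        return 1
    fi
    echo "$b"
}

# show_chain_order FILE : print subject and issuer of every certificate so you
# can confirm each issuer matches the subject of the next one (intermediate
# first, root last). Needs openssl; silently skipped when it is not installed.
show_chain_order() {
    command -v openssl >/dev/null 2>&1 || return 0
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/" n ".pem") }' "$1"
    for c in "$tmp"/*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer
        echo
    done
    rm -rf "$tmp"
}

# Usage with the three files Comodo ships (issuing intermediate first, root last):
#   build_ca_bundle CA.crt PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt
#   check_ca_bundle CA.crt && show_chain_order CA.crt
```

The check only proves the file is well-formed; the subject/issuer listing is what tells you the order is right, and `openssl s_client` against the live server is the final confirmation once Plesk has applied it.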

Tuning TCP - sysctl.conf

Recent Linux kernels (2.6.17 and later) have full TCP buffer autotuning with 4 MB maximum buffer sizes. Except in some rare cases, manual tuning is unlikely to substantially improve the performance of these kernels over most network paths, and is not generally recommended.

Since autotuning and larger default buffer sizes arrived progressively over a succession of kernel versions, inspect the current values first (`sysctl net.ipv4.tcp_moderate_rcvbuf net.ipv4.tcp_rmem net.ipv4.tcp_wmem`) and only adjust what is actually needed. When you upgrade kernels, consider removing any local tuning so the new kernel's defaults apply.

Patching gpans' ensim squirrelmail

Here is how I updated gpans' squirrelmail package to the current version (1.4.13). The tarball comes over plain HTTP from a mirror, so compare it against the checksum or signature published by the SquirrelMail project before unpacking it.

# cd /usr/share
# wget 'http://superb-west.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.13.tar.gz'
# tar -xvzf squirrelmail-1.4.13.tar.gz
# rm squirrelmail-1.4.13.tar.gz
# rm squirrelmail-1.4.13/config/config.php
# rm squirrelmail-1.4.13/config/config_local.php
# ln -s /etc/squirrelmail/config.php squirrelmail-1.4.13/config/config.php
# ln -s /etc/squirrelmail/config_local.php squirrelmail-1.4.13/config/config_local.php

Then I changed the files below to include the Ensim virtualization hack (see the attached diff patch):

squirrelmail-1.4.13/functions/prefs.php
squirrelmail-1.4.13/functions/global.php
squirrelmail-1.4.13/src/redirect.php
squirrelmail-1.4.13/src/login.php

Finally, I moved the old squirrelmail folder aside and symlinked the name to the new one.

# mv squirrelmail squirrelmail-1.4.8-1.1.ensim.ct
# ln -s squirrelmail-1.4.13 squirrelmail
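The steps above fetch the tarball unverified and swap the directory by hand. As an added example (mine, not gpans' package or SquirrelMail's own tooling), here is a small shell script that does the same staging with a checksum check first, replaces the shipped config files with symlinks into /etc/squirrelmail as the post does, and keeps the old directory for rollback. The function names and the checksum argument are my additions; the expected checksum has to come from the upstream release announcement, not from the same mirror as the tarball.

```sh
#!/bin/sh
# Added example: verified staging of a new squirrelmail release under
# /usr/share, following the steps in the post. Editor's own functions.

# stage_release TARBALL SHA256 BASEDIR CONFDIR
#   Verify TARBALL against a checksum obtained out of band, extract it into
#   BASEDIR, and replace the shipped config.php / config_local.php with
#   symlinks into CONFDIR. Prints the name of the extracted release directory.
stage_release() {
    tarball=$1 expected=$2 base=$3 confdir=$4
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)   # coreutils/busybox sha256sum
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual, expected $expected" >&2
        return 1
    fi
    # The first entry in the archive is the top-level release directory.
    rel=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    [ -n "$rel" ] || { echo "cannot determine release directory" >&2; return 1; }
    tar -xzf "$tarball" -C "$base" || return 1
    for c in config.php config_local.php; do
        rm -f "$base/$rel/config/$c"
        ln -s "$confdir/$c" "$base/$rel/config/$c" || return 1
    done
    echo "$rel"
}

# switch_release BASEDIR LINK RELDIR
#   Point BASEDIR/LINK at RELDIR. A previous real directory (the distro
#   package's tree, as in the post) is moved to LINK.old so it can be moved
#   back; a previous symlink is simply replaced. Prints the new link target.
switch_release() {
    base=$1 link=$2 rel=$3
    [ -d "$base/$rel" ] || { echo "$base/$rel is missing" >&2; return 1; }
    if [ -d "$base/$link" ] && [ ! -L "$base/$link" ]; then
        mv "$base/$link" "$base/$link.old" || return 1
    fi
    rm -f "$base/$link"
    ln -s "$rel" "$base/$link" || return 1
    readlink "$base/$link"
}

# Usage, mirroring the post (checksum value is a placeholder to be filled in):
#   rel=$(stage_release squirrelmail-1.4.13.tar.gz <sha256 from upstream> /usr/share /etc/squirrelmail)
#   switch_release /usr/share squirrelmail "$rel"
```

The symlink swap is not atomic (there is a short window between `rm` and `ln`); on GNU systems `ln -s "$rel" tmp && mv -T tmp squirrelmail` closes it. Rollback is `rm squirrelmail && mv squirrelmail.old squirrelmail`.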

Automatically reboot server after a kernel panic

Add panic=10 to the kernel command line to reboot automatically 10 seconds after a kernel panic. Be careful with this when testing new kernels: a kernel that panics early in boot will reboot in a loop, so keep a known-good kernel entry in the bootloader.

It’s possible to change it later with sysctl, or by writing to /proc:

# echo 10 > /proc/sys/kernel/panic

To make it permanent, edit /etc/sysctl.conf and add the below line:

kernel.panic = 10

Run `sysctl -p` to load the file now; the entry in /etc/sysctl.conf is what keeps the setting across reboots.

Kernel compile from source

1) cd /usr/src
2) unlink linux
3) rm -rfv linux-oldversion
4) wget http://kernel.org/pub/linux/kernel/v2.6/li...version.tar.bz2 (see www.kernel.org; fetch the matching .sign file as well and verify the tarball's signature before unpacking it)
5) tar -jxvf linux-newversion.tar.bz2
6) ln -s linux-newversion linux
7) cd linux
8) make mrproper (this removes any .config, so copy the running kernel's configuration back in before the next step: cp /boot/config-$(uname -r) .config)
9) make oldconfig (you may be asked about options that did not exist in the old kernel's configuration; it is generally safe to keep pressing Enter to accept the defaults)
10) make menuconfig (ONLY if you want to edit the kernel configuration)
11) make (go make some coffee)
12) make modules_install
13) make install, then check that the bootloader got an entry for the new kernel and that the old kernel's entry is still there, so you can boot back if the new one fails
SSH Chroot in ISPConfig Centos-4.6

Below is a reference for how I set up a chroot SSH jail for users on CentOS 4.6 with ISPConfig installed, replacing the openssh RPM with the one from chrootssh.sourceforge.net. (The patched RPM is only needed on OpenSSH older than 4.9; from 4.9 onwards sshd has ChrootDirectory built in.)

This is easy on ISPConfig because chroot SSH support is now built into the control panel: install chrootSSH, then enable the option in the config file at "/home/admispconfig/ispconfig/lib/config.inc.php":

$go_info["server"]["ssh_chroot"] = 1;

If the chrooted shell needs access to additional applications, edit "/root/ispconfig/scripts/shell/create_chroot_env.sh", the script that builds the chroot environment, and add the binaries (and the libraries they need) to what it copies into the jail. Also check, and if necessary edit, the location of the MySQL socket file.

Custom procmail rules on ISPConfig

Edit "/root/ispconfig/isp/conf/procmailrc.master" and add the below ".custom.rc" line.

{MAILDIR_COMMENT}MAILDIR=$HOME/Maildir/
{MAILDIR_COMMENT}DEFAULT=$MAILDIR
{MAILDIR_COMMENT}ORGMAIL=$MAILDIR
{QUOTA}
INCLUDERC={PMDIR}/.mailsize.rc
{QUOTA_COMMENT}INCLUDERC={PMDIR}/.quota.rc
{ANTIVIRUS_COMMENT}INCLUDERC={PMDIR}/.antivirus.rc
{MAILSCAN_COMMENT}INCLUDERC={PMDIR}/.local-rules.rc
{MAILSCAN_COMMENT}INCLUDERC={PMDIR}/.html-trap.rc
{SPAMASSASSIN_COMMENT}INCLUDERC={PMDIR}/.spamassassin.rc
{AUTORESPONDER_COMMENT}INCLUDERC={PMDIR}/.autoresponder.rc
INCLUDERC={PMDIR}/.custom.rc

Now put any custom rules you have into the ".custom.rc" file in the user's home directory; because it is included last, it runs after the quota, antivirus, spam and autoresponder rules.

Custom webalizer.conf for each ISPConfig site

I needed a custom configuration for each site, to exclude the site's own domain which would otherwise show up in the webalizer referrer report.

I patched "/root/ispconfig/scripts/shell/webalizer.php" with the diff below, against ispconfig-2.2.21.

--- webalizer.php.orig  2008-02-27 13:39:38.000000000 -0600
+++ webalizer.php   ;    2008-02-27 14:26:03.000000000 -0600
@@ -86,6 +86,9 @@
               $web_path = $web_home . "/$webname/web";
               $stats_path = $web_path . "/stats";
               $logfile = $web_home . "/$webname/log/web.log";
+             // Begin: addition by wizap
+             $webalizer_conf = $web_home."/".$webname."/webalizer.conf";
+             // End: by wizap
               $web_user = fileowner($web_path);
               $web_group = filegroup($web_path);

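Review bot: the new $webalizer_conf path sits inside the site's own directory ($web_home/$webname), which the two lines that follow show is owned by the site's user and group, so whoever can write as that account (the customer, or anything that compromises their web application) chooses the configuration for a webalizer run that has enough privilege to chown -R the stats directory afterwards. Before trusting the file, require it to be owned by root and not writable by $web_user, or keep the per-site configs under /root/ispconfig/scripts/shell/ keyed by $webname instead of in the site root.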
@@ -144,7 +147,14 @@
                   } else {
                     $web_real_name = $web_data["web_domain"];
                   }
-                  $message .= exec("webalizer -n $web_real_name -s $web_real_name -r $web_real_name -q -T -o $stats_path -c /root/ispconfig/scripts/shell/webalizer.conf $logfile")."\n";
+                 // Begin: addition by wizap
+                 if(@is_file($webalizer_conf)) {
+                       $message .= exec("webalizer -n $web_real_name -s $web_real_name -r $web_real_name -q -T -o $stats_path -c $webalizer_conf $logfile")."\n";
+                 }
+                 else {
+                       $message .= exec("webalizer -n $web_real_name -s $web_real_name -r $web_real_name -q -T -o $stats_path -c /root/ispconfig/scripts/shell/webalizer.conf $logfile")."\n";
+                 }
+                 // End: by wizap
               }

               exec("chown -R $web_user:$web_group $stats_path &> /dev/null");
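Review bot: the if/else duplicates the whole exec line and the two branches differ only in the -c argument; choose the path first (`$conf = is_file($webalizer_conf) ? $webalizer_conf : '/root/ispconfig/scripts/shell/webalizer.conf';`) and keep a single exec, and while touching the line pass $conf and $web_real_name through escapeshellarg(), since both are interpolated unquoted into a shell command. The @ in front of is_file() buys nothing: is_file() already returns false for a missing path without a warning.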
@@ -249,4 +259,4 @@
   }
}
//////////////// LOGSIZE ENDE ////////////////
\ No newline at end of file
+?>
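Review bot: the only change in this hunk is the closing ?> appended at the end of the file; for a file that contains nothing but PHP the closing tag is better left off (anything after it other than a single newline is sent as output), so drop this hunk rather than carry a cosmetic change in a patch that is about per-site configs.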

With this patch the script checks for a custom webalizer.conf in the site's root directory and uses it instead of the default. You can simply copy the default webalizer.conf to the site root and add the site's own name to the HideReferrer section:

HideReferrer        <domain.tld>

Static compile of openssl, apache, mod_ssl and php

As of this writing, the latest versions were (all of them are long past end of life now, so treat this as a record of the procedure rather than a recommendation of these versions):

  • apache_1.3.41
  • php-4.4.8
  • openssl-0.9.8g
  • mod_ssl-2.8.31-1.3.41

Once the files are downloaded and extracted, configure, compile and install in the order below. Each step is run from inside that component's own source directory, which is why the others are referenced as ../ paths:

  1. Install openssl:
    $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    $ make
    # make install
  2. Apply the mod_ssl patch to the apache source tree:
    $ ./configure \
    --with-ssl=../openssl-0.9.8g \
    --with-apache=../apache_1.3.41
  3. Pre-configure apache (PHP's configure needs a configured apache tree to build against):
    $ ./configure
  4. Build php as a static apache module:
    $ ./configure \
    --with-gd \
    --with-jpeg-dir \
    --with-png-dir \
    --with-zlib-dir \
    --with-freetype \
    --with-freetype-dir=/usr/lib \
    --enable-gd-native-ttf \
    --enable-memory-limit \
    --with-ldap \
    --with-mysql \
    --with-apache=../apache_1.3.41
    $ make
    # make install
  5. Configure, build and install apache with mod_ssl and the static php module:
    $ SSL_BASE=../openssl-0.9.8g \
    ./configure \
    --prefix=/usr/local/apache \
    --enable-module=rewrite \
    --enable-module=so \
    --activate-module=src/modules/php4/libphp4.a \
    --enable-module=ssl
    $ make
    # make install

Force ProFTPD to listen on only one IP

It's not quite as clean as the socket binding under Apache but the principle works something like this.

  1. In standalone mode, to listen only on the primary IP of the host, use the SocketBindTight directive (with it on, proftpd binds to the configured server addresses instead of all interfaces).

    In "/etc/proftpd.conf":

    SocketBindTight                 on
    
  2. To listen on an interface that is not the primary host interface, use SocketBindTight, put your server configuration in a <VirtualHost> block for that address, and set "Port 0" for the main host configuration (which disables the default server) with "Port 21" inside the VirtualHost block.

    Port                    0
    SocketBindTight         on
    <VirtualHost xxx.xxx.xxx.xxx>
        Port 21
        DefaultRoot         ~
        AllowOverwrite      on
        Umask               002
    </VirtualHost>

    Check the file with "proftpd -t" before restarting, then confirm with "netstat -ltn" that port 21 is bound only on the intended address and not on 0.0.0.0.
