Topics - Spacedust

1
Kloxo-MR Technical Helps / How to configure nginx geoIP logs
« on: 2021-07-15, 21:54:47 »
Install nginx-module-geoip:

Code: [Select]
yum -y install nginx-module-geoip
Download GeoIP files:

Code: [Select]
mkdir /etc/nginx/geoip;
cd /etc/nginx/geoip;
wget https://mailfud.org/geoip-legacy/GeoIP.dat.gz
wget https://mailfud.org/geoip-legacy/GeoIPCity.dat.gz
gunzip GeoIP.dat.gz;
gunzip GeoIPCity.dat.gz

Add script to update GeoIP files:

Code: [Select]
cd ~;
wget https://mailfud.org/geoip-legacy/geoip_update.sh;

Change lines:

Code: [Select]
DBDIR=/usr/share/GeoIP
FILES="GeoIP GeoIPv6"

to:

Code: [Select]
DBDIR=/etc/nginx/geoip
FILES="GeoIP GeoIPCity"

Add a line to /var/spool/cron/root:

Code: [Select]
0 3 * * * sh /root/geoip_update.sh
You can run the script manually to check if all is working fine:

Code: [Select]
sh /root/geoip_update.sh
It should respond with something like this:

Code: [Select]
2021-07-15 22:36:59 URL:https://mailfud.org/geoip-legacy/GeoIP.dat.gz [1076511/1076511] -> "GeoIP.dat.gz" [1]
GeoIP.dat is up to date
2021-07-15 22:37:00 URL:https://mailfud.org/geoip-legacy/GeoIPCity.dat.gz [17027045/17027045] -> "GeoIPCity.dat.gz" [1]
GeoIPCity.dat is up to date

Add this line at the top of /etc/nginx/nginx.conf and copy the file to /opt/configs/nginx/etc/conf/custom.nginx.conf:

Code: [Select]
load_module "modules/ngx_http_geoip_module.so";
and also add these lines at the end, before "include":

Code: [Select]
geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
geoip_city /etc/nginx/geoip/GeoIPCity.dat; # the city IP database

Add the following lines to /etc/nginx/fastcgi_params, before the "# PHP only" line, and copy the file to /opt/configs/nginx/etc/conf/custom.fastcgi_params:

Code: [Select]
### SET GEOIP Variables ###
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;

fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

Change the following lines in /etc/nginx/conf.d/~lxcenter.conf and copy the file to /opt/configs/nginx/etc/conf.d:

Code: [Select]
   log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';

to

Code: [Select]
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for" '
        '"$geoip_country_name" "$geoip_country_code" ';

Finally restart nginx with:

Code: [Select]
service nginx restart
Now you can try checking your logs and you will see something like this. At the end you will notice that the country and country code are listed, e.g. "United Kingdom" "GB":

Code: [Select]
80.1.2.62 - - [15/Jul/2021:21:49:15 +0200] "GET /p3700/Clipboard02.jpg HTTP/1.1" 200 71231 "https://vi.vipr.ebaydesc.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" "-" "United Kingdom" "GB"
If you use IPv6 on your server you need to also use GeoIPv6 and GeoIPCityv6.
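
An added example, not part of the original post: a parser for the extended main log format above that counts requests and 4xx/5xx responses per country code. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Extended `main` format from the post: combined fields, then
# "$http_x_forwarded_for" "$geoip_country_name" "$geoip_country_code".
# nginx logs a double quote inside a variable as \x22, so [^"]* is safe.
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)" '
    r'"(?P<country>[^"]*)" "(?P<code>[^"]*)"\s*$'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2021:21:49:15 +0200] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "-" "United Kingdom" "GB" ',
    '203.0.113.8 - - [15/Jul/2021:21:49:16 +0200] "POST /login HTTP/1.1" '
    '403 128 "-" "Mozilla/5.0" "-" "United Kingdom" "GB" ',
    '198.51.100.4 - - [15/Jul/2021:21:49:17 +0200] "GET /wp-login.php HTTP/1.1" '
    '404 162 "-" "curl/7.29.0" "-" "Poland" "PL" ',
    # Address missing from GeoIP.dat: nginx writes "-" for empty variables.
    '192.0.2.10 - - [15/Jul/2021:21:49:18 +0200] "GET / HTTP/1.1" '
    '200 900 "-" "Mozilla/5.0" "-" "-" "-" ',
    # Line written before the log_format change: no GeoIP fields at all.
    '192.0.2.11 - - [15/Jul/2021:20:00:00 +0200] "GET / HTTP/1.1" '
    '200 900 "-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    if rec["code"] in ("", "-"):
        rec["code"] = "??"  # no GeoIP match for this address
    return rec


def summarize(lines):
    """Count requests and error responses per country code; count unparsed lines."""
    totals, errors, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        totals[rec["code"]] += 1
        if rec["status"] >= 400:
            errors[rec["code"]] += 1
    return totals, errors, unparsed


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero unparsed count after the restart usually means some virtual host still writes the old format.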

2
1. Logon to Kloxo.

2. Choose Domains -> yourdomainname.com -> Web Features -> change existing HTTPS header to:

Code: [Select]
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always
click Update

3. Then Choose Domains -> yourdomainname.com -> Web Basics -> select Force Redirect 'domain.com' To 'www.domain.com'  and Force Redirect 'http' To 'https' then click Update.

4. Edit /opt/configs/nginx/conf/domains/yourdomainname.com and change line (only the first occurrence, leave the second one untouched):
 
Change:

Code: [Select]
  if ($host ~* ^(yourdomainname.com)$) {
                rewrite ^/(.*) 'http://www.yourdomainname.com/$1' permanent;
        }

to

Code: [Select]
  if ($host ~* ^(yourdomainname.com)$) {
                rewrite ^/(.*) 'https://yourdomainname.com/$1' permanent;
        }

and save the file.

5. Restart nginx with:

Code: [Select]
service nginx restart
6. Go to: https://hstspreload.org/

Enter your domain and click the button under domain field.

7. Check both checkboxes "I am the site owner..." and "I understand that preloading..." and click the "Submit..." button.
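
An added example, not part of the original post: a pre-submission check of the two things the steps above configure, the Strict-Transport-Security value and the first redirect from http://. It assumes the requirements published on hstspreload.org (max-age of at least one year, includeSubDomains, preload, and an HTTP to HTTPS redirect on the same host before any redirect to www); the function names and example.com are placeholders.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the value used in the post


def parse_hsts(value):
    """Return {lowercased directive: value or None} for an HSTS header value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def preload_problems(domain, hsts_value, http_redirect_target):
    """List what would fail preload eligibility.

    hsts_value: header value returned by https://<domain>/
    http_redirect_target: Location header returned by http://<domain>/
    """
    problems = []
    d = parse_hsts(hsts_value or "")
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append("max-age below 31536000")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            problems.append(flag + " directive missing")
    target = urlsplit(http_redirect_target or "")
    if target.scheme != "https":
        problems.append("http:// does not redirect to https://")
    elif target.hostname != domain:
        problems.append("first redirect changes host before upgrading to https")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the header from step 2 and the redirect from step 4.
    print(preload_problems("example.com",
                           "max-age=31536000; includeSubDomains; preload",
                           "https://example.com/"))
```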

3
1. Make sure to have pdns server selected in Kloxo -> Switch Program -> DNS -> pdns from the list

2. Run in SSH shell:

Code: [Select]
sh /script/fixdns

3. Type in SSH shell:

Code: [Select]
yum -y install epel-release yum-plugin-priorities
curl -o /etc/yum.repos.d/powerdns-auth-44.repo https://repo.powerdns.com/repo-files/centos-auth-44.repo
curl -o /etc/yum.repos.d/powerdns-rec-45.repo https://repo.powerdns.com/repo-files/centos-rec-45.repo
yum -y update pdns*
yum -y install pdns-recursor
yum -y install dnsdist

3. Add a line nameserver 127.0.0.1 at the beginning of your /etc/resolv.conf file:

Code: [Select]
; generated by /usr/sbin/dhclient-script
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

4. Your /etc/pdns/pdns.conf should look like this:

Code: [Select]
setuid=pdns
setgid=pdns

launch=gmysql

gmysql-dnssec=yes
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=somepassword
gmysql-dbname=powerdns

#launch=bind
#bind-config=/etc/named.conf
#bind-check-interval=300

master=no
slave=no

version-string=anonymous

local-port=5300
local-address=127.0.0.1

5. Your /etc/pdns-recursor/recursor.conf should look like this - replace yourdomain.com with your domain name:

Code: [Select]
local-address=127.0.0.1
allow-from=127.0.0.1
forward-zones=yourdomain.com=127.0.0.1:5300
local-port=5301
setgid=pdns-recursor
setuid=pdns-recursor
version-string=none

6. Your /etc/dnsdist/dnsdist.conf file should look like this:

Code: [Select]
setLocal('0.0.0.0')
setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access

newServer({address='127.0.0.1:5300', pool='auth'})
newServer({address='127.0.0.1:5301', pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.1') -- These network masks are the ones from allow-recursion in the Authoritative Server

addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
addAction(AllRule(), PoolAction('auth'))

7. Restart everything:

Code: [Select]
service pdns restart
service pdns-recursor restart
service dnsdist restart

8. Check if your local or Internet domains are working well from your local DNS server:

Code: [Select]
nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.20.174

9. Verify if DNS server is working fine on https://intodns.com/

Done!

4
Kloxo-MR Technical Helps / How to add DMARC to Kloxo-MR
« on: 2021-06-09, 17:36:15 »
1. Logon to Kloxo.

2. Choose DNS templates.

3. Click your DNS template.

4. Click ADD TXT.

5. Type _dmarc in hostname

and

v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomainname.com
in value

6. Click Add.

7. Go to Domains -> click your domain name -> Manage DNS -> Rebuild -> choose DNS template and click Update for this specific domain or Updateall for all domains on admin account.

8. Verify DMARC at https://dmarcian.com/dmarc-inspector/

or you can send an e-mail to a Gmail account, go to Inbox, click the message you've sent, click on the dots -> Show original and you will see DMARC: 'PASS'.

5
1. Logon to Kloxo-MR panel.

2. Go to Domains -> yourdomain.com -> Pointer domains -> Click Add Redirected tab

3. In Pointer Domain type mta-sts; in Destination Directory type anything, like contact (this is just a technical domain and will show a 404 error). Leave Map Mail untouched.

4. Go to Mail accounts and add these e-mails tlsrpt@yourdomain.com and mta-sts@yourdomain.com. You can redirect them by clicking on them and choosing Mail forwards and typing Mail Forward Address.

5. Go to Domains -> yourdomain.com -> Manage DNS -> Add TXT:

_mta-sts as hostname and Value v=STSv1; id=20210806155900

Then again Add TXT:

_smtp._tls as hostname and Value  v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com

6. Go to Domains -> yourdomain.com -> SSL Certificates. If you have your SSL already remove it. Click Add Let's Encrypt, leave default Key Bits 2048 and add mta-sts.yourdomain.com to Subject Alternative Name (SAN) list, then click Add.

7. Logon via SSH and create /var/run/letsencrypt/.well-known/mta-sts.txt with the following content:

version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 31557600

8. Check if all is working properly here: https://aykevl.nl/apps/mta-sts/
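
An added example, not part of the original post: a validator for a policy file like the one in step 7, plus the MX matching a sending server applies under RFC 8461 (a "*." pattern covers exactly one left-most label). The function names and example.com are placeholders.

```python
# Constructed policy with the same shape as the one in step 7.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 31557600
"""


def parse_policy(text):
    """Parse key: value lines; mx may repeat, other keys are single-valued."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def policy_problems(policy):
    """Return a list of reasons a sender would reject the policy."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > 31557600:
        problems.append("max_age must be an integer no greater than 31557600")
    if mode != "none" and not policy["mx"]:
        problems.append("at least one mx pattern is required")
    return problems


def mx_allowed(host, patterns):
    """True if an MX host name matches one of the policy's mx patterns."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            # The wildcard stands for exactly one left-most label.
            label, _, rest = host.partition(".")
            if label and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    p = parse_policy(SAMPLE_POLICY)
    print(policy_problems(p), mx_allowed("mx2.example.com", p["mx"]))
```

In enforce mode, mail is not delivered to an MX host that fails this match, so check every MX record of the domain against the policy before raising max_age.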

6
Download latest nginx and OpenSSL:

Code: [Select]
cd /
wget -4 http://nginx.org/download/nginx-1.21.0.tar.gz
wget -4 https://www.openssl.org/source/openssl-1.1.1k.tar.gz

Unpack them:

Code: [Select]
tar -xzvf nginx-1.21.0.tar.gz
tar -xzvf openssl-1.1.1k.tar.gz

Then compile them:

Code: [Select]
cd nginx*
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-openssl=/openssl-1.1.1k --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Now just:

Code: [Select]
make
and

Code: [Select]
make install
Just restart nginx to finish:

Code: [Select]
service nginx restart

7
Make sure you have selected default php version:

PHP Used must be set to --PHP Branch--

Code: [Select]
php -v
should show something like this

Code: [Select]
PHP 5.6.40 (cli) (built: Jan 11 2019 10:27:04)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

Install remi repo:

Code: [Select]
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
wget https://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm -Uvh remi-release-7.rpm epel-release-latest-7.noarch.rpm

Enable PHP 8.0 repo by changing 0 to 1 in enabled line in /etc/yum.repos.d/remi-php80:

Code: [Select]
[remi-php80]
name=Remi's PHP 8.0 RPM repository for Enterprise Linux 7 - $basearch
#baseurl=http://rpms.remirepo.net/enterprise/7/php80/$basearch/
#mirrorlist=https://rpms.remirepo.net/enterprise/7/php80/httpsmirror
mirrorlist=http://cdn.remirepo.net/enterprise/7/php80/mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

Change the following line in /etc/yum.conf file from:

Code: [Select]
exclude= mysql5*
to

Code: [Select]
exclude=mysql5 php52* php53* php54* php55* php56* php70* php71* php72* php73* php74* php80*
Now remove old php56 by running this command, this will also remove hiawatha and mod24u_suphp, but we will bring it back in a while:

Code: [Select]
yum -y remove php56*
Now we can install PHP 8.0.x:

Code: [Select]
yum install php-pecl-memcached php-pecl-mongodb php-pecl-redis5 php-pecl-geoip php-pecl-igbinary-devel php-pecl-igbinary php-pecl-apcu-devel php-pecl-apcu php-pecl-oauth php-pecl-krb5-devel php-pecl-krb5 php-devel php-pecl-rrd php-pecl-gearman php-pecl-yaml php-pecl-xdebug3 php-pecl-lzf php-pecl-memcache php-pecl-ssh2 php-mbstring php-embedded php-tidy php-fpm php-pecl-xmlrpc php-dbg php-pgsql php-imap php-pecl-mcrypt php-mysqlnd php-odbc php-gmp php-intl php-snmp php-bcmath php-ldap php-enchant php-soap php-pspell php-pdo-dblib php-pdo php-dba php-litespeed php-gd mod24u_suphp hiawatha php-cli php-process php-xml php-common php-pear
Press y twice when asked "Is this ok"

Run:

Code: [Select]
service php-fpm restart
Done. Now you've got PHP 8.0:

Code: [Select]
php -v
PHP 8.0.6 (cli) (built: May  4 2021 17:26:18) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.6, Copyright (c) Zend Technologies
    with Xdebug v3.0.4, Copyright (c) 2002-2021, by Derick Rethans

8
1. Add this line to /etc/pdns/pdns.conf:

Code: [Select]
gmysql-dnssec=yes
2. Restart PowerDNS with service pdns restart.

3. Open phpMyAdmin under https://YOUR_IP:7777/thirdparty/phpMyAdmin/index.php and login as root.

4. Select powerdns database and click SQL tab.

5. Enter:

Code: [Select]
ALTER table cryptokeys add column published BOOL DEFAULT 1 after active;
If you have powerdns 4.7 run this too:

Code: [Select]
ALTER TABLE domains ADD options VARCHAR(64000) DEFAULT NULL;
ALTER TABLE domains ADD catalog VARCHAR(255) DEFAULT NULL;
ALTER TABLE domains MODIFY type VARCHAR(8) NOT NULL;
CREATE INDEX catalog_idx ON domains(catalog);

6. Go back to SSH terminal and type:

Code: [Select]
pdnsutil secure-zone yourdomain.com
7. Show DS keys:

Code: [Select]
pdnsutil show-zone yourdomain.com | grep CSK
Key ID is the number right after IN DNSKEY

Public key is the large string after 13 in a second line

8. Now go to your domain registrar, e.g. online.net, and in domain settings DNSSEC tab use such settings:

Key ID: 257 (or other as noted above)

Algorithm: 13 / ECDSAP256SHA256

Public key: copy the whole key (long string) after 13 and before ; from second line

You can verify on https://www.hardenize.com - just enter the domain name and hit ENTER.

It should respond with:

Test passed
Everything seems to be well configured. Well done.

in DNSSEC section.

9. If you have subdomains with their own zones (e.g. extra subdomains via Kloxo) secure them too with:

Code: [Select]
pdnsutil secure-zone subdomain.yourdomain.com
10. Then list the subdomain zone with:

pdnsutil show-zone subdomain.yourdomain.com | grep DS

11. This will give you something like this, copy last 4 lines:

Code: [Select]
ID = 6 (CSK), flags = 257, tag = 20164, algo = 13, bits = 256     Active         Published  ( ECDSAP256SHA256 )
CSK DNSKEY = subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg== ; ( ECDSAP256SHA256 )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 1 225e6a7160c9ce428c6212a122aa3d3d91af67c3 ; ( SHA1 digest )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 2 9f182e93515314797a310d574b681010b473830d8e7772993ee373353bb5cc01 ; ( SHA256 digest )
DS = subdomain.yourdomain.com 777600 IN DS 20164 13 4 649df82cb4d9049730fe554fdf44ccd3de97a486fb7fad526208ca92be3460eb98db55463d44e1712c8f352fcb32f8ce ; ( SHA-384 digest )

12. Now run this:

Code: [Select]
export EDITOR=vim
13. Finally run editor on main domain with:

Code: [Select]
pdnsutil edit-zone yourdomain.com
14. Press Insert and paste all DS records at the bottom, but in a form like this:

Code: [Select]
subdomain.yourdomain.com 777600 IN DNSKEY 257 3 13 lnOLSuqVqvCUVDgBHjxz5yhXlcX0kbbZ8sSdpBrb1bUAlAqelea47b36+YGrn4HHKE/fqk6tH0MNQdWNBZOtPg==
subdomain.yourdomain.com 777600 IN DS 20164 13 1 225e6a7160c9ce428c6212a122aa3d3d91af67c3
subdomain.yourdomain.com 777600 IN DS 20164 13 2 9f182e93515314797a310d574b681010b473830d8e7772993ee373353bb5cc01
subdomain.yourdomain.com 777600 IN DS 20164 13 4 649df82cb4d9049730fe554fdf44ccd3de97a486fb7fad526208ca92be3460eb98db55463d44e1712c8f352fcb32f8ce

15. Save the file with Esc and then :wq!

16. Press y to update serial, then a to apply.

17. If you have multiple domains you need to paste all their keys to master domain.

18. Check if everything for your subdomain is working well here: https://dnssec-analyzer.verisignlabs.com/ (make sure no red or yellow warnings here) and here https://dns.google/

9
Kloxo-MR Bugs and Requests / Add CentOS 8 support
« on: 2019-12-01, 16:50:25 »
It's released so it's worth adding support for it.

10
It shows something like this:

Quote
Phase 1/7: Checking and upgrading mysql database
Processing databases
mysql
mysql.column_stats                                 OK
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.event                                        OK
mysql.func                                         OK
mysql.gtid_slave_pos                               OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.host                                         OK
mysql.index_stats                                  OK
mysql.innodb_index_stats                           OK
mysql.innodb_table_stats                           OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.roles_mapping                                OK
mysql.servers                                      OK
mysql.table_stats                                  OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
Phase 4/7: Running 'mysql_fix_privilege_tables'
ERROR 1071 (42000) at line 603: Specified key was too long; max key length is 1000 bytes
FATAL ERROR: Upgrade failed

11
It shows something like this, then tries on IPv4:

spamc[27821]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
spamd: Jul 15 11:23:32.168 [20583] info: spamd: connection from 127.0.0.1 [127.0.0.1]:60286 to port 783, fd 4

Solution is here: https://support.plesk.com/hc/en-us/articles/115000468845-SpamAssassin-does-not-work-Connection-refused

12
YADIFA 2.2.5 is from 2017-04-20 while current is YADIFA 2.3.9 (2019-02-11)

https://www.yadifa.eu/download

13
Probably impossible on CentOS 6.10 but please check: http://www.squid-cache.org/Versions/

14
Seems some newer release is out: https://www.sqlite.org/download.html
