Category: Linux – ServerOK

Configure Nginx Reverse Proxy behind Cloudflare

March 22, 2020

by ServerOk with No Comment Linux

On reverse proxy server, lets install some basic utilities.

apt install -y wget
wget https://raw.githubusercontent.com/serverok/server-setup/master/debian/1-basic-tools.sh
bash 1-basic-tools.sh

apt install -y wget

wget https://raw.githubusercontent.com/serverok/server-setup/master/debian/1-basic-tools.sh

bash 1-basic-tools.sh

Install nginx

apt install nginx -y

1	apt install nginx -y

Now create a config file

vi /etc/nginx/sites-enabled/proxy.conf

1	vi /etc/nginx/sites-enabled/proxy.conf

Add following to the file and save

server {
    server_name  YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM;
    listen *:80;
    client_max_body_size 100M;
    proxy_read_timeout 600s;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://BACKEND-SERVER-IP:80;
    }
}

server {

    server_name  YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM;

    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;

    # use any of the following two
    real_ip_header CF-Connecting-IP;
    #real_ip_header X-Forwarded-For;


    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/nginx/ssl/YOUR-DOMAIN.COM.crt;
    ssl_certificate_key /etc/nginx/ssl/YOUR-DOMAIN.COM.key;

    client_max_body_size 100M;
    proxy_read_timeout 600s;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass https://BACKEND-SERVER-IP:443;
    }
}

server {

server_name YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM;

listen *:80;

client_max_body_size 100M;

proxy_read_timeout 600s;

proxy_buffers 16 4k;

proxy_buffer_size 2k;

location / {

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header Host $host;

proxy_pass http://BACKEND-SERVER-IP:80;

}

server {

server_name YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM;

set_real_ip_from 103.21.244.0/22;

set_real_ip_from 103.22.200.0/22;

set_real_ip_from 103.31.4.0/22;

set_real_ip_from 104.16.0.0/12;

set_real_ip_from 108.162.192.0/18;

set_real_ip_from 131.0.72.0/22;

set_real_ip_from 141.101.64.0/18;

set_real_ip_from 162.158.0.0/15;

set_real_ip_from 172.64.0.0/13;

set_real_ip_from 173.245.48.0/20;

set_real_ip_from 188.114.96.0/20;

set_real_ip_from 190.93.240.0/20;

set_real_ip_from 197.234.240.0/22;

set_real_ip_from 198.41.128.0/17;

set_real_ip_from 2400:cb00::/32;

set_real_ip_from 2606:4700::/32;

set_real_ip_from 2803:f800::/32;

set_real_ip_from 2405:b500::/32;

set_real_ip_from 2405:8100::/32;

set_real_ip_from 2c0f:f248::/32;

set_real_ip_from 2a06:98c0::/29;

# use any of the following two

real_ip_header CF-Connecting-IP;

#real_ip_header X-Forwarded-For;

listen 443 ssl http2;

ssl on;

ssl_certificate /etc/nginx/ssl/YOUR-DOMAIN.COM.crt;

ssl_certificate_key /etc/nginx/ssl/YOUR-DOMAIN.COM.key;

client_max_body_size 100M;

proxy_read_timeout 600s;

proxy_buffers 16 4k;

proxy_buffer_size 2k;

location / {

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header Host $host;

proxy_pass https://BACKEND-SERVER-IP:443;

}

In above replce following

YOUR-DOMAIN.COM = replace with your actual domain name
BACKEND-SERVER-IP = replace with IP of the web server where your web site is running.

1 2	YOUR-DOMAIN.COM = replace with your actual domain name BACKEND-SERVER-IP = replace with IP of the web server where your web site is running.

Next create a self signed SSL certificate for the web site

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out YOUR-DOMAIN.COM.key 2048
openssl req -new -x509 -key YOUR-DOMAIN.COM.key -out YOUR-DOMAIN.COM.crt -days 3650 -subj /CN="YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM"

mkdir /etc/nginx/ssl

cd /etc/nginx/ssl

openssl genrsa -out YOUR-DOMAIN.COM.key 2048

openssl req -new -x509 -key YOUR-DOMAIN.COM.key -out YOUR-DOMAIN.COM.crt -days 3650 -subj /CN="YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM"

Restart nginx

nginx -s reload

1	nginx -s reload

At this stage, you can login to cloudflare, point IP of the web site to reverse proxy server IP address.

Show real IP address

When running a site behind reverse proxy, by default, web server shows IP of the revese proxy server instead of real visitor IP. To fix this, you need to configure remoteip module.

On Cpanel server, edit file

vi /etc/apache2/conf.modules.d/370_mod_remoteip.conf

1	vi /etc/apache2/conf.modules.d/370_mod_remoteip.conf

Find

RemoteIPTrustedProxy 127.0.0.1

1	RemoteIPTrustedProxy 127.0.0.1

Add your proxy server IP after.

Example

root@lh34134 [~]# cat /etc/apache2/conf.modules.d/370_mod_remoteip.conf
# Enable mod_remoteip
LoadModule remoteip_module modules/mod_remoteip.so

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1 94.242.55.132 104.238.213.205 185.193.126.66 207.246.98.251

root@lh34134 [~]#

root@lh34134 [~]# cat /etc/apache2/conf.modules.d/370_mod_remoteip.conf

# Enable mod_remoteip

LoadModule remoteip_module modules/mod_remoteip.so

RemoteIPHeader X-Forwarded-For

RemoteIPTrustedProxy 127.0.0.1 94.242.55.132 104.238.213.205 185.193.126.66 207.246.98.251

root@lh34134 [~]#

VestaCP Update

March 21, 2020

by ServerOk with No Comment Linux

To update VestaCP server, run

v-list-sys-vesta-updates
v-update-sys-vesta-all

1 2	v-list-sys-vesta-updates v-update-sys-vesta-all

Example

[root@backendz ~]# v-list-sys-vesta-updates
PKG          VER    REL  ARCH    UPDT  DATE
---          ---    ---  ----    ----  ----
vesta        0.9.8  26   x86_64  yes   2019-09-30
vesta-php    0.9.8  26   x86_64  yes   2019-09-30
vesta-nginx  0.9.8  26   x86_64  yes   2019-09-30
[root@backendz ~]# v-update-sys-vesta-all
[root@backendz ~]#

[root@backendz ~]# v-list-sys-vesta-updates

PKG VER REL ARCH UPDT DATE

--- --- --- ---- ---- ----

vesta 0.9.8 26 x86_64 yes 2019-09-30

vesta-php 0.9.8 26 x86_64 yes 2019-09-30

vesta-nginx 0.9.8 26 x86_64 yes 2019-09-30

[root@backendz ~]# v-update-sys-vesta-all

[root@backendz ~]#

EasyEngine Renew SSL

March 11, 2020

by ServerOk with No Comment Linux

To renew SSL for site hosted in EasyEngine, run

ee site ssl-renew --all

1	ee site ssl-renew --all

You can set a cronjob to run every month to auto renew the SSL certificates.

OpenLiteSpeed Binary Installation

March 3, 2020

by ServerOk with No Comment Linux

You can download latest version of OpenLiteSpeed web server from

https://openlitespeed.org/downloads/

There are 2 download links for each version of OpenLiteSpeed, here we use the binary download. To install verison 1.6.9, run

cd /usr/local/src
rm -rf openlitespeed*
wget https://openlitespeed.org/packages/openlitespeed-1.6.9.tgz
tar -zxvf openlitespeed-*.tgz
cd openlitespeed
./install.sh

cd /usr/local/src

rm -rf openlitespeed*

wget https://openlitespeed.org/packages/openlitespeed-1.6.9.tgz

tar -zxvf openlitespeed-*.tgz

cd openlitespeed

./install.sh

To start/stop OpenLiteSpeed, use following commands

/usr/local/lsws/bin/lswsctrl start
/usr/local/lsws/bin/lswsctrl stop
/usr/local/lsws/bin/lswsctrl status

/usr/local/lsws/bin/lswsctrl start

/usr/local/lsws/bin/lswsctrl stop

/usr/local/lsws/bin/lswsctrl status

OpenLiteSpeed control panel available at

https://SERVER-IP-ADDR:7080/
User = admin
PW = 123456

https://SERVER-IP-ADDR:7080/

User = admin

PW = 123456

Default password for admin user is 123456.

Upgrade EasyEngine

February 6, 2020

by ServerOk with No Comment Linux

To upgrade EasyEngine, run

ee cli update

1	ee cli update

It is recommended you run this in tmux or screen to avoid disconnection while upgrading.

Example

root@ip-172-26-9-39:~# ee cli update
Note: It is recommended to run EasyEngine update in tmux/screen. Update at times may take some time.
To view progress, tail logs in a different window using `tail -f /opt/easyengine/logs/ee.log`.
You have version 4.0.14. Would you like to update to 4.0.17? [y/n] y
Downloading from https://github.com/EasyEngine/easyengine/releases/download/v4.0.17/easyengine.phar...
md5 hash verified: cb9041faecdae54e51aafdc9adccc4e5
Updating EasyEngine to new version. This might take some time.
New version works. Proceeding to replace.
Success: Updated EE to 4.0.17.
root@ip-172-26-9-39:~#

root@ip-172-26-9-39:~# ee cli update

Note: It is recommended to run EasyEngine update in tmux/screen. Update at times may take some time.

To view progress, tail logs in a different window using `tail -f /opt/easyengine/logs/ee.log`.

You have version 4.0.14. Would you like to update to 4.0.17? [y/n] y

Downloading from https://github.com/EasyEngine/easyengine/releases/download/v4.0.17/easyengine.phar...

md5 hash verified: cb9041faecdae54e51aafdc9adccc4e5

Updating EasyEngine to new version. This might take some time.

New version works. Proceeding to replace.

Success: Updated EE to 4.0.17.

root@ip-172-26-9-39:~#

Related Posts

EasyEngine

VirtualBox Ubuntu Shared Folder

January 26, 2020

by ServerOk with No Comment Linux

Once you shared a folder in VirtualBox with Ubuntu Guest, you need to install VirtualBox Guest additions, this can be done from menu.

Devices > Insert Guest Additions CD image

1	Devices > Insert Guest Additions CD image

Once this is done, in your Guest OS, you will see a CD rom, install the provided software.

Before you can use shared folder, you need to add the user you use to group vboxsf, to do this, run following command in terminal.

sudo usermod -G vboxsf -a $USER

1	sudo usermod -G vboxsf -a $USER

$USER is user name of the user you will be using. You can replace it with any user you will be using to access the shared folder.

Ubuntu pure-ftpd reply with unroutable address

January 26, 2020

by ServerOk with No Comment Linux

On AWS Ubuntu server running pure-ftpd, when i try connecting, i get error

Status:	Server sent passive reply with unroutable address. Using server address instead.

1	Status: Server sent passive reply with unroutable address. Using server address instead.

To fix this, run

echo "30000 50000" > /etc/pure-ftpd/conf/PassivePortRange
echo "YOUR_PUBLIC_IP_HERE" > /etc/pure-ftpd/conf/ForcePassiveIP

1 2	echo "30000 50000" > /etc/pure-ftpd/conf/PassivePortRange echo "YOUR_PUBLIC_IP_HERE" > /etc/pure-ftpd/conf/ForcePassiveIP

YOUR_PUBLIC_IP_HERE = Replace with your Elastic IP or Public IP (if you don’t have an Elastic IP).

Restart pure-ftpd

systemctl stop pure-ftpd
systemctl start pure-ftpd

1 2	systemctl stop pure-ftpd systemctl start pure-ftpd

On AWS security groups, you need to open following ports

TCP 21
TCP 30000-50000

1 2	TCP 21 TCP 30000-50000

ISPConfig reset admin password

January 21, 2020

by ServerOk with No Comment Linux

To reset password for ISPConfig, login to MySQL as root.

mysql -u root -p

1	mysql -u root -p

if you don’t have MySQL root password, see ISPConfig Find MySQL root password.

Switch to ISPConfig database

use dbispconfig;

1	use dbispconfig;

To change password, run

UPDATE sys_user SET passwort = md5('NEW_PASSWORD_HERE') WHERE username = 'admin';

1	UPDATE sys_user SET passwort = md5('NEW_PASSWORD_HERE') WHERE username = 'admin';

Replace NEW_PASSWORD_HERE with your new password.

ISPConfig Find MySQL root password

January 21, 2020

by ServerOk with No Comment Linux

To find MySQL root password on ISPConfig server, run

/usr/local/ispconfig/server/lib/mysql_clientdb.conf

1	/usr/local/ispconfig/server/lib/mysql_clientdb.conf

Git Ignore file Permission (chmod)

January 18, 2020

by ServerOk with No Comment Linux

Some times when you transfer file to web server, you may need a differnt file permission for files to run in web server, if your code is in git, this make the files marked as modified eventhough file contents are the same. To avoid git checking for file permission (chmod), run following command

git config core.filemode false

1	git config core.filemode false