[Howto] Easy-Wi Webserver


#1 Arctic (Haphost Staff, Moderators, 341 posts, Location: Germany)

Posted 02 April 2015 - 02:45 PM

Webserver

 

Easy-Wi requires PHP 5.x with PDO support. In addition you need a database and the option to run PHP from the console.

The status scripts are called periodically from cron via the PHP CLI. The PHP scripts on the web space therefore need no access to files outside the web space and do not require critical PHP functions such as system() and exec().

Thanks to PDO any common database server can be used. PDO is included in any reasonably modern PHP version and normally does not need to be installed separately.

To find out which PHP version and extensions the web space provides, it is recommended to create an info.php and open it in the browser. The content of info.php should look like the following example:

<?php
// phpinfo() prints the report itself; echoing its return value would only add a stray "1".
// Delete this file again once you have read the output, it discloses the server configuration.
phpinfo();
?>

Webserver Module/Extensions

 

PHP and PHP CLI

 

Status updates and the triggers for backups and restarts work with the help of cron jobs and partly use the program "quakestat".

So that the relevant scripts can be called directly on the console from a cron job and the server queries work, you also need the php5-cli package and qstat:

apt-get install php5-cli qstat

PHP restrictions

 

When configuring php.ini, the following must be observed so that the panel works:

The panel requires the function fopen() to be able to access the server logs, so it must be allowed. Likewise, the superfluous Safe Mode must be disabled.

; NOTE: this is considered a "broken" security measure.
;       Applications relying on this feature will not recieve full
;       support by the security team.  For more information please
;       see /usr/share/doc/php5-common/README.Debian.security
;
safe_mode = Off
 
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

The only file that accesses "/usr/bin/quakestat" is statuscheck.php. It is not run via the web server but via the php5-cli package, and the restrictions from the vhosts' php.ini do not apply to php5-cli.

For this reason the panel does not need access to files outside the web space folder, so the open_basedir restriction can be set fairly strictly. The entry for each vhost could look like this:

open_basedir = /var/www/yourdomain.tld/httpd/:/var/www/yourdomain.tld/temp/

If you have a vServer whose main IP is the loopback device instead of the external IP, the status script has to be called via wget instead. In this case open_basedir must be extended by the "/usr/bin/" folder:

open_basedir = /var/www/yourdomain.tld/httpd/:/var/www/yourdomain.tld/temp/:/usr/bin/
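A quick way to confirm that the web server's PHP really runs with the settings described above (and not with the php5-cli settings, which differ) is a small check script. The following is an added example, not part of the howto or of Easy-Wi: drop it into the web space, open it once in the browser, and delete it again. The paths are assumptions taken from the open_basedir example above; /etc/passwd is only used as a file that must not be readable from the web space.

```php
<?php
// Added example (not Easy-Wi code): verify the php.ini hardening described in the howto.
// Must be opened through the web server, since php5-cli uses a separate php.ini.
// Paths are assumptions matching the open_basedir example above.

$webRoot = '/var/www/yourdomain.tld/httpd/';
$tempDir = '/var/www/yourdomain.tld/temp/';
$outside = '/etc/passwd'; // any file that must NOT be reachable from the web space

$problems = array();

// 1. safe_mode must be off (ini_get() returns false on PHP >= 5.4, where it no longer exists).
if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) {
    $problems[] = 'safe_mode is still enabled';
}

// 2. allow_url_fopen must be on; the panel relies on fopen() for the server logs.
if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
    $problems[] = 'allow_url_fopen is off';
}

// 3. open_basedir must be set and must list the web space and temp folders.
$basedir = ini_get('open_basedir');
if ($basedir === '' || $basedir === false) {
    $problems[] = 'open_basedir is not set';
} else {
    foreach (array($webRoot, $tempDir) as $required) {
        if (strpos($basedir, $required) === false) {
            $problems[] = "open_basedir does not contain $required";
        }
    }
}

// 4. open_basedir is only worth anything if PHP actually refuses paths outside it.
//    fopen() on such a path emits a warning and returns false, so the warning is suppressed.
$handle = @fopen($outside, 'r');
if ($handle !== false) {
    fclose($handle);
    $problems[] = "$outside is readable from the web space";
}

// 5. The web-facing scripts do not need system()/exec(); report if they are still callable.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach (array('system', 'exec', 'shell_exec', 'passthru') as $fn) {
    if (!in_array($fn, $disabled, true)) {
        $problems[] = "$fn() is not listed in disable_functions";
    }
}

header('Content-Type: text/plain');
if (empty($problems)) {
    echo "OK: php.ini matches the recommended settings\n";
} else {
    echo "Problems found:\n - " . implode("\n - ", $problems) . "\n";
}
?>
```

Check 4 is the one that matters most: a typo in the open_basedir line leaves the directive set but ineffective, and only an actual fopen() outside the allowed folders reveals that.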

Easy-Wi upload and installation

After the web space has been prepared, upload the files. The Easy-Wi archive contains more files than you need for the web space.

All files from the "page" folder must be uploaded. If you use PHP 5.3 or later, also upload the contents of "php/53", otherwise the contents of "php/5".

If you have not yet created a database, now is the time. It is best to use a separate user whose database access is restricted to this one database.

Once the user and database have been created and the files uploaded, call the install script in the browser. It is located in the "install" folder; enter the following URL, adapted to your web space:

http://yourdomain.tld/install/install.php

In the first step the file permissions and the web space are checked. If the check is successful you will be asked for your SQL credentials and for a passphrase used to encrypt the database.

For security reasons it is advisable to use a long string. If this key is lost, large parts of the database are lost as well, since 128-bit AES encryption is used. Access to the web part of Easy-Wi is not affected by this, however, since the corresponding passwords are stored as salted hashes.

After you have made your settings, click "Step 2". The tables will now be created and the second input mask is displayed.

First you set the default language. It is used on the login page and whenever a user's language is not available in the panel. Once logged in, the user can of course select a different language.

The e-mail address you enter here is used by the panel as the sender address. It is used, for example, when a backup has been created successfully or the installation of a virtual server is complete.

If a user exceeds the permitted number of consecutive failed logins, the IP address is blocked for 15 minutes.

The server tag only plays a role for game servers. If it is defined and a game server is set to require it, both the admin and the user will be locked out or warned that the server tag must be used in the name.

 

The last area is the access for the first admin user. It must be stressed that a long password has to be used here, containing at least upper- and lowercase letters and numbers, and that it must not be used for any other account under any circumstances.

 

After completing the entries, click "Step 3".

The data just entered is now written to the database, and you will then be asked to delete the "install" folder.

After deleting it, the panel is ready for use.

As a final step, the ionCube license file license.php must still be uploaded to the "stuff/" folder.

 

Cronjobs

 

To use all features of the panel you have to set up and start the cron jobs for the restart and backup scheduler. The cron job for jobs.php is only needed if the API is used. Instead of a cron job, you can run jobs.php on the console as a daemon:

php ./jobs.php deamon 30

In this case it looks for a new job every 30 seconds and executes it if necessary.

Cron jobs are usually entered in /etc/crontab:

nano /etc/crontab

There, enter the following, adapted to your installation:

11 */1 * * * phpusername cd /var/www/yourdomain.tld/httpd/ && timeout 300 php ./reboot.php >/dev/null 2>&1
*/5 * * * * phpusername cd /var/www/yourdomain.tld/httpd/ && timeout 290 php ./statuscheck.php >/dev/null 2>&1
*/1 * * * * phpusername cd /var/www/yourdomain.tld/httpd/ && timeout 290 php ./startupdates.php >/dev/null 2>&1
*/5 * * * * phpusername cd /var/www/yourdomain.tld/httpd/ && timeout 290 php ./jobs.php >/dev/null 2>&1
*/10 * * * * phpusername cd /var/www/yourdomain.tld/httpd/ && timeout 290 php ./cloud.php >/dev/null 2>&1

The status check can cause performance problems on the TS3 side if a TS3 instance contains many virtual servers.

For this reason a cooldown can be set. This causes the script to sleep N nanoseconds between the individual queries:

*/5 * * * * phpusername cd /var/www/yourdomain.tld/httpd/ && timeout 290 php ./statuscheck.php coolDown:2 >/dev/null 2>&1

On some vServers the first network device is always the loopback device. In such a case the virtualization software does not allow the licensed IP to be the main IP.

However, this is necessary so that the encrypted files can be used with php5-cli. The same can happen on dedicated servers if multiple IPs are used.

The error message in such a case is:

The license file /var/www/yourdomain.tld/httpd/stuff/license.php
for /var/www/yourdomain.tld/httpd/reboot.php
is not valid for this server.
in Unknown on line 0

On a dedicated server you should try to fix the problem through the system configuration.

On vServers this is usually not possible. If the problem cannot be solved through config changes, you can set up cron jobs for a user that call the files on the server using wget:

11 */1 * * * deincronjobuser wget -q --no-check-certificate -O - https://yourdomain.tld/reboot.php >/dev/null 2>&1
*/5 * * * * deincronjobuser wget -q --no-check-certificate -O - https://yourdomain.tld/statuscheck.php >/dev/null 2>&1
*/5 * * * * deincronjobuser wget -q --no-check-certificate -O - https://yourdomain.tld/startupdates.php >/dev/null 2>&1
*/5 * * * * deincronjobuser wget -q --no-check-certificate -O - https://yourdomain.tld/jobs.php >/dev/null 2>&1
*/10 * * * * deincronjobuser wget -q --no-check-certificate -O - https://yourdomain.tld/cloud.php >/dev/null 2>&1

If you have the choice you should always prefer the first option, especially since long operations cannot be aborted there by PHP's run-time limit.

The first entry is for the restart and backup scheduler and may only be run once an hour. It is advisable to set the minute within the hour to an odd value, as many admins run updates and backups on the full hour.

The second entry is responsible for the server status. The data collected here is shown in the interface as server status. The smaller the interval, the more accurate the server status. In the example the status check runs every 5 minutes; the smallest interval is one minute.

The status check only checks servers whose users were activated by the admin and which the user has not stopped. If the status check finds that a server is offline, it is restarted automatically.

By default statuscheck.php queries both voice and game servers. On the console you can call it with the additional parameter 'gs' or 'vs' to check only game servers or only voice servers. Such a separation makes sense if you have a great many servers.

Once you have made the entries, save and exit nano with the key combination "Ctrl + x" and "y". Then restart cron:

/etc/init.d/cron restart

htaccess, Directory and FilesMatch

From the browser, access should only be possible to a few PHP, JS, CSS and image files. PHP files that are only included need no direct access at all. Access to config.php and keyphrasefile.php from the browser must be prevented under all circumstances. The same applies to the contents of the "keys" folder.

Access can be prevented by extending the rules in the .htaccess, or directly in the vhost. If you have the choice, put them directly into the vhost, since unlike the .htaccess the vhost entry does not have to be parsed on every page request.

The following rules in the vhost should restrict access sufficiently:

<Directory "/var/www/yourdomain.tld/httpd/keys">
    Order deny,allow
    deny from all
</Directory>
<Directory "/var/www/yourdomain.tld/httpd/stuff">
    Order deny,allow
    deny from all
</Directory>
<Directory "/var/www/yourdomain.tld/httpd/template">
    Order deny,allow
    deny from all
</Directory>
<Directory "/var/www/yourdomain.tld/httpd/languages">
    Order deny,allow
    deny from all
</Directory>
<Files .htaccess>
    Order deny,allow
    deny from all
</Files>
<Files id_rsa>
    Order deny,allow
    deny from all
</Files>
<FilesMatch "\.pub$">
    Order deny,allow
    deny from all
</FilesMatch>
<FilesMatch "\.php$">
    Order deny,allow
    deny from all
</FilesMatch>
<FilesMatch "^(admin|api|cloud|get_password|images|index|install|jobs|login|protectioncheck|reboot|serverallocation|serverlog|statuscheck|switch|update|userpanel|lend)\.php$">
    Order allow,deny
    allow from all
</FilesMatch>

Once you have set up the rules, Apache has to be restarted:

/etc/init.d/apache2 restart

When working with the .htaccess file, not all rules can be used. The Directory and Location directives lead to an "Internal Server Error" with status code 500. A .htaccess file might look like this; add Files rules for the names of all key files you use:

<Files .htaccess>
	Order deny,allow
	deny from all
</Files>
<FilesMatch "\.php$">
	Order deny,allow
	deny from all
</FilesMatch>
<FilesMatch "\.tpl$">
	Order deny,allow
	deny from all
</FilesMatch>
<FilesMatch "\.xml$">
	Order deny,allow
	deny from all
</FilesMatch>
<FilesMatch "^(index|login|switch|userpanel|admin|serverallocation|serverlog|captcha|get_password|install|update|protectioncheck|traffic|reboot|statuscheck|serverstats)\.php$">
	Order allow,deny
	allow from all
</FilesMatch>

To use the .htaccess file it is enough to change or upload it; a restart of the web server is not required.
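Whether the vhost or the .htaccess variant is used, the rules are only as good as their regular expressions, so it pays to test them from the outside. The following script is an added example and not part of the howto or of Easy-Wi: run it with php5-cli after changing the rules and it requests the files named above, expecting 403 (or 404) for the sensitive ones and a normal answer for the whitelisted entry points. The base URL is an assumption; the file names are the ones the howto mentions.

```php
<?php
// Added example (not Easy-Wi code): check from the console that the deny rules
// really block the sensitive files and that the whitelist still serves the panel.
// Usage with php5-cli:   php check_access.php https://yourdomain.tld
// The default base URL is an assumption.

$base = isset($argv[1]) ? rtrim($argv[1], '/') : 'https://yourdomain.tld';

// Must never be served by the web server (covered by the deny rules above).
$mustBeBlocked = array('/config.php', '/keyphrasefile.php', '/keys/id_rsa',
                       '/stuff/license.php', '/.htaccess');

// Must still be reachable (listed in the FilesMatch whitelist above).
$mustBeOpen = array('/index.php', '/login.php');

// Returns the HTTP status code of a GET on $url, or 0 if no answer was received.
function httpStatus($url)
{
    $context = stream_context_create(array(
        'http' => array(
            'method'          => 'GET',
            'ignore_errors'   => true, // keep the headers of 4xx/5xx answers instead of failing
            'follow_location' => 0,    // report the first answer, not a redirect target
            'timeout'         => 10,
        ),
        // Only needed while the self-signed certificate from the SSL section is in use;
        // remove this entry once a CA-signed certificate is installed.
        'ssl' => array('verify_peer' => false, 'verify_peer_name' => false),
    ));
    @file_get_contents($url, false, $context);
    // PHP fills $http_response_header in this scope; [0] is e.g. "HTTP/1.1 403 Forbidden".
    if (empty($http_response_header)
        || !preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        return 0;
    }
    return (int) $m[1];
}

$failed = 0;
foreach ($mustBeBlocked as $path) {
    $code = httpStatus($base . $path);
    $ok   = in_array($code, array(403, 404), true);
    printf("%-22s %3d %s\n", $path, $code, $ok ? 'blocked' : 'EXPOSED');
    $failed += $ok ? 0 : 1;
}
foreach ($mustBeOpen as $path) {
    $code = httpStatus($base . $path);
    $ok   = in_array($code, array(200, 301, 302), true); // a redirect to the login page is fine
    printf("%-22s %3d %s\n", $path, $code, $ok ? 'reachable' : 'NOT reachable');
    $failed += $ok ? 0 : 1;
}
exit($failed === 0 ? 0 : 1);
?>
```

A non-zero exit code makes the script usable from a cron job or deployment script, so a later change to the whitelist that accidentally exposes config.php is noticed immediately.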

 

SSL

 

As a rule the panel is installed on a web space that is reachable on port 80, i.e. at http://yourdomain.tld. Transmissions over this connection are unencrypted, so the data can be intercepted and read. This has lately been used in public WLANs to capture as many accounts as possible.

For this reason it is recommended to encrypt access with SSL. You can either buy a certificate that is accepted by all browsers without a warning, or sign one yourself. The latter is just as secure, but triggers a warning in the browser.

If you only care about security and do not want to spend any money, sign it yourself:

mkdir -p /etc/apache2/sslkeys
cd /etc/apache2/sslkeys
openssl genrsa -des3 -out server.key 1024

You will be prompted for a passphrase. This is later used several times.

openssl req -new -key server.key -out server.csr

Here you must now enter your data. The most important entry is "Common Name (eg, YOUR name) []:". Enter the domain under which the panel runs. If you want to use the certificate for different subdomains, you can also use a wildcard here.

For the domain yourdomain.tld, for example, enter yourdomain.tld; if you want to use the certificate for all its subdomains, enter *.yourdomain.tld instead.

Now execute the following commands:

cp server.key server.key.temp
openssl rsa -in server.key.temp -out server.key
openssl x509 -req -days 1460 -in server.csr -signkey server.key -out server.crt

and the keys are ready for use.

The newly created keys only have to be registered in the vhost:

<VirtualHost *:443>
    ServerAdmin info@yourdomain.tld
    ServerName yourdomain.tld
    SSLEngine on
    # paths match the folder the key and certificate were created in above
    SSLCertificateKeyFile /etc/apache2/sslkeys/server.key
    SSLCertificateFile /etc/apache2/sslkeys/server.crt
    (...)
</VirtualHost>

Now just restart Apache:

/etc/init.d/apache2 restart

If you did everything correctly, the page should now be reachable at https://yourdomain.tld
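Before pointing users at the new address it is worth checking the certificate once more than the browser does. The following script is an added example, not part of the howto or of Easy-Wi: it reads the certificate created above and reports a Common Name that does not cover the panel's hostname (including the wildcard case from the request step), a self-signed issuer, approaching expiry, and a key size that current browsers no longer accept. The certificate path is the one from the openssl commands above; the hostname is an assumption.

```php
<?php
// Added example (not Easy-Wi code): inspect the freshly created certificate and
// report what browsers, and the wget cron jobs, will complain about.
// Run once with php5-cli:   php check_cert.php
// The certificate path is taken from the howto; the hostname is an assumption.

$certFile = '/etc/apache2/sslkeys/server.crt';
$hostname = 'yourdomain.tld';

// Does the certificate's Common Name cover $host? Accepts the exact name or a
// single-label wildcard such as "*.yourdomain.tld", which covers www.yourdomain.tld
// but neither the bare domain nor a.b.yourdomain.tld.
function cnCovers($cn, $host)
{
    if (strcasecmp($cn, $host) === 0) {
        return true;
    }
    if (substr($cn, 0, 2) !== '*.') {
        return false;
    }
    $suffix = substr($cn, 1); // ".yourdomain.tld"
    if (strlen($host) <= strlen($suffix)
        || strcasecmp(substr($host, -strlen($suffix)), $suffix) !== 0) {
        return false;
    }
    $label = substr($host, 0, strlen($host) - strlen($suffix)); // what the "*" stands for
    return $label !== '' && strpos($label, '.') === false;
}

// Returns a list of warnings for the PEM certificate $pem when used for $host.
function inspectCertificate($pem, $host)
{
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return array('certificate could not be parsed');
    }
    $info     = openssl_x509_parse($cert);
    $warnings = array();

    $cn = isset($info['subject']['CN']) ? $info['subject']['CN'] : '';
    if (!cnCovers($cn, $host)) {
        $warnings[] = "Common Name '$cn' does not cover $host";
    }
    if ($info['subject'] == $info['issuer']) {
        $warnings[] = 'self-signed: browsers warn until the certificate is imported, '
                    . 'and the wget cron jobs need --no-check-certificate';
    }
    $daysLeft = (int) (($info['validTo_time_t'] - time()) / 86400);
    if ($daysLeft < 0) {
        $warnings[] = 'certificate has expired';
    } elseif ($daysLeft < 30) {
        $warnings[] = "certificate expires in $daysLeft days";
    }
    $pubKey  = openssl_pkey_get_public($cert);
    $details = ($pubKey !== false) ? openssl_pkey_get_details($pubKey) : false;
    if ($details !== false && $details['bits'] < 2048) {
        $warnings[] = "RSA key is only {$details['bits']} bits; current browsers distrust keys below 2048 bits";
    }
    return $warnings;
}

$pem = @file_get_contents($certFile);
if ($pem === false) {
    fwrite(STDERR, "cannot read $certFile\n");
    exit(1);
}
$warnings = inspectCertificate($pem, $hostname);
if (empty($warnings)) {
    echo "certificate is fine for $hostname\n";
} else {
    echo "warnings:\n - " . implode("\n - ", $warnings) . "\n";
}
exit(empty($warnings) ? 0 : 1);
?>
```

With the genrsa command above the key-size warning will fire; generating the key with 2048 bits instead silences it and is what current browsers expect.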

Best regards

Arctic

Any support PMs will be ignored; please use the Support section for them.

 
