Sysadmin: PHP-FPM modular config

Posted by on 10/06/2017 No comments


When you have multilple PHP-FPM pools configured on the server you usually store the configurations under /etc/php-fpm.d. When you have a lot of sites this directory starts looking pretty crowded.
Although when you look inside the typical PHP-FPM pool configuration file you can easily notice that there about only 4 lines that make a difference – everything else is absolutely identical.
Read more »

Sysadmin: How to configure PXE server on VMware workstation

Posted by on 09/20/2017 No comments

Vmware Workstation is the perfect candidate for configuring local PXE server for testing and development – it contains independent DHCP server that is an equivalent to ISC DHCP v2. All you need is to have your own VM that will be serving as TFTP server for network boot images, there are plenty of instruction on how to do that on Linux (.
I decided to configure my Vmware workstation for windows (windows 7 in that case) DHCP as PXE server using vmNAT network adapter, since I already have Linux VM in vmNAT network which I can configure for TFTP server.
The config file is %SYSTEMDRIVE%\Users\All Users\vmnetdhcp.conf, in order to enable PXE you will need to add 4 lines.

  1. 2 Lines at the top right after comments
  2. And another 2 lines inside the subnet block that is related to your VmNAT adapter network

    You will need to assign static IP to your Linux TFTP server so that network booted VMs will be able to access it.
  3. Now you can go to Administrative tools->Services and restart Vmware DHCP server – if everything correct then it will restart without complains.
  4. In order to configure your TFTP server use this, or this instruction

Sysadmin: How to install Letsencrypt on CentOS

Posted by on 09/18/2017 No comments


Since Letsencrypt started their services life became much easier (or less). You can get free valid and secure SSL certificates that are recognized by majority of browsers, but for that you need to do some initial configuration and keep in mind that if you don’t renew all these nice certificates will turn into pumpkin after 2 month.
Here is the one liner command to install certbot-auto in CentOS 6 (requires additional Python 2.7 from EPEL repo)

Almost, the same for the CentOS 7 just without Python.

Here is how quickly request/retrieve certificate for your website on domain.com that is hosted under /home/domain/public_html from command line (presuming that the site is answering on this server already e.g. DNS and web server configured properly)

If the request was successful your new certificates could be accessible from /etc/letsencrypt/live/domain.com, where
privkey.pem – is the certificate key, cert.pem – bare certificate fullchain.pem – certificate along with the whole CA chain.
Don’t forget that these are valid for 2 month only. You’ll need to run

after that to get valid certificates.

Sysadmin: how to test your web site before switching DNS

Posted by on 04/25/2017 No comments

How to test your web site after moving it to the new location, before switching DNS and “going live” there? This situation happens every day, even multiple times a day with single page placeholder sites and huge complicated web portals. I thought I’ll just put together simple instruction to refer people to it instead of explaining it over and over every time.
So, in order to test your web site on the new server, before switching DNS settings to the new location you will need to fool your desktop browser to look into new IP location. Here is how to do it.
Read more »

Sysadmin: check massive list of urls for HTTP status code reply in single line

Posted by on 03/01/2017 No comments

As I mentioned in previous post I did a few upgrades to EasyApache4 on couple of WHM/cPanel servers recently. While providing with an impressive list of advantages this upgrade could render some of the hosted sites offline because of missing PHP modules and incompatible PHP versions. In order to minimize the downtime all hosted sites has to be verified for availability. There could be easily hundreds of web sites hosted on single WHM/cPanel server and checking all of them manually will take a lot of time. In Linux almost anything could be automated.
Read more »

cPanel: Upgrade to EasyApache4 important points to consider

Posted by on 03/01/2017 No comments


So, you also decided to take a leap? It’s about time – a lot of new features are coming with EasyApache4 but in order to reduce downtime one has to be careful in the process.
I’ve done a couple upgrades of a company cPanel servers to EasyApache4 recently – not so easy procedure after all although definitely an improvement to the whole cPanel/WHM ecosystem.
Read more »

SSL protocol error 525 for nginx solved

Posted by on 02/28/2017 No comments


I’ve hit an unusual error the other day – I had to configure couple of SSL virtual hosts on Nginx web server. I didn’t expect to see any problems with that – it’s really simple and very well documented. The purpose was to switch Cloudflare CDN crypto option from “Flexible” to “Full”, to avoid unencrypted connection between Cloudflare and the server itself. The tricky part is that you have to have SSL virtual host configured on the server side before doing redirection otherwise you will get redirect loop.
I configured both of the SSL virtual hosts (thought second virtual host with ssl_certificate and ssl_certificate_key commented out) and tried to modify Cloudflare configuration – and then I’ve got 525 protocol error. I turned off the caching and tried to investigate.

I tried to use OpenSSL to troubleshoot SSL connection with “s_client” option, trying to connect to each SSL virtual host directly, bypassing Cloudflare and I saw an interesting picture

and more verbosely

And then it hit me – I’ve turned on SSL mode on the virtual host and not specified nor certificate no key, then I’ve configured another SSL virtual host with valid certificate and key configured but the SSL is running on the single IP so it’s in SNI mode, sends me an EMPTY SSL SNI negotiation start. In order to avoid the problem I need to have valid certificates for ALL my SNI SSL virtual hosts. After I altered my configuration the problem was fixed.

Centos: How to fine tune your Apache SSL server

Posted by on 12/14/2016 No comments


The fine tuning of the SSL server side configuration is slow and tedious but necessary procedure. It’s always good to have your SSL site to conform the most latest security standards. It boosts ego and makes customer happy too. It turns out that all you need for that is already at your disposal the point is to properly configure it.
Read more »

Sysadmin: Brute force detection – custom rule for SMTP and SSH

Posted by on 12/13/2016 No comments

I wrote before about excellent tool BFD that allows to block brute force password guessing attempts on different network services.
I prefer it to Fail2ban because of portability (bash script) system resource consumption (bash script!) and extendĐ°bility (true “unix way” modularity).
I also wrote before a brief instruction on how to extend BFD with your own rule to fight with apache/Wordpress DOS attack.
In this post I will show you how to write custom rules to block SMTP password guessing brute force attempts and SSSHD

Read more »

Centos: recover MySQL users access after upgrade to MySQL-5.5

Posted by on 12/06/2016 No comments

I had one of my customers asking me for the MySQL server version upgrade (OS provided MySQL 5.1.73 to something above MySQL 5.5) for one of his dedicated servers. Neither of us expected any problems from that, but we’ve ran into some that we had to resolve quickly because of production web sites running on the same server.
For more modern software versions I usually use excellent IUS reposity which in combination with EPEL repository serves about 87% of my needs in 3rd party packages and updates.
Read more »