Sysadmin: check massive list of urls for HTTP status code reply in single line

As I mentioned in previous post I did a few upgrades to EasyApache4 on couple of WHM/cPanel servers recently. While providing with an impressive list of advantages this upgrade could render some of the hosted sites offline because of missing PHP modules and incompatible PHP versions. In order to minimize the downtime all hosted sites has to be verified for availability. There could be easily hundreds of web sites hosted on single WHM/cPanel server and checking all of them manually will take a lot of time. In Linux almost anything could be automated.
Read more »

cPanel: Upgrade to EasyApache4 important points to consider

cPanel: Upgrade to EasyApache4 important points to consider 1
So, you also decided to take a leap? It’s about time – a lot of new features are coming with EasyApache4 but in order to reduce downtime one has to be careful in the process.
I’ve done a couple upgrades of a company cPanel servers to EasyApache4 recently – not so easy procedure after all although definitely an improvement to the whole cPanel/WHM ecosystem.
Read more »

SSL protocol error 525 for nginx solved

SSL protocol error 525 for nginx solved 2
I’ve hit an unusual error the other day – I had to configure couple of SSL virtual hosts on Nginx web server. I didn’t expect to see any problems with that – it’s really simple and very well documented. The purpose was to switch Cloudflare CDN crypto option from “Flexible” to “Full”, to avoid unencrypted connection between Cloudflare and the server itself. The tricky part is that you have to have SSL virtual host configured on the server side before doing redirection otherwise you will get redirect loop.
I configured both of the SSL virtual hosts (thought second virtual host with ssl_certificate and ssl_certificate_key commented out) and tried to modify Cloudflare configuration – and then I’ve got 525 protocol error. I turned off the caching and tried to investigate.
SSL protocol error 525 for nginx solved 3

I tried to use OpenSSL to troubleshoot SSL connection with “s_client” option, trying to connect to each SSL virtual host directly, bypassing Cloudflare and I saw an interesting picture

and more verbosely

And then it hit me – I’ve turned on SSL mode on the virtual host and not specified nor certificate no key, then I’ve configured another SSL virtual host with valid certificate and key configured but the SSL is running on the single IP so it’s in SNI mode, sends me an EMPTY SSL SNI negotiation start. In order to avoid the problem I need to have valid certificates for ALL my SNI SSL virtual hosts. After I altered my configuration the problem was fixed.

Centos: How to fine tune your Apache SSL server

Centos: How to fine tune your Apache SSL server 4
The fine tuning of the SSL server side configuration is slow and tedious but necessary procedure. It’s always good to have your SSL site to conform the most latest security standards. It boosts ego and makes customer happy too. It turns out that all you need for that is already at your disposal the point is to properly configure it.
Read more »

Sysadmin: Brute force detection – custom rule for SMTP and SSH

I wrote before about excellent tool BFD that allows to block brute force password guessing attempts on different network services.
I prefer it to Fail2ban because of portability (bash script) system resource consumption (bash script!) and extendĐ°bility (true “unix way” modularity).
I also wrote before a brief instruction on how to extend BFD with your own rule to fight with apache/Wordpress DOS attack.
In this post I will show you how to write custom rules to block SMTP password guessing brute force attempts and SSSHD

Read more »

Centos: recover MySQL users access after upgrade to MySQL-5.5

I had one of my customers asking me for the MySQL server version upgrade (OS provided MySQL 5.1.73 to something above MySQL 5.5) for one of his dedicated servers. Neither of us expected any problems from that, but we’ve ran into some that we had to resolve quickly because of production web sites running on the same server.
For more modern software versions I usually use excellent IUS reposity which in combination with EPEL repository serves about 87% of my needs in 3rd party packages and updates.
Read more »

I have to say it: Debian package management beats it all

Yes, I need to get it out of my system, once and for all.
With all due respect to the selfless efforts of all Debian developers I have to admit that in the course of my professional career I’ve never dealt with such an confusing, obscure and downright inconvenient package management tools. You guys even left Sun far behind.
And I’ve see it all.
Here, I’ve said it, now you can hate me because you can’t allow yourselves to admit that I’m right.

Wordpress: Database access error of doom

wp-db-error Usually it happens after migration. When there is absolutely nothing that could possibly go wrong:
Read more »

sysadmin: cPanel installation script detected MySQL and failed

While trying to install cPanel control panel on just reimaged server I’ve got an interesting error, I’ve never seen before:

Read more »

sysadmin: Apache, FastCGI and PHP-FPM working config

apache-php-fpm
I was looking for working config for the combination of apache mod_fastcgi and PHP-FPM and could not find any. I mean there were plenty of examples and discussions but none of them were operational. The closest was the article on server-world.info site.
Based on that information I was able to put together working configuration for multiple virtual hosts.
Read more »