Migrating a cPanel account to a base CentOS/nginx/php-fpm/mysql server

Mar 012013

Today, we’ll be setting up a base CentOS 5.9 server with nginx, php-fpm, mySQL, and extracting a cPanel account into it. This is useful if you have a single website you need to migrate from one provider into a dedicated environment, and you need it to run as predictably as possible with as little RAM as possible. Let’s get started by updating the operating system. Then we’ll proceed to setting up each individual service before extracting the backup into them all at once.

1. Update the Operating System

The first thing to do is make sure you’re running your latest-and-greatest before you open yourself up to the public.
yum update -y
Review the packages you just installed. If you see a kernel, reboot the system before continuing.

Next, let’s add the nginx repo. That just makes things easier, we probably don’t need to manually compile nginx.
rpm -Uvh http://nginx.org/packages/centos/5/noarch/RPMS/nginx-release-centos-5-0.el5.ngx.noarch.rpm
We also need the EPEL and IUS repositories in order to get some more updated PHP binaries as well as php-fpm.
rpm -Uvh http://mirrors.servercentral.net/fedora/epel/5/i386/epel-release-5-4.noarch.rpm rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/5/x86_64/ius-release-1.0-10.ius.el5.noarch.rpm

2. Install and Configure nginx

And now, let’s install (and start) nginx.
yum -y install nginx /etc/init.d/nginx start
At this point, you should be able to go to your server’s main IP address and see the nginx default page.

3. Install mySQL

Let’s install mySQL next, so we have the client and server set up before we try to install PHP to connect to it.
yum install mysql-server
Once you’ve installed the package, you still need to configure the mysql server:
/etc/init.d/mysqld start mysql_secure_installation
Answer some questions, and then create the file /root/.my.cnf in your favorite text editor. Add the following lines:
[client] user=root pass=Your new root password
This will allow you to connect to mySQL from the root user command line without specifying the mySQL root password.

4. Install PHP/php-fpm

Time to install PHP! At a minimum, you need the following packages:
yum install php53u php53u-mysql php53u-fpm
A more complete installation that would more closely mirror a typical cPanel server will look something like this:
yum install php53u php53u-fpm php53u-mysql php53u-gd php53u-mbstring php53u-devel php53u-mcrypt php53u-imap php53u-pear php53u-pdo php53u-xml php53u-soap php53u-ioncube-loader
And finally, start the php-fpm listener:
/etc/init.d/php-fpm start

5. Configure nginx to use php-fpm

Now it’s time to configure your nginx configuration file to (securely!) pass PHP files to nginx. This information comes via this blog entry, which contains some nifty information on why other blog entries on how to set up nginx and php-fpm leave you open for a really nasty attack. I’ve made a lot of modifications to the code though, so don’t copy directly from that blog, as it may not work. I found that I needed to set “root” under the PHP location as well to get the path info working.
First, open your /etc/nginx/conf.d/default.conf file in your favorite text editor. You’ll likely see the following:
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #}
I like to leave the default configuration example/comments intact in these files so I have something to refer back to if I break my server, so just add some empty lines below those comments and add the following:
# Pass all .php files onto a php-fpm/php-fcgi server. location ~ \.php$ { root /home/user/public_html;

fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; # fastcgi_intercept_errors on; add_header request $request_filename; if (-f $request_filename) { fastcgi_pass 127.0.0.1:9000; } }
You’re also going to want to uncomment the lines below that in the default file:
location ~ /\.ht { deny all; }
At this point you can make any other changes you want, including changing the “root” location (your document root; I recommend setting the same location you had in cPanel), your listen IP/port, your server_name, your error_pages, your “index” (you probably want to add “index.php” here), etc. At this point, you should also review /etc/php-fpm.conf and /etc/php-fpm.d/www.conf. The latter file especially impacts your permissions, as you will set the user PHP runs as on this. It might be a good idea to create a system user named the same thing as your cPanel user, and make sure your files are chowned and chmoded appropriately.

6. Extract your cPanel backup

You’re halfway there! It’s time to start picking apart the elements of a cPanel backup file. Let’s look at an extracted cpmove backup file.
addons homedir.tar mysql/ resellerpackages/ userconfig/ bandwidth/ httpfiles/ mysql.sql sds userdata/ counters/ interchange/ mysql-timestamps/ sds2 va/ cp/ locale/ nobodyfiles shadow vad/ cron/ logaholic/ pds shell version dnszones/ logs/ proftpdpasswd sslcerts/ vf/ domainkeys/ meta/ psql/ ssldomain/ fp/ mm/ quota sslkeys/ homedir/ mma/ resellerconfig/ suspended/ homedir_paths mms/ resellerfeatures/ suspendinfo/
Ouch! Okay, let’s just mess with what’s absolutely essential to get this up and running.
mv homedir.tar homedir/ cd homedir/ tar -xf homedir.tar ls
Now this looks a little more familiar, right?
bin/ cpmove.psql/ homedir.tar php/ tmp/ cpanel3-skel/ cpmove.psql.1339066964/ mail/ public_ftp/ www/ cpbackup-exclude.conf etc/ perl5/ public_html/
Your directory structure may vary somewhat. The most important thing to us here is that public_html directory. Move it to wherever you want your document_root to be and set the ownership properly.
mv public_html /home/user/ chown -R user:user /home/user/public_html
Now it’s time to import the mySQL databases and users. Users are stored in the “mysql.sql” file at the root of the backup; individual databases are stored in the mysql directory.
cd ../ mysql < mysql.sql for i in `ls | grep .sql | grep -v horde | grep -v roundcube | cut -d\. -f1`; do mysql < $i.create; mysql $i < $i.sql;done

6. Manual configs

Okay, now we're into some more dicey stuff this tutorial won't cover. You should check your backup file for things like PostgreSQL, cron jobs, SSL certificates, restoring log files/webalizer information, DNS, and e-mail. We might cover that in a later tutorial. At this point, however, you should have a fully-functional website! Just host DNS elsewhere, point it at your new server, and go!

Whitelisting mod_security rules

cPanel, Fixing Shit, Linux, Shell No Responses »

Aug 032012

Apache’s mod_security is a system that scans URL data and data POSTed to the server in forms for malicious attacks such as XSS, SQL injections, etc. It comes with a default ruleset that always trips up a number of standard AJAX functions in applications like WordPress and Joomla, necessitating that rules be removed from the mod_security configuration to allow the site to function properly. The method of removing these rules under Apache 2 is by whitelisting the individual rules in the VHost entry for the domain. Here’s how to do it in cPanel.

Is mod_security enabled?

root@server [~]# httpd -M | grep sec security2_module (shared)

Yep.

A typical mod_security error message

[Sun Jul 29 18:29:47 2012] [error] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (?:/event\\\\.ng/|horde/services/go\\\\.php|tiki-view_cache\\\\.php|^/\\\\?out=http://|homecounter\\\\.php\\\\?offerid=.*ureferrer=http|__utm\\\\.gif\\\\?|/plugins/wpeditimage/editimage\\\\.html|/spc\\\\.php)" against "REQUEST_URI" required. [file "/usr/local/apache/conf/modsec/50_asl_rootkits.conf"] [line "53"] [id "390145"] [rev "10"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Rootkit attack: Generic Attempt to install rootkit"] [data "=http://www.hackers-web-site.com/what/e.txt?"] [severity "CRITICAL"] [hostname "www.domain.com"] [uri "/index.php"] [unique_id "UBVB02B-nBoACs9n0p4AAAAH"]

The error log for mod_security is /usr/local/apache/logs/error_log. There are 2 important pieces of information contained in this error:

[id "390145"]
This is the mod_security rule ID number. We will use this to tell mod_security which rule we want to whitelist.
[hostname "www.domain.com"]
This is the name of the VirtualHost under which the error was generated. This is important because whitelisting a mod_security rule for a domain doesn’t whitelist it for the whole account; subdomains, addon domains, etc all have separate whitelists.

Creating the userdata includes

mkdir -p /usr/local/apache/conf/userdata/std/2/user/domain.com
root@server [~]# mkdir -p /usr/local/apache/conf/userdata/std/2/user/domain.com

In the above example, we are setting up an Inside VHost include. The italic std indicates this is being done in a port 80 (standard/non-secure) VirtualHost, the bold user is the cPanel username of the account, and the bold and italic domain.com is the hostname from the error message above (we discard www because that’s just a ServerAlias under the same VHost). Once we create the userdata include directory, it’s time to set up the configuration file to include. We’ll use nano because it’s the best text editor.

nano -w /usr/local/apache/conf/userdata/std/2/user/domain.com/domain.com.conf
root@server [~]# /usr/local/apache/conf/userdata/std/2/user/domain.com/domain.com.conf

You can name the file anything as long as it ends in .conf; I prefer to use domain.com.conf for clarity and simplicity. Now let’s whitelist some mod_security rules.

SecRuleRemoveById 390145

Notice that we used 390145 from the error message above. If this site was generating errors from multiple IDs, we’d put in multiple SecRuleRemoveById lines.

Enabling the userdata includes in Apache conf

/scripts/ensure_vhost_includes --user=user

This uncomments a line in the VirtualHost entry in httpd.conf for this domain to include any .conf files in /usr/local/apache/conf/userdata/std/2/user/domain.com/

/usr/local/cpanel/bin/apache_conf_distiller --update /usr/local/cpanel/bin/build_apache_conf

These compile and distill the changes into Apache’s configuration.

Testing

The first thing to check is to ensure that the following line in the VirtualHost entry for domain.com is uncommented:

Include "/usr/local/apache/conf/userdata/std/2/user/domain.com/*.conf"

The only other way to test this is to reproduce the issue and tail the Apache error log. Make sure you have reproduction instructions available; many scripts will trigger more than one SecRule, but you’ll only see the first one due to the request being blocked.

Uninstall CloudLinux

cPanel, Installing Shit, Shell No Responses »

Jul 232012

Uninstalling CloudLinux is a fairly involved process, as the CloudLinux repos ship their own version of many software packages that need to be re-downgraded to CentOS defaults. I will be using this guide as a basis, with a few tweaks because uninstalling kernels with yum makes me nervous (dependency issues mean that you could be uninstalling the entire glibc system from your server…)

Run the CloudLinux uninstaller
/usr/local/cpanel/bin/cloudlinux_system_install -c

Update any packages available from your newly-default CentOS repos
yum upgrade -y

Recompile Apache to remove liblve and mod_hostinglimits
/scripts/easyapache --build

Install the CentOS kernel
yum --disableexcludes=all install kernel

Manually uninstall the CloudLinux kernel
rpm -qa |awk '/^kernel.*lve/ {print $1|"xargs rpm -e --nodeps"}'

Make sure the uninstaller updated grub
grep -r lve /boot/*
If this finds anything in menu.lst or any other GRUB config files, manually remove the entries for kernels with “lve” in the name.

Reinstall the packages CloudLinux supplied with CentOS defaults
rpm -qa --qf "[%{VENDOR} %{NAME}\n]"|awk '/CloudLinux/ {print $2|"xargs yum reinstall -y"}'

Downgrade any packages supplied by CloudLinux with CentOS versions
rpm -qa --qf "[%{VENDOR} %{NAME}\n]"|awk '/CloudLinux/ {print $2|"xargs yum downgrade -y"}'

Remove any packages supplied by CloudLinux not available in CentOS
rpm -qa --qf "[%{VENDOR} %{NAME}\n]"|awk '/CloudLinux/ {print $2|"xargs yum erase -y"}'

Final upgrade. Make sure kernel-headers and kernel-devel are installed.

yum upgrade -y

yum install kernel-headers kernel-devel

Reboot
shutdown -rf now

That should be it. If Apache fails to start, try another EasyApache build.

Latest ffmpeg on CentOS

Installing Shit, Linux, Shell No Responses »

Apr 282012

It’s been a long time coming, but here’s my guide to install the latest ffmpeg and associated packages for a video upload site on base CentOS, no cPanel required (if Google got you here and you have cPanel, try the cPanel ffmpeg guide). This article assumes you’ve already set up your HTTP daemon (Apache, nginx, lighttpd, litespeed, etc), scripting agent (PHP), and database provider (mySQL, PostgreSQL, etc). The commands in this guide assume you are running the latest CentOS 5.8 64-bit. Some modifications may be necessary for other architectures and versions of CentOS.

Make sure you’re up to date

Make sure you’re on the latest CentOS branch. We’re installing the latest version of ffmpeg, and if you’re not running the latest version of your CentOS branch, you may run into unexpected issues.
yum update
Install whatever is required, and compatible with your other software. If you update your kernel, reboot before continuing.

Extra Repositories

RPMForge is a useful, fully-compatible extra repository. We will use it for a number of packages that don’t need to be bleeding-edge. For more information, see the CentOS wiki.
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt rpm -K rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm rpm -i rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

Development Tools

You must have the required packages to download and compile the source code.
yum groupinstall "Development Tools" yum install subversion git

Install RPM libraries

Some libraries don’t need to be bleeding-edge. We’ll install those now.
yum install gettext-devel expat-devel curl-devel zlib-devel openssl-devel libXext libXext-devel flvtool2

ldconfig

We need to make sure ldconfig is checking the correct directories for libraries.
echo /usr/local/lib >> /etc/ld.so.conf; ldconfig

Download libraries

Okay, here’s the big one. It’s probably a good idea to go ahead and copy+paste this whole code block into your terminal at once to save time. One note; the official distribution release of ffmpeg-php no longer compiles. The SVN version available here works, but the SVN tarball link here can’t easily be downloaded in a terminal session, so I’ve rehosted the file here on this server. This is not my file, I haven’t modified it, and I take no responsibility for it – it’s merely a copy of the file available from the above link.
cd /usr/local/src wget http://iweb.dl.sourceforge.net/project/lame/lame/3.99/lame-3.99.5.tar.gz tar zxf lame-3.99.5.tar.gz wget http://hasaninter.net/ffmpeg-php.tar.gz tar xzf ffmpeg-php.tar.gz wget http://downloads.xiph.org/releases/vorbis/libvorbis-1.3.3.tar.gz tar xzf libvorbis-1.3.3.tar.gz wget http://downloads.xiph.org/releases/ogg/libogg-1.3.0.tar.gz tar xzf libogg-1.3.0.tar.gz wget http://iweb.dl.sourceforge.net/project/opencore-amr/opencore-amr/opencore-amr-0.1.3.tar.gz tar xzf opencore-amr-0.1.3.tar.gz wget http://downloads.xiph.org/releases/theora/libtheora-1.1.1.tar.bz2 tar xjf libtheora-1.1.1.tar.bz2 wget http://downloads.xvid.org/downloads/xvidcore-1.3.2.tar.gz tar zxf xvidcore-1.3.2.tar.gz wget http://downloads.sourceforge.net/faac/faad2-2.7.tar.gz tar zxf faad2-2.7.tar.gz wget http://downloads.sourceforge.net/faac/faac-1.28.tar.gz tar zxf faac-1.28.tar.gz mkdir /usr/local/lib/codecs wget ftp://ftp.mplayerhq.hu/MPlayer/releases/codecs/all-20110131.tar.bz2 tar -jxf all-20110131.tar.bz2 wget http://www.tortall.net/projects/yasm/releases/yasm-1.2.0.tar.gz tar zxf yasm-1.2.0.tar.gz cp all-20110131/* /usr/local/lib/codecs/ chmod -R 755 /usr/local/lib/codecs/ mkdir /usr/local/src/tmp chmod 777 /usr/local/src/tmp export TMPDIR=/usr/local/src/tmp svn co https://gpac.svn.sourceforge.net/svnroot/gpac/trunk/gpac gpac git clone git://git.videolan.org/x264.git git clone git://git.videolan.org/ffmpeg.git ffmpeg svn checkout svn://svn.mplayerhq.hu/mplayer/trunk mplayer

Compile everything

Here we go! This is the hard part, where we compile bleeding-edge libraries. At the time this was posted, this all worked. If you run into any errors, try Googling them. If you still can’t figure it out (or more importantly, if you do!) please comment here and I’ll edit this post with the latest fixes.

Lame

cd /usr/local/src/lame-3.99.5/ ./configure make make install

Libogg

cd /usr/local/src/libogg-1.3.0 ./configure make make install

Libvorbis

cd /usr/local/src/libvorbis-1.3.3 ./configure make make install

yasm

cd /usr/local/src/yasm-1.2.0 ./configure make make install

Libxvid

cd /usr/local/src/xvidcore/build/generic ./configure make make install

Libx264

cd /usr/local/src/x264 ./configure --enable-shared make make install

Opencore-amr

cd /usr/local/src/opencore-amr-0.1.3 ./configure make make install

Libtheora

cd /usr/local/src/libtheora-1.1.1 ./configure make make install

Fadd2

cd /usr/local/src/faad2-2.7 ./configure make make install

Faac

cd /usr/local/src/faac-1.28 ./configure make make install

MP4Box

cd /usr/local/src/gpac ./configure make make install

mplayer

cd /usr/local/src/mplayer/ ./configure --enable-jpeg make make install

ffmpeg

cd /usr/local/src/ffmpeg ./configure --enable-libmp3lame --enable-libvorbis --enable-shared --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-nonfree --enable-libtheora --enable-version3 --enable-gpl --enable-libxvid make make install

ffpmeg-php

cd /usr/local/src/ffmpeg-php phpize ./configure make make install

php.ini

If you’re adding in the ffmpeg module to PHP (which this guide assumes you are), you need to add the extension to PHP. Again, this guide assumes you’re using PHP on Apache with CentOS 5.
echo "extension=ffmpeg.so" > /etc/php.d/ffmpeg.ini /etc/init.d/httpd restart

ldconfig

To ensure that all of the libraries are loaded and linkable by ffmpeg, etc, run:
ldconfig

That’s it! There are a few tests you can run to ensure that this is actually installed properly. Here are the two most important.

php -m | grep ffmpeg ffmpeg

RCS, or, oh my god how do I just get my old httpd.conf back

cPanel, Fixing Shit, Shell No Responses »

Apr 272012

So, you just did something that broke your entire everything. You’ve tried restoring backups, or you don’t have any. You’ve tried correcting the cPanel userdata files, but for some reason, httpd.conf just isn’t changing. And then you notice this file httpd.conf,v – this beautiful file, that contains all of the changes you’ve ever made to httpd.conf, and has exactly the information you need in it. But how do you convert httpd.conf,v to httpd.conf? Using RCS!

Make backups

You got into this situation because you didn’t make enough backups, you silly little lamb, so let’s not make that mistake again.
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.broken cp /usr/local/apache/conf/httpd.conf /root cp /usr/local/apache/conf/httpd.conf\,v /root

Find the revision you need

The file is formatted with revision numbers, dates, author information, etc. It’ll look something like this.
1.517 date 2012.04.11.10.27.03; author root; state Exp; branches; next 1.516;
Here’s an example of a revision with actual data. Let’s say you accidentally deleted this vhost and you need it back. We’ll be using the revision from this code block in the following examples.
1.365 log @"Modified by /usr/local/cpanel/scripts/killvhost After removing vhosts" @ text @a8725 32 <VirtualHost 1.2.3.4:80> ServerName test.com ServerAlias www.test.com DocumentRoot /home/test/public_html ServerAdmin webmaster@@test.com ## User test # Needed for Cpanel::ApacheConf <IfModule mod_suphp.c> suPHP_UserGroup test test </IfModule> <IfModule concurrent_php.c> php4_admin_value open_basedir "/home/test:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp" php5_admin_value open_basedir "/home/test:/usr/lib/php:/usr/local/lib/php:/tmp" </IfModule> <IfModule !concurrent_php.c> <IfModule mod_php4.c> php_admin_value open_basedir "/home/test:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp" </IfModule> <IfModule mod_php5.c> php_admin_value open_basedir "/home/test:/usr/lib/php:/usr/local/lib/php:/tmp" </IfModule> <IfModule sapi_apache2.c> php_admin_value open_basedir "/home/test:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp" </IfModule> <IfModule !mod_disable_suexec.c> SuexecUserGroup onst onst </IfModule> CustomLog /usr/local/apache/domlogs/test.com-bytes_log "%{%s}t %I .\n%{%s}t %O ." CustomLog /usr/local/apache/domlogs/test.com combined Options -ExecCGI -Includes RemoveHandler cgi-script .cgi .pl .plx .ppl .perl </VirtualHost> @
Let’s take this apart a bit.
1.365 – this is our revision number. This tells the RCS command to roll back to the version with this data. Location the correct revision to restore is the most important part of the process.

Revert

Now it’s time to go ahead and revert the files. Make sure you’re in /root and not overwriting your existing httpd.conf first.
cd /root co -l -r1.365 httpd.conf
This will ask you if you wish to replace the existing httpd.conf. Say yes. The /root/httpd.conf file will be overwritten with the RCS version from revision 1.356.

Restore httpd.conf

cp /root/httpd.conf /usr/local/apache/conf /etc/init.d/httpd restart
Overwrite your existing httpd.conf file and restart Apache. That’s it!

Final notes: since this is cPanel, the httpd.conf you just made will eventually get overwritten with the broken one from cPanel configs. This is just a stop-gap measure to get the sites up while you investigate the real problem. Good luck!

Enable SpamAssassin and Anti-Virus filtering on all domains (Plesk)

Plesk, Shell No Responses »

Apr 232012

Just a few quick commandlets. These will enable SpamAssassin on all existing e-mail accounts:
for i in `mysql -uadmin -p\`cat /etc/psa/.psa.shadow\` psa -Ns -e "select concat(mail.mail_name,\"@\",domains.name) as address from mail,domains,accounts where mail.dom_id=domains.id and mail.account_id=accounts.id order by address"`; do /usr/local/psa/bin/spamassassin -u $i -status true
And enable the anti-virus scanner for inbound and outbound mail on all existing e-mail accounts:
for i in `mysql -uadmin -p\`cat /etc/psa/.psa.shadow\` psa -Ns -e "select concat(mail.mail_name,\"@\",domains.name) as address from mail,domains,accounts where mail.dom_id=domains.id and mail.account_id=accounts.id order by address"`; do /usr/local/psa/bin/mail -u $i -antivirus inout; done
To delete all spam messages with a score of 5 or higher:
for i in `mysql -uadmin -p\`cat /etc/psa/.psa.shadow\` psa -Ns -e "select concat(mail.mail_name,\"@\",domains.name) as address from mail,domains,accounts where mail.dom_id=domains.id and mail.account_id=accounts.id order by address"`; do /usr/local/psa/bin/spamassassin -u $i -status true -hits 5 -action del; done
Enjoy!

Multiple/secondary memcached instance

Installing Shit, Linux, Shell No Responses »

Apr 132012

Need to run 2 versions of memcached? I have no idea why you’d need to do this, but I had a request for it tonight, and all of the Google results for it are terrible. Here’s what you need to know.

/etc/sysconfig/memcached2

PORT="11212" USER="memcached" MAXCONN="8000" CACHESIZE="1024" OPTIONS=""

/etc/init.d/memcached2

#! /bin/sh # # chkconfig: - 55 45 # description: The memcached daemon is a network memory cache service. # processname: memcached # config: /etc/sysconfig/memcached # pidfile: /var/run/memcached/memcached.pid


# Standard LSB functions

#. /lib/lsb/init-functions
# Source function library.

. /etc/init.d/functions
PORT=11212

USER=memcached

MAXCONN=1024

CACHESIZE=64

OPTIONS=""
if [ -f /etc/sysconfig/memcached2 ];then

        . /etc/sysconfig/memcached2

fi
# Check that networking is up.

. /etc/sysconfig/network
if [ "$NETWORKING" = "no" ]

then

        exit 0

fi
RETVAL=0

prog="memcached"
start () {

        echo -n $"Starting $prog: "

        # insure that /var/run/memcached has proper permissions

    if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then

        chown $USER /var/run/memcached

    fi
        daemon --pidfile /var/run/memcached/memcached2.pid memcached -d -p $PORT -u $USER  -m $CACHESIZE -c $MAXCONN -P /var/run/memcached/memcached2.pid $OPTIONS

        RETVAL=$?

        echo

        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/memcached2

}

stop () {

        echo -n $"Stopping $prog: "

        killproc -p /var/run/memcached/memcached2.pid /usr/bin/memcached

        RETVAL=$?

        echo

        if [ $RETVAL -eq 0 ] ; then

            rm -f /var/lock/subsys/memcached2

            rm -f /var/run/memcached2.pid

        fi

}
restart () {

        stop

        start

}
# See how we were called.

case "$1" in

  start)

        start

        ;;

  stop)

        stop

        ;;

  status)

        status memcached

        ;;

  restart|reload|force-reload)

        restart

        ;;

  condrestart)

        [ -f /var/lock/subsys/memcached2 ] && restart || :

        ;;

  *)

        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"

        exit 1

esac

exit $?

Configure the service to run on start-up

chmod +x /etc/init.d/memcached2 chkconfig memcached2 on /etc/init.d/memcached2
That’s it!

Installing mod_pagespeed on a cPanel/WHM server

cPanel, Installing Shit, Linux, Shell 5 Responses »

Apr 132012

Google’s mod_pagespeed is an Apache module for performance optimization. It can be used to increase the speed of pages served through Apache. This module is compatible with cPanel and WHM’s Apache setup, and it’s pretty easy to install.

Download the correct mod_pagespeed RPM for your architecture.

mod_pagespeed has RPMs available for 32-bit and 64-bit systems. First, let’s download the RPM files.
For 32-bit:
cd /usr/local/src mkdir mod_pagespeed cd mod_pagespeed wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-beta_current_i386.rpm
For 64-bit:
cd /usr/local/src/ mkdir mod_pagespeed wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-beta_current_x86_64.rpm

Extract the necessary files.

I’m going to assume a 64-bit system from here on out. If you’re on a 32-bit system, the extracted files exist in slightly different paths; adjust accordingly.
rpm2cpio mod-pagespeed-beta_current_x86_64.rpm | cpio -idmv cp usr/lib64/httpd/modules/mod_pagespeed.so /usr/local/apache/modules/ chmod 755 /usr/local/apache/modules/mod_pagespeed.so

Create pagespeed directories.

mkdir -p /var/mod_pagespeed/{cache,files} chown nobody:nobody /var/mod_pagespeed/*

Enable mod_deflate (required for mod_pagespeed).

The location of your httpd source directory will vary depending on the version of Apache you have installed. The quickest way to find the correct location is tab completion.
/usr/local/apache/bin/apxs -c -i /home/cpeasyapache/src/httpd-[tab]/modules/filters/mod_deflate.c

Set up your mod_pagespeed configuration.

Add the following to the Apache configuration files. The simplest way to do this is to create a new configuration file called /usr/local/apache/conf/pagespeed.conf and then include that using the cPanel include files. Place the following in pagespeed.conf:
LoadModule pagespeed_module modules/mod_pagespeed.so


# Only attempt to load mod_deflate if it hasn't been loaded already.

<IfModule !mod_deflate.c>

 LoadModule deflate_module modules/mod_deflate.so

</IfModule>

<IfModule pagespeed_module>

    # Turn on mod_pagespeed. To completely disable mod_pagespeed, you

    # can set this to "off".

    ModPagespeed on
    # Direct Apache to send all HTML output to the mod_pagespeed

    # output handler.

    AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html
    # The ModPagespeedFileCachePath and

    # ModPagespeedGeneratedFilePrefix directories must exist and be

    # writable by the apache user (as specified by the User

    # directive).

    ModPagespeedFileCachePath            "/var/mod_pagespeed/cache/"

    ModPagespeedGeneratedFilePrefix      "/var/mod_pagespeed/files/"
    # Override the mod_pagespeed 'rewrite level'. The default level

    # "CoreFilters" uses a set of rewrite filters that are generally

    # safe for most web pages. Most sites should not need to change

    # this value and can instead fine-tune the configuration using the

    # ModPagespeedDisableFilters and ModPagespeedEnableFilters

    # directives, below. Valid values for ModPagespeedRewriteLevel are

    # PassThrough, CoreFilters and TestingCoreFilters.

    #

    # ModPagespeedRewriteLevel PassThrough
    # Explicitly disables specific filters. This is useful in

    # conjuction with ModPagespeedRewriteLevel. For instance, if one

    # of the filters in the CoreFilters needs to be disabled for a

    # site, that filter can be added to

    # ModPagespeedDisableFilters. This directive contains a

    # comma-separated list of filter names, and can be repeated.

    #

    # ModPagespeedDisableFilters rewrite_images
    # Explicitly enables specific filters. This is useful in

    # conjuction with ModPagespeedRewriteLevel. For instance, filters

    # not included in the CoreFilters may be enabled using this

    # directive. This directive contains a comma-separated list of

    # filter names, and can be repeated.

    #

    # ModPagespeedEnableFilters rewrite_javascript,rewrite_css

    # ModPagespeedEnableFilters collapse_whitespace,elide_attributes
    # ModPagespeedDomain

    # authorizes rewriting of JS, CSS, and Image files found in this

    # domain. By default only resources with the same origin as the

    # HTML file are rewritten. For example:

    #

    #   ModPagespeedDomain cdn.myhost.com

    #

    # This will allow resources found on http://cdn.myhost.com to be

    # rewritten in addition to those in the same domain as the HTML.

    #

    # Wildcards (* and ?) are allowed in the domain specification. Be

    # careful when using them as if you rewrite domains that do not

    # send you traffic, then the site receiving the traffic will not

    # know how to serve the rewritten content.
    # Other defaults (cache sizes and thresholds):

    #

    # ModPagespeedFileCacheSizeKb          102400

    # ModPagespeedFileCacheCleanIntervalMs 3600000

    # ModPagespeedLRUCacheKbPerProcess     1024

    # ModPagespeedLRUCacheByteLimit        16384

    # ModPagespeedCssInlineMaxBytes        2048

    # ModPagespeedImageInlineMaxBytes      2048

    # ModPagespeedCssImageInlineMaxBytes   2048

    # ModPagespeedJsInlineMaxBytes         2048

    # ModPagespeedCssOutlineMinBytes       3000

    # ModPagespeedJsOutlineMinBytes        3000
    # Bound the number of images that can be rewritten at any one time; this

    # avoids overloading the CPU.  Set this to 0 to remove the bound.

    #

    # ModPagespeedImageMaxRewritesAtOnce      8
    # Settings for image optimization:

    #

    # Jpeg recompression quality (0 to 100, -1 strips metadata):

    # ModPagespeedJpegRecompressionQuality -1

    #

    # Percent of original image size below which optimized images are retained:

    # ModPagespeedImageLimitOptimizedPercent 100

    #

    # Percent of original image area below which image resizing will be

    # attempted:

    # ModPagespeedImageLimitResizeAreaPercent 100
    # When Apache is set up as a browser proxy, mod_pagespeed can record

    # web-sites as they are requested, so that an image of the web is built up

    # in the directory of the proxy administrator's choosing.  When ReadOnly is

    # on, only files already present in the SlurpDirectory are served by the

    # proxy.

    #

    # ModPagespeedSlurpDirectory ...

    # ModPagespeedSlurpReadOnly on
    # The maximum URL size is generally limited to about 2k characters

    # due to IE: See http://support.microsoft.com/kb/208427/EN-US.

    # Apache servers by default impose a further limitation of about

    # 250 characters per URL segment (text between slashes).

    # mod_pagespeed circumvents this limitation, but if you employ

    # proxy servers in your path you may need to re-impose it by

    # overriding the setting here.  The default setting is 1024

    # characters.

    #

    # ModPagespeedMaxSegmentLength 250
    # Uncomment this if you want to prevent mod_pagespeed from combining files

    # (e.g. CSS files) across paths

    #

    # ModPagespeedCombineAcrossPaths off
    # Explicitly tell mod_pagespeed to load some resources from disk.

    # This will speed up load time and update frequency.

    #

    # This should only be used for static resources which do not need

    # specific headers set or other processing by Apache.

    #

    # Both URL and filesystem path should specify directories and

    # filesystem path must be absolute (for now).

    #

    # ModPagespeedLoadFromFile "http://example.com/static/" "/var/www/static/"
    # Enables server-side instrumentation and statistics.  If this rewriter is

    # enabled, then each rewritten HTML page will have instrumentation javacript

    # added that sends latency beacons to /mod_pagespeed_beacon.  These

    # statistics can be accessed at /mod_pagespeed_statistics.  You must also

    # enable the mod_pagespeed_statistics and mod_pagespeed_beacon handlers

    # below.

    #

    # ModPagespeedEnableFilters add_instrumentation
    # Uncomment the following line so that ModPagespeed will not cache or

    # rewrite resources with Vary: in the header, e.g. Vary: User-Agent.

    # ModPagespeedRespectVary on
    # This handles the client-side instrumentation callbacks which are injected

    # by the add_instrumentation filter.

    # You can use a different location by adding the ModPagespeedBeaconUrl

    # directive; see the documentation on add_instrumentation.

    <Location /mod_pagespeed_beacon>

          SetHandler mod_pagespeed_beacon

    </Location>
    # Uncomment the following line if you want to disable statistics entirely.

    #

    # ModPagespeedStatistics off
    # This page lets you view statistics about the mod_pagespeed module.

    <Location /mod_pagespeed_statistics>

        Order allow,deny

        # You may insert other "Allow from" lines to add hosts you want to

        # allow to look at generated statistics.  Another possibility is

        # to comment out the "Order" and "Allow" options from the config

        # file, to allow any client that can reach your server to examine

        # statistics.  This might be appropriate in an experimental setup or

        # if the Apache server is protected by a reverse proxy that will

        # filter URLs in some fashion.

        Allow from localhost

        Allow from 127.0.0.1

        SetHandler mod_pagespeed_statistics

    </Location>
    # Page /mod_pagespeed_message lets you view the latest messages from

    # mod_pagespeed, regardless of log-level in your httpd.conf

    # ModPagespeedMessageBufferSize is the maximum number of bytes you would

    # like to dump to your /mod_pagespeed_message page at one time,

    # its default value is 100k bytes.

    # Set it to 0 if you want to disable this feature.
    ModPagespeedMessageBufferSize 100000
    # mod_pagespeed has the ability to collect statistics about page visits as

    # well as page, resource, and div location (see div_structure_filter)

    # referrals.  These will eventually be used to speed up pages with at least

    # resource pre-fetch, if not Chrome's new pre-render, technology.  See

    # googlewebmastercentral.blogspot.com/2011/06/announcing-instant-pages.html

    #   We recommend enabling the div_structure filter if turning on statistics

    # collection below.  Enabling the div_structure filter will increase the

    # effectiveness of pre-rendering prediction, because it will take into

    # account both URLs and page locations when aggregating user click through

    # behavior.  To enable the div_structure filter, uncomment the appropriate

    # line below or add div_structure to the enabled filters at the top of this

    # configuration file.

    #   Page /mod_pagespeed_referer_statistics lets you view the accumulated

    # referral statistics.

    #   ModPagespeedCollectRefererStatistics on enables collection (default off)

    #   ModPagespeedHashRefererStatistics obscures collected info (default off)

    #   ModPagespeedRefererStatisticsOutputLevel can be changed if the page

    # /mod_pagespeed_referer_statistics is slow to load:

    #   - Organized (default) is the most readable and ordered logically, but

    #       involves computation

    #   - Simple is readable but unordered

    #   - Fast is the fastest and contains all necessary information, but is

    #       fairly unreadable
    # ModPagespeedCollectRefererStatistics on

    # ModPagespeedHashRefererStatistics on

    # ModPagespeedRefererStatisticsOutputLevel Simple

    # ModPagespeedEnableFilters div_structure

<Location /mod_pagespeed_message> Allow from localhost Allow from 127.0.0.1 SetHandler mod_pagespeed_message </Location> <Location /mod_pagespeed_referer_statistics> Allow from localhost Allow from 127.0.0.1 SetHandler mod_pagespeed_referer_statistics </Location> </IfModule>
And then open /usr/local/apache/conf/includes/pre_main_global.conf and add:
Include conf/pagespeed.conf

Rebuild Apache config and restart apache.

/scripts/buildhttpdconf /etc/init.d/httpd restart

That’s it!

Increasing cPanel /tmp size

cPanel, Fixing Shit, Linux, Shell No Responses »

May 072011

By default, cPanel sets up a paltry <512MB /tmp disk. This isn't nearly large enough for large file uploads or other disk-intensive purposes. While it's better to use RAM for temporary storage, sometimes you need a place to dump huge files (such as uploads). Luckily, raising the /tmp disk size has been fairly simple. cPanel's script to secure the /tmp partition against drop-in hacks by making it noexec can also resize the /tmp directory.

The file we'll be modifying is:

/scripts/securetmp

Until recently, modifying one variable was enough to change this, but it seems like there was a change recently that has caused that method to no longer remount /tmp properly. Luckily, the fix for this is two additional small changes to the file.

Let's open up /scripts/securetmp in your favorite editor:

nano /scripts/securetmp

First, we're going to modify line 49:

my $auto = 1

If this isn't already set to 1, set it. Just makes things easier. Next, let's set the /tmp size, line 148:

my $tmpdsksize = 2097152;

This size is in KB - 2GB aught to do it. Now, to fix the issue of mounting /tmp, line 289:

system 'mount', '-o', $mountkeyword . ',loop,noexec,nosuid', $tmpmnt, '/tmp';

We're adding "loop," to the options passed to the mount command to ensure that the system understands /tmp is a loopback device being created on /usr/tmpDSK. Save and exit your file.

Next, we need to shut off anything using /tmp:

/etc/init.d/mysql stop /etc/init.d/httpd stop

And unmount it and /var/tmp:

umount /tmp umount /var/tmp

If you get errors, retry a few times, it'll usually unmount after the 2nd or 3rd try. If you're still getting errors, make sure nothing is open in /tmp:

lsof | grep /tmp

Shut it down or delete it. Next, we need to remove the existing /tmp partition file:

rm -f /usr/tmpDSK

And finally, create the new device:

/scripts/securetmp

Depending on the size of your partition, this may take up to 15-20 minutes. After you're done, start everything back up and ensure /tmp is mounted and the right size with a simple:

df -h

Installing New Plesk Components on Linux

Fixing Shit, Installing Shit, Plesk, Shell No Responses »

Apr 092011

Installing New Components

Ever been in a Plesk box but can’t find certain components, like ASP support, or the backup manager? This is because Plesk installs whatever you tell it to at the initial install, and only whatever you tell it to. This leads to a lot of missing components that you might be used to having access to. Plesk won’t tell you anything in the GUI except that the component is not installed, so you must hunt down this binary:

/usr/local/psa/admin/bin/autoinstaller

This is the Plesk Autoinstaller, which will allow you, through its byzantine menu corridors, to find the gold that is the component you need. Navigating it is fairly simple, although you’ll probably want to read all of the text on the screen if this is your first time.

However, a more sinister condition awaits you – the fact that the Plesk autoinstaller apparently doesn’t know how to fucking resolve rpm dependencies. Why is it called an autoinstaller if it doesn’t automatically install anything extra? I don’t know.

Resolving Plesk Component Dependencies

Luckily, it’s not that difficult to resolve RPM dependency errors. Did you get an error message that looks something like this?

Retrieving information about the installed packages... File downloading PSA_9.3.0/dist-rpm-CentOS-5-x86_64/build-9.3.0-cos5-x86_64.hdr.gz: 10%..20%..30%..40%..50%..60%..70%..80%..90%..100% was finished. File downloading PSA_9.3.0/update-rpm-CentOS-5-x86_64/update-9.3.0-cos5-x86_64.hdr.gz: 10%..20%..30%..40%..50%..60%..70%..80%..90%..100% was finished. File downloading PSA_9.3.0/thirdparty-rpm-CentOS-5-x86_64/thirdparty-9.3.0-cos5-x86_64.hdr.gz: 13%..25%..31%..40%..54%..60%..72%..83%..95%..100% was finished. Determining the packages that need to be installed. ERROR: Unable to install the "psa-backup-manager-9.3.0-cos5.build93091230.06.x86_64" package. Not all packages were installed. Please, contact product technical support. [root@host2 plesk]#

Not to worry! First, try Google to find that RPM – Plesk allows their FTP server to be directory indexed, so it shouldn’t be hard to find the exact RPM it’s erroring out on. Try downloading the .rpm file and installing it manually using rpm -i:

wget http://autoinstall.swsoft.com.cn/PSA_9.3.0/dist-rpm-CentOS-5-x86_64/opt/backup/psa-backup-manager-9.3.0-cos5.build93091230.06.x86_64.rpm rpm -i psa-backup-manager-9.3.0-cos5.build93091230.06.x86_64.rpm

If all goes well, you’ll get output messages listing the failed dependencies. Ignore any Plesk-looking dependencies, the auto-installer actually fixes these. Use yum to install any other system packages you may need.

Older Entries