We started using Virtualmin (a Webmin module to manage virtual hosts, domains, etc.) along with cPanel. We faced a few changes and bottlenecks along the way. This post lists tips and tricks.
We will be using Nginx as the web server and MySQL as the database. Fail2ban is used to secure the system, along with a few magical tools.
Creating a domain – under a virtual server
Choose the Create Virtual Server option from the menu and fill in the required details as above.
In general we don't support email on our servers due to various issues, and SSL is enabled by default. Virtualmin now also supports Let's Encrypt with automatic renewals, so it's very easy to manage SSL with Virtualmin.
Select the relevant options and hit Create:
Look for messages like the following (some important ones):
Creating MySQL database nicetalks ..
.. done
Creating SSL certificate and private key ..
.. done
Creating Nginx virtual host ..
.. done
Creating Nginx virtual host ..
.. done
Enabling SSL with Let's Encrypt
Select "Server Configuration" and then "Manage SSL Certificate". Choose Let's Encrypt from the screen. Then select automatic renewal, say every 2 months.
Make sure that an A record points to the server, or else you will encounter the following error (or similar):
Requesting a certificate for nicetalks.org, www.nicetalks.org from Let's Encrypt ..
.. request failed : Failed to request certificate :
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.nicetalks.org...
Wrote file to /home/nicetalks/public_html/.well-known/acme-challenge/RZ1MOtn_FnfTxE91sxUZT_fQQ4nNtdgdqMYD2aG98BI, but couldn't download http://www.nicetalks.org/.well-known/acme-challenge/RZ1MOtn_FnfTxE91sxUZT_fQQ4nNtdgdqMYD2aG98BI
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 154, in get_crt
domain, challenge_status))
ValueError: www.nicetalks.org challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.nicetalks.org/.well-known/acme-challenge/RZ1MOtn_FnfTxE91sxUZT_fQQ4nNtdgdqMYD2aG98BI', u'hostname': u'www.nicetalks.org', u'addressUsed': u'75.126.104.235', u'port': u'80', u'addressesResolved': [u'75.126.104.235']}], u'keyAuthorization': u'RZ1MOtn_FnfTxE91sxUZT_fQQ4nNtdgdqMYD2aG98BI.u0BzI9ghOPIcjfiNRcvTC_Hx8UX29XH9x0Ipe_poPdc', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/HljBagPU_mP3jDZ4pUAKzGad5V5TVE33Ba2t22d1PLY/558440290', u'token': u'RZ1MOtn_FnfTxE91sxUZT_fQQ4nNtdgdqMYD2aG98BI', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.nicetalks.org/.well-known/acme-challenge/RZ1MOtn_FnfTxE91sxUZT_fQQ4nNtdgdqMYD2aG98BI: " \n \n "'}, u'type': u'http-01'}
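An added example (not part of the original post, and not Webmin's own code): a small Python helper that checks, before a certificate is requested, that every name resolves to this server, and that reads an acme_tiny "challenge did not pass" line like the one above to tell a wrong A record from a rejected response. The function names, the sample log line and the IP addresses are constructed for illustration, and the 403 message is a heuristic.

```python
import ast
import re
import socket

# Constructed sample in the shape of the acme_tiny failure above; the names and
# documentation-range IPs are made up, not values from the post.
SAMPLE_LOG = (
    "ValueError: www.example.org challenge did not pass: "
    "{u'status': u'invalid', u'validationRecord': [{u'hostname': u'www.example.org', "
    "u'addressUsed': u'198.51.100.7', u'addressesResolved': [u'198.51.100.7']}], "
    "u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized'}, "
    "u'type': u'http-01'}\n"
)

def parse_failure(log_text):
    """Return (domain, challenge dict) from a 'challenge did not pass' line, or None.
    The dict is a Python repr, so literal_eval parses it without executing anything."""
    m = re.search(r"ValueError: (\S+) challenge did not pass: (\{.*\})", log_text)
    if not m:
        return None
    return m.group(1), ast.literal_eval(m.group(2))

def diagnose(log_text, server_ips):
    """Explain a failed http-01 challenge, given the IPs this server answers on."""
    parsed = parse_failure(log_text)
    if parsed is None:
        return []
    domain, challenge = parsed
    findings = []
    for rec in challenge.get("validationRecord", []):
        used = rec.get("addressUsed")
        if used not in server_ips:
            findings.append("%s: CA connected to %s, not this server; fix the A record"
                            % (rec.get("hostname", domain), used))
    if not findings and challenge.get("error", {}).get("status") == 403:
        findings.append("%s: A record matches but the response was rejected; check "
                        "that nginx serves /.well-known/acme-challenge/" % domain)
    return findings

def preflight(names, server_ips, resolve=socket.gethostbyname_ex):
    """Before requesting a certificate, map each name that misses this server
    to the addresses it resolved to (empty list if it did not resolve)."""
    bad = {}
    for name in names:
        try:
            addrs = resolve(name)[2]
        except OSError:
            addrs = []
        if not set(addrs) & set(server_ips):
            bad[name] = addrs
    return bad
```

Run preflight() with both the bare and the www name before pressing the Let's Encrypt request button; an empty result means DNS is not the problem.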
Supporting WordPress under Nginx + Virtualmin + Linux (Ubuntu, Debian, CentOS)
Open the configuration file and look for the following line:
fastcgi_param HTTPS $https;
Add the following code JUST BELOW it and restart nginx (service nginx restart):
location / {
try_files $uri $uri/ /index.php?$args;
}
Once done, you can create MySQL databases and so on, and install WordPress or other tools.
Restarting and debugging FCGI
Look for a file like /etc/init.d/php-fcgi-agileblaze-com; you can start and stop FCGI using it. This file also has information about the FCGI UNIX socket, etc.
Giving permissions to create databases
You may need to give virtual host users various permissions. To do that, go to the Virtualmin tab, select the domain, go to Administration Options, then Edit Owner Limits. Under "Allowed capabilities and features" in the right pane, in "Edit capabilities for virtual servers", enable "Can manage databases".
HTTP to HTTPS redirection with nginx
It's advisable to use HTTPS for sites, and nginx needs a few tricks to make this happen. The first is telling nginx to respond only to specific requests.
server_name_in_redirect off; #or folders will redirect to _
Further, we can selectively redirect all HTTP traffic to HTTPS as follows. Variants for protecting HTTPS fields, etc. can also be done.
# global HTTP --> HTTPS handler
if ($scheme = http) {
return 301 https://$host$request_uri;
}