ShopingServer Wiki: Tutorials and Articles About Technology and Gadgets
http://wiki.shopingserver.com

CUSTOM HTTPD TEMPLATES: read order
http://wiki.shopingserver.com/custom-httpd-templates-read-order/
Tue, 31 Mar 2020 18:02:59 +0000

For this guide, we’ll refer to apache/httpd.  If you’re running nginx or openlitespeed, the guide still applies, but the template names may differ.  More on the different names in this guide.


Knowing the order in which all of the templates are loaded helps determine when your tokens will be available.

  1. Loaded once before each VirtualHost is added:

    CUSTOM_DOMAIN_ITEM_*

  2. WEBSERVER, DOMAIN, HAVE_SAFE_MODE, SSL_TEMPLATE, SPACE_HTTP2, IP, PROXY_IP, HAVE_NGINX_PROXY, PORT_8080, PORT_8081, PROXY_BUFFERING,
    LISTENERS, IF_MODULE_LITESPEED_OPEN, IF_MODULE_LITESPEED_OPEN, IF_MODULE_LITESPEED_CLOSE, IP1|2.., MULTI_IP, HOME, USERHOME, PACKAGE,
    REALUSER, ADMIN, CERT, KEY, HOSTNAME, SAFE_MODE, OPEN_BASEDIR, OPEN_BASEDIR_ENABLED, PHP_MAIL_LOG_ENABLED, CREATOR, BANDWIDTH, QUOTA,
    PORT_80, PORT_443, APACHELOGDIR

  3. CB_VERSION, PHP1_RELEASE, PHP2_RELEASE, LSPHP1_RELEASE, LSPHP2_RELEASE, HAVE_PHP1_FPM, HAVE_PHP2_FPM, HAVE_PHP1_FCGI, HAVE_PHP2_FCGI,
    HAVE_PHP_FCGI, HAVE_RUID2, HAVE_MOD_SECURITY, HAVE_USERDIR_ACCESS, RUID2_AND_MOD_SECURITY,
    (MODSEC_AUDIT_DIR, NGINX_MOD_SECURITY_ENABLE)|NGINX_MOD_SECURITY_ENABLE, USE_HOSTNAME_FOR_ALIAS, HAVE_SUEXEC_PER_DIR, SUSPENDED_REASON,
    CLI, HAVE_PHP1_CLI, HAVE_PHP2_CLI, SUPHP, HAVE_PHP1_SUPHP, HAVE_PHP2_SUPHP, USECANONICALNAME, CAROOT, SERVER_ALIASES

  4. HANDLERS, MIMETYPES, USER, GROUP, SECURE_ACCESS_GROUP, (OLS)SSLPROTOCOL, SDOCROOT, SUSPENDED, CGI, PHP, SUB, FORCE_SSL_REDIRECT

  5. Tokens TOK=value, not templates:

    /usr/local/directadmin/data/admin/global_httpd_tokens.conf
    /usr/local/directadmin/data/users/fred/user.httpd_tokens
    /usr/local/directadmin/data/users/fred/domains/domain.com.httpd_tokens
    /usr/local/directadmin/data/users/fred/domains/domain.com.sub.httpd_tokens

  6. VirtualHost pre, where virtual_host2.conf would be whichever template file is used for this VH. Fully tokenized template.

    /usr/local/directadmin/data/templates/custom/virtual_host2.conf.pre

  7. /usr/local/directadmin/data/templates/cust_httpd.CUSTOM.pre
    /usr/local/directadmin/data/templates/custom/virtual_host2.conf.CUSTOM.pre
    /usr/local/directadmin/data/users/fred/domains/domain.com.cust_httpd
    /usr/local/directadmin/data/templates/custom/virtual_host2.conf.CUSTOM.post
    /usr/local/directadmin/data/templates/cust_httpd.CUSTOM.post

    added to CUSTOM.

  8. For each custom token, 1 through 8 (we’ll use 1 for the example):

    /usr/local/directadmin/data/templates/custom/virtual_host2.conf.CUSTOM.1.pre
    /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.1.pre
    /usr/local/directadmin/data/users/fred/domains/domain.com.cust_httpd.CUSTOM.1
    /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.1.post
    /usr/local/directadmin/data/templates/custom/virtual_host2.conf.CUSTOM.1.post

    added to CUSTOM1

  9. PROTECTED_DIRECTORIES, CONTEXTS, REALMS, NGINX_REDIRECTS, OPENLITESPEED_REDIRECTS, HOTLINK_PROTECTION, EXTRA_LOCATIONS, LOCATION_INSERT, NGINX_PHP_CONF

  10. if exists: /usr/local/directadmin/data/templates/custom/virtual_host2.conf
    else: /usr/local/directadmin/data/templates/custom/virtual_host2.conf

 

nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev.

For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 25.65% of the busiest sites in March 2020. Here are some of the success stories: Dropbox, Netflix, WordPress.com, FastMail.FM.

The sources and documentation are distributed under the 2-clause BSD-like license.

Commercial support is available from Nginx, Inc.

Debugging an apache segfault
http://wiki.shopingserver.com/php-safemode-debugging-an-apache-segfault/
Tue, 31 Mar 2020 17:55:04 +0000

Debugging Apache segfaults can be tricky when you are trying to find out which module may be causing them. You might see something like this in the /var/log/httpd/error_log:

[Mon Aug 07 23:56:18.309463 2017] [core:notice] [pid 17630] AH00052: child pid 18187 exit signal Aborted (6)

  1. You can debug it using gdb, like this:

    service httpd stop
    gdb /usr/sbin/httpd

    and quickly (before the dataskq starts it up again), run:

    run -X -d /etc/httpd

    which should let you trigger one request in the foreground, so do it quickly, before any other connections arrive at your server.

  2. Hopefully this triggers your segfault, in which case it might show:

    Thread 1 "httpd" received signal SIGABRT, Aborted.

    along with other info about exactly where it crashes.

  3. To see more details about the function tree used to get to that point, call a backtrace like this:

    bt full

    which should give you the list of function calls, starting lower down and ending at the top of the output. Somewhere in there it might show you which module is triggering it.

  4. To quit gdb, just run:

    quit

CUSTOM HTTPD TEMPLATES: Starting point

DirectAdmin offers a huge variety of ways to customize your User’s VirtualHost entries. This guide will help you pick which method to use depending on what you need it to do.
To help fill in the paths, if you know what you want to use, enter the info here:

Username:
Domain:
Subdomain:
Template Name: See #1 for options
Server Type: or: cust_nginx, cust_openlitespeed
Token Name: or: CUSTOM1, CUSTOM2, etc.

There are 3 major sections to consider when deciding which method to use:

  1. Raw Templates

    These are located in

    /usr/local/directadmin/data/templates/

    and we typically discourage relying on custom versions of these, in case we make important changes to them, in which case you would not get them.  In some cases you will need to use a custom copy, but only if none of the options below work for you.  The typical 4 templates in question would be:

    #OpenLiteSpeed
    openlitespeed_vhost.conf #combined for all 4

    but varies if you’re using other server types.

  2. Per-Domain with the CUSTOM tokens via “Custom Httpd Config”

    This Admin Level area lets you insert code into any CUSTOM or CUSTOM# token point for all VirtualHosts in that domain, including the http+https for both domains and subdomains.
    This method is used only when you want to change a setting just for this domain.
    This GUI tool saves files to disk (depending on the token name), eg:

    /usr/local/directadmin/data/users/fred/domains/fred.com.cust_httpd     #CUSTOM
    /usr/local/directadmin/data/users/fred/domains/fred.com.cust_httpd.1   #CUSTOM1
    … #CUSTOM2, etc.

  3. Tokens for Global, Per-User, Per-Domain

    This tool is used to insert token variables where applicable.  You are not saving a file for each CUSTOM token name, but can create the files mentioned below to pre-load some tokens. This will then allow you to set tokens before any other CUSTOM tokens are set (it’s not for code itself, just setting variables).  See this guide on how to set a token with the |?TOKENNAME=value| syntax.  Token variables can be used within a value, eg:

    |?TOKENNAME=value of `OTHERTOKEN`|

    The files will be available to load in your custom tokens at various levels:

    where “httpd_tokens” is the name used, regardless of server type (httpd/nginx/litespeed/openlitespeed).
    This is independent of the template name, so these tokens will be loaded into all of the 4 virtual_host2*.conf templates mentioned above.

  4. Global VirtualHost Pre/Post

    These templates depend on the “Template Name” above, so preset that if you’re trying to sort out which to use.
    Using these files will write the given code into the User’s httpd.conf either before or after, outside of the VirtualHost tag, for any use of the given template file.
    Paths can be as follows:

    This tool might be handy if you want to insert a https://webmail.domain.com VH (eg: you would use the /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf.post, so it only gets added once per domain, only for https)

  5. Global Token name per file, pre/post

    Similar to the global CUSTOM tokens, this will let you control which template it goes with.  Your code will be inserted either before or after any use of the given CUSTOM* tokens.   For example, if you use the pre variant, this code is inserted before, say, per-domain CUSTOM inserted code.  Possible files might be as follows:

  6. Global CUSTOM token, regardless of filename

    This one is related to the global tokens, except you can use this for actual code, as it is injected in a specific order. Applies to all template files.  Possible files include the following:

    taking note that the numbered tokens have a dot between CUSTOM and the number.

 


Note: for almost all areas, you can use if-then-else syntax and place variables which carry forward within that template

Using strace to debug what apache/php are doing.
http://wiki.shopingserver.com/using-strace-to-debug-what-apache-php-are-doing/
Tue, 31 Mar 2020 17:19:33 +0000

Trying to find a slowdown in your website and not sure where it is?
Example: WordPress loads slowly and you do not know why.
Use strace!

The idea is that strace can dump all system calls to a log, so we will dump them to disk and sift through them later.
You can also use this method for other processes, just swap “httpd” with some other process name in the command below.

Note: this is a fairly high-level debug method for advanced administrators. Root ssh access is required.

  1. Run strace to log:

    cd /root
    mkdir straces
    cd straces
    ps ax | grep httpd | grep -v grep | awk '{ print "strace -f -s500 -o strace."$1".log -p "$1"&" }' | sh

  2. Trigger the slow case.  Load the website that is slow, however you need to in order to duplicate the issue.  Note, it might be best to highlight it in the URL bar and hit enter, instead of using F5. The reason is we only intend to load the site, and not the included images/css/js, etc., and F5 or ctrl-F5 may reload everything, causing the logs to fill with more info, making the cause harder to find.
  3. End the strace: open a 2nd console and run:

    killall -9 strace

    You will now have several strace.*.log files, one for each httpd process that was running.  Note, if you’re debugging a slowdown (or possibly socket timeout), hit ctrl-c before the timeout happens, but after enough time that you can let it chew on things for a bit.  This way, the last “chunks” of code that cause the slowdown will be near the end of the log, making it easier to track.

  4. You will need to find which PID is handling your request, so grep out your IP from the logs to figure that out. Change 1.2.3.4 with your actual IP address:

    grep 1.2.3.4 *.log

    This will dump some messy code, but on the far left should be which files that code came from.  Let’s say it shows the output in strace.29622.log (your PID number will be different from 29622). Also there could be multiple files, depending on how many requests were made and how apache handles them.  We are only concerned with the “slow” code, and not the other things like images, so you will need to go through each one to figure out which is which, to get at the important bits you are after.

  5. From there, you can go through the logs, looking at what was happening, eg:

    less strace.29622.log

    This is going to show you quite a lot of code, but you can also search with the / character.

    You can alternatively “grep” for things, eg:

    grep somethingspecific strace.29622.log

    which only shows the lines you’re looking for.

From this point, what you are looking for, how you find it, and what you do with it would be up to you.

 

I need to ensure I have mod_rewrite enabled.
http://wiki.shopingserver.com/php-safemode-i-need-to-ensure-i-have-mod_rewrite-enabled/
Tue, 31 Mar 2020 16:57:12 +0000

We get this question quite a bit, but are not too sure why.  It’s always enabled in Apache by default.
To confirm, type:

/usr/sbin/httpd -l | grep mod_rewrite

and you should see

 mod_rewrite.c

in the output if it’s enabled.

If not, then it is possible you’re not using one of our compiled binaries, in which case, recompile apache and php:

cd /usr/local/directadmin/custombuild
./build all d
./build rewrite_confs

and confirm the “Server built” date is current:

/usr/sbin/httpd -V

Which Apache mpm am I using?

You can ask the httpd binary which mpm is in use with your setup.
Type:

httpd -V | grep 'Server MPM:'

Most systems will run “prefork” with mod_php, and “event” for php-fpm

Add mod_cloudflare to DirectAdmin

Related to this guide, you can install the mod_cloudflare module into apache if you need it.

On a DirectAdmin box, we will use the httpd-includes.conf file, as it is not modified by CustomBuild once it’s set.

  1. Once apache is up and running, download and install the mod_cloudflare module:

    wget https://www.cloudflare.com/static/misc/mod_cloudflare/mod_cloudflare.c
    apxs -i -c mod_cloudflare.c

  2. Next, add the module to the httpd-includes.conf:

    echo "LoadModule cloudflare_module  /usr/lib/apache/mod_cloudflare.so" >> /etc/httpd/conf/extra/httpd-includes.conf

  3. and finally restart apache:

    service httpd restart

 

CageFS with awstats: Can’t open perl script “/usr/local/awstats/tools/awstats_buildstaticpages.pl”: No such file or directory

If your awstats is not working with CageFS and you are getting an error like this when testing it manually:

[root@server scripts]# ./awstats_process.sh user domain.com
Conversion not required. Continuing normally
Can’t open perl script “/usr/local/awstats/tools/awstats_buildstaticpages.pl”: No such file or directory
Cleanup…

it likely means the data has not been copied over to the skeleton folder in

/usr/share/cagefs-skeleton/usr/local/

To get around that, edit:

/etc/cagefs/conf.d/directadmin.cfg

and add 2 values, so the beginning of the line looks like this, assuming :

paths=/usr/local/awstats/, /usr/local/awstats-7.7/, /usr/local/awstats, /usr/local/php….

where the bold bits are new.

Then run:

/usr/sbin/cagefsctl --force-update

which should copy everything over to the cagefs-skeleton/usr/local path.  Just confirm it:

[root@server scripts]# ll /usr/share/cagefs-skeleton/usr/local
total 40
lrwxrwxrwx 1 root   root     11 Jun 26 22:57 awstats -> awstats-7.7
drwxr-xr-x 5 root   root   4096 Mar  1  2016 awstats-7.7

We add

  1. the literal awstats-7.7 directory
  2. the literal path to the awstats link (without trailing slash)

We are not sure if there was a change in CageFS, or if a bug in an older version of CageFS was fixed, preventing us from doing it the old way 🙂

I want to use different ciphers with Apache, using CustomBuild 2.0
http://wiki.shopingserver.com/i-want-to-use-different-ciphers-with-apache-using-custombuild-2-0/
Tue, 31 Mar 2020 16:42:53 +0000

With the ever-evolving needs for security, good encryption cipher lists can change regularly.

Also, the needs of those connecting to a given server may be different from box to box, eg:

 

 

 

etc.. so each case might be different.

To use different ciphers with Apache 2.x and CustomBuild 2.0, you can use the “custom” folder method to manage your own cipher lists and ssl rules.

Run the following:

cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/conf/extra
cp configure/ap2/conf/extra/httpd-ssl.conf custom/ap2/conf/extra/httpd-ssl.conf

which then lets you edit:

/usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf

for changes such as:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

SSLHonorCipherOrder On

SSLCompression off

for example, if you want a more secure list of ciphers.
Note: the SSLCipherSuite list is all one long line.

Once you have created the custom httpd-ssl.conf as desired, you can then install it with:

cd /usr/local/directadmin/custombuild
./build rewrite_confs
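
An added example, not part of the original guide or of CustomBuild: a small POSIX shell audit that can be run against the custom httpd-ssl.conf before ./build rewrite_confs. The function names, the constructed sample files (the hardened one uses a shortened form of the cipher list above) and the worst-case expansion of "all" to SSLv3 through TLSv1.3 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the TLS directives of an httpd-ssl.conf.

# Print the value of the last active (non-comment) occurrence of a directive.
directive() {  # $1 = file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Resolve an SSLProtocol value to the set of protocols it leaves enabled.
# Assumption: "all" is expanded to the worst case, SSLv3 through TLSv1.3.
effective_protocols() {  # $1 = value of SSLProtocol
    printf '%s\n' "$1" | awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ") }
    {
        for (i = 1; i <= NF; i++) {
            tok = $i; act = ""
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            for (k = 1; k <= n; k++) {
                hit = (tolower(tok) == "all" || tolower(tok) == tolower(known[k]))
                if (act == "") { on[k] = hit }              # bare token replaces the set
                else if (hit)  { on[k] = (act == "+") }     # +proto adds, -proto removes
            }
        }
        out = ""
        for (k = 1; k <= n; k++) if (on[k]) out = out (out == "" ? "" : " ") known[k]
        print out
    }'
}

# List enabled cipher tokens that name a weak algorithm.
weak_ciphers() {  # $1 = value of SSLCipherSuite
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        /^[!+-]/ { next }    # "!X" and "-X" remove ciphers, "+X" only reorders
        toupper($0) ~ /RC4|3DES|DES-CBC|MD5|NULL|EXP|^DES/ { out = out (out == "" ? "" : " ") $0 }
        END { print out }'
}

# Print one finding per line; no output means nothing was flagged.
audit_ssl_conf() {  # $1 = path to httpd-ssl.conf
    proto=$(directive "$1" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "SSLProtocol: not set, server default applies"
    else
        for p in $(effective_protocols "$proto"); do
            case "$p" in
                SSLv3|TLSv1|TLSv1.1) echo "SSLProtocol: legacy protocol enabled: $p" ;;
            esac
        done
    fi
    suite=$(directive "$1" SSLCipherSuite)
    if [ -z "$suite" ]; then
        echo "SSLCipherSuite: not set, OpenSSL default applies"
    else
        for c in $(weak_ciphers "$suite"); do
            echo "SSLCipherSuite: weak cipher enabled: $c"
        done
    fi
    [ "$(directive "$1" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = "on" ] \
        || echo "SSLHonorCipherOrder: not On"
    [ "$(directive "$1" SSLCompression | tr 'A-Z' 'a-z')" = "off" ] \
        || echo "SSLCompression: not explicitly off"
}

# Write two constructed sample files into directory $1.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: weak settings
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL
SSLHonorCipherOrder Off
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: the directives from the guide, cipher list shortened
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder On
SSLCompression off
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== weak.conf ==";     audit_ssl_conf "$tmp/weak.conf"
echo "== hardened.conf =="; audit_ssl_conf "$tmp/hardened.conf"
rm -rf "$tmp"
```

To audit the real file, call audit_ssl_conf on /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf.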

To disable TLSv1.1 and only allow TLSv1.2 and TLSv1.3 on OpenLiteSpeed:

echo '|?SSLPROTOCOL=24|' >> /usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf.CUSTOM.pre
/usr/local/directadmin/custombuild/build rewrite_confs

Force https using an .htaccess file

If you intend to force a given website or path to use https, redirected from http, you must create an .htaccess file in the DocumentRoot for that domain or hostname, and add the following code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This will redirect any non-https connections to https using the same request and GET variables.

If your site is running through CloudFlare, your https requests to it may actually hit your server in plaintext (http), which will be confusing.
For that case, you might need something like this for an http to https redirect:

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

where the only usable header is X-Forwarded-Proto, because the %{HTTPS} variable is “off” for requests from the CloudFlare network.


Globally in Apache

If you want this to apply to all domains on your server, follow these instructions:

  1. Create the global file:

    /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.pre

    and insert the code:

    |?SSL_REDIRECT_HOST=www.`DOMAIN`|
    |*if SUB|
    |?SSL_REDIRECT_HOST=`SUB`.`DOMAIN`|
    |*endif|
    |*if SSL_TEMPLATE="1"|
    |?SSL_REDIRECT_HOST=|
    |*endif|

    This will set what we want to redirect to, and blank the redirect if it’s an SSL VirtualHost.

  2. Next, we want to actually use the variable, so create the file

    /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post

    and then add code:

    |*if SSL_REDIRECT_HOST!=""|
    Redirect / https://|SSL_REDIRECT_HOST|/
    |*endif|

  3. If you intend to disable this for any domain, go to:

    Admin Level -> Custom Httpd Config -> domain.com

    and in the CUSTOM token textarea, add this text

    |?SSL_REDIRECT_HOST=|

    which makes the variable blank, so it’s not used.

  4. Lastly, rewrite the configs to use it

    cd /usr/local/directadmin/custombuild
    ./build rewrite_confs

 


Nginx

If you’re running nginx, go to:

Admin Level -> Custom Httpd Config -> domain.com

and in token |CUSTOM4|, add:

|*if SSL_TEMPLATE="0"|
return 301 https://$host$request_uri;
|*endif|

 


HSTS

For added security, you can tell all clients to always use https, even if there is an http link from somewhere.  HSTS will silently change the request to use https without needing to be asked, so at no point is http ever used (except on the first attempt, where the browser is given the header, then never asks again).

To set up HSTS, add this to your public_html/.htaccess file:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

Note: This means you can not connect over http again, even if you prefer to, so usually it only applies to sites that only ever use https, and never want http.

systemd[12345]: Failed at step NAMESPACE spawning /usr/sbin/httpd: Permission denied
http://wiki.shopingserver.com/failed-at-step-namespace-spawning-usr-sbin-httpd-permission-denied/
Tue, 31 Mar 2020 16:25:32 +0000

There have been a few reports of issues on Debian 8 boxes, with the following error preventing httpd from starting up:

root@server:/usr/local/directadmin/custombuild# systemctl start httpd
Job for httpd.service failed. See ‘systemctl status httpd.service’ and ‘journalctl -xn’ for details.
root@server:/usr/local/directadmin/custombuild# systemctl status httpd.service
httpd.service – The Apache HTTP Server
Loaded: loaded (/etc/systemd/system/httpd.service; enabled)
Active: failed (Result: exit-code) since Tue 2016-01-26 12:16:17 MSK; 10s ago
Process: 14703 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=226/NAMESPACE)

Jan 26 12:16:17 server.domain.com systemd[14703]: Failed at step NAMESPACE spawning /usr/sbin/httpd: Permission denied

 

 

 

Where the likely cause is a symbolic link

/tmp -> /var/tmp
or
/var/tmp -> /tmp

Neither /tmp nor /var/tmp should be symbolic links.
The simple solution is to delete the given link and create a 2nd folder instead
Eg: if you had /var/tmp -> /tmp, then type:

rm -f /var/tmp
mkdir /var/tmp
chmod 1777 /var/tmp

 


From a systemd perspective, a less desirable workaround is to edit:

/etc/systemd/system/httpd.service

and replace this line:

PrivateTmp=true

with these two lines:

PrivateTmp=false
NoNewPrivileges=yes

and then reload the systemctl daemon:

systemctl daemon-reload

and then httpd should be able to start up:

root@server:/etc/systemd/system# systemctl start httpd
root@server:/etc/systemd/system# systemctl status httpd.service
httpd.service – The Apache HTTP Server
Loaded: loaded (/etc/systemd/system/httpd.service; enabled)
Active: active (running) since Tue 2016-01-26 12:19:04 MSK; 11s ago
Process: 17276 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
Main PID: 17284 (httpd)
CGroup: /lxc/101/system.slice/httpd.service

Jan 26 12:19:04 server.domain.com systemd[1]: Started The Apache HTTP Server.
Jan 26 12:19:14 server.domain.com systemd[1]: Started The Apache HTTP Server.

We will continue to monitor for other reports and we will consider changing the default boot script if it’s a common problem.


One other finding was that “localhost” couldn’t be used, even though “127.0.0.1 localhost” was set in the /etc/hosts.
Changing the host value in various places to 127.0.0.1 seemed to work…  although this might be an unrelated reverse dns issue (not yet sure)

./build: line 12786: autoreconf: command not found

If you are trying to compile apache, but run into this error:

Configuring httpd-2.4.18
./build: line 12786: autoreconf: command not found

try updating autoconf and automake:

 

 

 

and then try the apache compile again.

Automating the removal of apache semaphores with ipcs/ipcrm
http://wiki.shopingserver.com/automating-the-removal-of-apache-semaphores-with-ipcs-ipcrm/
Tue, 31 Mar 2020 16:14:01 +0000

If you routinely need to remove apache semaphores with the ipcs/ipcrm tool, and can not sort out why they keep building up, then using a cronjob to automatically clear them out if they’ve piled up may help.

UPDATE: DirectAdmin 1.53.0+ now has a hook script which can be called, instead of using a cron.

where you would use the script below, after confirming the “$service” is “httpd”, eg:

if [ "$service" != "httpd" ]; then
    exit 1;
fi

inserted just below the #!/bin/sh line.

Else for the cron method, create the script in:

/etc/cron.hourly/ipcs_check

with the contents:

#!/bin/sh

EMAIL=your@email.com
MAX_SEMAPHORES=15

IPCS=/usr/bin/ipcs
IPCRM=/usr/bin/ipcrm
MAIL=/bin/mail

#count the ipcs entries owned by apache
COUNT=`${IPCS} | grep apache | wc -l`

if [ "$COUNT" -le $MAX_SEMAPHORES ]; then
    #all is well, there are no semaphore build-ups.
    exit 0;
fi

#we have more than MAX_SEMAPHORES, so clear them out and restart Apache.

LIST=/root/sem.txt

#column 2 of the ipcs output is the semaphore id
${IPCS} | grep apache | awk '{print $2}' > ${LIST}
for i in `cat ${LIST}`; do
{
    ${IPCRM} -s $i;
};
done;

/etc/init.d/httpd restart

TXT="${COUNT} semaphores cleared for apache for `hostname`"
echo "${TXT}" | ${MAIL} -s "${TXT}" ${EMAIL}

exit 1;

and then chmod the script to 755:

chmod 755 /etc/cron.hourly/ipcs_check

Check your /var/log/cron each hour, to ensure that crond is running it correctly.
If all is well, then there shouldn’t be any issues, and the script will exit with a return code of 0.

 

Counting a list of 2 numbers from a file, using awk (apache .bytes files)

If you want to quickly add up the .bytes files, so you can compare the daily total with webalizer, awk makes this very easy.

The format of the .bytes logs is like this:

6716 681
2408 355
2408 355
338 408
2408 490
2408 390
6709 678
2408 483

where the downloaded bytes for a request are on the left, and the uploaded bytes on the right.

Using awk, you can add up these 2 columns, and display the totals for each column.

cd /var/log/httpd/domains
awk '{d+=$1; u+=$2} END {print d " " u}' domain.com.bytes

which will output the downloaded bytes on the left, and the uploaded bytes on the right.

 

Prevent apache logging of certain requests

If you have a common request that might be filling up your logs or you simply do not wish to see it (knowing it may skew your web stats), then you can tell Apache not to log it by doing:

  1. Create

    /etc/httpd/conf/extra/dontlog.conf

    and then add the code

    CustomLog /var/log/httpd/domains/directadmin.com.log combined env=!dontlog

  2. In your /etc/httpd/conf/extra/httpd-includes.conf, add this code:

    Include /etc/httpd/conf/extra/dontlog.conf

  3. Lastly, for any sites where you wish to disable the logging of requests for a given file, let’s call it:

    You could go to:

    Admin Level -> Custom Httpd Config -> domain.com

    and in the top CUSTOM textarea, add:

    SetEnvIf Request_URI "^/commonfile.txt" dontlog
    |?COMBINED_LOG=combined env=!dontlog|

How to restrict IP access to an Apache directory using an .htaccess file?
http://wiki.shopingserver.com/how-to-restrict-ip-access-to-an-apache-directory-using-an-htaccess-file/
Tue, 31 Mar 2020 15:37:26 +0000

If you have a path with sensitive data that you don’t want to be public, then you can restrict the path to only be accessible by your own IP address, using an .htaccess file.

Create the .htaccess file in the path you would like to protect.
Add this code, where you would replace 1.2.3.4 with your own IP.

<Limit GET POST>
order deny,allow
deny from all
allow from 1.2.3.4
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

Other variations on this are possible, google should have many guides on it.
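
An added check, not part of the original guide: the snippet above only puts rules on GET, POST, PUT and DELETE, and Apache applies rules inside a <Limit> block to the named methods only, so every other method stays unrestricted. The shell function below reports such methods for an .htaccess file; its names, the method checklist and the constructed sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list the HTTP methods that an .htaccess file leaves without
# any access rule. METHODS is an assumed checklist; HEAD is left out because
# Apache applies a GET limit to HEAD as well.
METHODS="GET POST PUT DELETE OPTIONS PATCH PROPFIND"

unrestricted_methods() {  # $1 = path to .htaccess; prints uncovered methods
    awk -v list="$METHODS" '
    BEGIN { n = split(list, all, " ") }
    tolower($1) ~ /^<limit(except)?$/ {
        # Opening tag: remember the listed methods and whether it is LimitExcept.
        except = (tolower($1) == "<limitexcept"); cur = " "; inblock = 1; ruled = 0
        for (i = 2; i <= NF; i++) {
            m = toupper($i); sub(/>$/, "", m)
            if (m != "") cur = cur m " "
        }
        next
    }
    tolower($1) ~ /^<\/limit(except)?>$/ {
        # Closing tag: <Limit> covers the listed methods, <LimitExcept> the others.
        if (ruled)
            for (i = 1; i <= n; i++) {
                listed = (index(cur, " " all[i] " ") > 0)
                if (listed != except) covered[all[i]] = 1
            }
        inblock = 0
        next
    }
    tolower($0) ~ /^[ \t]*(deny|allow|require)[ \t]/ {
        # A rule outside any block applies to every method.
        if (inblock) ruled = 1; else global = 1
    }
    END {
        out = ""
        if (!global)
            for (i = 1; i <= n; i++)
                if (!(all[i] in covered)) out = out (out == "" ? "" : " ") all[i]
        print out
    }' "$1"
}

# Write two constructed sample files into directory $1.
write_htaccess_samples() {
    # The snippet from the guide.
    cat > "$1/limit.htaccess" <<'EOF'
<Limit GET POST>
order deny,allow
deny from all
allow from 1.2.3.4
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
EOF
    # The same rule without <Limit>, so it applies to every method.
    cat > "$1/plain.htaccess" <<'EOF'
order deny,allow
deny from all
allow from 1.2.3.4
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_htaccess_samples "$tmp"
echo "limit.htaccess leaves open: $(unrestricted_methods "$tmp/limit.htaccess")"
echo "plain.htaccess leaves open: $(unrestricted_methods "$tmp/plain.htaccess")"
rm -rf "$tmp"
```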

Redirect domain.com to www.domain.com

If you want to force clients to use www.domain.com, then you can redirect them from domain.com to the www version with an .htaccess file.

In your public_html folder, create a file called

.htaccess

and add the code:

RewriteEngine On
RewriteBase /
# match only the bare domain, so subdomains are left alone
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Other versions of the same thing do a negation check to see if the domain is not www.domain.com, but that does not work if you have subdomains, therefore the need for the explicit check for the value we don’t want.

Search engine crawlers are increasing my system load

Since a search engine like google needs to parse your website to determine what to search for, if your website has a lot of data, this can often cause a high load on your system if the crawl is done in a short amount of time.

By creating a robots.txt file in your public_html folder, you can instruct these crawlers to slow down.

A sample robots.txt might look like this:

User-agent: *
Crawl-delay: 300

Which tells all crawlers to wait 300 seconds before each request.

Without it, a crawler might make multiple requests per second, thus increasing your system load.

I need awstats to rebuild the static html pages for previous months

Assuming the data for the required months does exist in here:

/home/username/domains/domain.com/awstats/.data

you should be able to re-generate your static html pages for those months.  The script below can do it for you:

#!/bin/sh
# Rebuild the static AWStats pages for one month, for every domain of every user.
if [ "$#" -ne 2 ]; then
    echo "Usage:";
    echo "    $0 <MM> <YY>";
    exit 1;
fi

month=$1
short_year=$2
full_year=20${short_year}

for u in `ls /usr/local/directadmin/data/users`; do
{
    for d in `cat /usr/local/directadmin/data/users/$u/domains.list`; do
    {
        echo "";
        echo "$u: $d: $month $full_year";
        DATA=/home/$u/domains/$d/awstats/.data/awstats${month}${full_year}.${d}.txt
        # Skip domains that have no (or an empty) data file for that month
        if [ ! -s "$DATA" ]; then
            echo "Cannot find $DATA for $month $full_year. Skipping.";
            continue;
        fi

        /usr/bin/perl /usr/local/awstats/tools/awstats_buildstaticpages.pl \
            -config=$d -configdir=/home/$u/domains/$d/awstats/.data -update \
            -diricons=icon -awstatsprog=/usr/local/awstats/cgi-bin/awstats.pl \
            -dir=/home/$u/domains/$d/awstats -builddate=${short_year}${month} \
            -year=$full_year -month=$month

        echo "";
    }
    done;
}
done;
exit 0;

Save this to a script, say old_awstats.sh, and set its permissions to 755.

Run it for each month, for example, April (month 04) 2014:

./old_awstats.sh 04 14

I do not want DirectAdmin to issue an HUP or restart apache during the nightly tally.
http://wiki.shopingserver.com/i-do-not-want-directadmin-to-issue-an-hup-or-restart-apache-during-the-nightly-tally/
Tue, 31 Mar 2020 14:46:49 +0000

If you are running a service on Apache where the connection cannot be broken, you may need to disable some of the Apache restart options that DA uses:

1) Disable the log rotation with the directadmin.conf option:

rotation=0

This will prevent the HUP from being sent to the PID in /var/run/httpd.pid at 12:10am (the very start of each tally).  Webalizer should still be able to work on the live logs, but it’s not recommended (in the Webalizer documentation).

2) You can disable the post-tally Apache restart:

restart_apache_after_tally=0

3) Another good option is to change DA to issue graceful restarts instead of full restarts, which would negate the need to use #2 above:

graceful_restarts=1

I’m trying to use an /icons folder with my website, but it is not working

If you are trying to use /icons with your website, this path is reserved for Apache.
It is used for the icons/images, such as the folder icons in an Apache directory listing.

If possible, use a different path for your website.

If you can not get around it, then edit:

/etc/httpd/conf/extra/httpd-autoindex.conf

to remove or rename the Alias:

Alias /icons/ "/var/www/icons/"

This will break the apache icons, but most people will not even notice.

I want a second shared certificate on a second shared IP

There might be some cases where you would want 2 IPs, both with their own shared certificates (eg: each has its own wildcard certificate, or you might have 2 different hosting companies).
This can be done for Apache, but requires a few manual changes.

I will refer to the 2nd IP, which will be the IP we are manually going to share among many Resellers (contrary to the default behavior DA allows).
We’ll call it 1.2.3.4.

1) The second IP must be “shared”, so that people can use it.  Set this at Reseller Level -> IP manager for whichever account controls the IP (eg: “admin”).

2) For any Reseller (or just admin) that needs to have access to it, to give out to Users, it needs to be in:

/usr/local/directadmin/data/users/resellername/ip.list

eg: replace resellername with admin, or the name of the Reseller, etc.
It’s only really an issue if you have multiple Resellers/Admins.

3) The template (important part) is where we manually set it to use the other certificate.

cd /usr/local/directadmin/data/templates/custom
cp ../ips_virtual_host.conf .

Edit the custom/ips_virtual_host.conf file.

Find this line (the SSL VH on 443):

<VirtualHost |IP|:|PORT_443|>

and immediately above it, add the code:

|*if IP="1.2.3.4"|
|?CERT=/etc/httpd/conf/ssl.crt/subdomain.cert|
|?KEY=/etc/httpd/conf/ssl.key/subdomain.key|
|?CAROOT=/etc/httpd/conf/ssl.crt/subdomain.cacert|
|*endif|

This template controls the automatic adding of VHs to the following file (don’t edit this file directly):

/etc/httpd/conf/ips.conf

These are the first VHs for the IP, and thus control which certificate is used. (somewhat related explanation)

4) You might need to do the same thing for the virtual_host2_secure.conf and virtual_host2_secure_sub.conf… but in theory, should not be needed (but might be a good idea, as the VH’s cert would not match the 2nd IP cert)

[emerg] (13)Permission denied: couldn’t grab the accept mutex
http://wiki.shopingserver.com/emerg-13permission-denied-couldnt-grab-the-accept-mutex/
Tue, 31 Mar 2020 14:30:24 +0000

If you get the following error, or errors:

[Wed Nov 16 08:37:07 2011] [emerg] (13)Permission denied: couldn’t grab the accept mutex
[Wed Nov 16 08:37:08 2011] [alert] Child 5376 returned a Fatal error… Apache is exiting!
[Wed Nov 16 08:37:08 2011] [emerg] (43)Identifier removed: couldn’t grab the accept mutex
[Wed Nov 16 08:37:09 2011] [emerg] (22)Invalid argument: couldn’t release the accept mutex
[Wed Nov 16 08:37:11 2011] [emerg] (22)Invalid argument: couldn’t grab the accept mutex

one reported solution is to add

AcceptMutex flock

to your main httpd.conf.

Other reports claim that doesn’t work, and that the following does, so see which works best for you:

AcceptMutex posixsem

With Apache 2.4, use Mutex instead of AcceptMutex.

Please note that when adding customizations to the main httpd.conf, you will need to use one of the two methods to prevent your settings from being lost.

I’m seeing a lot of localhost VHost entries on my server-status page

If you have enabled the server-status tool in Apache, you may see many entries that look like this:

37-0 – 0/0/9   . 0.00 24325 0   0.0 0.00 0.18 1.2.3.4 localhost NULL
39-0 – 0/0/8   . 0.00 24324 65  0.0 0.00 0.15 2.3.4.5 localhost NULL
40-0 – 0/0/15  . 0.00 24306 179 0.0 0.00 0.34 3.4.5.6 localhost NULL
41-0 – 0/0/110 . 1.10 23858 48  0.0 0.00 0.54 4.5.6.7 localhost NULL

Many new browsers will pre-connect to Apache.  When a client browses your websites, it’s logical to assume that the client will click a link on that website.  When that happens, the browser needs to connect to your server again to make this new request.

Newer browsers (such as Chrome) will pre-connect to a server.

After each client loads his first page, knowing that the client would likely click a link, the browser will connect to your server before the client has clicked anything.

For these cases, no request has yet been made for this … it is just an empty, idle connection without any communication over it yet (until a click happens).

Since the “Host” header has not yet been sent, Apache will not know which VirtualHost to send the request to, so it defaults to the very first VirtualHost on that IP, which in this case is in /etc/httpd/conf/httpd-vhosts.conf, and uses a ServerName of “localhost”, since nothing more specific seems appropriate. (It could also be in /etc/httpd/conf/ips.conf for a shared IP.)

How to check the details of a certificate request

If you just have a certificate request, and want to see what information is placed inside, you can use the “openssl” command with the “req” option to get you more info on the CSR.

[root@server]# openssl req -in /path/to/your/certificate.request -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Alberta, L=St. Albert, O=JBMC-Software, CN=www.testdomain.com/emailAddress=my@email.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c5:bb:20:60:a2:bd:c1:aa:10:76:f4:d5:46:73:
e5:c5:b1:f8:a5:ae:f8:f0:70:02:1e:52:fb:ef:e3:
d5:8b:75:d0:b8:d5:72:ad:63:11:10:4a:99:b4:41:
ab:06:91:6a:5e:68:3b:5e:e2:c3:cb:d6:51:19:cb:
25:5a:40:05:fe:13:1b:f0:87:49:0e:95:04:d5:81:
bb:7c:07:1b:3c:69:08:9e:ad:ef:9e:1e:97:a0:5e:
f5:66:c2:e0:f5:65:2d:6f:cb:eb:45:4d:f6:3b:e0:
33:43:78:48:30:14:5b:40:99:e0:e3:14:7e:46:5b:
11:d0:d4:d9:6d:bf:61:ec:02:a0:96:d5:f8:0c:30:
ae:ce:88:64:88:01:a1:83:03:90:68:67:16:2d:77:
6c:41:ca:c4:8a:42:1d:b6:1a:a2:c2:06:20:31:89:
36:ae:6a:03:9f:e6:4f:cc:97:a4:24:f4:a5:c6:c2:
c6:be:d7:73:2f:a6:56:89:28:83:e1:be:cf:b7:57:
70:66:e5:7f:28:ac:2b:e2:3e:1e:a8:79:4c:64:db:
d7:a2:9c:20:5c:b2:cb:92:e5:4d:07:45:b2:4c:9a:
a6:01:ea:49:88:f4:c6:fc:d0:45:52:92:39:32:3e:
93:54:6a:d8:3d:c4:42:d1:30:a3:45:89:86:9c:c8:
12:63
Exponent: 65537 (0x10001)
Attributes:
challengePassword        :A challenge password
Signature Algorithm: md5WithRSAEncryption
a8:b2:06:3d:a0:56:86:72:53:9a:8b:9a:b3:1a:9f:4f:6f:27:
a2:d7:25:28:63:3b:39:3c:6d:f6:e0:66:43:1d:a6:1f:fc:2c:
af:af:11:04:80:5d:4a:29:03:1f:24:8e:c2:3e:65:36:75:82:
1e:6e:12:aa:68:fd:d7:8d:d5:8d:9c:12:74:6c:5e:8a:d1:af:
a4:da:12:6e:fa:df:fe:cf:9c:1d:22:cd:8c:91:2a:1e:67:1b:
bf:2f:95:7c:b2:4e:7d:e0:9b:41:d3:c5:30:e7:5e:04:91:e6:
95:0e:8d:da:4c:cd:86:ac:37:c7:95:d5:3a:0a:9f:5e:d8:1e:
9b:ea:27:11:7e:03:ff:b3:1a:66:da:ab:82:d2:ad:ad:8d:cd:
b4:cb:67:b0:99:63:ae:e1:b9:8d:13:26:b1:df:84:85:72:61:
a4:4f:82:9b:86:10:37:57:bc:d4:d8:6b:8b:f7:12:27:a3:ef:
b3:c0:4b:20:8d:bb:0d:18:64:f8:38:06:69:31:0c:2d:2d:86:
39:a1:98:26:7c:a7:02:98:e1:35:d8:ee:ca:a8:fe:80:29:d5:
5c:6f:55:d0:b5:12:9e:31:86:ed:8f:c2:1c:ff:ec:3a:9b:3b:
2c:c6:80:c2:1e:c7:a5:de:a0:ea:11:ef:f3:c7:df:74:8e:5e:
a4:b6:50:80
[root@server]#
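A way to turn that output into a quick pre-submission check, as an added example that is not part of the original guide: the request shown above is signed with md5WithRSAEncryption, and its challenge password is readable in the text dump. `check_csr_text` and `sample_csr_text` are hypothetical names, and the weak-hash list and 2048-bit floor are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. check_csr_text is a
# hypothetical helper that reads the output of
#   openssl req -in FILE -text -noout
# on stdin and prints one finding per line.
check_csr_text() {
    awk '
        /Signature Algorithm:/ {
            alg = $NF
            weak = (tolower(alg) ~ /md2|md5|sha1/)   # assumed weak-hash list
            print (weak ? "WEAK_SIGNATURE " : "OK_SIGNATURE ") alg
        }
        # Older OpenSSL prints "RSA Public Key: (N bit)", newer "Public-Key: (N bit)".
        /Public[- ]Key: \(/ {
            bits = $0
            sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
            print ((bits + 0 < 2048) ? "SHORT_KEY " : "OK_KEY ") bits   # assumed floor
        }
        /Subject:/ && match($0, "CN ?= ?[^,/]+") {
            cn = substr($0, RSTART, RLENGTH)
            sub(/CN ?= ?/, "", cn)
            print "COMMON_NAME " cn
        }
        # The challenge password is stored readable inside the request.
        /challengePassword/ { print "HAS_CHALLENGE_PASSWORD" }
    '
}

# Constructed sample modelled on the output above (hex dumps omitted).
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=Alberta, L=St. Albert, O=JBMC-Software, CN=www.testdomain.com/emailAddress=my@email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        Attributes:
            challengePassword        :A challenge password
    Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_csr_text | check_csr_text
```

On a real request, pipe the command from this section into the function: `openssl req -in /path/to/your/certificate.request -text -noout | check_csr_text`.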
