Author Topic: การติดตั้ง directadmin บน Google cloud platform หรือบน cloud AWS  (Read 10446 times)

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
วันนี้มีโจทย์คือ ลง Directadmin บน GCP ครับ

ซึ่งโดยปกติเวลาสร้าง instance เสร็จมันจะมี IP ที่เป็น private มาให้ และก็ ip external ที่แบบว่าไม่ได้จองไว้
สิ่งที่เราต้องทำคือไป ทำให้ ip external นั้นเป็น static ก่อน แล้วให้ assign ลงบน instance ที่เราจะใช้งาน
https://cloud.google.com/compute/docs/configure-ip-addresses

หลังจากนั้นทำการแอด network เสมือนอีก1 ใบ
ถ้า internal ip ใช้เป็น eth0
ก็ทำการสร้างเป็น eth0:1

#vi /etc/sysconfig/network-scripts/ifcfg-eth0:1

DEVICE=eth0:1
BOOTPROTO=none
ONPARENT=yes
IPADDR=xxx.yyy.zzz.aaa
NETMASK=255.255.255.255
ONBOOT=yes

โดยที่ xxx.yyy.zzz.aaa เป็น ip external ที่ตั้ง static เอาไว้ก่อนหน้านี้ครับ

ทำการ restart network 1 รอบ
#/etc/init.d/network restart

เวลาเช็ค ifconfig ก็จะมองเห็น eth0:1 ขึ้นมาครับ

หลังจากนั้น ทำการแจ้งว่าจะติดต่อ da ผ่าน lan แล้วก็ download setup.sh ของ directadmin มาครับ
echo 1 > /root/.lan
wget http://www.directadmin.com/setup.sh
chmod 755 setup.sh
./setup.sh

###หลังจากนั้นทำตามด้านล่างนี้
Add the LAN IP to DA's IP manager. Don't assign it to any Users or Domains.
View the details of the external IP: Admin Level -> IP Manager -> Click the public/external IP.
Link the internal IP to the external IP: Select the LAN IP from the drop down.
Only select Apache, do not select DNS

หลังจากนั้นก็ทำตามขั้นตอน 5 ตามลิ้งด้านล่างเลยครับ
https://www.directadmin.com/lan.php

5.Add the following value to your directadmin.conf, and restart DA:
lan_ip=192.168.1.2
where you'd replace 192.168.1.2 with the LAN IP value that should be used for outbound connections (Private IP).

##Reference
https://help.directadmin.com/item.php?id=241
https://help.directadmin.com/item.php?id=418

###Detail
DirectAdmin can run on a LAN/NAT, many of our clients do it, even though it's not "officially" supported.

The only reason it's unofficial is due to the non-standard way of loading the external IP into the internal/LAN device. Operating should still be fine.

Type the following before running the setup.sh:
echo 1 > /root/.lan

to have DA download the update.tar.gz and license.key more easily (skips the --bind-address option).
You'll need to make sure that the licensed IP is in the device. This guide can help with that.
Install DirectAdmin normally, using the setup.sh
When it asks for which ethernet device, make sure you pick the device that holds the licensed IP (often eth0:0 or venet0:0).
Enter the license IP, and not the LAN ip when asked.
After the install is done, make sure you complete steps 4 and 5 below.
Link the LAN IP to your public IP using the Linked IP feature.
With this feature, you'd do the following:
Add the LAN IP to DA's IP manager. Don't assign it to any Users or Domains.
View the details of the external IP: Admin Level -> IP Manager -> Click the public/external IP.
Link the internal IP to the external IP: Select the LAN IP from the drop down.
Only select Apache, do not select DNS
Add the following value to your directadmin.conf, and restart DA:
lan_ip=192.168.1.2

where you'd replace 192.168.1.2 with the LAN IP value that should be used for outbound connections.
You must disable popb4smtp via the exim.conf if all incoming IPs are your router's IP (always the same). If inbound IPs are external, then this is not requierd. If you type "who", check which IP shows up as your inbound ssh IP. If it's the router IP, disable pophosts.
« Last Edit: พฤษภาคม 19, 2017, 09:51:33 PM by golfreeze »

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
https://harrytang.xyz/blog/directadmin-improve-performance-security

Use Nginx reverse proxy
Performance can be improved by the reverse proxy handling static content and from application requests. If your web server is not set to this mode, follow the commands below:

cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache
Enable HTTP/2
HTTP/2 is the latest update to the HTTP protocol with many advancements in efficiency, security and speed. Simply run the commands below to enable HTTP/2:

cd /usr/local/src/
wget ftp://ftp.openssl.org/source/openssl-1.0.2k.tar.gz
tar xzf openssl-1.0.2k.tar.gz
mkdir /usr/local/directadmin/custombuild/custom/
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse/conf
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/configure.nginx /usr/local/directadmin/custombuild/custom/nginx_reverse/
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/
Then we edit the configure file:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/configure.nginx
And add 2 lines:

--with-http_v2_module
--with-openssl=/usr/local/src/openssl-1.0.2k
http/2 nginx

Next, we update the nginx-vhosts:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-vhosts.conf
Add http2 to all SSL listen like this:
HTTP2

If you have LAN_IP/IPv6, then replace |LINKEDIPSSL| with your IP(s) like below:

listen 172.xxx.xxx.xxx:443 ssl http2;
listen [2600:1f16:5a8:aaaa:aaaa:aaaa:aaaa:aaaa]:443 ssl http2;
Finally, build and restart the service:

cd /usr/local/directadmin/custombuild
./build nginx_apache
Use PHP 7
Up to 2x faster performance and 50% better memory consumption than PHP 5.6.

cd /usr/local/directadmin/custombuild
./build set php1_release 7.0
If you have CloudLinux:

./build set php1_mode lsphp
If you don't have CloudLinux:

./build set php1_mode php-fpm
Then build php:

./build update
./build php d
Edit php.ini and double those settings: memory_limit, max_execution_time, max_input_time

Enable OpCache
OpCache can improves PHP performance as well, run the following commands:

cd /usr/local/directadmin/custombuild
./build set opcache yes
./build opcache
Use MariaDB
A lot of optimizer enhancements in MariaDB, if your server is not set to use MariaDB, follow this:

cd /usr/local/directadmin/custombuild
./build set mariadb 10.1
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb
Increase max allowed packet:

nano /etc/my.cnf.d/server.cnf
Set max_allowed_packet = 50M , innodb_log_file_size = 100M and bind-address = 127.0.0.1 in [mysqld] section.

Enable SSL for all services
Assume that your server hostname is server.domain.com. We use "Let's Encrypt" tool to setup SSL for server hostname and all services, now edit the directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf
set enable_ssl_sni=1
set ssl_redirect_host=server.domain.com
set force_hostname=server.domain.com
set carootcert=/usr/local/directadmin/conf/carootcert.pem
set letsencrypt=1

Next run the following commands:

service directadmin restart
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096
Now set SSL=1 in directadmin.conf and restart directadmin service again.

Next, update Roundcube config for SSL connection:

nano /var/www/html/roundcube/plugins/password/config.inc.php
set $config['password_directadmin_host'] = 'ssl://localhost';

Testing SSL by running the following commands, one by one:

openssl s_client -connect 127.0.0.1:465
openssl s_client -connect 127.0.0.1:993
openssl s_client -connect 127.0.0.1:2222
openssl s_client -connect 127.0.0.1:443
openssl s_client -connect 127.0.0.1:21 -starttls ftp
Make sure you can see the Certificate in the result like this:
SSL test

Then we make new domains to use a private_html link that pointing to public_html, we do this by creating this custom script:

/usr/local/directadmin/scripts/custom/domain_create_post.sh
then add the following code and chmod the script to 755:

#!/bin/sh
D=/home/$username/domains/$domain
PH=$D/private_html

if [ -d $PH ]; then
   rm -rf $PH
   ln -s public_html $PH
   chown -h $username:$username $PH
fi
exit 0;
Use hostname for alias
cd /usr/local/directadmin/custombuild
./build update
./build set use_hostname_for_alias yes
./build set redirect_host_https yes
./build rewrite_confs
Enable DKIM
Enable this feature will help you keep emails sending from your server out of the Spam folder, download the dkim.conf file:

cd /etc
wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf
Edit your /etc/exim.conf, and find the code:

remote_smtp:
 driver = smtp
Then change it to look like:

remote_smtp:
  driver = smtp
  .include_if_exists /etc/exim.dkim.conf
If you don't want to see the hostname in user's emails "on behalf of":

untrusted_set_sender = *
no_local_from_check
Then restart exim:

service exim restart
Finally, update directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf
set dkim=1 dns_spf=1 hide_outlook=1 and then restart DirectAdmin

Now we can create DKIM for the server hostname:

cd /usr/local/directadmin/scripts
./dkim_create.sh server.domain.com
Now go to DirectAdmin > DNS Administration and click on your server hostname to check and DKIM key, and update your SPF record (for IPv6).

Enable Auto Update
Install yum-cron:

yum -y install yum-cron
sed -ie 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
Start yum-cron service:

systemctl start yum-cron.service
Enable DA cron:

nano /usr/local/directadmin/custombuild/options.conf
Then set the following values:

cron=yes
cron_frequency=weekly
email=your@email.com
notifications=yes
da_autoupdate=yes
updates=yes
webapps_updates=yes
Finally, build cron:

cd /usr/local/directadmin/custombuild/
./build cron
Enable IP Blocking
We will use BFM and CSF:

yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -zxvf csf.tgz
cd ./csf
./install.directadmin.sh
Download config fires:

cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 block_ip.sh unblock_ip.sh show_blocked_ips.sh brute_force_notice_ip.sh
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf
Create the empty block list and exempt list files:

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
Open ports 465, 2525, 35000:35999 in CSF:

Admin Level -> ConfigServer Firewall&Security -> Firewall Configuration:
IPv4 Port Settings -> TCP_IN: Add: 35000:35999
IPv4 Port Settings -> TCP_OUT: Add: 465, 2525
IPv6 Port Settings -> TCP6_IN: Add: 35000:35999
IPv6 Port Settings -> TCP_OUT: Add: 465, 2525
Enable and start the firewall. Edit /etc/csf/csf.conf:

TESTING = "0"
LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
Update Settings in Directadmin like below: