Cpanel Firewall Ports SSL Only

I was checking a few things on one of my CPanel servers this morning and noted that we had some http access rather than https. This was via cpanel logins and webmail.

I thought that the server was configured to redirect automatically to the SSL equivalent port so I checked the server WHM console Tweak Settings -> Redirection -> “Choose the closest matched domain for which that the system has a valid certificate……” setting which was ‘On’ by default.

Next I reviewed the firewall and at some point I had apparently followed a list of ‘Open these Ports for CPanel’ and had included the non-ssl access ports. While the server setting would not accept connections the firewall was allowing scan activity through.

So I reviewed this documentation at CPanel for a full list of ports and removed a few ports from the firewall.

Specifically we do not need to open

  • 2082 – Cpanel
  • 2086 – WHM
  • 2095 – Webmail

And we can (should) have the SSL equivalents open

  • 2083 – Cpanel
  • 2087 – WHM
  • 2096 – Webmail

This forum thread also relates https://forums.cpanel.net/threads/is-there-a-way-to-shut-off-the-non-ssl-ports-2082-2086-2095.164950/
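An added example, not part of the original post: a POSIX shell check that takes a firewall's inbound TCP allow-list and reports which of the non-SSL ports listed above are still allowed, including when one is hidden inside a range, and which SSL ports are missing. The allow-list format (comma-separated ports, ranges written as low:high) and the sample list are assumptions.

```shell
#!/bin/sh
# Audit an inbound TCP allow-list for the cPanel ports named in this post.
# Assumed input format: comma-separated ports, ranges written as low:high.

# port_allowed LIST PORT -> exit 0 if PORT is covered by LIST
port_allowed() {
    list=$1 port=$2
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            *)   if [ "$entry" = "$port" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# audit_cpanel_ports LIST -> one finding per line, no output if the list is clean
audit_cpanel_ports() {
    # plaintext:ssl:service triples taken from the two lists above
    for triple in 2082:2083:cPanel 2086:2087:WHM 2095:2096:Webmail; do
        plain=${triple%%:*}; rest=${triple#*:}
        ssl=${rest%%:*}; name=${rest#*:}
        if port_allowed "$1" "$plain"; then
            echo "CLOSE $plain ($name non-SSL)"
        fi
        if ! port_allowed "$1" "$ssl"; then
            echo "OPEN $ssl ($name SSL)"
        fi
    done
}

# Constructed sample: the range 2080:2083 silently includes 2082, 2095 is listed directly.
SAMPLE_TCP_IN="22,80,443,2080:2083,2087,2095,2096"
audit_cpanel_ports "$SAMPLE_TCP_IN"
```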

How to change the Storage Repository label for Xen XCP-ng

A short note on How to change the Storage Repository label for Xen XCP-ng.

While creating a new storage repository I had done a quick copy / paste without noticing that the pasted double quotes surrounding the volume label were not accepted and converted to the ? mark character.

This is what I pasted:

xe sr-create content-type=user device-config:device=/dev/disk/by-id/scsi-3600508b400dc45c8k47fe45763a27qq8-part1 host-uuid=19458bfa-48e3-42d1-b345-266j6fdq4ed6f name-label=”Local Storage 2” shared=false type=lvm

but this is what appeared and I hit enter before realising the change (look for the ? marks towards the end in the name-label parameter):

xe sr-create content-type=user device-config:device=/dev/disk/by-id/scsi-3600508b400dc45c8k47fe45763a27qq8-part1 host-uuid=19458bfa-48e3-42d1-b345-266j6fdq4ed6f name-label=?Local Storage 2? shared=false type=lvm

and what I ended up with was

uuid ( RO) : ff2c5f2e-9v8c-45j4-bxc0-50a338qe63ac
name-label ( RW): ?Local <--- this is wrong / ugly
name-description ( RW):
host ( RO): my-svr-name
type ( RO): lvm
content-type ( RO): user

To correct it, and add a longer description I used:

xe sr-param-set uuid=ff2c5f2e-9v8c-45j4-bxc0-50a338qe63ac name-label="Local Storage 2"

…and…..

xe sr-param-set uuid=ff2c5f2e-9v8c-45j4-bxc0-50a338qe63ac name-description="RAID Drives 4,5,6,7"

Which results in a final check as

uuid ( RO) : ff2c5f2e-9v8c-45j4-bxc0-50a338qe63ac
name-label ( RW): Local Storage 2
name-description ( RW): RAID Drives 4,5,6,7
host ( RO): my-svr-name
type ( RO): lvm
content-type ( RO): user

In case you are wondering, all the uuid’s have been changed to protect the innocent and no face masks were harmed in the making of this post…. (if you are reading this in a few years, then the face mask reference may be obscure. 2020 the year that never was.)
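An added example, not part of the original post: a small POSIX shell guard for the paste problem described above, which replaces typographic quotes with straight ones and refuses anything that still contains non-ASCII bytes. The function names are hypothetical and `<sr-uuid>` is a placeholder.

```shell
#!/bin/sh
# UTF-8 byte sequences for typographic quotes, built from octal escapes
LDQ=$(printf '\342\200\234')   # U+201C left double quote
RDQ=$(printf '\342\200\235')   # U+201D right double quote
LSQ=$(printf '\342\200\230')   # U+2018 left single quote
RSQ=$(printf '\342\200\231')   # U+2019 right single quote

# straighten_quotes STRING -> STRING with typographic quotes made ASCII
straighten_quotes() {
    printf '%s\n' "$1" | LC_ALL=C sed \
        -e "s/$LDQ/\"/g" -e "s/$RDQ/\"/g" \
        -e "s/$LSQ/'/g"  -e "s/$RSQ/'/g"
}

# paste_is_clean STRING -> exit 0 only if every byte is printable ASCII
paste_is_clean() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# vet_command STRING -> prints the repaired command, or fails if other
# non-ASCII bytes (dashes, non-breaking spaces, ...) are still present
vet_command() {
    fixed=$(straighten_quotes "$1")
    if paste_is_clean "$fixed"; then
        printf '%s\n' "$fixed"
    else
        echo "refusing: non-ASCII bytes remain after quote repair" >&2
        return 1
    fi
}

# Constructed sample: the name-label from this post with the pasted quotes
SAMPLE="xe sr-param-set uuid=<sr-uuid> name-label=${RDQ}Local Storage 2${RDQ}"
vet_command "$SAMPLE"
```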

XCP-Ng Xen Server Adding a New SR Storage Repository

An update to my previous posts on XCP-Ng Xen Server Adding a New SR Storage Repository.

My earlier posts, quite a while ago, Xen Server install without local storage and Xen Server has no local storage, were written for Xen but equally apply to XCP-ng which is my preferred platform.

In preparing some new servers and adding disks today I again found a need for formatting beyond the 2Tbyte limit of fdisk and decided I should document the process for future reference.

The configuration of the RAID array belongs with the controller, and regardless of the combination the following should apply to any RAID config. In this case I have installed 6 1Tbyte drives as RAID 50 with a useable array capacity of ~4Tbytes.

Accessing the XCP-ng centre console (yes, I know XenOrchestra exists, but I am really ok working with the center console and the CLI).

So first up I need to find the array information from the console:

# fdisk -l
Disk /dev/sda: 1000.2 GB, 1000171331584 bytes, 1953459632 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: gpt

Disk /dev/sdb: 4000.7 GB, 4000684662784 bytes, 7813837232 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Ok, so I can see the original Local Storage /dev/sda and the new RAID space is /dev/sdb and now I want to use ‘parted’ to create the volume / partition. In this example I was on another system with a 3Tb drive array (4x 1T disks, RAID 5)

# parted /dev/sdb
(parted) mklabel GPT
Warning: The existing disk label on /dev/sdb will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? yes
(parted) mkpart
Partition name? []? primary
File system type? [ext2]? ext4
Start? 2048s
End? 100%
(parted) print
Model: HP LOGICAL VOLUME (scsi)
Disk /dev/sdb: 3001GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  3001GB  3001GB               primary

(parted) q
#

Now we have a configured partition it needs to be formatted:

# mkfs.ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
183140352 inodes, 732546816 blocks
36627340 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2881486848
22356 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848, 512000000, 550731776, 644972544

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

and then it can be used for a XCP-ng / Xen Storage Repository, but it needs a few bits of info for the command:

xe sr-create content-type=user device-config:device=<disk device identifier> host-uuid=<host uuid that the SR is on> name-label="A nice name label" shared=false type=lvm

xe host-list
uuid ( RO) : 19458bfa-48e3-42d1-b345-266j6fdq4ed6f
name-label ( RW): my-svr-name
name-description ( RW): Default install of XenServer

The ls command below will show all the /sdb devices. Use the /dev/sdb1 scsi code to identify the partition that will be the storage repository.

# ls -lah /dev/disk/by-id | grep sdb
lrwxrwxrwx 1 root root 9 Sep 25 19:26 scsi-3600508b400dc45c8k47fe45763a27qq8 -> ../../sdb
lrwxrwxrwx 1 root root 10 Sep 25 19:26 scsi-3600508b400dc45c8k47fe45763a27qq8-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 9 Sep 25 19:26 wwn-0x600518b1001q45c8887fe45764a27bb8 -> ../../sdb
lrwxrwxrwx 1 root root 10 Sep 25 19:26 wwn-0x600518b1001q45c8887fe45764a27bb8-part1 -> ../../sdb1

Using the above codes in the sr-create command should look like this:

xe sr-create content-type=user device-config:device=/dev/disk/by-id/scsi-3600508b400dc45c8k47fe45763a27qq8-part1 host-uuid=19458bfa-48e3-42d1-b345-266j6fdq4ed6f name-label="Local Storage 2" shared=false type=lvm

and a final check to confirm (aside from looking at the new SR in the XCP-ng center console) is to use:

# xe sr-list

and review the list for Local Storage 2 device.

The only issue I had was when I copy/pasted the sr-create command and missed the double quotes being converted. That's the topic of the next post, How to change the Xen XCP-ng Storage Repository label and description from the Command Line.

WordPress Multisite Error

A very open headline for what was a confusing WordPress Multisite Error. A more accurate headline after the event might be WordPress Multisite migration to a new server or domain url.

Scenario: An older WordPress site was migrated to a new server with PHP 7.3 but was using PHP 5.6 on the old server and was not working on the new server. The problem was that the old server had been decommissioned.

At this point I was asked to review and fix if possible. I tried a number of processes just to see if an in-place fix was possible, including turning off the multi-site function for the site copy on the new server and processing wordpress updates, but turning the multisite back on failed to run the site.

So I created a ‘dev’ copy on a PHP5.6 enabled server, copied in the database, and the files, configured the options settings to change the live url to the dev url, and then stepped through the following:

First issue was that the url of https://dev.insertdomainnamehere.com/ would process but come up with a result of ‘server not found’ with the url modified to show as https://http//dev.insertdomainnamehere.com// which looked weird, was obviously broken, but why was it happening?

It seemed like a mod_rewrite issue, which pointed at the .htaccess setup so I reviewed that. Reference https://wordpress.org/support/article/multisite-network-administration/#htaccess-and-mod-rewrite
and compared all the lines, and the (potential) version matching issues, and I used the settings for 3.5+ which seems to still hold true for WordPress 5+. Nothing seemed wrong here.

Next I checked in the wp-config.php file and confirmed the database settings and then the various WordPress multisite parameters and in particular the define('DOMAIN_CURRENT_SITE', ' https://dev.insertdomainnamehere.com/') which I had modified from the live site url. I found that if I modified this setting then the broken url changed to correspond to this domain setting.

Why the weird url? Because this parameter should not include the protocol or the trailing slash. The correct format of this parameter would be:

define( 'DOMAIN_CURRENT_SITE', "dev.insertdomainnamehere.com");

So I turned off the multisite setting with define('MULTISITE', false) in the wp-config.php file and found that the access to the site was working, albeit without the Network option or subsites available. This just confirmed that the database connection was working and that the site configuration was ok, at least in part.

Checking the content of the database I noted that the subsites had table prefixes of wp_2_ and wp_3_ consistent with a multisite database, except there was no wp_1_ which made me wonder if the primary site was not configured correctly (strange as it had been working previously).

But that is correct. From one of the pages I reviewed: "It's not supposed to make wp_1_* tables anymore. That was only done in WPMU and as of WordPress 3.0, you start with wp_* and all subsequent sites get numbers." So the wp_2 and wp_3 are correct.

Reviewing some more WordPress commentary searching for wp_1 gave up this reference at Stackoverflow on a WordPress database issue and while the problem was not the same, one of the replies slapped me as I had missed one of the multisite settings (or lack of it) in the wp-config.php.

define( 'WP_ALLOW_MULTISITE', true ); 

This is not the same as

define('MULTISITE', true);

and the wp-config.php file was missing the WP_ALLOW_MULTISITE parameter. (Why and for how long?) In any case it was now added.

Not so much second, but just somewhere in the mix, I found that with some setting combinations, I would get an "Error establishing database connection" as a WordPress formatted error page. Which made me think that the database connection was wrong, but as mentioned above, swapping to multisite = false worked ok, so not database as such.

Next reference was found while I looked at Stackoverflow results again with https://stackoverflow.com/questions/19724781/wordpress-multisite-error-establishing-a-database-connection-in-localhost in which another comment not directly relevant to the issue was about checking the wp_blogs table.

Noting that I had modified all the wp_options tables to use the 'dev' site url, I checked the wp_blogs table only to find that these were (naturally) still pointing to the live site urls. A quick modification to each of the primary and two subsite urls and the site was running smoothly.

In summary, for multi-site to work, we must have:

  • wp-config.php with both WP_ALLOW_MULTISITE and MULTISITE parameters defined as True.
  • update the wp_options tables AND the wp_blogs table to reference the new site url.
  • update or at least check in the wp_sitemeta table for the 'network admin' access
  • correct format of the parameter for DOMAIN_CURRENT_SITE

Now, I should be able to get on with security patching and reinstatement as a live site.
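An added example, not part of the original post: a POSIX shell check of the wp-config.php items in the summary above, namely that WP_ALLOW_MULTISITE and MULTISITE are defined as true and that DOMAIN_CURRENT_SITE is a bare hostname with no protocol or slash. The function names and the sample file are constructed for illustration, and the database tables are not checked.

```shell
#!/bin/sh
# get_define FILE NAME -> raw second argument of the last define() of NAME
get_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*)[[:space:]]*;.*/\1/p" "$1" | tail -n 1
}

# check_wp_multisite FILE -> one finding per line, no output if all checks pass
check_wp_multisite() {
    for const in WP_ALLOW_MULTISITE MULTISITE; do
        # PHP booleans are case-insensitive, so compare in lower case
        val=$(get_define "$1" "$const" | tr -d "\"'" | tr 'A-Z' 'a-z')
        if [ "$val" != "true" ]; then
            echo "$const is not defined as true"
        fi
    done
    dom=$(get_define "$1" DOMAIN_CURRENT_SITE | tr -d "\"'")
    case $dom in
        "") echo "DOMAIN_CURRENT_SITE is missing" ;;
        *://*|*/*|*" "*)
            echo "DOMAIN_CURRENT_SITE must be a bare hostname, got: $dom" ;;
    esac
}

# Constructed sample reproducing the two mistakes described in this post
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define('DB_NAME', 'wp_dev');
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'https://dev.insertdomainnamehere.com/');
EOF
check_wp_multisite "$sample"
rm -f "$sample"
```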