Install Centos 7

This describes the steps I took to install CentOS Web Panel on CentOS 7 and configure it until the external tests of my test domain showed good configuration settings for mail, DNS and web.

Minimal setup

As a first step I just do a plain CentOS 7 minimal installation. During installation I do not create an additional user, and I enable NTP to set the server's time. All required packages and settings are added after the installation.

I set a root password that I am able to type for my first login. Later I will replace it with a generated one. But if something fails and I have to log in using the remote console, I will be happy if I do not have to type a 20 char generated password.

Note: user data is stored under /home, so keep this in mind when creating the partitions. A separate /home partition is highly recommended!

Tools installation

Next I just install some tools I usually use to work on the server.

yum -y install mc htop nano qemu-guest-agent
systemctl enable qemu-guest-agent

Static ip address and hostname

Next, make sure the server has a static IP address configured. This address must not change, as all of the following configuration builds on it.

On CentOS you have to set the hostname and modify the config file of the network interface, here eth0. hostnamectl writes the name persistently; the plain hostname command only changes it until the next reboot.

hostnamectl set-hostname srv1.example.com
nano /etc/sysconfig/network-scripts/ifcfg-eth0

The parameter BOOTPROTO should already be there; change it from dhcp to static. The other entries might be missing and should be added to the file.

BOOTPROTO="static"
IPADDR="a.b.c.d"
NETMASK="255.255.255.0"
GATEWAY="a.b.c.e"
DNS1="a.b.c.d"
DNS2="a.b.c.d"
DNS3="a.b.c.d"

Rebooting the server or restarting the networking unit applies the new settings.

Securing ssh

By default on CentOS root is allowed to log in with a password. We do not like that and restrict root logins to key-based authentication.

First we copy the SSH public key of our local system to the new server. On your local Linux system, run:

ssh-copy-id root@your.server.example

If you are on Windows or need to know how to generate a key, there are some good search engines out there :-D

Next we need to update /etc/ssh/sshd_config. I normally keep the original content, so I copy the line and change the copy a little. This will force any root login to use a key.

#PermitRootLogin yes
PermitRootLogin prohibit-password

After that, I change the root password to a value generated by my password manager.
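A detail that is easy to get wrong here: sshd_config uses first-match semantics (the first uncommented occurrence of a keyword wins), which is why the original line is commented out instead of a new one being appended. The following script is an added example, not part of the original post; it reads a config file and prints the value sshd will actually use. The sample config it contains is constructed for the demo.

```shell
# Added example, not part of the original post: print the value sshd will
# actually use for a keyword. Unlike most config files, sshd_config uses
# first-match semantics (man sshd_config: "the first obtained value will be
# used"), so appending a new PermitRootLogin line at the end of the file does
# NOT override an earlier uncommented one. Commenting out the original line,
# as done above, is what makes the change effective.
#
# Usage: effective_sshd_value <keyword> <config-file>
effective_sshd_value() {
    file=$2
    # sshd keywords are case-insensitive, so compare in lower case
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ { next }              # comment
        /^[[:space:]]*$/ { next }              # blank line
        tolower($1) == "match" { exit }        # conditional block starts; globals end here
        tolower($1) == kw { print $2; exit }   # first match wins
    ' "$file"
}

# Returns 0 only when the effective setting forbids password logins for root.
# An absent keyword counts as "not verified", because the compiled-in default
# depends on the OpenSSH build (the post notes that CentOS 7 allows it).
root_password_login_disabled() {
    v=$(effective_sshd_value PermitRootLogin "$1")
    case "$v" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config (the real file is /etc/ssh/sshd_config).
sample_sshd_config() {
    cat <<'EOF'
# original line kept for reference, as in the post
#PermitRootLogin yes
PermitRootLogin prohibit-password
PasswordAuthentication yes
# a later duplicate is ignored by sshd because the first match wins
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}

# Run with "demo" as the first argument to see the result on the sample config.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_sshd_config > "$tmp"
    printf 'PermitRootLogin -> %s\n' "$(effective_sshd_value PermitRootLogin "$tmp")"
    rm -f "$tmp"
fi
```

On the server itself, `sshd -T | grep -i permitrootlogin` prints the effective value straight from sshd, which is the authoritative check after editing the file and before you close your current session.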

Updating the system

Make sure all is up to date before you start with the panel installation. Run yum to update the system.

yum -y update

When all updates are installed and the basic configuration is done, reboot the server.

reboot

Now we have a minimal installation ready, and if you use a virtual machine you should make a backup here. This will save some time if you mess something up and want to try again.

Install the Centos Web Panel

To install the web panel you can follow the guide on the webpage. The process is fully automated; the installation script is the only thing you need to run.

cd /usr/local/src
wget http://centos-webpanel.com/cwp-el7-latest
sh cwp-el7-latest

If you do not trust such installer scripts, you are free to read it first and check what it is going to do. I only had a short look at the script; most of it adds repositories, installs packages or modifies configuration files. If you really want to check each step, feel free.

reboot

Post install configuration

Do not be surprised when you log in to your new panel for the first time: while all tasks and checks run, some alerts and security warnings will show up. These are things you will solve by configuring the system. The hints are good and help you improve your configuration.

Configure the nameserver

First of all you should configure the nameservers. You find the feature under DNS Functions -> Edit Nameservers IP's, or by typing nameservers into the search bar above the menu. Set nameserver 1 and 2 including the corresponding IP addresses. Make sure you tick the checkboxes and hit “Save changes”.

Next the zone template of the nameserver should be updated. The default serial contains a date from 2013 and should be brought up to date. In my case I have to add two additional nameservers to the zone template, as my secondary nameserver provider gives me a total of three servers. Together with my primary server, four different nameservers per domain are available.

To open the template editor, simply follow DNS Functions -> Edit Zone Templates. This brings up all templates used by CentOS Web Panel. Have a look at my example below: I changed the serial and the expire seconds and added two more nameserver entries.

; Generated by CWP
; Zone file for DOMAIN_REPLACE
$TTL 14400
DOMAIN_REPLACE.      86400        IN      SOA     NS1_REPLACE. DNS_EMAIL. (
				2018090100      ; serial, todays date+todays
				86400           ; refresh, seconds
				7200            ; retry, seconds
				1209600         ; expire, seconds
				86400 )         ; minimum, seconds

DOMAIN_REPLACE. 86400 IN NS NS1_REPLACE.
DOMAIN_REPLACE. 86400 IN NS NS2_REPLACE.
DOMAIN_REPLACE. 86400 IN NS ns6.dnsmadeeasy.com.
DOMAIN_REPLACE. 86400 IN NS ns7.dnsmadeeasy.com.

DOMAIN_REPLACE. IN A IP_REPLACE

localhost.DOMAIN_REPLACE. IN A 127.0.0.1

DOMAIN_REPLACE. IN MX 0 DOMAIN_REPLACE.

mail IN CNAME DOMAIN_REPLACE.
www IN CNAME DOMAIN_REPLACE.
ftp IN CNAME DOMAIN_REPLACE.
; Add additional settings below this line
_dmarc	14400	IN	TXT	"v=DMARC1; p=none"

With this in place, I saved the template and went on to configure the next parts.
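The serial is the one value in this template that has to keep moving: secondaries only transfer a zone when the serial is larger than the copy they hold, so a new serial must always be strictly greater than the published one. The script below is an added example, not CWP's own code: it computes the next YYYYMMDDnn serial from the current one and today's date, renders the placeholders of the template above for one domain, and runs named-checkzone on the result when that tool is installed. The domain, addresses and the copy of the template it contains are constructed for the demo.

```shell
# Added example, not CWP's own code: compute the next YYYYMMDDnn zone serial
# and render the template placeholders for one domain, so the resulting zone
# can be checked before the nameserver is rebuilt.

# next_serial <current-serial> <today-as-YYYYMMDD>
# Secondaries only transfer a zone when its serial is larger than the copy
# they hold, so the new value must be strictly greater than the published
# one. If today's date prefix is ahead of the current serial, restart at
# <today>00; otherwise increment (2018090199 + 1 = 2018090200 is still a
# valid, increasing serial even though the "nn" part overflowed).
next_serial() {
    cur=$1
    base="${2}00"
    if [ "$cur" -lt "$base" ]; then
        echo "$base"
    else
        echo $((cur + 1))
    fi
}

# render_zone <domain> <ns1> <ns2> <ip> <hostmaster-as-dns-name> <serial>
# Reads the template on stdin and replaces the CWP placeholders used above.
# The SOA mailbox is given in zone syntax (hostmaster.example.com. stands for
# hostmaster@example.com); the serial is swapped in on the "; serial" line.
render_zone() {
    sed -e "s/DOMAIN_REPLACE/$1/g" \
        -e "s/NS1_REPLACE/$2/g" \
        -e "s/NS2_REPLACE/$3/g" \
        -e "s/IP_REPLACE/$4/g" \
        -e "s/DNS_EMAIL/$5/g" \
        -e "s/[0-9]\{10\}\([[:space:]]*; serial\)/$6\1/"
}

# Constructed copy of the relevant template lines; the real template is the
# one in the CWP zone template editor.
sample_template() {
    cat <<'EOF'
; Zone file for DOMAIN_REPLACE
$TTL 14400
DOMAIN_REPLACE.      86400        IN      SOA     NS1_REPLACE. DNS_EMAIL. (
                2018090100      ; serial, todays date+todays
                86400           ; refresh, seconds
                7200            ; retry, seconds
                1209600         ; expire, seconds
                86400 )         ; minimum, seconds
DOMAIN_REPLACE. 86400 IN NS NS1_REPLACE.
DOMAIN_REPLACE. 86400 IN NS NS2_REPLACE.
DOMAIN_REPLACE. IN A IP_REPLACE
DOMAIN_REPLACE. IN MX 0 DOMAIN_REPLACE.
mail IN CNAME DOMAIN_REPLACE.
_dmarc 14400 IN TXT "v=DMARC1; p=none"
EOF
}

# check_zone <domain> <rendered-zone-file>: syntax-check with named-checkzone
# when it is installed on this machine.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

# Run with "demo" as the first argument to render the sample for example.com.
if [ "${1:-}" = "demo" ]; then
    serial=$(next_serial 2018090100 "$(date +%Y%m%d)")
    tmp=$(mktemp)
    sample_template | render_zone example.com ns1.example.com ns2.example.com \
        192.0.2.10 hostmaster.example.com "$serial" > "$tmp"
    cat "$tmp"
    check_zone example.com "$tmp"
    rm -f "$tmp"
fi
```

The same next_serial rule applies whenever you edit a zone by hand later on: a forgotten serial bump is the classic reason a change shows up on the primary but never on the secondaries.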

Webserver selection

Next the web server configuration should be set. You find these settings under Apache Settings -> Select WebServers. Make sure that you restart all services after the rebuild. I’m using Apache only now, after playing with the nginx reverse proxy. But why make it more complicated than needed? As long as the server holds the load, it is fine, and I do not have much load.

Apache Redirects

By default the script takes the IP address to build the Apache redirects. These have to be fixed and changed back to use the hostname. The redirects can be found under Apache Settings -> Apache Redirects.

Let’s Encrypt for the server admin panel

Now it is time for the admin panel to get a real certificate issued by Let’s Encrypt. To enable this, go to Server Settings -> Change Hostname. Just keep the name that is there and hit “Change Hostname” to trigger an update. Check the log and make sure the certificate is installed correctly. When this was successful, restart the web server or the whole server to make sure the new certificate gets picked up.

Configure the mail server

As the final step before adding a customer you have to configure the mail server. This is done under EMail -> MailServer Manager. Select the checkboxes of the features you want to activate and make sure the host and domain name are correct; use the values of the panel itself. When ready, hit the “Rebuild Mail Server” button to reconfigure all the services.

Configure firewall

The firewall is configured quite well but disabled at the beginning. So now follow Security -> Firewall Manager and enable the firewall. The basic set of ports needed to manage the system is already open, so enabling it should not break anything.

Secure Processes visibility

This makes sure a normal user is not able to see the processes of other users. It is disabled by default but should be enabled as well.

Install PHP versions

I like to have different PHP versions on the server so I can upgrade the sites / applications one by one. There is a nice page called PHP Settings -> PHP Selector that you can use to install additional PHP versions.

You should also configure the basic settings of your PHP installation like max memory, upload and post size and time zone. This can be done under PHP Settings -> PHP Simple Editor.

Https redirect and headers

By default the Apache configuration does not send security relevant headers, and it does not redirect to SSL either. This is fine, as you need a certificate first and can redirect after that.

So first I enable AutoSSL for my new user account and the assigned domain. As soon as the certificate is in place, I create and upload the .htaccess shown below.

RewriteEngine On
RewriteCond %{HTTPS} off
# only needed if you have nginx proxy enabled
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin"
Header always set Content-Security-Policy "default-src 'self' https: *.YOURDOMAIN; script-src 'self'; style-src 'self' 'unsafe-inline'"

Header always set Feature-Policy "microphone 'none';camera 'none';payment 'none';usb 'none'"

Some apache settings for ssl and security

httpd.conf

We just like to hide some information from the rest of the world.

ServerTokens Prod
ServerSignature Off
TraceEnable off
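Whether the .htaccess headers and the httpd.conf changes above actually reach the client is easy to verify from the outside. The script below is an added example, not part of the original post: it audits a captured response header block for the security headers, a one-year HSTS max-age and a Server header without a version (what ServerTokens Prod leaves), and checks that a plain-http request is answered with a 301 to https://. The sample responses it contains are constructed; feed it real output with curl -sI.

```shell
# Added example, not from the original post: audit a captured HTTP response
# header block for what the .htaccess and httpd.conf changes above are meant
# to produce (the security headers, a one-year HSTS, a Server header without a
# version) and check that plain-http requests get a 301 to https://.
# Feed it real output with:  curl -sI https://www.example.com/ | audit_headers
# The sample responses below are constructed for the demo.

# audit_headers: reads headers on stdin, prints one line per finding and
# returns 0 only when there is nothing to report.
audit_headers() {
    hdrs=$(tr -d '\r')          # raw/curl output has CRLF line endings
    findings=0
    for h in Strict-Transport-Security X-Content-Type-Options X-Frame-Options \
             X-Xss-Protection Referrer-Policy Content-Security-Policy; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "missing: $h"
            findings=$((findings + 1))
        fi
    done
    # HSTS is only useful with a long max-age; the .htaccess above uses one year
    maxage=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' \
             | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -n "$maxage" ] && [ "$maxage" -lt 31536000 ]; then
        echo "weak: HSTS max-age $maxage is below one year"
        findings=$((findings + 1))
    fi
    # With ServerTokens Prod the header is just "Server: Apache"; a slash
    # means the version (and possibly OpenSSL/PHP versions) is still exposed
    if printf '%s\n' "$hdrs" | grep -i '^Server:' | grep -q '/'; then
        echo "leak: Server header reveals a version"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# redirect_ok: reads the response to a plain-http request on stdin and
# returns 0 when it is a 301 whose Location points at https://
redirect_ok() {
    r=$(tr -d '\r')
    printf '%s\n' "$r" | head -n 1 | grep -q ' 301 ' &&
        printf '%s\n' "$r" | grep -qi '^Location: https://'
}

# Constructed samples: what the hardened vhost returns, the stock response,
# and the redirect the RewriteRule produces.
sample_hardened() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
        'Strict-Transport-Security: max-age=31536000; includeSubDomains' \
        'X-Content-Type-Options: nosniff' 'X-Frame-Options: SAMEORIGIN' \
        'X-Xss-Protection: 1; mode=block' 'Referrer-Policy: strict-origin' \
        "Content-Security-Policy: default-src 'self' https:; script-src 'self'"
}
sample_default() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips' 'Content-Type: text/html'
}
sample_redirect() {
    printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' 'Location: https://www.example.com/'
}

# Run with "demo" as the first argument to see the three samples audited.
if [ "${1:-}" = "demo" ]; then
    echo "hardened:"; sample_hardened | audit_headers && echo "  no findings"
    echo "default:";  sample_default | audit_headers
    echo "redirect:"; sample_redirect | redirect_ok && echo "  ok"
fi
```

Against a live host, run `curl -sI https://www.example.com/ | audit_headers` and `curl -sI http://www.example.com/ | redirect_ok`; if the headers are missing on the https response but present in .htaccess, mod_headers is usually not loaded or AllowOverride does not permit the directives for that vhost.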

hostname-ssl.conf

As the default SSL host has its own configuration, we make sure it is aligned with the defaults.

SSLProtocol -ALL +TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

SSLProxyProtocol -ALL +TLSv1.2
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

ssl.conf

Configure the default TLS parameters. We only allow TLS 1.2 and high and medium cipher suites. This way, older devices may have a chance to communicate with the server. Don’t be too gentle here if you do not have to.

<IfModule !ssl_module>
	LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder on
#SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

SSLProxyProtocol -ALL +TLSv1.2
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

CWP Configuration Templates for apache_ssl

We disable the cipher and protocol settings in the vhost template so that the vhosts use the defaults configured above.

#SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

When ready, rebuild the vhost configuration for all of your hosts. Beware that you may lose your custom vhost changes / settings in this file.

Restart Apache after updating the configuration files and check your results with https://www.ssllabs.com/ssltest/. You should be able to get an A+ rating.

CWP Pro

The installation contains the free version of CentOS Web Panel, and you are asked to upgrade to the “pro” version by donating $1 per month or $10 per year. By doing so you unlock some more features like the setup of monit monitoring and more rules for mod_security. It is up to you, but for me it feels right to spend these $10.

Conclusion

I set up my server using the centos web panel and dropped my vesta cp setup.

Here are the points I like about CentOS Web Panel

  • A complete setup of all services
  • The admin panel does not miss any functionality
  • Includes easy Let’s Encrypt support for the admin panels
  • Keeps control over the whole configuration of the services
  • FTP uses TLS by default
  • Nice hints and checks to improve the configuration
  • Easy to understand UI for the firewall including temporary blocks
  • All the nice tools like roundcube and phpmyadmin included

What I do not like so far

  • The structure of the main menu in the admin (not customer) panel (e.g. “Network configuration” info is located under “Service SSH”)
  • The bugs in the main menu with open and collapse of the categories
  • Some pages open in a new tab / window and some not. I would like to be able to decide on my own depending on my current tasks.
  • The license so far. I would prefer a true free software.

VestaCP provides more or less the same functionality, but not all tasks are supported as well as with CentOS Web Panel. There is no TLS support for FTP configured by default and no Let’s Encrypt support for the panel. This is not a big problem, as one may configure this by hand, but it was one of the things that made my decision. The unknown for me is CentOS, because I’m used to Debian based systems. But I think I’ll learn that quite quickly :-D

I set up a mirror of this blog at haefelfinger.org to test the system and integration. If all goes well, I’ll move all my pages to this new server.

Ah yea and I have to finish my IPv6 setup :-D