After 2 years a new install & questions on the provided config file.

webunity

Verified User
Joined
Sep 23, 2014
Messages
49
I am planning on running Magento 2 on my new server so I am going for a PHP 7.x server setup only and migrate sites on a per-site basis. It has been quite some time since I've looked at CustomBuild 2 options.conf and I see a lot has changed in the last couple of years. Of course I've checked the CustomBuild 2.0 FAQ (DirectAdmin 1.46 or later is recommended) page for all the options where something wasn't clear for me.

I hope you can help tune my options.conf. Please take a look at the following sections and feel free to advise me where needed.

Code:
#PHP Settings
php1_release=7.1
php1_mode=php-fpm
php2_release=no (was 5.6)
php2_mode=php-fpm
secure_php=yes (was: no)
opcache=yes
htscanner=no
php_ini=no
php_timezone=Europe/London
php_ini_type=production
ioncube=yes
zend=yes
suhosin=yes (was: no)
x_mail_header=no (was: yes)

Q: Where do I find the latest PHP version supported?
Q: I want to run the sites (PHP scripts) as the user itself. In the past I've installed mod_ruid2 on the server by manually installing it and it has worked fine ever since. I now see that php-fpm does the same?

Code:
#MySQL Settings
mysql=5.7 (was 5.6)
mariadb=10.3 (was 10.2)
mysql_inst=mariadb
mysql_backup=yes
mysql_backup_gzip=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no (<- Flag is not mentioned in the FAQ)

I see nothing strange here

Code:
#WEB Server Settings
webserver=apache
http_methods=GET:HEAD:POST
litespeed_serialno=trial
modsecurity=no
modsecurity_ruleset=comodo
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
userdir_access=yes
harden_symlinks_patch=yes
use_hostname_for_alias=no
redirect_host=localhost.localdomain
redirect_host_https=no

Q: What is the advice on mod_security?
Q: mod_ruid2 can remain to 0 if I use php-fpm?

Code:
#WEB Applications Settings
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes
webapps_inbox_prefix=no

Q: webapps_inbox_prefix is set to "no", but my roundcube config has this line: $config['default_folders'] = array('INBOX', 'Drafts', 'Sent', 'INBOX.spam', 'Trash'); isn't the "INBOX.spam" value strange? Shouldn't this be just "Spam" or "Junk"?

Code:
#ClamAV-related Settings
clamav=yes (was: no)
clamav_exim=yes
modsecurity_uploadscan=yes
proftpd_uploadscan=yes
pureftpd_uploadscan=yes
suhosin_php_uploadscan=yes

Q: I would like to scan for viruses of course, especially in the emails I receive. If the option "clamav" is set to "no" would that mean also no e-mail scanning would occur? That would be strange considering the default for "clamav_exim" is "yes", right?
Q: Can I enable all uploadscans? Will that also scan files uploaded through WinSCP for example?
Q: Will ClamAV also auto-update the definitions? (e.g. running freshclam?)

Code:
#Mail Settings
exim=yes
eximconf=yes
eximconf_release=4.5
blockcracking=no
easy_spam_fighter=yes
spamd=spamassassin
sa_update=daily
dovecot=yes
dovecot_conf=yes
pigeonhole=yes (was no; set to yes to enable SIEVE auto-replies)

Q: Regarding "mail_sni": is my assumption correct that, whenever I have set "mail_sni" to "1" and I create a certificate for a customer domain using letsencrypt, SSL will be enabled for the mailserver "mail.customerdomein.ext"?
Q: If I enable pigeonhole, I assume I still need to follow this guide from Poralix in order to set everything up correctly. However, if I ONLY use vacation responders, I do not need pigeonhole at all, right?

Code:
#Statistics Settings
awstats=no
webalizer=yes

Q: In my current setup I use awstats, are there any reasons to switch to Webalizer? I've read that Webalizer doesn't differentiate between bots & humans.

Code:
#CustomBuild Settings
custombuild=2.0
autover=yes
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
[I]downloadserver=files6.directadmin.com[/I]

Q: I have removed 'downloadserver' since I assume DA will sort that out for me. Correct?

Code:
#Cronjob Settings
cron=yes
cron_frequency=weekly
[email protected]
notifications=yes
da_autoupdate=yes
updates=no
webapps_updates=yes

Q: Regarding webapps_updates: if I add a plugin to the roundcube directory, and also to /var/www/html/roundcube/config/config.inc.php, is this plugin removed and/or the config overwritten when DA updates roundcube?

I have done loads of other configuration but I will ask about that once my DA setup has been done.
 
I am planning on running Magento 2 on my new server so I am going for a PHP 7.x server setup only and migrate sites on a per-site basis. It has been quite some time since I've looked at CustomBuild 2 options.conf and I see a lot has changed in the last couple of years. Of course I've checked the CustomBuild 2.0 FAQ (DirectAdmin 1.46 or later is recommended) page for all the options where something wasn't clear for me.

I hope you can help tune my options.conf. Please take a look at the following sections and feel free to advise me where needed.

Code:
#PHP Settings
php1_release=7.1
php1_mode=php-fpm
php2_release=no (was 5.6)
php2_mode=php-fpm
secure_php=yes (was: no)
opcache=yes
htscanner=no
php_ini=no
php_timezone=Europe/London
php_ini_type=production
ioncube=yes
zend=yes
suhosin=yes (was: no)
x_mail_header=no (was: yes)

Q: Where do I find the latest PHP version supported?
A:
Code:
grep PHP1_RELEASE_SET= build
Q: I want to run the sites (PHP scripts) as the user itself. In the past I've installed mod_ruid2 on the server by manually installing it and it has worked fine ever since. I now see that php-fpm does the same?
A: Yes, php-fpm runs php as the User. mod_ruid2 is not required. In fact the only combination to NOT have php run as the User is mod_php with mod_ruid2=no.
All other combinations run php as the User. I believe mod_ruid2=yes and php-fpm can still be used if you want, but not required.

Code:
#MySQL Settings
mysql=5.7 (was 5.6)
mariadb=10.3 (was 10.2)
mysql_inst=mariadb
mysql_backup=yes
mysql_backup_gzip=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no (<- Flag is not mentioned in the FAQ)
A: The mysql_force_compile=yes is really only for Debian/FreeBSD where they might not have binaries provided. You'd only set this if you know you need to.

I see nothing strange here

Code:
#WEB Server Settings
webserver=apache
http_methods=GET:HEAD:POST
litespeed_serialno=trial
modsecurity=no
modsecurity_ruleset=comodo
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
userdir_access=yes
harden_symlinks_patch=yes
use_hostname_for_alias=no
redirect_host=localhost.localdomain
redirect_host_https=no

Q: What is the advice on mod_security?
A: It filters GET requests that it thinks are suspicious. It's another layer of security to use, in case you don't trust the website scripts are written securely.
Q: mod_ruid2 can remain to 0 if I use php-fpm?
A: Yes, mod_ruid2 is for httpd, and because php-fpm is a separate process, mod_ruid2 has no effect on php-fpm, thus doesn't matter what you set (aside from the fact that httpd needs to read the php sockets as each User, rather than as "apache", but again, shouldn't matter, permissions should support either).

Code:
#WEB Applications Settings
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes
webapps_inbox_prefix=no
Q: webapps_inbox_prefix is set to "no", but my roundcube config has this line: $config['default_folders'] = array('INBOX', 'Drafts', 'Sent', 'INBOX.spam', 'Trash'); isn't the "INBOX.spam" value strange? Shouldn't this be just "Spam" or "Junk"?
A: Looking at the build script, the webapps_inbox_prefix option only affects Trash, Sent, Drafts.
Because the /etc/virtual/domain.com/filter file is written by DA, not CB, it's a directadmin.conf setting (I had to dig back to see how we did it)
https://www.directadmin.com/features.php?id=2024

Code:
#ClamAV-related Settings
clamav=yes (was: no)
clamav_exim=yes
modsecurity_uploadscan=no
proftpd_uploadscan=no
pureftpd_uploadscan=no
suhosin_php_uploadscan=no

Q: I would like to scan for viruses of course, especially in the emails I receive. If the option "clamav" is set to "no" would that mean also no e-mail scanning would occur? That would be strange considering the default for "clamav_exim" is "yes", right?
A: If you want clamav installed, you must have clamav=yes. Without that, no other clamav setting will have any effect.
So if clamav=yes is set and installed, then clamav_exim=yes, with a rewrite of the exim.conf should scan emails for viruses.
Q: Can I enable all uploadscans? Will that also scan files uploaded through WinSCP for example?
A: No, only functionality that supports upload hooks, like php or ftp will scan the uploads. (scp may have a hook, but I'm not aware of it)
Q: Will ClamAV also auto-update the definitions? (e.g. running freshclam?)
A: Yes, I believe it does that with the cb2 cron update (See #3) when it automatically does a ./build update (even without actually updating things). This might need to be confirmed, as I don't play with it too often.

Code:
#Mail Settings
exim=yes
eximconf=yes
eximconf_release=4.5
blockcracking=no
easy_spam_fighter=yes
spamd=spamassassin
sa_update=daily
dovecot=yes
dovecot_conf=yes
pigeonhole=yes (was no; set to yes to enable SIEVE auto-replies)

Q: Regarding "mail_sni": is my assumption correct that, whenever I have set "mail_sni" to "1" and I create a certificate for a customer domain using letsencrypt, SSL will be enabled for the mailserver "mail.customerdomein.ext"?
A: Yes. Assumes you've got a recent exim.conf (eg: 4.5.x) and an OS that supports SNI (CentOS 6 and newer)
Q: If I enable pigeonhole, I assume I still need to follow this guide from Poralix in order to set everything up correctly. However, if I ONLY use vacation responders, I do not need pigeonhole at all, right?
A: Another area I don't frequent, but looking at the guide, it's old and CB2 already does that automatically with the ./build dovecot_conf if you have pigeonhole enabled in the options.conf. So I believe that's a "no", I don't think the guide is needed to set up pigeonhole/dovecot. Just confirm the filter options show up correctly in RoundCube/SquirrelMail (wherever they're supposed to be visible). May need ./build roundcube to set that.


Code:
#Statistics Settings
awstats=no
webalizer=yes

Q: In my current setup I use awstats, are there any reasons to switch to Webalizer? I've read that Webalizer doesn't differentiate between bots & humans.
A: Awstats is more current and most prefer it over webalizer. Webalizer is the original stats tool, but is static, but simpler to use (from DA's point of view).
Awstats is much more feature rich and is dynamic for past months, etc., at the cost of a messy script we've created to call it for each account.

Code:
#CustomBuild Settings
custombuild=2.0
autover=yes
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
[I]downloadserver=files6.directadmin.com[/I]

Q: I have removed 'downloadserver' since I assume DA will sort that out for me. Correct?
A: I believe it should be re-added. If not, try:
Code:
./build set_fastest

Code:
#Cronjob Settings
cron=yes
cron_frequency=weekly
[email protected]
notifications=yes
da_autoupdate=yes
updates=no
webapps_updates=yes

Q: Regarding webapps_updates: if I add a plugin to the roundcube directory, and also to /var/www/html/roundcube/config/config.inc.php, is this plugin removed and/or the config overwritten when DA updates roundcube?
A: If you directly edited it, yes, it would get removed.
Use this guide:
https://help.directadmin.com/item.php?id=365

I have done loads of other configuration but I will ask about that once my DA setup has been done.

Hope that helps clarify things :)

John
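
Two dependencies stated in the answers above can be checked mechanically: without clamav=yes no other ClamAV option has any effect, and mod_php with mod_ruid2=no is the only combination in which PHP does not run as the User. The shell lint below is an added example, not part of the original posts or of CustomBuild; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CustomBuild code: lint an options.conf for two rules
# taken from the answers in this thread.

# get_opt FILE KEY: print the value of the last KEY=value line, or nothing.
get_opt() {
	sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_options FILE: print one WARN line per finding.
check_options() {
	conf=$1
	# Rule 1: without clamav=yes no other ClamAV setting has any effect.
	clam=$(get_opt "$conf" clamav)
	if [ "$clam" != "yes" ]; then
		for k in clamav_exim modsecurity_uploadscan proftpd_uploadscan \
			pureftpd_uploadscan suhosin_php_uploadscan; do
			if [ "$(get_opt "$conf" "$k")" = "yes" ]; then
				echo "WARN: $k=yes has no effect while clamav=${clam:-unset}"
			fi
		done
	fi
	# Rule 2: mod_php with mod_ruid2=no is the only combination in which
	# PHP does not run as the User. Disabled PHP slots (release=no) are skipped.
	if [ "$(get_opt "$conf" mod_ruid2)" = "no" ]; then
		for n in 1 2; do
			rel=$(get_opt "$conf" "php${n}_release")
			mode=$(get_opt "$conf" "php${n}_mode")
			if [ -n "$rel" ] && [ "$rel" != "no" ] && [ "$mode" = "mod_php" ]; then
				echo "WARN: php${n}_mode=mod_php with mod_ruid2=no: PHP $rel does not run as the User"
			fi
		done
	fi
}

# Constructed sample input, not a real server's options.conf.
write_sample() {
	cat > "$1" <<'EOF'
php1_release=7.1
php1_mode=mod_php
php2_release=no
php2_mode=mod_php
mod_ruid2=no
clamav=no
clamav_exim=yes
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && check_options "$tmp"; rm -f "$tmp"
```

On a real server the file to pass to check_options is the options.conf in the CustomBuild directory.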
 
Thanks! So I will enable spamassassin by default by using my old script:
Code:
#!/bin/sh
# Expects $spam and $username to be set in the environment by the caller.
if [ "$spam" = "ON" ]; then
	DIR="/home/$username/.spamassassin"
	if [ ! -d "$DIR" ]; then
		mkdir "$DIR"
	fi

	# Create default settings
	if [ ! -f "$DIR/user_prefs" ]; then
		touch "$DIR/user_prefs"
		# Quoted so the shell does not glob-expand the asterisks
		echo 'rewrite_header Subject *****SPAM*****' > "$DIR/user_prefs"
		echo 'report_safe 1' >> "$DIR/user_prefs"
	fi

	# Finish up
	chown "${username}:mail" "$DIR"
	chmod 771 "$DIR"
	chown "$username:$username" "$DIR/user_prefs"
	chmod 755 "$DIR/user_prefs"
	touch "$DIR/spam"
	chown "mail:$username" "$DIR/spam"
	chmod 660 "$DIR/spam"
fi
exit 0

And I'll enable my spamassassin learn script, so my customers can move 'SPAM' to the spam folder themselves:
Code:
#!/bin/sh

#----------------------------------------------------------
# Functions
#----------------------------------------------------------
# Train SpamAssassin from the .INBOX.spam and .INBOX.ham folders of one Maildir
learn_Maildir()
{
	FILESPAM="${1}/.INBOX.spam"
	if [ ! -d "$FILESPAM" ]; then
		mkdir "$FILESPAM"
	fi

	FILEHAM="${1}/.INBOX.ham"
	if [ ! -d "$FILEHAM" ]; then
		mkdir "$FILEHAM"
	fi

	# /bin/sh has no {cur,new} brace expansion, so both directories are passed explicitly
	if [ -d "${FILESPAM}/new" ] || [ -d "${FILESPAM}/cur" ]; then
		echo "learning spam via ${FILESPAM}..."
		sa-learn --no-sync --spam "${FILESPAM}/cur" "${FILESPAM}/new"
	fi

	if [ -d "${FILEHAM}/new" ] || [ -d "${FILEHAM}/cur" ]; then
		echo "learning ham via ${FILEHAM}..."
		sa-learn --no-sync --ham "${FILEHAM}/cur" "${FILEHAM}/new"
	fi

	# Delete teach data?
	rm -f "${FILESPAM}"/new/* "${FILESPAM}"/cur/*
	rm -f "${FILEHAM}"/new/* "${FILEHAM}"/cur/*
}

#----------------------------------------------------------
# Start script
#----------------------------------------------------------
for DA_HOME in /home/*; do
	DA_USER=${DA_HOME##*/}

	# Don't process these users
	if [ "${DA_USER}" = "tmp" ] || [ "${DA_USER}" = "ftp" ]; then
		continue
	fi

	if [ -d "$DA_HOME/Maildir" ]; then
		learn_Maildir "$DA_HOME/Maildir"
	fi

	if [ ! -d "$DA_HOME/imap" ]; then
		continue
	fi

	for DOMAIN_DIR in "$DA_HOME"/imap/*; do
		# Skip symlinked domain directories
		if [ -h "$DOMAIN_DIR" ]; then
			continue
		fi

		for maildir in "$DOMAIN_DIR"/*/Maildir; do
			# An unmatched glob stays literal, so check that the directory exists
			if [ -d "$maildir" ]; then
				learn_Maildir "$maildir"
			fi
		done
	done
done

echo "syncing..."
sa-learn --sync

echo "current status:"
sa-learn --dump magic

exit 0

Enable the cronjob:
Code:
nano /etc/cron.d/webunity_cron

Code:
MAILTO="[email protected]"
0 */6 * * * root /usr/local/sbin/SpamAssassin-learn.sh

I only need to tune some defaults, for which I think I can use this forum post.

update: get additional info from; https://help.directadmin.com/item.php?id=304
 
Update: Martynas pointed out a feature that would be helpful:
Code:
./build opt_help
or
./build opt_help full
John
 