How to reinstall CSF into DA?

beansbaxter

When DA was installed a few years ago, I also installed CSF using the following:

Code:
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

But then I read this post, which says I should have used this command for the install line:
Code:
sh install.directadmin.sh

Should I uninstall CSF and redo it again?

I've been getting a megaton of Cloudflare 520 errors in the last few weeks, and I've made sure Cloudflare's current IP addresses are added to CSF whitelist, but I don't know what else to try/do to stop these completely random 520 errors that are not showing up in any logs. Frustrating, to say the least.
 
Running sh install.sh is enough; the install.sh script will check what control panel you are using, then it will run the appropriate .sh script file.

Cloudflare error 520 isn't always about the firewall; check your web server log for more information about it.
 
I hope indeed that install.sh will check what control panel you're using. It's easy to check: if the ports for mail and port 2222 are enabled in CSF, then it's OK. Be sure to check that the paths for the log files are correct.

That having been said, ./install.directadmin.sh does not integrate Cloudflare IPs into its whitelist either. If you need that, you should add them manually.
However, first check what Rosehosting said about the web server log for info about the errors.
 
The default install command appears to work great for DA. It does keep the 2222 port open.

During the configuration of CSF, before I enable it, I add my dedicated SSH port and whitelist all Cloudflare IP addresses.

I'm still getting completely random 520 errors with Cloudflare. Refreshing the page always works good again, but it started happening across hundreds of websites across multiple DA servers. Clients report the problem, and of course there is no pattern.

Looking through the error logs, there is nothing.

I've been using Cloudflare for years and this never happened before... not sure what else to try...
 
I presume port 53 udp is also open incoming and outgoing.
I don't think Cloudflare 520 errors are a CSF issue but rather a site or DNS issue.

I've found a site to see how to fix Cloudflare's error 520 issues, but that's completely in Dutch.

Did you also look at the server logs? Not only the error logs, but also the logs of the domains with the most issues.
Don't forget to check DNS logs too.
 
Send it my way, please. I can use Google Translate.

I have checked server logs throughout, nothing looks out of place. And unfortunately, Cloudflare doesn't do much in helping to understand the 520 error. I'm truly at a loss.

Hundreds of websites across multiple DA servers running fine, with zero problems, for a very long time. And all of a sudden, every one of these websites all are getting these completely random 520 Cloudflare errors.
 
Maybe it is related to SYNFlood Protection in the CSF firewall?
Try disabling it.

csf.ignore doesn't ignore this option (in the past I tried with this option).
 
I checked and this function was already set to off. That must have been the default CSF settings, as I never changed it.

Thanks for the suggestion.
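
The checks suggested in the replies above (port 2222 and the mail ports in TCP_IN, port 53 UDP in and out, SYNFLOOD off) can be run against csf.conf in one pass. This is an added example, not part of any forum post and not CSF's own tooling; the function names, the mail port set and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a csf.conf for the settings discussed in this thread.

# Print the quoted value of KEY ($2) from a csf.conf-style file ($1).
csf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if port $3 is in list KEY ($2); lists are comma separated, ranges are low:high.
csf_port_open() {
    for item in $(csf_get "$1" "$2" | tr ',' ' '); do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ] && return 0 ;;
            *)   [ "$item" = "$3" ] && return 0 ;;
        esac
    done
    return 1
}

# Print one line per finding; the return status is the number of findings.
csf_audit() {
    fails=0
    # 2222 = DirectAdmin panel; the mail port set below is an assumption.
    for p in 2222 25 465 587 110 995 143 993; do
        csf_port_open "$1" TCP_IN "$p" || { echo "TCP_IN lacks $p"; fails=$((fails + 1)); }
    done
    for key in UDP_IN UDP_OUT; do          # DNS over UDP, in and out
        csf_port_open "$1" "$key" 53 || { echo "$key lacks 53"; fails=$((fails + 1)); }
    done
    [ "$(csf_get "$1" SYNFLOOD)" = "0" ] || { echo "SYNFLOOD is not off"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample config, not taken from a real server.
sample_conf() {
    cat <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
SYNFLOOD = "0"
EOF
}

conf=${1:-}
if [ -z "$conf" ]; then conf=$(mktemp); sample_conf > "$conf"; fi
csf_audit "$conf" && echo "no findings in $conf"
[ -n "${1:-}" ] || rm -f "$conf"
```

Pass the path of the real file (normally /etc/csf/csf.conf) as the first argument; with no argument the script audits the constructed sample.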
 
Researching other possibilities, and many people have reported some issues with the SSL.

I checked the current OpenSSL version on DA is 1.0.2
Code:
[root@server ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

And looks like the most recent stable release is OpenSSL 1.1.1k (25 March 2021)

Doing a "yum update" on CentOS 7 shows no updates available.
 
You can't simply update OpenSSL via yum, because all internal services are using it.
So there are two ways - move to a new OS with a new kernel and OpenSSL, or recompile the needed services with a custom OpenSSL version (there were a few manuals on the forum, you can search for them).
 
I also think it might have to do with the OpenSSL version, but CentOS (not DA) is not using a newer version by default, so a yum update will not help.
CentOS 8 uses OpenSSL 1.1.1g, so also still not the newest, which is quite normal in CentOS. Maybe AlmaLinux uses a newer one.

As requested:

this might be the same in English, I didn't check:

and found one from Cloudflare itself, but you've probably already seen that:
 
Custom OpenSSL is and stays a problem you then have to handle every time with an update, and sometimes things break.

If you can and have a choice, better update the OS; if not, OK, then you need custom.

But take care with versions. I did some testing a year ago, and not all the newest are supported.

For the browser errors: Let's Encrypt did have an update, and then, yup, older browsers are not supported with that older OpenSSL. I don't know if this is the cause of your problems in the log files, but do some reading; as far as I remember, somewhere at Let's Encrypt there is something about updating the basic certs and which OpenSSL version is supported and how...
 
I don't think OpenSSL is the problem.

Looking at the timing of when customers reported the errors, it was the same window when I updated Apache/PHP on the DA servers. I did all the standard server updates, and a week later, every customer on every server is all experiencing these random 520 errors.

Nothing in the logs.

I've tried rebuilding Apache and PHP. Nothing changes.

This is unbelievable. Everything has been working great for the last few years, and now a wave of errors.

I'm very frustrated...
 
It is maybe the combination from some more; see the starting changes at Let's Encrypt (that is a combination of OpenSSL and more, also the DA script and some certs), 4 May.


The Let's Encrypt forum is hot, but I don't know about Cloudflare; and do you use LE?
 
Yes, using the latest version of Let's Encrypt on the DA side.

Cloudflare is running Full SSL, so the end user is using Cloudflare's SSL Certificate in their browser. On the DA side, Let's Encrypt still runs and renews the server side certificate automatically.

This SSL configuration has not been changed, so I didn't expect this to be the problem.
 
What I am trying to say is that there are more problems after the changes to Let's Encrypt and the DA Let's Encrypt script and certs; please read the topics I linked to.


Could be related for some visitors with some browsers / devices, or even maybe some Cloudflare...

Oh yeah, the Dutch manual Richard linked for you says to first disable Cloudflare to find out if it is the server itself, or Cloudflare, or a combination.
That manual also covers how to pause Cloudflare! ;)
 
I will disable Cloudflare and troubleshoot.
 
I disabled Cloudflare within the dashboard, and the Cloudflare 520 errors still randomly show up.
Uh, "Cloudflare 520" errors or "520" errors?

Of course there is a delay in logs and errors, and it takes time before Cloudflare is actually off at the client site.

In the same manual there are more tips and where to look, whether on the server or in the application.


But as I wrote, the changes to Let's Encrypt, DA and co. could be related, even if, for example, timeouts / timings / delays are changed by those.

Also compare statistics before and after these 520s: more load / visits / traffic?
 