CSF V10

yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

CSF V10

Post by yoyo699 »

I have upgraded to last CSF :
https://download.configserver.com/csf/changelog.txt

I'm very interested in adding https use to messenger which I use fine for years

Logs
Feb 27 18:45:31 web1 lfd[611595]: MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location
Feb 27 18:45:31 web1 lfd[611595]: MESSENGER: HTTPS service temporarily DISABLED

See in csf.conf

This option points to the file(s) containing the Apache VirtualHost SSL
definitions. This can be a file glob if there are multiple files to search.
Only Apache v2 SSL VirtualHost definitions are supported
MESSENGER_HTTPS_CONF = /usr/local/apache/conf/httpd.conf

Just tell me what to do, since we have hostname ssl, and a lot from client users on server...
yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

Re: CSF V10

Post by yoyo699 »

I now installed Perl Module "IO::Socket::SSL"

rebuilt apache in case

We still get :
Feb 27 19:42:53 web1 lfd[665784]: MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location
Feb 27 19:42:53 web1 lfd[665784]: MESSENGER: HTTPS service temporarily *DISABLED*
yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

Re: CSF V10

Post by yoyo699 »

Nothing is working :

Searching IO::Socket::SSL on cpanmetadb (http://cpanmetadb.cpanel.net/v1.0/packa ... ocket::SSL) ...
Source: httpupdate.cpanel.net ... IO::Socket::SSL is up to date. (1.94)
yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

Re: CSF V10

Post by yoyo699 »

I am pretty sure there is no perl issue

error is
MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location

After some investigation, i found that csf is a little myopic, he does not recognize the setting of nginx proxy which listens on port 4430 for 443

After adding this port in messenger port settings, all works
yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

Re: CSF V10

Post by yoyo699 »

I observe that lfd SSL messenger is eating already 3% memory, let say 4 GB
on our server

seem abnormal
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF V10

Post by ForumAdmin »

lfd will only detect Apache SSL virtualhost definitions that you point that MESSENGER_HTTPS_CONF to of the regex formats:

Code: Select all

^\s*<VirtualHost .*:(\d+)> # where (\d+) matches one of the ports you list in MESSENGER_HTTPS_IN
\s*ServerName\s+(\S+)
\s*ServerAlias\s+(.*) # this is optional
\s*SSLCertificateFile\s+(\S+)
\s*SSLCertificateKeyFile\s+(\S+)
^\s*<\/VirtualHost>
If you have Apache SSL virtualhost definitions in the file glob that you have pointed MESSENGER_HTTPS_CONF to, then you need to post an example that contains those attributes that you believe is not being detected.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF V10

Post by ForumAdmin »

yoyo699 wrote: 27 Feb 2017, 20:43 I observe that lfd SSL messenger is eating already 3% memory, let say 4 GB
on our server
That is likely due to the session cache size used by IO::Socket::SSL and the Net::SSLeay instance. It is also likely to be a factor of the number of certificates being served multiplied by the number of domains and aliases.

It's likely the cost for using the feature and little, if anything, that we can do about it.
yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

Re: CSF V10

Post by yoyo699 »

This is a busy shared hosting server with more than 1000 websites on it, and lots are using SSL....

This feature is really interesting, this will decrease tickets opened from clients being frustrated because they see suddenly : ssl error connect, not seeing then our custom message to unblock themselves alone from client area with module unblockip from modulesgarden....

When I checked this morning i have found in double the process this time ;
lfd HTTPS messenger
I now put only 4430, and not 443 at same time
let see

1.
This is what i have in httpd.conf for 1 ssl domain

<VirtualHost 151.90.108.15:4430>
ServerName user.name.com
ServerAlias mail.user.name.com www.user.name.com
DocumentRoot /home/username/public_html
ServerAdmin webmaster@user.name.com
UseCanonicalName Off
Options -ExecCGI -Includes
RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
CustomLog /etc/apache2/logs/domlogs/user.name.com combined
<IfModule log_config_module>
<IfModule logio_module>
CustomLog /etc/apache2/logs/domlogs/user.name.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
</IfModule>
</IfModule>
## User username # Needed for Cpanel::ApacheConf
<IfModule userdir_module>
<IfModule !mpm_itk.c>
<IfModule !ruid2_module>
UserDir disabled
UserDir enabled username
</IfModule>
</IfModule>
</IfModule>

# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# http://httpd.apache.org/docs/2.4/mod/mo ... exprparser
<IfModule mod_include.c>
<Directory "/home/username/public_html">
SSILegacyExprParser On
</Directory>
</IfModule>

<IfModule mod_suphp.c>
suPHP_UserGroup username username
</IfModule>
<IfModule suexec_module>
<IfModule !mod_ruid2.c>
SuexecUserGroup username username
</IfModule>
</IfModule>
<IfModule ruid2_module>
RMode config
RUidGid username username
</IfModule>
<IfModule mpm_itk.c>
# For more information on MPM ITK, please read:
# http://mpm-itk.sesse.net/
AssignUserID username username
</IfModule>

<IfModule ssl_module>
SSLEngine on

SSLCertificateFile /var/cpanel/ssl/installed/certs/user_name_com_d339b_8b65d_1492905599_6323db27dcd34ac3962c547deb7eecf9.crt
SSLCertificateKeyFile /var/cpanel/ssl/installed/keys/d339b_8b65d_8432e236ccad45730b6c56e5e8fda202.key
SSLCACertificateFile /var/cpanel/ssl/installed/cabundles/cPanel_Inc__681917bfb43af6b642178607e0b36ccc_1747526399.cabundle
CustomLog /etc/apache2/logs/domlogs/user.name.com-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Directory "/home/username/public_html/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</IfModule>

2.
For high memory usage, I suggest simply that by default, ssl of hostname be used, it is a too costly gadget to consume such amount of RAM just for the luxury to display to client its own domain with SSL if any

OR, I suggest that we have the choice to choose this behavior in CSF setting :
Use only SSL hostname : ON/OFF
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF V10

Post by ForumAdmin »

yoyo699 wrote: 28 Feb 2017, 05:13 For high memory usage, I suggest simply that by default, ssl of hostname be used, it is a too costly gadget to consume such amount of RAM just for the luxury to display to client its own domain with SSL if any
If you only want to offer the hostname certificate, then you can create a separate file and point MESSENGER_HTTPS_CONF to it with just a single VirtualHost in it mimicking what you find in the Apache configuration that just contains a section specifying the hostname certificate and key. All connections would then fallback to that key. However, due to the way SSL works, all browsers will throw an exception message as the certificate will only match if the user browsed to the server hostname.
yoyo699
Junior Member
Posts: 16
Joined: 22 Oct 2016, 11:37

Re: CSF V10

Post by yoyo699 »

Then it's not good solution, we don't need a warning on top of all this....
Post Reply