Fidolas

May be you should change line 87 in /scripts/cwp_security_audit like this: local CURRENT_PORTS=$(ss -ltnp | grep "pid=$PID," | sed -nE 's/.*:([0-9]+).*/\1/p') This way there is no false positives. Or may be, even better: local CURRENT_PORTS=$(ss -ltnp state listening | grep "pid=$PID," | sed -nE 's/.*:([0-9]+).*/\1/p' | sort -u) and after the "for ... do" line: [[ "$PORT" =~ ^[0-9]+$ ]] || continue to avoid garbage.

May be that this also helps on EL9, because imap can't be natively installed from PECL: imap.sh #!/bin/bash set -euo pipefail BASEPATH="/opt/alt/php-fpm85" TMPDIR="/tmp/imap-rpm" RPM_URL="https://rpms.remirepo.net/enterprise/9/modular/x86_64/php-pecl-imap-1.0.3-1.module_php.8.5.el9.remi.x86_64.rpm" echo "[*] Cleaning temporary folder..." rm -rf "$TMPDIR" mkdir -p "$TMPDIR" cd "$TMPDIR" echo "[*] Downloading IMAP RPM..." wget -q --show-progress "$RPM_URL" -O php-pecl-imap.rpm echo "[*] Extracting RPM without installing..." rpm2cpio php-pecl-imap.rpm | cpio -idmv >/dev/null # Detect PHP extension directory EXT_DIR=$("$BASEPATH/usr/bin/php" -r 'echo ini_get("extension_dir");') if [[ ! -d "$EXT_DIR" ]]; then echo "[*] Creating extension directory at $EXT_DIR" mkdir -p "$EXT_DIR" fi echo "[*] Copying imap.so to $EXT_DIR" cp "$TMPDIR/usr/lib64/php/modules/imap.so" "$EXT_DIR/" # Detect php.d folder PHP_D_DIR="$BASEPATH/usr/php/php.d" if [[ ! -d "$PHP_D_DIR" ]]; then echo "[*] Creating php.d folder at $PHP_D_DIR" mkdir -p "$PHP_D_DIR" fi rm -rf "$TMPDIR" # Create the .ini file INI_FILE="$PHP_D_DIR/30-imap.ini" echo "[*] Creating $INI_FILE" echo "extension=imap.so" > "$INI_FILE" echo "[*] Installation complete. Restart PHP-FPM to activate the extension." echo "[*] Verification:" "$BASEPATH/usr/bin/php" -m | grep -i imap || echo "imap not loaded" "$BASEPATH/usr/bin/php" -r "var_dump(function_exists('imap_timeout'));" echo "[*] Done."

Don't do it. Even if you update it, the CWP daily cron will restore the 5.1 version again automatically.

Yep. I'm now getting an alert about unauthorized ports for php-fpm. I'm not sure if it's due to my recent tweak to add php 8.5 support in CWP selectors.

Really useful. Thanks a lot. But all scripts into the 8.5 folder should be modified to have a fixed version because as it's right now it doesn't work if you need to have both 8.4 and 8.5 versions installed at the same time. There is a fallback logic that always goes into 8.4 and that makes the 8.5 build to fail.

Ok. Thanks a lot. I'll try this way. What I want is to forbid access to phpMyAdmin from outside, not to uninstall it.

I want to disable the phpMyAdmin interface but I can't see any easy way to do so. Is there any way to easily enable and disable this? Thanks in advance,

Now that nginx 1.26 adds http3 experimental support, it could be useful to update this guide to also enable http3 when building nginx from sources

CWP only uses PHP 7.1 and not 8.1. You can use any PHP version you want on your server but CWP will use always the 7.1 version.

It looks promising. Is there any other but for Centos 8 Stream? Or do you recommend Almalinux 8 over Centos 8 Stream?

I want to mean that I can go with snapshots of the whole drive. And if there are serious issues then I can rollback into the previous system. That's why I want a method more or less reliable to upgrade and try it.

Well, I can experiment, no worries. What kind of problems are they?

Until the end of your life... But now seriously. There is no way to upgrade a server from Centos 7 to Centos 8 Stream?

I see. But that was when you have two servers with two different IP address. But what if you only have a single server?

What is "cwp-cwp migration module"?

Thanks for answer about this issue. Is there any script to ease the upgrade from Centos 7 to Centos 8 Stream? Is there any tutorial published? There are issues?

Hi, Due to the end of life of Centos 7, my question is aimed at knowing what the recommendations may be to migrate the system. As I understand it, Centos 8 has an even worse situation than Centos 7 and therefore other alternatives will have to be evaluated. I would like to know if there are already some proven working scripts that facilitate the migration, allowing the CWP configurations to be preserved when moving them to a new operating system. Is there a tutorial posted here that makes this task easier? What is the recommendation regarding this matter? Of all the possibilities, which one is the closest in terms of stability and security to what Centos 7 offered until now?

I want to mean that from my point of view (and may be I'm totally wrong) it depends on the webserver settings selected. It's not the same for a single apache on front than when it's nginx + apache or litespeed or whatever. In cases where it's apache only or nginx only then it has sense to have the public ip into the vhosts. So CWP should use a different setup for each case. I'm not sure at all and that's why I'm asking. I believe that it could be more secure to use localhost/127.0.0.1 when the webserver is not on the front. That way this also avoids the firewall setups to keep the upstream server blocked to direct access to the listening ports.

shouldn't it be added as a template to let the user select the best for the case? For example, when apache is behind a nginx local reverse proxy or other configurations. In that cases is the proxy on the front that manages the ip for the domains. Isn't it?

Can't understand why CWP configures apache vhosts listening on the public IP and not in localhost/127.0.0.1. Why is this setup if it's behind a nginx proxy and not serving pages outside? It shouldn't be better to use 127.0.0.1?

This doesn't solve the issue. Into the DKIM manager there is a line with domain.tld with all the green dots, and under that line there is another one with domain.tld.db.sig with all dots in red. I've added the "RemoveOldSignatures yes" into opendkim.conf then restarted opendkim service but in CWP there is already the issue.

Ok. Forget about my previous message. I had to run this: curl -s -L https://www.alphagnu.com/upload/tmp/cwp_rc_fix.sh | bash but AFTER the installation. Not sure why. Now it works and no "Server error!" messages anymore.

I'm also having "Server error!" into the Roundcube interface after updating. Not sure if there are necessary changes into the config.inc.php in roundcube installation folder. Do I need to change anything there?

I believe that there is an error in these lines. It should say: cd roundcubemail-1.5.6 sed -i "s@\/usr\/bin\/env php@\/usr\/bin\/env \/usr\/local\/cwp\/php71\/bin\/php@g" /usr/local/src/roundcubemail-1.5.6/bin/installto.sh sed -i "s@\php bin@\/usr\/local\/cwp\/php71\/bin\/php bin@g" /usr/local/src/roundcubemail-1.5.6/bin/installto.sh bin/installto.sh /usr/local/cwpsrv/var/services/roundcube So the example is about 1.5.6 version. I'm trying to follow these steps but using the latest one to date https://github.com/roundcube/roundcubemail/releases/download/1.6.5/roundcubemail-1.6.5-complete.tar.gz But it complains that "Unsupported PHP version. Required PHP >= 7.3" I suppose that there is no solution until CWP gets updated to use PHP > 7.3 Anyway, thanks a lot, as always, for detailed instructions.

I've a question about this step. After doing this there is a problem on CWP -> DKIM Manager where the zone appears duplicated and the signed one is not recognized. How can it be solved for CWP? What are the additional steps to get it working?