Tech Help Blog

A Technical Support Blog

Browsing Posts in Hosting Tech

For a long time we have been working so hard on content, meta tags, image tags, alt tags and so on that the speed and performance of our websites has often been pushed to the back burner! If any of you have used Google Webmaster Tools, you'll stand up and take notice of the Performance area, which compares the speed of your website with, well, all others in some sort of low quality result comparison. This comparison, I'm led to believe, is actually now a small (maybe more than a small) part of the Google algorithm and is taken into consideration when page rank, page quality, content quality, etc. is calculated in the Google brain.

Which brings me to this post: a helpful method of speeding up those sluggish ecommerce or heavily content-driven sites is Gzip compression, which is available in Apache version 2.x and up. Gzip compresses the content on the server and delivers a much smaller file to the browser, where it is uncompressed and rendered as normal. This reduces bandwidth and in most cases drastically reduces the load time of your websites. The only downside is some increase in CPU load on the server side and a slight increase in the browser's load as it decompresses the content; this is minimal and I haven't yet seen any negative effects.

Basically, in order for Gzip to work, Apache 2.x needs to be compiled with mod_deflate, so the first step, if it isn't already enabled, is to enable mod_deflate and recompile your Apache.

  1. Using EasyApache in WHM we rebuild with mod_deflate enabled
    I won't go through the initial steps in detail. Once you have clicked into the EasyApache area, ensure the Previously Saved Config (**DEFAULT**) is selected and click Start customizing based on profile. Leave the next screen on its default, which should be the current Apache version (remember, it needs to be 2.x to support mod_deflate), and choose NEXT. Leave the PHP major version the same and click NEXT, leave the PHP minor version the same and click NEXT, then leave the Short Options List the same and click Exhaustive Options List. Here we check the box that says Deflate. See image right. Then select Save and build; note that this can take a long time depending on the server's performance, etc. Once it's done, apply it and that's it: Deflate is now compiled into Apache.
  2. With mod_deflate enabled we can turn on Gzip on a per-account basis.
    In CPanel, under the specific account, you can enable Gzip via the Optimize Website page! See image below.

    Once in the Optimize Website menu you can choose from a few options as shown below. I'll leave that up to you; it's relatively self-explanatory. If you want to check whether your site is being gzipped you can use this little tool, http://www.gidnetwork.com/tools/gzip-test.php, which is pretty helpful, or Google "gzip test" as there is a whole bunch of them out there.

Hope this helped give you an idea of how to enable Gzip in CPanel! Questions in the comments, happy fast browsing :)


So you have, for whatever reason, a requirement to send all mail from CPanel server x addressed to *@domain.com via a specific SMTP server. I recently ran into this issue and found a relatively simple fix. Unlike Microsoft Exchange and its easy UI, where you can create a send connector with a bunch of prerequisites, with Exim you need to work on the exim.conf file. Luckily it's actually not that hard, once you know how!

  1. Open Exim configuration from within WHM
    Open up a WHM connection to your CPanel server and head to Service Configuration >> Exim Configuration Editor then click on Advanced Editor.
  2. I will take this moment to make a note: if you are running a CPanel server you MUST use the WHM Exim Configuration Editor. I learnt the hard way, before I even knew you could edit this option in WHM, by editing exim.conf on a CPanel server, that it will definitely be overwritten at some stage by an update! However, these changes also apply to a non-CPanel server that uses Exim; apply the same changes to /etc/exim.conf. See image below.

  3. Find and edit the Routers Configuration
    Find the editable section below ROUTERS CONFIGURATION; it looks something like this.
    Just below the section that says demo accounts are not permitted to relay email is where we are going to add our relay hosts. Below is a demo of a very basic send connector.

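    # Router: deliver mail for domain1.com through a fixed SMTP host
    domain1send:
      driver = manualroute
      transport = remote_smtp
      # route_list = <recipient domain> <host to hand the mail to>
      route_list = domain1.com smtp2.anotherserver.com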

    This router takes anything sent to an @domain1.com address and sends it out via smtp2.anotherserver.com.

  4. Save your changes and restart Exim
    Save the changes you have made by clicking Save at the bottom of the page, then go to Restart Services >> Mail Server (Exim) and click Yes. Then test away.

This is a fairly basic setup and is intended to be used on a server that already "sends to the world" directly, i.e. this is for those domains that become a problem or that, in your environment, need to be routed differently from what the DNS lookup for that address would come up with.

Any questions, leave them in the comments! :)


There are many ways to secure SSH on a CPanel server, including authenticating with keys and more. However, I usually go for a simpler way. Given most of my personal applications are dedicated & shared servers, there is only a small list of people requiring access to SSH (I don't allow SSH for shared servers at all), often only myself. What I tend to do is restrict SSH to protocol 2 to start with, then change the listening port for SSH and lastly utilize CPanel's built-in host access control to restrict what sources are able to access SSH.

  1. Restrict SSH to Protocol 2 & restrict the port to a non-standard port.
  2. To do this, simply log into the console of the server as the root user and use your favourite editor to modify the sshd configuration file like so.

    pico /etc/ssh/sshd_config

    Find the line that reads Protocol 2,1 and the line that reads Port. Below is an example of a modified configuration: Port 22444 is the new SSH port, the # in front of Protocol 2,1 comments that line out of the config, and the line below it restricts the protocol to 2 only.

    Port 22444
    #Protocol 2,1
    Protocol 2
  3. Restrict Source Hosts from within CPanel.
    From within your WHM, head to Security Center >> Host Access Control.
    Here we can add some rules to control who can access sshd. In the image below you can see how I have added access for Office and Head Office with two rules (the access list is internal ranges in this case; it would normally be a single external source, i.e. 123.211.123.211), and the third rule denies ALL others. The final deny rule must be the last of the sshd rules.

  4. Restart SSHD service.
    From the console/terminal or WHM, restart the sshd service. Type service sshd restart in the console/terminal, or go to Restart Services >> SSH Server (OpenSSH) from within WHM and hit YES.

NOTES: I am using OpenSSH in this example. If you have any third-party firewalls in place you will need to punch a hole in those for the different port as well. Also, as I recommend you run a firewall on your CPanel box, you will need to configure that too. I recommend Config Server Firewall as an addon/plugin for CPanel and will have an install and configuration writeup on that at some stage soon! Post a comment if you have any questions.
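A way to check both halves of this setup before restarting sshd, as an added example rather than part of the original post: it audits the two sshd_config settings changed above and shows why the deny-all rule has to come last. It assumes the access rules are evaluated top to bottom with the first match winning, as TCP wrappers does; the `audit_sshd` and `decide` helpers and the rule addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the sshd_config lines shown in the post.
SSHD_CONFIG = "Port 22444\n#Protocol 2,1\nProtocol 2\n"

# Constructed (daemon, source, action) rules standing in for the three Host
# Access Control rows the post describes; the ranges are placeholders.
RULES = [
    ("sshd", "192.168.10.0/24", "allow"),  # Office
    ("sshd", "192.168.20.0/24", "allow"),  # Head Office
    ("sshd", "ALL", "deny"),               # everyone else
]

def audit_sshd(config_text):
    """Return findings for the two sshd_config settings the post changes."""
    ports, protocols = [], []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, bare keyword or commented-out directive
        if parts[0].lower() == "port":
            ports.append(parts[1])
        elif parts[0].lower() == "protocol":
            protocols.append(parts[1])
    findings = []
    if not ports or "22" in ports:
        findings.append("sshd still listens on the default port 22")
    if any("1" in value.split(",") for value in protocols):
        findings.append("SSH protocol 1 is still enabled")
    return findings

def decide(rules, daemon, ip):
    """Assumed first-match evaluation: the deny-all row only works when last."""
    addr = ipaddress.ip_address(ip)
    for rule_daemon, source, action in rules:
        if rule_daemon not in (daemon, "ALL"):
            continue
        if source == "ALL" or addr in ipaddress.ip_network(source):
            return action
    return "allow"  # nothing matched: TCP wrappers lets the connection through

if __name__ == "__main__":
    print(audit_sshd(SSHD_CONFIG))                      # settings from the post
    print(decide(RULES, "sshd", "192.168.10.5"))        # office address
    print(decide(RULES, "sshd", "203.0.113.9"))         # unlisted address
    print(decide(RULES[::-1], "sshd", "192.168.10.5"))  # deny-all moved first
```

With the deny-all rule moved to the top, even the office range is refused; with it missing, an unlisted address falls through to the default allow.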


From time to time my configuration of CPanel hosting servers requires the ability to allow a Windows (or other) style DNS server to retrieve hosted DNS zones from the hosting server. By default AXFR is blocked with BIND/NSD on a CPanel box, and with good cause! My configuration, in an environment where Windows DNS servers are God, means that in order to give the individual control over things like subdomains, MX entries and the plethora of CPanel-adjustable DNS-related items, I need a way of allowing the Windows box (or other DNS server) to get its primary records from the CPanel box! This comes in the form of a zone transfer (AXFR). While the CPanel box will respond to queries, it certainly will not give up the entire zone of a domain unless we tell it to! So here is how to allow zone transfers to a specific list of sources.

  1. Create an ACL (Access List) within named.conf
  2. Get access to your CPanel server's console or SSH in with root permissions. Using your favourite editor, pico in my case, edit the following file

    pico /etc/named.conf

    Here is the section of named.conf we are going to add in our ACL. This is prior to any changes to show the default file.

    controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };
    // WE WANT TO ADD HERE
    options {

    Here is an example of the same section with a basic ACL added. Bolded for convenience.

    controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };
    acl trusted-servers {
        192.168.100.0/24;   // Showing an entire range allowed
        123.122.123.122;    // dns0.something.com
        122.123.122.123;    // dns1.something.com
    };

    options {

    Above you can see we have allowed the entire 192.168.100.0 address range (just an example of allowing a range of IPs) and we have added specific access from the two dns0 and dns1 servers. Everything behind the // is ignored and only used to comment the file so we can understand what we have done when we need to view this file some random time in the future! It saves the headache of trying to figure out what the hell we did last time :)

  3. Apply our new ACL to the main options in named.conf
    Now all we need to do is add in the trusted-servers ACL we created!
    Find the below bit a little further down in named.conf.

    // Put files that named is allowed to write in the data/ directory:
    directory                "/var/named"; // the default
    pid-file                 "/var/run/named/named.pid";
    dump-file                "data/cache_dump.db";
    statistics-file          "data/named_stats.txt";
    /* memstatistics-file     "data/named_mem_stats.txt"; */
    allow-transfer {none;};
    };

    The example below is the same area, changed to add in the ACL we created. I have bolded the bit I changed.

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    /* memstatistics-file "data/named_mem_stats.txt"; */
    allow-transfer { trusted-servers; };
    };

    Save your changed file and restart BIND/NSD. You can do this from the command line or simply from within the WHM panel!

Now TEST! From an allowed source you can use nslookup from the command line. If it's a Windows box, simply run nslookup, then server, then ls -d domainname.com, domainname.com being a domain which is hosted on the CPanel server. You should receive a copy of the entire zone on screen! :) Any questions, put them in the comments.

C:\>nslookup
>server my.cpanelhost.com
>ls -d domainname.com
Zone information will be displayed.
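To see ahead of a live test which sources the new allow-transfer setting will admit, the following added example (not from the original post) parses the acl and allow-transfer fragments shown above and evaluates a source address against them. The `parse` and `may_transfer` helpers are hypothetical names, and the sample text is constructed from the post's fragments. It assumes a single global allow-transfer statement and does not handle `!` negation or key-based entries.

```python
import ipaddress
import re

# Constructed sample: the acl and options fragments from the post, joined.
NAMED_CONF = """
acl trusted-servers {
    192.168.100.0/24;   // Showing an entire range allowed
    123.122.123.122;    // dns0.something.com
    122.123.122.123;    // dns1.something.com
};
options {
    directory "/var/named"; // the default
    allow-transfer { trusted-servers; };
};
"""

def _entries(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse(conf):
    """Return (acls, allow_transfer) from named.conf text, comments removed."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    acls = {name: _entries(body)
            for name, body in re.findall(r"\bacl\s+([\w-]+)\s*\{([^}]*)\}", text)}
    match = re.search(r"\ballow-transfer\s*\{([^}]*)\}", text)
    if match is None:
        raise ValueError("no allow-transfer statement found")
    return acls, _entries(match.group(1))

def may_transfer(conf, source_ip):
    """True if source_ip matches the allow-transfer address match list."""
    acls, pending = parse(conf)
    addr = ipaddress.ip_address(source_ip)
    while pending:
        entry = pending.pop(0)
        if entry == "any":
            return True
        if entry == "none":
            continue
        if entry in acls:            # named acl: expand its members in place
            pending = acls[entry] + pending
        elif addr in ipaddress.ip_network(entry):  # unknown names raise here
            return True
    return False

if __name__ == "__main__":
    for ip in ("192.168.100.7", "123.122.123.122", "203.0.113.50"):
        print(ip, may_transfer(NAMED_CONF, ip))
```

A misspelled ACL name in allow-transfer raises a ValueError here instead of silently matching nothing, which makes typos visible before the service is restarted.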
