We Keep Coding

How do I set up a reverse proxy in ISPConfig?

Is it possible to set up a reverse proxy in ISPConfig?
I tried this setting on a subdomain, but I only receive a error 500.
The /var/www/influxdb2.*******.***/log/error.log says the following:
==> error.log <==
[Fri Jan 01 21:24:15.963158 2021] [proxy:warn] [pid 30333] [client ***.***.***.***:59356] AH01144: No protocol handler was valid for the URL /favicon.ico (scheme 'http'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: https://influxdb2.*******.***/

For me, the proxy_http mod was missing.
Enable it via sudo a2enmod proxy_http and restart your apache with systemctl restart apache2 (thanks to https://serverfault.com/questions/773449/no-protocol-handler-valid-for-the-url-with-httpd-mod-proxy-balancer).
Also note that the "redirect type" setting sometimes seems to reset itself to "none" on saving (or at least does not display the correct value on loading the page as of ISPConfig 3.2.1). So double check that setting if something does not work.
For the "Domain" tab, settings are pretty straightforward. Just enter your domain and probably enable Let's Encrypt.
Note that this seems to use mod_rewrite for proxying. The Apache2 documentation on mod_rewrite states that better ProxyPass of mod_proxy should be used instead. So if anything breaks with some applications, this might be a starting point for further investigations (worked for me for reverse proxying to the HTTP endpoint of InfluxDB 2.0.3 at http://localhost:8086).

configure proftpd to serve ftp and sftp simultaneously

Using Ubuntu 18.04 LTS and ProFTPD 1.3.5e.
I have ProFTPD serving FTP on ports 20, 21 and running just fine.
When I add in /etc/proftpd/conf.d/sftp.conf, FTP quits working. When I delete the sftp.conf and restart proftpd, FTP starts working again. I conclude that there is something wrong with this conf file.
Also, I want sftp to accept just a login id and password for authentication. How do I do that? I have looked at the SFTPAuthMethods directive and it looks like if I leave it out then it will allow all authentication methods and that is okay with me.
Here is the sftp.conf file:
<IfModule mod_sftp.c>
SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
</IfModule>
What should I change to get SFTP running on port 2222 and continue to have FTP running on ports 20 & 21?
Thanks in advance!
Update:
Based on the excellent feedback I have received in the notes, instead of using the sftp.conf file I have above, I added a wrapper and some other configuration parameters and have put that config into the proftpd.conf file. It reads as follows:
<snip>
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
# The SFTP configuration
SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log
Include /etc/proftpd/sql.conf
SFTPAuthMethods password keyboard-interactive hostbased publickey
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
</VirtualHost>
</IfModule>
So now the server is answering on FTP ports normally and on port 2222. When I attempt to connect to port 2222 using WinSCP, it fails authentication. Here is the sftp.log file snipped that is generated each time I try to connect.
2020-04-21 21:03:50,340 mod_sftp/0.9.9[13017]: sent server version 'SSH-2.0-mod_sftp/0.9.9'
2020-04-21 21:03:50,355 mod_sftp/0.9.9[13017]: received client version 'SSH-2.0-WinSCP_release_5.17.3'
2020-04-21 21:03:50,355 mod_sftp/0.9.9[13017]: handling connection from SSH2 client 'WinSCP_release_5.17.3'
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session key exchange: ecdh-sha2-nistp256
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session server hostkey: ssh-rsa
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session client-to-server encryption: aes256-ctr
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session server-to-client encryption: aes256-ctr
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session client-to-server MAC: hmac-sha2-256
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session server-to-client MAC: hmac-sha2-256
2020-04-21 21:03:51,285 mod_sftp/0.9.9[13017]: + Session client-to-server compression: none
2020-04-21 21:03:51,285 mod_sftp/0.9.9[13017]: + Session server-to-client compression: none
2020-04-21 21:03:51,957 mod_sftp/0.9.9[13017]: sending acceptable userauth methods: password,keyboard-interactive,hostbased,publickey
2020-04-21 21:03:52,302 mod_sftp/0.9.9[13017]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2020-04-21 21:03:52,322 mod_sftp_pam/0.3[13017]: PAM authentication error (7) for user 'test': Authentication failure
For FTP, I am authenticating successfully from a MySQL database. But the last line of the sftp.log file says that PAM authentication failed for my SFTP attempt. I am just trying to authenticate in the WinSCP client with a login and password that come from MySQL. Does that involve PAM authentication?
I think I am getting close!
Thanks in advance!

Here is the full /etc/proftpd/proftpd.conf that accomplishes my goals as stated above.
Note that I am also using mod_sql to provide for authentication via MySQL. So there are other configuration files referenced by this config file but are not listed in this posting.
# cat /etc/proftpd/proftpd.conf
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "hostname"
# Set to inetd only if you would run proftpd by inetd/xinetd.
# Read README.Debian for more information on proper configuration.
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# This line will create the user directories of an FTP user if they successfully authenticate but do not have a user directory.
# See http://www.proftpd.org/docs/howto/CreateHome.html
# CreateHome off|on [<mode>] [skel <path>] [dirmode <mode>] [uid <uid>] [gid <gid>] [homegid <gid>] [NoRootPrivs]
CreateHome on dirmode 750
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 50
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
# The SFTP configuration
SFTPEngine on
Port 2222
SFTPAuthMethods password
RequireValidShell off
SFTPLog /var/log/proftpd/sftp.log
Include /etc/proftpd/sql.conf
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
#SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
DefaultRoot ~
</VirtualHost>
</IfModule>
# Time stamp - IP Address - Protocol - User Name - UID - Filename - File Sizeo - Response Time in Milliseconds - Transfer Time in Seconds - Transfer Status - Reason for failure if applicable
# http://www.proftpd.org/docs/modules/mod_log.html#LogFormat
LogFormat custom "%{iso8601} %a %{protocol} %u %{uid} %f %{file-size} %R %T %{transfer-status} %{transfer-failure}"
ExtendedLog /var/log/proftpd/custom.log READ,WRITE custom

The essence of the solution to make it listen on both FTP 21 and SFTP 2222 is to add <VirtualHost 0.0.0.0> section inside of <IfModule mod_sftp.c>:
...
Port 21
...
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0> # << *** this part makes it listen on both 21 above and 2222 below ***
...
Port 2222
...
</VirtualHost> # << closing tag
</IfModule>
(thanks to the original question author and his response, eyeballing two configs I was able to boil it down to this)

LWP Won't Run in CGI Script

I have a CGI script to load publications from BibBase:
#!/usr/bin/perl
use LWP::UserAgent;
my $url = 'https://bibbase.org/show?bib=http://www.example.com/pubs.bib';
my $ua = LWP::UserAgent->new;
my $can_accept = HTTP::Message::decodable;
my $response = $ua->get($url, 'Accept-Encoding' => $can_accept);
print "Content-type: text/html\n\n";
print $response->decoded_content;
(This is copied from BibBase with the exception that the URL is hard-coded.)
I have three webservers running RHEL7 and Apache 2.4 that are configured the same way by Puppet. On all three I can run the script on the command line and get the expected results:
[root#server1 cgi-bin]# ./bibbase_proxy2.cgi | head
Content-type: text/html
<img src="//bibbase.org/img/ajax-loader.gif" id="spinner" style="display: none;" alt="Loading.." />
<div id="bibbase">
<script type="text/javascript">
var bibbase = {
params: {"bib":"http://www.example.com/pubs.bib","host":"bibbase.org"},
When I try to run the script with CGI, I get three different results:
Server1
Unrecognised protocol tcp at /usr/share/perl5/LWP/Protocol/http.pm line 31.
Server2
Can't connect to bibbase.org:443 System error at /usr/share/perl5/LWP/Protocol/http.pm line 51.
Server3
No http output and the error log says AH01215: Out of memory!.
I can't find anything different between the three servers and I can't figure out why the script works fine on the command line and doesn't work when run as a CGI.
I have selinux in permissive mode and it is logging the outgoing request, so I know the script gets that far:
type=AVC msg=audit(1532465859.921:331235): avc: denied { name_connect } for pid=161178 comm="perl" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
For testing, I have set selinux to disabled and restarted the server.

SE-Linux denied the TCP connection.
avc: denied { name_connect }
The default access controls for networking by SELinux are based on the labels assigned to TCP and UDP ports and sockets. For instance, the TCP port 80 is labeled with http_port_t (and class tcp_socket). Access towards this port is then governed through SELinux access controls, such as name_connect and name_bind.
When an application is connecting to a port, the name_connect permission is checked. However, when an application binds to the port, the name_bind permission is checked.
Permissive mode or not, Perl is acting like it was denied a TCP connection. Unrecognised protocol tcp means getprotobyname("tcp") failed inside IO::Socket::IP. That's very, very unusual. One of the ways that can happen is via exactly that SELinux denial.
I'm no SELinux expert, but according to RedHat and Gentoo some SELinux aware applications will ignore the global permissive setting and go it alone. RHEL 7 Apache appears to be one of them. It appears to have its own domain which must be set permissive.
On all three I can run the script on the command line and get the expected results:
There's two reasons for that, and they both have to do with users.
When you run the program you're running as your own user with your own configuration, permissions, and environment variables. In fact, you ran it as root which usually bypasses restrictions. When it runs on the server it runs as a different user, probably the web server user with severe restrictions.
In order to do a realistic test, you need to run it as the same user the web server will. You can use sudo -u for this. For example, if the user is apache...
sudo -u apache ./bibbase_proxy2.cgi
BTW Do not test software as root! Not only is it not going to give you sensible results, but if there's a bug in the software there are no safeguards preventing it from wrecking your system.
The second problem is #!/usr/bin/env perl. That means to run whatever perl is in your PATH. PATH will be different for different users. Running ./bibbase_proxy2.cgi may run with one Perl on the command line and a different one via the web server.
In a server environment, use a hard coded path to Perl like #!/usr/bin/perl.

We tested by rewriting the same script in Python and PHP. Both of them showed error which pointed us in the right direction.
Python urllib2 produced the error
<class 'urllib2.URLError'>: <urlopen error [Errno 16] Device or resource busy>
args = (error(16, 'Device or resource busy'),)
errno = None
filename = None
message = ''
reason = error(16, 'Device or resource busy')
strerror = None
PHP (run as CGI) wouldn't even start:
[Wed Jul 25 15:24:52.988582 2018] [cgi:error] [pid 10369] [client 172.28.6.200:44387] AH01215: PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/curl.so' - libssh2.so.1: failed to map segment from shared object: Cannot allocate memory in Unknown on line 0
[Wed Jul 25 15:24:52.988980 2018] [cgi:error] [pid 10369] [client 172.28.6.200:44387] AH01215: PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/dba.so' - libtokyocabinet.so.9: failed to map segment from shared object: Cannot allocate memory in Unknown on line 0
---- Similar lines for all extensions. ----
It appears that RLimitMEM blocks access to shared memory and that is required for opening sockets. I can't find any documentation, but removing that line makes it work.

ProFTPD Version 1.3.5d ExtendedLog is not working?

I am a beginner in Linux. I am using Plesk onyx with 17.5.3 Ubuntu 16.04 1705170317.16. My ExtendedLog configured in /etc/proftpd.conf is not working.
Following is my /etc/proftpd.conf
#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD"
#ServerType standalone ServerType inetd DefaultServer on LogFormat nijin "%t %h %u %D
%f \"%r\" %s %b" ExtendedLog /var/log/ftp.log ALL nijin <Global
DefaultRoot ~ psacln AllowOverwrite on
<IfModule mod_tls.c
# common settings for all virtual hosts
TLSEngine on
TLSRequired off
TLSLog /var/log/plesk/ftp_tls.log
TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none
# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
# that reuse the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
TLSOptions NoSessionReuseRequired </IfModule PassivePorts 50001 50100 </Global DefaultTransferMode binary UseFtpUsers
on
TimesGMT off SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port. Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable. Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd) MaxInstances 30
#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.
#Include directive should point to place where FTP Virtual Hosts configurations
#preserved
ScoreboardFile /var/run/proftpd_scoreboard
# Primary log file mest be outside of system logrotate province
TransferLog /var/log/plesk/xferlog
#Change default group for new files and directories in vhosts dir to psacln
<Directory /var/www/vhosts
GroupOwner psacln </Directory
# Enable PAM authentication AuthPAM on AuthPAMConfig proftpd
IdentLookups off UseReverseDNS off
AuthGroupFile /etc/group
Include /etc/proftpd.d/*.conf
This is my customized configuration file. Added ExtendedLog /var/log/ftp.log in my configuration file. But extended log /var/log/ftp.log is not created yet. I touch this file manually but no use, logs are not populating.
Any answers will be appreciated.

Update: the permissions were set to 664

Try to set non-world writable permissions to /var/log/ftp.log as it recommended at http://www.proftpd.org/docs/directives/linked/config_ref_ExtendedLog.html
I have tested it by the following steps and it worked:
echo "ExtendedLog /var/log/ftp.log read,write" >> /etc/proftpd.conf
touch /var/log/ftp.log && chmod 644 /var/log/ftp.log
upload a test file
check the log:root#server:/# cat /var/log/ftp.log
192.168.34.219 UNKNOWN mario [14/Jun/2017:11:38:20 +0700] "STOR Google Chrome.lnk" 226 2356

mod_fcgid: read data timeout in 40 seconds

we're running centos/cPanel on a good size dedicated server with only one website. we need speed and ability to upload files under 'nobody'. that means suPHP and DSO are out. so the php handler is mod_fcgid. from time to time apache error logs will show mod_fcgid: read data timeout in 40 seconds. we assume it means mod_fcgid is not properly configured when installed using easyapache.
after reading up on g about how to fix we found two tidbits. one deals with MPM. the other, surprisingly, shows how to increase the timeout response (normally increasing timeout response is bad thing as there is something worse inside the server).
should we use MPM event, prefork, and/or worker with mod_fcgid? we currently have prefork configured.
if we do increase the timeout should we use the following settings:
IPCConnectTimeout 20
ProcessLifeTime 120
IdleTimeout 60
IdleScanInterval 30
MaxRequestsPerProcess 499
MaxProcessCount 100
OR
FcgidProcessLifeTime 8200
FcgidIOTimeout 8200
FcgidConnectTimeout 400
FcgidMaxRequestLen 1000000000
And if we do use either of these settings where should they be set: 1) in php.fcgi script, or 2) FastCGI configuration in Apache.

My tested solution, same issue
target config file :
/usr/local/apache/conf/includes/pre_virtualhost_global.conf
target value :
FcgidIOTimeout
applying changes :
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart
reference :
https://wiki.mikejung.biz/Fcgid#FcgidMaxRequestLen

/etc/apache2/mods-enable/fcgid.conf
*/mods-available/fcgid.conf
*/sites-enable/site.com.vhost
<IfModule mod_fcgid.c>
AddHandler fcgid-script .fcgi
IdleTimeout 300
BusyTimeout 300
ProcessLifeTime 7200
IPCConnectTimeout 300
IPCCommTimeout 7200
</IfModule>