In this tutorial, I'm going to tune a DirectAdmin environment to make it faster and more secure. I assume that you have already installed DirectAdmin on your server (for this guide, I use CentOS 7 64-bit). A good understanding of Linux basics is needed to follow this guide. Let's begin:
Use Nginx reverse proxy
Performance can be improved by having the reverse proxy handle static content separately from application requests. If your web server is not set to this mode, run the commands below:
cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache
Restore the original visitor IP for requests coming through CloudFlare
nano /etc/nginx/nginx-includes.conf
Add the following lines
# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
Enable HTTP/2
HTTP/2 is the latest update to the HTTP protocol with many advancements in efficiency, security and speed. Simply run the commands below to enable HTTP/2:
mkdir /usr/local/directadmin/custombuild/custom/
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse/conf
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/
Next, we update the nginx-vhosts:
nano /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-vhosts.conf
Add http2 to all SSL listen directives.
Rewrite the conf files and restart the services:
cd /usr/local/directadmin/custombuild
./build rewrite_confs
Use PHP 7
Up to 2x faster performance and 50% better memory consumption than PHP 5.6.
cd /usr/local/directadmin/custombuild
./build set php1_release 7.1
If you have CloudLinux:
./build set php1_mode lsphp
If you don't have CloudLinux:
./build set php1_mode php-fpm
Then build php:
./build update
./build php d
Edit /usr/local/php71/lib/php.ini and double these settings: memory_limit, max_execution_time, max_input_time
Enable OpCache
OpCache also improves PHP performance. Run the following commands:
cd /usr/local/directadmin/custombuild
./build set opcache yes
./build opcache
Add dangerous php functions to the disable_functions list
cd /usr/local/directadmin/custombuild
./build update
./build secure_php
Use MariaDB
MariaDB includes a lot of optimizer enhancements. If your server is not set to use MariaDB, run the following:
cd /usr/local/directadmin/custombuild
./build set mariadb 10.2
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb
Increase max allowed packet:
nano /etc/my.cnf.d/server.cnf
Set max_allowed_packet = 256M, innodb_log_file_size = 256M and bind-address = 127.0.0.1 in the [mysqld] section. Also add max_allowed_packet=256M in the [mysqldump] section.
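To confirm the file really ends up with these values (a later duplicate line silently overrides an earlier one), the following added example audits it. It is not part of the original guide; the function names cnf_get, audit_cnf and sample_cnf are made up here, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a my.cnf-style file for the values this guide sets.

# Print the effective value of KEY in [SECTION]. The last assignment wins and
# "-" and "_" are interchangeable in option names, as in MariaDB option files.
cnf_get() {  # usage: cnf_get FILE SECTION KEY
    awk -v want="$2" -v key="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function norm(s) { s = trim(s); gsub(/-/, "_", s); return s }
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want {
            eq = index($0, "=")
            if (eq && norm(substr($0, 1, eq - 1)) == norm(key))
                val = trim(substr($0, eq + 1))
        }
        END { print val }
    ' "$1"
}

# Compare the four settings from the guide; return 1 if any of them differs.
audit_cnf() {  # usage: audit_cnf FILE
    rc=0
    while read -r section key expected; do
        actual=$(cnf_get "$1" "$section" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    [$section] $key = $actual"
        else
            echo "DRIFT [$section] $key = ${actual:-unset} (want $expected)"
            rc=1
        fi
    done <<'EOF'
mysqld max_allowed_packet 256M
mysqld innodb_log_file_size 256M
mysqld bind-address 127.0.0.1
mysqldump max_allowed_packet 256M
EOF
    return $rc
}

# Constructed sample: a later bind_address line undoes the loopback binding.
sample_cnf() {
    printf '%s\n' '[mysqld]' 'max_allowed_packet = 256M' \
        'innodb_log_file_size = 256M' 'bind-address = 127.0.0.1' \
        '# added later by another tool' 'bind_address = 0.0.0.0' \
        '[mysqldump]' 'max_allowed_packet=256M'
}

# With a file argument (for example /etc/my.cnf.d/server.cnf), audit that file.
if [ -n "${1:-}" ]; then audit_cnf "$1"; fi
```

On the constructed sample the audit reports bind-address as 0.0.0.0, because the later underscore spelling overrides the loopback setting.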
Enable SSL for all services
Assume that your server hostname is server.domain.com. We use the Let's Encrypt tool to set up SSL for the server hostname and all services. First, edit the directadmin.conf file:
nano /usr/local/directadmin/conf/directadmin.conf
set enable_ssl_sni=1
set ssl_redirect_host=server.domain.com
set force_hostname=server.domain.com
set carootcert=/usr/local/directadmin/conf/carootcert.pem
set letsencrypt=1
set dns_ttl=1
set letsencrypt_renewal_notice_to_admins=0
Next run the following commands:
service directadmin restart
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096
Now set SSL=1 in directadmin.conf and restart the directadmin service again.
Next, update Roundcube config for SSL connection:
nano /var/www/html/roundcube/plugins/password/config.inc.php
set $config['password_directadmin_host'] = 'ssl://localhost';
Test SSL by running the following commands, one by one:
openssl s_client -connect 127.0.0.1:465
openssl s_client -connect 127.0.0.1:993
openssl s_client -connect 127.0.0.1:2222
openssl s_client -connect 127.0.0.1:443
openssl s_client -connect 127.0.0.1:21 -starttls ftp
Make sure you can see the certificate in the output of each command.
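The same five checks as a script that also reports whether each certificate verifies, not only that one is shown. This is an added example, not part of the original guide; the function names are made up here, HOST is the guide's example hostname, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: summarise what each TLS service from the guide presents.
HOST=server.domain.com   # example hostname used in this guide

# Parse `openssl s_client` output on stdin into one status line.
# Exit status: 0 = certificate verified, 1 = certificate shown but not
# verified (for example still self-signed), 2 = no certificate at all.
tls_summary() {
    awk '
        /^subject=/ { subj = substr($0, 9) }
        /^issuer=/  { iss  = substr($0, 8) }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1; why = $0 }
        END {
            if (subj == "") { print "NO-CERT"; exit 2 }
            status = (code == "0") ? "OK" : "WARN"
            printf "%s verify=%s subject=%s issuer=%s\n", status, why, subj, iss
            rc = (code == "0") ? 0 : 1
            exit rc
        }'
}

# Connect to one local service, sending the hostname via SNI.
check_tls() {  # usage: check_tls PORT [STARTTLS_PROTO]
    if [ -n "${2:-}" ]; then
        openssl s_client -connect "127.0.0.1:$1" -servername "$HOST" \
            -starttls "$2" </dev/null 2>/dev/null
    else
        openssl s_client -connect "127.0.0.1:$1" -servername "$HOST" \
            </dev/null 2>/dev/null
    fi | tls_summary
}

# The five endpoints tested in the guide; port 21 needs STARTTLS for FTP.
check_all() {
    for svc in 465 993 2222 443 "21 ftp"; do
        printf '%-8s ' "$svc"
        check_tls $svc   # unquoted on purpose: "21 ftp" becomes two arguments
    done
}

# Constructed excerpt of s_client output for a self-signed certificate.
sample_selfsigned() {
    printf '%s\n' 'CONNECTED(00000003)' 'subject=/CN=server.domain.com' \
        'issuer=/CN=server.domain.com' \
        '    Verify return code: 18 (self signed certificate)'
}

# Run on the server with: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then check_all; fi
```

A WARN line whose subject and issuer are identical means the service is still presenting a self-signed certificate rather than the Let's Encrypt one.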
Next, make new domains use a private_html link that points to public_html. Do this by creating the following custom script:
/usr/local/directadmin/scripts/custom/domain_create_post.sh
then add the following code and chmod the script to 755:
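#!/bin/sh
# DirectAdmin passes $username and $domain to this hook in the environment.
# Stop if either is empty so the rm below can never act on a partial path.
[ -n "$username" ] && [ -n "$domain" ] || exit 0
D="/home/$username/domains/$domain"
PH="$D/private_html"
# Replace the private_html directory with a symlink to public_html.
if [ -d "$PH" ]; then
    rm -rf "$PH"
    ln -s public_html "$PH"
    chown -h "$username:$username" "$PH"
fi
exit 0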
Use hostname for alias
cd /usr/local/directadmin/custombuild
./build update
./build set use_hostname_for_alias yes
./build set redirect_host_https yes
./build rewrite_confs
Enable DKIM and rspamd
Enabling this feature helps keep emails sent from your server out of the Spam folder. Download the dkim.conf file:
cd /etc
wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf
Edit your /etc/exim.conf, and find the code:
remote_smtp:
driver = smtp
Then change it to look like:
remote_smtp:
driver = smtp
.include_if_exists /etc/exim.dkim.conf
Update your exim.conf with CustomBuild:
cd /usr/local/directadmin/custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set blockcracking yes
./build set easy_spam_fighter yes
./build set spamd rspamd
./build set exim yes
./build exim
./build set dovecot_conf yes
./build dovecot_conf
./build update
./build exim_conf
Then restart exim:
service exim restart
Finally, update directadmin.conf file:
nano /usr/local/directadmin/conf/directadmin.conf
set dkim=2
hide_outlook=1
and then restart DirectAdmin
Now we can create DKIM for the server hostname:
cd /usr/local/directadmin/scripts
./dkim_create.sh server.domain.com
Now go to DirectAdmin > DNS Administration and click on your server hostname to check the DKIM key, and update your SPF record (for IPv6).
Check your /etc/hosts file: "localhost" should only be on the 127.0.0.1 line, not on the ::1 line (localhost6 and other "6" variants are fine).
Enable Auto Update
Install yum-cron:
yum -y install yum-cron
sed -i 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
Start yum-cron service:
systemctl start yum-cron.service
Enable DA cron:
nano /usr/local/directadmin/custombuild/options.conf
Then set the following values:
cron=yes
cron_frequency=monthly
[email protected]
notifications=yes
da_autoupdate=yes
updates=yes
webapps_updates=yes
Finally, build cron:
cd /usr/local/directadmin/custombuild/
./build cron
One-Click login phpMyAdmin
To enable, turn it on in the directadmin.conf and also re-install PMA:
cd /usr/local/directadmin/
./directadmin set one_click_pma_login 1
service directadmin restart
cd custombuild
./build update
./build phpmyadmin
Enable IP Blocking
Run the following commands
yum -y install iptables-services
systemctl enable iptables
cd /usr/libexec/iptables
mv iptables.init iptables.init.backup
wget -O iptables.init http://files.directadmin.com/services/all/block_ips/2.2/iptables
chmod 755 iptables.init
systemctl reload iptables
cd /usr/local/directadmin/scripts/custom
wget -O block_ip.sh http://files.directadmin.com/services/all/block_ips/2.2/block_ip.sh
wget -O show_blocked_ips.sh http://files.directadmin.com/services/all/block_ips/2.2/show_blocked_ips.sh
wget -O unblock_ip.sh http://files.directadmin.com/services/all/block_ips/2.2/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/block_ips/2.2/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf
Note: iptables.init is sometimes overwritten by a system update. To prevent this, run:
chattr +i /usr/libexec/iptables/iptables.init
Update Settings in Directadmin like below:
Now you have an excellent hosting server! If you need any help please let me know.