DirectAdmin: Improve performance and security Oct 18, 2016

DirectAdmin Optimized

In this tutorial, I'm going to improve the DirectAdmin environment, make it faster and more secure. I assume that you have installed DirectAdmin on your server (for this guide, I use CentOS 7 64bit). A good understanding of Linux basics is needed to follow this guide. Now we begin:

Use Nginx reverse proxy

Performance can be improved by the reverse proxy handling static content and from application requests. If your web server is not set to this mode, follow the commands below:

cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache

Restore original visitor IP if come from CloudFlare

nano /etc/nginx/nginx-includes.conf

Add the following lines

# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

Enable HTTP/2

UPDATE: DirectAdmin version v1.52+ auto enable http2 if you run OpenSSL 1.0.2 or higher.

HTTP/2 is the latest update to the HTTP protocol with many advancements in efficiency, security and speed. Simply run the commands below to enable HTTP/2:

mkdir /usr/local/directadmin/custombuild/custom/
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse/conf
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/

Next, we update the nginx-vhosts:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-vhosts.conf 

Add http2 to all SSL listen like this:

Rewrite conf filres and restart the services:

cd /usr/local/directadmin/custombuild
./build rewrite_confs

Use PHP 7

Up to 2x faster performance and 50% better memory consumption than PHP 5.6.

cd /usr/local/directadmin/custombuild
./build set php1_release 7.1

If you have CloudLinux:

./build set php1_mode lsphp

If you don't have CloudLinux:

./build set php1_mode php-fpm

Then build php:

./build update
./build php d

Edit /usr/local/php71/lib/php.ini and double those settings: memory_limit, max_execution_time, max_input_time

Enable OpCache

OpCache can improves PHP performance as well, run the following commands:

cd /usr/local/directadmin/custombuild
./build set opcache yes
./build opcache

Add dangerous php functions to the disable_functions list

cd /usr/local/directadmin/custombuild
./build update
./build secure_php

Use MariaDB

A lot of optimizer enhancements in MariaDB, if your server is not set to use MariaDB, follow this:

cd /usr/local/directadmin/custombuild
./build set mariadb 10.2
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb

Increase max allowed packet:

nano /etc/my.cnf.d/server.cnf 

Set max_allowed_packet = 256M , innodb_log_file_size = 256M and bind-address = in [mysqld] section. Also add max_allowed_packet=256M in [mysqldump] section.

Enable SSL for all services

Assume that your server hostname is We use "Let's Encrypt" tool to setup SSL for server hostname and all services, now edit the directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf

set enable_ssl_sni=1
set carootcert=/usr/local/directadmin/conf/carootcert.pem
set letsencrypt=1
set dns_ttl=1
set letsencrypt_renewal_notice_to_admins=0

Next run the following commands:

service directadmin restart
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
cd /usr/local/directadmin/scripts
./ request 4096

Now set SSL=1 in directadmin.conf and restart directadmin service again.

Next, update Roundcube config for SSL connection:

nano /var/www/html/roundcube/plugins/password/

set $config['password_directadmin_host'] = 'ssl://localhost';

Testing SSL by running the following commands, one by one:

openssl s_client -connect
openssl s_client -connect
openssl s_client -connect
openssl s_client -connect
openssl s_client -connect -starttls ftp

Make sure you can see the Certificate in the result like this:
SSL test

Then we make new domains to use a private_html link that pointing to public_html, we do this by creating this custom script:


then add the following code and chmod the script to 755:


if [ -d $PH ]; then
   rm -rf $PH
   ln -s public_html $PH
   chown -h $username:$username $PH
exit 0;

Use hostname for alias

cd /usr/local/directadmin/custombuild
./build update
./build set use_hostname_for_alias yes
./build set redirect_host_https yes
./build rewrite_confs

Enable DKIM and rspamd

Enable this feature will help you keep emails sending from your server out of the Spam folder, download the dkim.conf file:

cd /etc
wget -O exim.dkim.conf

Edit your /etc/exim.conf, and find the code:

 driver = smtp

Then change it to look like:

  driver = smtp
  .include_if_exists /etc/exim.dkim.conf

Update your exim.conf with CustomBuild:

cd /usr/local/directadmin/custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set blockcracking yes
./build set easy_spam_fighter yes
./build set spamd rspamd
./build set exim yes
./build exim
./build set dovecot_conf yes
./build dovecot_conf
./build update
./build exim_conf

Then restart exim:

service exim restart

Finally, update directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf

set dkim=2 hide_outlook=1 and then restart DirectAdmin

Now we can create DKIM for the server hostname:

cd /usr/local/directadmin/scripts

Now go to DirectAdmin > DNS Administration and click on your server hostname to check and DKIM key, and update your SPF record (for IPv6).

Check your /etc/hosts file, we don't want to see localhost on the ::1 line (localhost6 and other "6" variants are fine) "localhost" should only be on the line.

Enable Auto Update

Install yum-cron:

yum -y install yum-cron
sed -ie 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf

Start yum-cron service:

systemctl start yum-cron.service

Enable DA cron:

nano /usr/local/directadmin/custombuild/options.conf

Then set the following values:

[email protected]

Finally, build cron:

cd /usr/local/directadmin/custombuild/
./build cron

One-Click login phpMyAdmin

To enable, turn it on in the directadmin.conf and also re-install PMA:

cd /usr/local/directadmin/
./directadmin set one_click_pma_login 1
service directadmin restart
cd custombuild
./build update
./build phpmyadmin

Enable IP Blocking

Run the following commands

yum -y install iptables-services
systemctl enable iptables
cd /usr/libexec/iptables
mv iptables.init iptables.init.backup
wget -O iptables.init
chmod 755 iptables.init
systemctl reload iptables

cd /usr/local/directadmin/scripts/custom
wget -O
wget -O
wget -O
chmod 700

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

cd /usr/local/directadmin/scripts/custom
wget -O
chmod 700

echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf

Note: sometime iptables.init is overwritten by system update, chattr +i iptables.init to prevent this.

Update Settings in Directadmin like below:

DirectAdmin Settings

Now you have an excellent hosting server! If you need any help please let me know.



Latest Updates