Get Social

Templates for Yii2 on Vesta CP for backend and frontend versions.

So, I had problems with manual editing of configs in the Vesta CP (which it constantly rewrites, when something changes or is updated), I set out to make a more or less automated solution.

It did not work very nicely, because it is necessary that the backend and the frontend look in the same folder as the subfolders. This can not be achieved only by editing templates. This can be understood by looking at their syntax, which is handled by scripts, like v-add-web-domain.

There is code on github.

The templates and the script work, based on the fact that: the frontend is here -> /home/$USER/web/$DOMAIN/public_html/frontend/web backend is here -> /home/$USER/web/$DOMAIN/public_html/backend/web

Instruction

(1)
Add the “apache2” and “nginx” directories from the githab repository (mentioned above) to /usr/local/vesta/data/templates/web/ (in CentOS / RHEL, you may need to rename “apache2” to “httpd”). Add Yii2-cconf.sh script in any, you need a place on the server.

(2)
In the Vesta control panel, you can create both domains:
example.com
backend.example.com

After that, in Vesta CP you can edit the domain settings and set the templates:
Yii2-frontend for example.com and yii2-backend for backend.example.com

(3)
In the end, you can run the yii2-cconf.sh script with the command:
( cd your-some-directory/ )
bash ./yii2-cconf.sh vestacpuser example.com

How to change the address of the Vesta CP web interface to a subdomain

It is not always convenient for mail to be located at /webmail. But this configuration is in Vesta CP by default. While the developers of the panel have not done the same thing that we are going to do, this will have to be repeated with each new server installation.

So, let’s start:

1. Create a web domain in Vesta CP: mail.your-domain.com (it can be immediately configured on https using the new, built-in ability to generate ssl certificates – letsencrypt).

2. Delete the links to the roundcube and / or roundcube.inc in /etc/apache2 (in the sub-folders conf.d, sites-available, sites-enabled) and /etc/nginx (in the subfolder conf.d).

3. Edit Nginx configuration file (for simplicity, we use /home/admin – the standard user folder in vesta):

/home/admin/conf/web/nginx.conf
/home/admin/conf/web/snginx.conf

replace
root /home/admin/web/your-domain/public_html;
to
root /var/lib/roundcube;

4. Edit Apache configuration file:

/home/admin/conf/web/apache.conf
/home/admin/conf/web/sapache.conf

replace
DocumentRoot /home/admin/web/mail.nebulonis.com/public_html
to
DocumentRoot /var/lib/roundcube/

and add:

# Access to tinymce files
<Directory "/usr/share/tinymce/www/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

<Directory /var/lib/roundcube/>
    Options +FollowSymLinks
    # This is needed to parse /var/lib/roundcube/.htaccess. See its
    # content before setting AllowOverride to None.
    AllowOverride All
    order allow,deny
    allow from all
</Directory>

# Protecting basic directories:
<Directory /var/lib/roundcube/config>
    Options -FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/lib/roundcube/temp>
    Options -FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

<Directory /var/lib/roundcube/logs>
    Options -FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

5. Let’s check the syntax:
apachectl configtest
nginx -t

6. Restart:
apachectl graceful
service nginx restart

7. And, finally, in the panel settings (https://your-ip-or-address:8083/edit/server/) SERVER -> CONFIGURE In the tab MAIL -> Webmail URL change to new (https://mail.your-domain.com)

How to configure Nginx in Vesta CP and get an A+ rating on ssllabs

image - Как настроить Nginx в Vesta CP, чтобы получить A+ рейтинг на ssllabs

Task: setup SSL (https) settings in Nginx config file in order to get grade A+ there: https://www.ssllabs.com/ssltest/

Best way – edit the /usr/local/vesta/data/templates/web/nginx/default.stpl
(the more, so if you will edit something from the panel, than Vesta CP will overwrite any changes made manually in the configuration)

Open in your favorite editor (of course nano :))
nano /usr/local/vesta/data/templates/web/nginx/default.stpl

Add next 4 fragments:

1. Add to field %ip%:%proxy_ssl_port% (in the same line):

ssl http2

2. After server_name:

add_header Strict-Transport-Security "max-age=31536000;" always;
ssl_stapling on;
ssl_stapling_verify on;

3. After ssl_certificate_key %ssl_key%;
ssl_dhparam /home/admin/conf/web/dhparams.pem;
(first you need to generate dhparams.pem and put it in the right folder:
openssl dhparam -out /home/admin/conf/web/dhparams.pem 4096
)

4. (This fragment cannot just be copied from the browser, check for line breaks)

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

we get something like the following:

server {
listen %ip%:%proxy_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
add_header Strict-Transport-Security "max-age=31536000;" always;
ssl_stapling on;
ssl_stapling_verify on;

ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
# ssl_dhparam /home/admin/conf/web/dhparams.pem;
error_log /var/log/%web_system%/domains/%domain%.error.log error;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}

location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}

location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}

location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}

include %home%/%user%/conf/web/snginx.%domain%.conf*;
}

Pages:123