Administration of AUTOM8N plugin

End users and administrators have an intuitive UI for managing domains hosted on cPanel and other settings.

AUTOM8N does not require constant maintenance. It is meant to do things on its own with input from cPanel end users.

Quick Reference of scripts for sysadmins

# Enable or disable the plugin
/opt/nDeploy/scripts/cpanel-nDeploy-setup.sh disable
/opt/nDeploy/scripts/cpanel-nDeploy-setup.sh enable

# Automatically fix all errors. Can be run if you notice an nginx config error, a PHP error, etc.
# The following will regenerate all config and restart associated services. Use force only if a normal run does not fix the problem
/opt/nDeploy/scripts/attempt_autofix.sh
/opt/nDeploy/scripts/attempt_autofix.sh force  # force regenerate
/opt/nDeploy/scripts/init_backends.py autofix # fix php-fpm app server issue


# A best effort to switch as many websites as possible to native nginx
# See file /opt/nDeploy/conf/appsignatures.yaml for switching logic
# Add username to /opt/nDeploy/conf/auto_config.exclude to exclude a specific user
/opt/nDeploy/scripts/switch_to_native_nginx.sh


# Install various application servers
/opt/nDeploy/scripts/easy_php_setup.sh
/opt/nDeploy/scripts/easy_passenger_setup.sh

# Install netdata monitoring
/opt/nDeploy/scripts/easy_netdata_setup.sh

# Restart application server. Note that Passenger apps get restarted with nginx
systemctl restart ndeploy_backends  # PHP

# Restart cluster file syncing service
systemctl restart ndeploy_unison


# Adding/removing application servers
/opt/nDeploy/scripts/update_backend.py [add|del] backend_category backend_name backend_path

# Adding/removing application template (generic)
/opt/nDeploy/scripts/update_profiles.py [add|del] [root|cpanelusername] [main|subdir] [backend] [templatefilename] [quoted description]
# Examples
/opt/nDeploy/scripts/update_profiles.py add root main PHP 5001.j2 "Wordpress"
/opt/nDeploy/scripts/update_profiles.py add root subdir PHP 5001_subdir.j2 "Wordpress in subdir"
/opt/nDeploy/scripts/update_profiles.py add cpanelusername main PHP 5001.j2 "Wordpress"
/opt/nDeploy/scripts/update_profiles.py add cpanelusername subdir PHP 5001_subdir.j2 "Wordpress in subdir"

Config Generation logic and customizations

Config generation is based on templates and YAML settings (Jinja2 templating engine and YAML settings). To generate a single nginx vhost, the following files are parsed in order. The customization filenames are given beside them in brackets; if the file named in brackets is present, it is used instead of the one provided by the AUTOM8N package. A sysadmin mostly only needs to add or edit application templates, and these use minimal template logic for easy manipulation.

/opt/nDeploy/domain-data/domain.com # User settings for domain
# If the above file is not present, it is created with default settings from
/opt/nDeploy/conf/domain_data_default.yaml  # ( plan/package based customization can be done from WHM UI )
/opt/nDeploy/conf/domain_data_suspended.yaml # ( /opt/nDeploy/conf/domain_data_suspended_local.yaml )

# The following file generates /etc/nginx/sites-enabled/domain.com.conf
/opt/nDeploy/conf/server.j2 # ( /opt/nDeploy/conf/server_local.j2 )

# The application template defined in domain_data setting file is used for generating /etc/nginx/sites-enabled/domain.com.include
/opt/nDeploy/conf/APPTEMPLATENAME.j2

# Default vhost template
/opt/nDeploy/conf/default_server.conf.j2 # ( /opt/nDeploy/conf/default_server_local.conf.j2 )

Layer7 (Application layer) DDOS mitigation

AUTOM8N integrates https://firehol.org/ for a secure firewall that also acts as a SYNPROXY for Layer7 SYN Flood protection.

https://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

Additionally, Nginx DDOS mitigation will set up rate limits on a per-IP-address and per-vhost basis and ensure the connection timeouts are fine-tuned for mitigating attacks.

Both the SYNPROXY and NGINX mitigation systems can be activated from the WHM AUTOM8N user interface.

SYNPROXY needs prior setup of the FireHol firewall to work. It is incompatible with the CSF firewall, so during an attack you must disable CSF and activate FireHol from the AUTOM8N WHM UI.

cd /opt/nDeploy/conf/nDeploy-firewall/
ansible-playbook -i ./hosts firewall.yml --extra-vars "ansible_port=22"
# ansible_port is the SSH port on the server. If you give the wrong port, you will be locked out!

# Optionally, you can customize the firewall and redeploy
cp -p /opt/nDeploy/conf/nDeploy-firewall/roles/firehol_deploy/templates/firehol.conf.j2 /opt/nDeploy/conf/nDeploy-firewall/roles/firehol_deploy/templates/custom_firehol.conf.j2
# Edit the file /opt/nDeploy/conf/nDeploy-firewall/roles/firehol_deploy/templates/custom_firehol.conf.j2
# Common customizations:
# Allow incoming port 6556 from IP address 35.205.96.26
server4 custom checkmk "tcp/6556" default accept src 35.205.96.26
# Allow all incoming ports from 35.205.96.26
server4 all accept src 35.205.96.26
# Allow all outgoing ports to 35.205.96.26
client4 all accept dst 35.205.96.26
Once you have edited the template:
cd /opt/nDeploy/conf/nDeploy-firewall/
ansible-playbook -i ./hosts firewall.yml --extra-vars "ansible_port=22"
# this will deploy your custom template as firehol.conf
firehol try
# ensure firewall rules are activated without any issues
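
A pre-flight check for the lock-out warning above, as an added example that is not part of AUTOM8N or its documentation: it confirms that the ansible_port you intend to pass is a port sshd is actually configured to listen on before the playbook runs. The function names and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not AUTOM8N code): check ansible_port against sshd's
# effective configuration before deploying the firewall playbook.

# Read `sshd -T` style output on stdin; print each configured port once.
effective_ssh_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# Return 0 if port $1 appears in the newline-separated port list $2.
port_in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# preflight PORT: reads `sshd -T` output on stdin.
# Returns 0 if PORT is an sshd port, 1 on mismatch, 2 on bad input.
preflight() {
    want=$1
    case $want in
        ''|*[!0-9]*) echo "invalid port: $want" >&2; return 2 ;;
    esac
    ports=$(effective_ssh_ports)
    [ -n "$ports" ] || { echo "no port line in sshd output" >&2; return 2; }
    if port_in_list "$want" "$ports"; then
        return 0
    fi
    echo "ansible_port=$want, but sshd listens on: $(echo $ports)" >&2
    return 1
}

# Constructed sample of `sshd -T` output for a host moved to port 2222.
SAMPLE_SSHD_T='port 2222
addressfamily any
listenaddress 0.0.0.0:2222
permitrootlogin without-password'

# On a live server, as root, from /opt/nDeploy/conf/nDeploy-firewall/:
#   sshd -T | preflight 2222 && \
#     ansible-playbook -i ./hosts firewall.yml --extra-vars "ansible_port=2222"
```

`sshd -T` prints the effective configuration, so it also reflects ports set in included files, which a plain grep of sshd_config would miss.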

What version of AUTOM8N am I running

AUTOM8N is delivered as RPM-packaged software, and the version details can be obtained from the command line.

All software in the AUTOM8N software repository has the tag nDeploy.

[root@li931-182 ~]# rpm -qa|grep nDeploy
nginx-nDeploy-module-redis-1.15.3-2.el7.x86_64
nDeploy-4.6-4.el7.noarch                     # AUTOM8N
csync2-nDeploy-2.0-5.el7.x86_64
nginx-nDeploy-module-echo-1.15.3-2.el7.x86_64
unison-nDeploy-2.48.4-1.el7.x86_64
nginx-nDeploy-module-passenger-1.15.3-2.el7.x86_64
nDeploy-release-centos-1.0-7.noarch
nginx-nDeploy-module-srcache_filter-1.15.3-2.el7.x86_64
nginx-nDeploy-1.15.3-2.el7.x86_64            # Nginx
gdnsd-nDeploy-2.4.0-5.el7.x86_64
nginx-nDeploy-module-set_misc-1.15.3-2.el7.x86_64
nginx-nDeploy-module-redis2-1.15.3-2.el7.x86_64

Upgrading AUTOM8N and Nginx

yum --enablerepo=ndeploy upgrade '*nDeploy*'
/opt/nDeploy/scripts/attempt_autofix.sh

# Ensure Nginx has a valid Config
nginx -t

# Restart nginx if Required
needs-restarting |grep nginx && service nginx restart

AUTOM8N cluster upgrade

Upgrade the master and slave individually

yum --enablerepo=ndeploy upgrade '*nDeploy*'

# Do the following on the master only
/opt/nDeploy/scripts/attempt_autofix.sh

cd /opt/nDeploy/conf/nDeploy-cluster
ansible-playbook -i ./hosts cluster.yml

Migrating AUTOM8N settings

If you are migrating all the cPanel accounts to a new server:

  1. Do the cPanel migration
  2. Install AUTOM8N on the new server
  3. Edit the file /opt/nDeploy/scripts/migrate_xtendweb_settings.sh and change REMOTE_SERVER='ip.ip.ip.ip' and SSH_PORT to the new server's IP and SSH port
  4. Run the script /opt/nDeploy/scripts/migrate_xtendweb_settings.sh # Input the password of the remote server whenever prompted

Temporarily disable the plugin

/opt/nDeploy/scripts/cpanel-nDeploy-setup.sh disable

Uninstall the plugin

/opt/nDeploy/scripts/cpanel-nDeploy-setup.sh disable
yum remove nginx-nDeploy nDeploy

Remove Obsolete PHP-FPM selector plugin

/opt/nDeploy/scripts/init_backends.py httpd-php-uninstall
/opt/nDeploy/scripts/attempt_autofix.sh
/usr/local/cpanel/scripts/uninstall_plugin /opt/nDeploy/PHPfpmSelector