Regify provider appliance tech


Appliance Tips

Appliance Shutdown

If you want to turn off the regify Provider Appliance, exit the appliance menu, log in as root and enter

> shutdown -h now

You may need to use sudo if you logged in only as 'regify' or used the 'drop to shell' option.

If you can no longer log in by SSH, consider using the direct shell access (terminal) of your hosting tools.

Activating regibox

To activate regibox on your regify provider, please follow these steps:

  1. Make sure that you run the most recent appliance version (Appliance-menu "Check for Updates").
  2. Provide an adequate SMB-share in your network-range.
  3. Activate regibox in your provider appliance menu and enter the SMB path (check regify provider appliance manual).
  4. If your regify provider was not installed in 2016 or later, you may need to activate the menu option "X" (Web-Admin -> "Manage sub-providers" -> "Manage sub-provider menu flags"). This must be done for every sub-provider (if you have any).
  5. If you want to activate regibox by default for all new regify accounts, please edit the regify-provider main configuration file and add
    define('ENABLE_RGB_FOR_ALL', TRUE);
    (Web-Admin -> "Manage sub-providers" -> "Edit main provider configuration file"). If you do not set this flag, new regify users will not have regibox activated by default.
    Important: Activated regibox users incur costs, based on the regular regify price list!
  6. You can also redefine the regibox default size for all users with no individual regibox size (default is 2GB). For this, add the following to your regify-provider main configuration file:
    define('MAXBOXSIZE', 5); // new default size 5 GB
    This will set the default size to 5GB. If needed, you can override the default value in the individual user's product settings.

PostFix E-Mail Service

The regify Provider Appliance runs a PostFix server as MTA or SmartHost. You can use the following tricks to get a closer look:

To show the mail log (continuously):

> tail -f /var/log/maillog

To investigate the mail log (look and search using vim):

> vim /var/log/maillog

To see the queue status:

> mailq

To flush the mail queue (for example, after you changed something):

> postqueue -f

Delete all deferred messages in your mailqueue (remove all hanging and/or delayed):

> postsuper -d ALL deferred

Delete a specific message (get the queue ID from the mailq command):

> postsuper -d <queue_id>

Logfiles

You can find most logs in

> /var/log/
> /var/log/httpd/

Timeserver

Sometimes your NTP does not sync because the time difference is too big. You can force a re-sync with the following lines (as root):

systemctl stop ntpd
ntpdate 0.pool.ntp.org
systemctl start ntpd

Scaling

If the server becomes unresponsive and the number of httpd processes reaches 256, you need to increase the number of available Apache httpd processes. This applies especially if you offer regibox, because every regibox manager needs its own continuously running httpd process.

Check the number of running httpd processes like this:

ps -ef | grep '[h]ttpd' | wc -l

If you want to set new settings for 600 processes, create a new file limits.conf in your /etc/httpd/conf.d/ folder:

vim /etc/httpd/conf.d/limits.conf

Add the following content:

Timeout 120
KeepAlive Off
MaxKeepAliveRequests 0
KeepAliveTimeout 15 

<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers    20
ServerLimit        600
MaxRequestWorkers  600
MaxConnectionsPerChild  1000
</IfModule>

Then restart the web server using the appliance menu(!) in Provider... -> Stop/Start Webserver. Please do not restart using apachectl or systemctl, because this will not restart the websocket servers and will take a very long time! Use the appliance menu!

IMPORTANT: You need to monitor your memory! Every running httpd process needs memory (around 1MB each). There must be enough memory for all 600 processes running during high load.

Networking

SSH login information

In order to find out what source IP address your current SSH session is using, try this:

echo $SSH_CLIENT

This is very useful for limiting the SSH access in "Network..." -> "Advanced Settings..." -> "SSH settings".

Networking Diagnostics

If you have any other networking issues, please always use the diagnostics first! Enter your regify appliance menu (from command line type "providerConfig" or "regigateConfig" if you are not yet in the menu) and go to "Network..." -> "Run Diagnostics". The result should point you to most of the possible sources.

Certificates

Upgrade or renew existing SSL certificate

NOTE: All your certificates and the key must be in PEM format. The regify appliance cannot deal with IIS certificate formats like .cer or .p7. If you only have such files, you may want to convert them using OpenSSL (Google is your friend).

In order to upgrade/renew an existing SSL certificate, simply follow this guide:

  • Step 1: Get certificate signing request
    • Log in to the regify provider appliance menu (SSH or PuTTY)
      • Hint: If you log in as root, you need to type providerConfig to run the menu.
    • Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
    • Select "Show Cert Request"
    • Fill in or update your certificate values (or simply select "OK")
    • Copy the certificate request and have it signed by your certificate vendor (please ensure compatibility with Apache or ModSSL)
  • Step 2: Prepare the signed certificate
    • In most cases, the certificate you bought consists of the final certificate and some more intermediate certificates.
    • It turned out to be helpful if you open up your favorite text editor to copy all intermediate certificates and the final signed certificate into one file.
    • The order is not important. Only your signed cert and all intermediate certs must be in here.
    • Use this compiled information for copy & paste in the next step.
  • Step 3: Install signed certificate
    • Log in to the regify provider appliance menu (SSH or PuTTY)
      • Hint: If you log in as root, you need to type providerConfig to run the menu.
    • Enter "Provider..." -> "Edit Subprovider..." and select your provider to update
    • Select "Import Cert & Optionally Key"
    • Paste the signed certificate and all intermediate certificates (certificate chain) into the window and confirm using CTRL+D
  • Step 4: Test it
    • Please go to some SSL certificate test tool like ssl-checker and verify your domain for a valid certificate.

If you have any problems with this, please contact support (at) regify.com.
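The format note and Step 2 above, as an added example (not regify code): the script detects each vendor file's format from its content, converts DER and PKCS#7 files to PEM with the openssl command-line tool, and writes one bundle holding only certificate blocks. The function names and the input file names are assumptions.

```shell
#!/bin/sh
# Added example, not regify code. Function and file names are assumptions.

# Count the certificates in a PEM file.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Classify a vendor file by its content, not by its extension.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem-cert
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then echo pem-pkcs7
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then echo der
    else echo unknown
    fi
}

# Keep only certificate blocks: drops "Bag Attributes"/subject= lines and
# Windows line endings, which tend to break copy and paste.
pem_blocks() {
    tr -d '\r' | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Write every certificate found in FILE to stdout as PEM.
to_pem() {
    case "$(cert_format "$1")" in
        pem-cert)  pem_blocks < "$1" ;;
        pem-pkcs7) openssl pkcs7 -print_certs -in "$1" | pem_blocks ;;
        der)       { openssl x509 -inform DER -in "$1" 2>/dev/null ||
                     openssl pkcs7 -inform DER -print_certs -in "$1"; } | pem_blocks ;;
        *)         echo "unsupported format: $1" >&2; return 1 ;;
    esac
}

# build_bundle OUT FILE...: one PEM file with the signed certificate and all
# intermediates; prints the number of certificates written.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        before=$(count_certs "$out")
        to_pem "$f" >> "$out" || return 1
        [ "$(count_certs "$out")" -gt "$before" ] ||
            { echo "no certificate found in $f" >&2; return 1; }
    done
    count_certs "$out"
}

if [ "$#" -ge 2 ]; then build_bundle "$@"; fi
```

The printed count should equal the signed certificate plus the number of intermediates your vendor delivered; the resulting file is what gets pasted in Step 3.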

SMS gateway

You can find information about the SMS gateway at the regify homepage. Re-run your regify web administration wizard (provider maintenance dialogue) to change your SMS gateway settings.

Changing the clearing password

Beginning with regify provider V4.1, the hash codes of the users' passwords are encrypted using the SHA256 of the clearing password. Thus, if your clearing password has changed, all encrypted passwords in the database need to be recalculated. Luckily, there is a function in your provider maintenance dialogue to do this automatically. If you run a redundant system with a master-master or master-slave configuration, you need to update the clearing password on both systems. Follow this guide to do a clearing-password update:

  1. Create a backup of your provider database (refer to #Backup_and_recovery).
  2. Enter the provider maintenance dialogue of your regify provider web administration.
  3. If you run a redundant system, please use a second web-browser instance now(!) and also log in to the second one.
  4. Make sure your system(s) are in maintenance mode. This prevents users from registering and logging in during your work. Normally, if clearing has changed the password, this has happened automatically.
  5. Enter the provider maintenance dialogue of your regify provider web administration.
  6. Click "Change clearing password now" and activate the function.
  7. Enter the old (current) clearing password and enter the new one (twice).
  8. Click on "Change clearing password now" and start the recalculation.
  9. If you do not run a redundant system, jump to the last step now.
  10. Switch to the already open web administration of the second system.
  11. Click "Change clearing password now" and activate the function.
  12. Enter the old (current) clearing password and enter the new one (twice).
  13. Click on "Change clearing password now" and start the recalculation.
  14. Done. Validate all your login functions.

Install VMWare Tools

1) Please respect the licence and support information about third party software on the regify provider appliance. You can find this information in your regify appliance manual. In short, you are not allowed to install anything except software that is essentially needed for running the appliance in a virtual environment. No other RPM repositories allowed!

2) Choose to install or update VMWare tools for your virtual machine. This will create a new CD-ROM device for the regify provider software appliance.

3) Enter in terminal:

mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VMwareTools-*.tar.gz /tmp
umount /mnt/cdrom
tar -zxf /tmp/VMwareTools-*.tar.gz -C /tmp
cd /
./tmp/vmware-tools-distrib/vmware-install.pl --default
rm -f /tmp/VMwareTools-*.tar.gz
rm -rf /tmp/vmware-tools-distrib

Sometimes, you might need to mount /dev/sr0 instead of /dev/cdrom.

4) Check if the VMWare tools are running:

/etc/init.d/vmware-tools status

Manually run the updates

In order to manually run the updates for the provider and regigate without SSH GUI, simply execute

yum upgrade

Enable NAGIOS support

Please note that we ship the NAGIOS modules, but you need to know and understand NAGIOS and how it works. regify does not support you in setting up your monitoring environment.

To enable NRPE, edit /etc/nagios/nrpe.cfg to fit your needs, then run

chkconfig nrpe on
/etc/init.d/nrpe start

Now the firewall must be opened. Open /etc/sysconfig/iptables and locate the following line:

-A INPUT -i lo -j ACCEPT

Below this, please add the following new line:

-A INPUT -m state --state NEW -s <your_nagios_ip> -m tcp -p tcp  --dport 5666 -j ACCEPT

Now save and close these changes.

To enable the new rule, restart iptables:

/etc/init.d/iptables restart
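A check for the rule added above, as an added example (not regify code): it confirms that every ACCEPT rule for port 5666 carries a source restriction and that the same source is listed in the standard NRPE `allowed_hosts` directive of nrpe.cfg. The function names are assumptions, and sources are compared as exact strings, so write the address the same way in both files.

```shell
#!/bin/sh
# Added example, not regify code. Paths default to the files named above.

# Print the source of each INPUT rule that accepts tcp/5666 ("any" when
# the rule has no -s option or allows 0.0.0.0/0).
nrpe_rule_sources() {
    awk '/^-A INPUT/ && /--dport 5666( |$)/ && /-j ACCEPT/ {
            src = "any"
            for (i = 1; i < NF; i++)
                if ($i == "-s" || $i == "--source") src = $(i + 1)
            if (src == "0.0.0.0/0") src = "any"
            print src
        }' "${1:-/etc/sysconfig/iptables}"
}

# Return 0 only if a rule for 5666 exists and none of them is open to any source.
nrpe_firewall_ok() {
    sources=$(nrpe_rule_sources "$1")
    [ -n "$sources" ] || return 1
    ! printf '%s\n' "$sources" | grep -qx any
}

# List the hosts NRPE itself accepts (allowed_hosts in nrpe.cfg), one per line.
nrpe_allowed_hosts() {
    sed -n 's/^[[:space:]]*allowed_hosts[[:space:]]*=//p' "${1:-/etc/nagios/nrpe.cfg}" |
        tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# nrpe_sources_match RULES CFG: return 0 if every firewall source for 5666
# is also listed in allowed_hosts.
nrpe_sources_match() {
    hosts=$(nrpe_allowed_hosts "$2")
    for src in $(nrpe_rule_sources "$1"); do
        printf '%s\n' "$hosts" | grep -qxF -- "$src" || return 1
    done
}
```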