Skip to main content

Recommended Settings for CloudPanel

ivan@ivancarlos.com.br
Updated

Disabling Unused Services:

MariaDB

  • This is CloudPanel's default database service, compatible with MySQL commands
  • Disable it if you are not using this database
sudo systemctl disable mariadb --now

PHP.FPM

  • These are the services that allow PHP applications to run
  • Disable them if you are not using PHP applications; you can disable only the unused versions. PHP sites use PHP 8.0 by default and can be changed through the configuration panel. If PHP 8.0 is disabled, some processes such as creating PHP sites may fail.
sudo systemctl disable php7.1-fpm --now
sudo systemctl disable php7.2-fpm --now
sudo systemctl disable php7.3-fpm --now
sudo systemctl disable php7.4-fpm --now
sudo systemctl disable php8.0-fpm --now
sudo systemctl disable php8.1-fpm --now
sudo systemctl disable php8.2-fpm --now
sudo systemctl disable php8.3-fpm --now
sudo systemctl disable php8.4-fpm --now

Less Commonly Used Service Packages:

  • Memcached: This is an object caching system equivalent to Redis
  • Postfix: This is a service for sending and delivering email messages
  • ProFTPD: This is a service that enables FTP access
  • Uncomplicated Firewall: This is a good firewall to protect open ports on the operating system when exposed to the internet
  • Varnish: This is a good page caching system but depends on webservice handling
sudo systemctl disable memcached --now
sudo systemctl disable postfix --now
sudo systemctl disable proftpd --now
sudo systemctl disable ufw --now
sudo systemctl disable varnish --now

Important Panel Settings:

  • Panel site backup: https://[domain]/admin/remote-backup
  • Panel domain (default port: 8443): https://[domain]/admin/settings
  • Panel time zone: https://[domain]/admin/instance/settings
  • User 2FA: https://[domain]/security
  • User time zone: https://[domain]/settings

Important Shell Settings:

Redis recommends that the vm.overcommit_memory setting is always 1, and a bind configuration that is not yet available can prevent Redis from starting. You can run the lines below to add vm.overcommit_memory = 1 and net.ipv4.ip_nonlocal_bind = 1 to the /etc/sysctl.conf file, and then apply the configuration by running sysctl -p.

{
  # 1. Handle vm.overcommit_memory
  if grep -q "^vm.overcommit_memory" /etc/sysctl.conf; then
    sudo sed -i 's/^vm.overcommit_memory.*/vm.overcommit_memory = 1/' /etc/sysctl.conf
  else
    echo "vm.overcommit_memory = 1" | sudo tee -a /etc/sysctl.conf
  fi

  # 2. Handle net.ipv4.ip_nonlocal_bind
  if grep -q "^net.ipv4.ip_nonlocal_bind" /etc/sysctl.conf; then
    sudo sed -i 's/^net.ipv4.ip_nonlocal_bind.*/net.ipv4.ip_nonlocal_bind = 1/' /etc/sysctl.conf
  else
    echo "net.ipv4.ip_nonlocal_bind = 1" | sudo tee -a /etc/sysctl.conf
  fi

  # 3. Apply changes immediately
  sudo sysctl -p
}

You can check if Redis shows this recommendation or any other error in its log by running:

sudo tail -f /var/log/redis/redis-server.log

You can check the execution queries that reach Redis with this command: 

redis-cli monitor

Important vhost settings:

Main nginx configuration, including removal of the old GeoIP and updating security header rules:

Redefines nginx rules, including removal of GeoIP, performance and security optimizations, and usually does not impact applications:

sudo tee /etc/nginx/nginx.conf > /dev/null << 'EOF'
user root;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 2000;
    # multi_accept on;
}

http {
    real_ip_recursive on;
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    client_max_body_size 64M;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 128;
    server_tokens off;
    port_in_redirect off;
    disable_symlinks if_not_owner from=/home/;

    map $scheme $fastcgi_https { ## Detect when HTTPS is used
      default off;
      https on;
    }

    include /etc/nginx/blocked_ips;

    pagespeed off;
    pagespeed XHeaderValue 1;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_conf_command Options KTLS;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=static:5m rate=30r/s;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    brotli on;
    brotli_comp_level 6;
    brotli_static on;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    include /etc/nginx/sites-enabled/*.conf;
    
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
}
EOF

sudo tee /etc/nginx/global_settings > /dev/null << 'EOF'
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "geolocation=(), microphone=(), accelerometer=(), camera=(), gyroscope=(), magnetometer=(), payment=(), usb=(), display-capture=(), midi=()" always;
add_header Content-Security-Policy "img-src https: data:; script-src 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self' 'unsafe-inline' blob: https:; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https:; frame-src 'self' blob: https:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri about: https:; upgrade-insecure-requests;" always;
add_header alt-svc 'h3=":443"; ma=86400' always;
EOF

sudo find /etc/nginx -type f -exec sed -i '/GEOIP_/Id' {} +
sudo rm -f /etc/nginx/proxy.conf
sudo rm -rf /etc/nginx/geoip
sudo nginx -t && sudo systemctl reload nginx

Installing Specific Systems on CloudPanel:

For YOURLS installations, where it is necessary to change the search for index.php to yourls-loader.php, modify the try_files $uri $uri/ /index.php?$args; entry as follows:

 ### BEGIN custom entry for YOURLS
 try_files $uri $uri/ /yourls-loader.php$is_args$args;
 # try_files $uri $uri/ /index.php?$args;
 ###  END custom entry for YOURLS

Done!

Was this article helpful?

0 out of 0 found this helpful
Return to top

Related articles