Installing an email server (Listmonk, PostgreSQL) on a new vhost, in addition to a forum (Xenforo)

I set up Centmin mod (on a $5 Hetzner server) to host a Xenforo forum on forum.domain2.com. I already had an email server (running Listmonk) set up on AWS EC2 on mail.domain1.com using these directions.

---

Listmonk's only dependency seems to be PostgreSQL. I used it with docker because those were the existing directions (I'm a noobie that manages to follow step-by-step guides), but perhaps it would be easier to do it without docker if I were installing it onto a CMM vhost. But all the guides I've found so far have been using docker.

My AWS 1 year free tier is ending so I'm thinking that it should be fine and simple enough to do this:

1. Use these directions https://centminmod.com/nginx_domain_dns_setup.html to create a new vhost for mail.domain1.com
2. Install PostgreSQL https://community.centminmod.com/th...l-to-version-11-branch-in-123-09beta01.16579/
3. Somehow connect the Postgres server to the new vhost.
4. Other configuration? Other conflicts I may have to worry about?

 

The test plan:

1. Create a snapshot of my current server, then create a new cloud server with that snapshot.
   
2. Install PostgreSQL per https://community.centminmod.com/threads/24124/
   
3. Install Docker per https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-centos-7
   
4. Create a "test1.mysite.com" subdomain pointed to the new IP/server. Won't bother trying to get a 2nd version of the forum running.
   
5. Create a new vhost for the test site. I think the directions at https://centminmod.com/nginx_domain_dns_setup.html are outdated or don't show new options from the beta. I think you can simply do centmin menu option 2, then during the "Create a self-signed SSL certificate Nginx vhost?" part, you get more options and when you get 4 options choose "cert with HTTPS default" (option 2 or 4). Then you shouldn't have to worry about http to https redirects.
   
6. Install listmonk into "/home/nginx/domains/test1.mysite.com/public". Not sure if that's correct.
   
7. Access listmonk via test1.mysite.com.

After step 1, when I go to the IP address there's a popup to login. After logging in I get the "Centmin Mod Nginx Test Page". Same after step 4 for test1.mysite.com. After step 5 it loads the new html page.

At the end of step 6 I got an error: https://github.com/knadh/listmonk/issues/1573 + "psql" gives an error.

I noticed that in both of the sample nginx configs below they use "proxy_pass". So I added "proxy_pass http://localhost:9000;" to my "test1.mysite.com.ssl.conf" and ran "ngxrestart" but it didn't make a difference. I tried with "proxy_pass http://127.0.0.1:9000;" and "proxy_pass http://0.0.0.0:9000;" too.

------------------------------------------------------------------------------------------

Other info:

I found these two videos helpful for understanding the basics of setting up a vhost:

• NGINX Fundamentals - Creating a Virtual Host
• How to deploy multiple websites in a single Nginx server | Virtual Host

I looked at eva's Sendy configs for reference, but didn't understand all the changes/settings, and I don't think the password/IP protection for the login page is necessary/doable, since you only get to /admin after you enter your user & PW on the public page: https://demo.listmonk.app. But perhaps it would make sense to protect the /admin page. Though maybe not since there's a public API anyway?

Sample nginx configs for listmonk:

• https://github.com/knadh/listmonk/issues/684#issuecomment-1026480289
• https://github.com/knadh/listmonk/issues/778#issuecomment-1100119710

Namecheap vs Cloudflare, DDoS protection:
I have my current listmonk server on AWS EC2 and the domain & DNS on Namecheap, and my forum on Cloudflare. From what I understand, I should point the Namecheap DNS to Cloudflare's DNS so I can enable Cloudflare's proxy to protect the IP.

Even though I have my "forum.my2ndsite.com" proxied with Cloudflare, if I simply pointed my Namecheap site/DNS to the same IP via "listmonk.my1stsite.com", that would then expose the IP. People who are using Namecheap's default/basic DNS are just lucky that they haven't been targeted by DDoS yet?

People in the comments here don't seem to be fans of Cloudflare, so I'm wondering if the extra hassle is even worth it. According to this 2022 Stackoverflow comment, Namecheap has its own CDN - Supersonic CDN. In my Namecheap control panel it doesn't look like Supersonic CDN is enabled, and they want me to pay for their PremiumDNS to get DDoS protection.

I don't really understand why/if it's necessary, since my server host (Hetzner) has their own DDoS protection. Maybe this thread answers it (Cloudflare specializes in it so should be better).

Wow, Namecheap's Supersonic CDN was a major problem:
You can't toggle their CDN for a subdomain (or even a domain) like you can with Cloudflare. I tried to turn on their CDN for test1.mysite.com and it killed my site and permanently deleted all the IP records. Thankfully Namecheap's support is 24/7 and they were able to reverse the changes.

They said "Currently, our Supersonic CDN can be easily set up with domains that use our Shared hosting or EasyWP only".

I guess my only option is to switch all the records over to Cloudflare.

I wonder if there would be any issues with putting a CDN in front of an email server. IE: I wonder if people might get captchas when clicking "unsubscribe" and thus be more likely to mark emails as spam. I also wonder if it may mess with statistics such as open rates.

I searched the listmonk and mautic (a similar program) issues and the only problems I found with Cloudflare are when you turn on javascript minify. But it looks to have been fixed.

 

I found a good hint here https://stackoverflow.com/questions...isten-tcp-0-0-0-03306-bind-address-already-in for the error I got.

Code:

sudo netstat -nlpt |grep 9000
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      62239/php-fpm: mast

I guess "mast" = master. I did a search for "php fpm port 9000 mast" but didn't find much useful info.

I guess I have to either change the port for php-fpm or listmonk. I'm wondering if it's simple to change for php-fpm or might it cause problems and I should try to change listmonk's port instead?

 

The port issue seems to be resolved, but I'm getting a "502 Bad Gateway nginx" when I visit test1.mysite.com. I'm probably missing something simple but I can't think of anything.

Enabling Cloudflare's orange proxy for the subdomain results in:

Code:

This page isn’t working right now test1.mysite.com redirected you too many times.
To fix this issue, try clearing your cookies.
ERR_TOO_MANY_REDIRECTS

My test1.mysite.com.ssl.conf is:

Code:

#x# HTTPS-DEFAULT
 server {
   listen   80;
#x#   listen   [::]:80;
   server_name test1.mysite.com www.test1.mysite.com;
   return 302 https://test1.mysite.com$request_uri;
   root /home/nginx/domains/test1.mysite.com/public;
   include /usr/local/nginx/conf/staticfiles.conf;
 }

#      

server {
  listen 443 ssl http2;
 
  server_name test1.mysite.com www.test1.mysite.com;

  include /usr/local/nginx/conf/ssl/test1.mysite.com/test1.mysite.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/test1.mysite.com/origin.crt;
  #ssl_verify_client on;
 
 
 
  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/test1.mysite.com/log/access.log combined buffer=256k flush=5m;
  #access_log /home/nginx/domains/test1.mysite.com/log/access.json main_json buffer=256k flush=5m;
  error_log /home/nginx/domains/test1.mysite.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/test1.mysite.com/autoprotect-test1.mysite.com.conf;
  root /home/nginx/domains/test1.mysite.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;
 
  proxy_pass http://127.0.0.1:9000;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Wordpress Permalinks example
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  }

  include /usr/local/nginx/conf/php.conf;
 
  include /usr/local/nginx/conf/pre-staticfiles-local-test1.mysite.com.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

I removed

Code:

  proxy_pass http://127.0.0.1:9000;

and ran ngxrestart, and now I get the "Welcome to test1.mysite.com Powered by CentminMod Nginx Server"

I put it back and ran ngxrestart again and I get the 502 bad gateway nginx.

 

Hmm, on my forum I have HTTPS default as well, and I also have both "Automatic HTTPS Rewrites" and "Always Use HTTPS" turned ON in Cloudflare, seemingly without issue. I tried anyway to turn both of those Cloudflare options OFF for the listmonk test site and it didn't make a difference. When I enabled the orange proxy it still results in the "too many redirects" error.

 

I set it to "Full" and that results in this Cloudflare 502 bad gateway error cloudflare-502-bad-gateway-error.png (1693×1370) (freecodecamp.org)

Not sure if it's related but when setting up the vhost I chose the dummy/test certificate option. But after a bit more research it seems that having a dummy cert should only be an issue if I use "Full (strict)". So there must be some other problem with my configs.

According to the error logs it seems to be some issue with php fpm https://github.com/knadh/listmonk/issues/1004#issuecomment-1788452695.

In /home/nginx/domains/test1.mysite.com/log/error.log there's a bunch of

Code:

2023/10/31 06:42:57 [error] 62193#62193: *96 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: <IP>, server: test1.mysite.com, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:9000/", host: "test1.mysite.com"

I found this related thread -- upstream prematurely closed connection while reading response header from upstream -- where they fixed it by switching servers...

This thread -- 502 Bad Gateway -- where they solved it by removing "PHPDEBUGMODE=y" from their config (doesn't apply to me).

Found a suggestion to "restart your FastCGI process or server"

Code:

service php-fpm restart
Redirecting to /bin/systemctl restart php-fpm.service

No change.

My php-fpm error logs are completely empty /var/log/php-fpm. "cminfo phpstats" doesn't seem to output anything useful.

This https://community.centminmod.com/threads/how-to-troubleshoot-optimize-php-fpm-server.15317/ seems pretty complicated. It seems that we have to read through this https://www.php.net/manual/en/install.fpm.configuration.php and play around with the values. I'm doubtful that such complicated tweaking is required to run something as simple as listmonk, especially when thousands of people use it and no one else has reported this isssue. It seems more likely that there's still some conflict with php-fpm and listmonk.

My guess is that it's something as simple as missing a line like this https://support.plesk.com/hc/en-us/...r-while-reading-response-header-from-upstream. But I don't know what the listmonk equivalent would be.

I haven't gotten a response yet on the listmonk github, so I tried to do some tweaking:

I found this https://www.digitalreborn.com/fix-nginx-connection-reset-by-peer-upstream/ which seems to be the only page guiding you through tweaking the values. It says to put these two at the same values, and they already are:

Code:

/usr/local/nginx/conf/nginx.conf
keepalive_requests 100000;

/usr/local/etc/php-fpm.conf
pm.max_requests = 100000

The permission suggestion seems like it could be a possibility. But I don't have a /var/lib/php/ folder and don't see it listed here https://centminmod.com/configfiles.html.

There's no session.save_path in either of the php.ini files in /etc/centminmod/php.d.

For their "change fastCGI timeouts" suggestion, those values don't exist in /usr/local/nginx/conf/nginx.conf.

 

More clues, I got past the 502 error to a broken page: https://github.com/knadh/listmonk/issues/1573#issuecomment-1793331207

 

You said that on Oct 28, and I did subsequently test that.

 

It's gotta be some unique centmin mod/vhost configuration because everyone else is getting it running using the same settings: https://github.com/knadh/listmonk/issues/1590#issuecomment-1812399067

I even cleared out my config file:
/usr/local/nginx/conf/conf.d/test1.mysite.com.ssl.conf

and only put the basic lines that people are sharing and using:

Code:

server {
        listen              443 ssl;
        server_name            listmonk.example.com;

  location / {
        proxy_pass  http://127.0.0.1:9003;
     proxy_set_header   Host            $http_host;
     proxy_set_header   X-Real-IP       $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
    }

}

server {
    listen              80;
    server_name            listmonk.example.com;
      location / {
return 301 https://$host$request_uri;
      }
}

Ran ngxrestart after any change.

 

With `docker ps` right? Yes, I checked that: https://github.com/knadh/listmonk/issues/1573#issuecomment-1786297996 - the following comments here also list more things I tried and checked.

In that example I was first using port 3870, and I also tried 9008, and I'm currently using 5870.

Code:

docker ps
CONTAINER ID   IMAGE                      COMMAND                  CREATED         STATUS                    PORTS                                       NAMES
f3b9c4a688dc   listmonk/listmonk:latest   "./listmonk"             2 minutes ago   Up 38 seconds             0.0.0.0:5870->9000/tcp, :::5870->9000/tcp   listmonk_app
f8d43916e568   postgres:13                "docker-entrypoint.s…"   13 days ago     Up 38 seconds (healthy)   0.0.0.0:9432->5432/tcp, :::9432->5432/tcp   listmonk_db

The 9003 above is what the other person was using, but I had/have 5870 correctly in my nginx & listmonk configs.

 

Well, I found out that the site loads properly on serverIP:5870 and if I change
proxy_pass http://127.0.0.1:5870;
to
proxy_pass http://listmonk.mydomain.com:5870;

then it will load on listmonk.mydomain.com:5870. But it gives the 502 error when I visit the site without the port.

If I set `proxy_pass http://127.0.0.1:5870;` and visit listmonk.mydomain.com:5870 I get:

Code:

The connection for this site is not secure
listmonk.mydomain.com sent an invalid response.
[Try running Windows Network Diagnostics](javascript:diagnoseErrors()).
ERR_SSL_PROTOCOL_ERROR

It seems like it's an issue with the nginx config. But I asked in multiple places and no one seems to know what the problem is:

• https://lemmy.world/post/8756439
• https://stackoverflow.com/questions...port-at-the-end-but-nginx-502-error-without-i - full summary.

I decided to try running nginx inside the docker container, since that's what's currently working for me on another server. I suspected it might conflict with the whole nginx vhost thing https://centminmod.com/nginx_domain_dns_setup.html, and it does seem to conflict with the existing nginx:

Code:

 ⠋ Container listmonk-nginx-1  Starting                                                                                                                    0.0s
Error response from daemon: driver failed programming external connectivity on endpoint listmonk-nginx-1 (3cb6a78a56e37d5ebe04046a0f0eb430a155906e94c267cd4832b9fbcee3bd6b): Error starting userland proxy: listen tcp4 0.0.0.0:443: listen: address already in use

### Reloading nginx ...
service "nginx" is not running
[03:49][root@centos7test listmonk]# sudo netstat -nlpt |grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9628/nginx: master

Again, it's gotta be some unique centmin mod thing because everyone else is getting it running using the same settings.