
Installing an email server (Listmonk, PostgreSQL) on a new vhost, in addition to a forum (Xenforo)

Discussion in 'Other Web Apps usage' started by MaximilianKohler, Oct 10, 2023.

  1. MaximilianKohler

    MaximilianKohler Member

    91
    1
    8
    Jun 23, 2023
    Ratings:
    +11
    Local Time:
    4:16 AM
    I set up Centmin mod (on a $5 Hetzner server) to host a Xenforo forum on forum.domain2.com. I already had an email server (running Listmonk) set up on AWS EC2 on mail.domain1.com using these directions.

    Listmonk's only dependency seems to be PostgreSQL. I used it with docker because those were the existing directions (I'm a noobie that manages to follow step-by-step guides), but perhaps it would be easier to do it without docker if I were installing it onto a CMM vhost. But all the guides I've found so far have been using docker.

    My AWS 1 year free tier is ending so I'm thinking that it should be fine and simple enough to do this:
    1. Use these directions https://centminmod.com/nginx_domain_dns_setup.html to create a new vhost for mail.domain1.com
    2. Install PostgreSQL https://community.centminmod.com/th...l-to-version-11-branch-in-123-09beta01.16579/
    3. Somehow connect the Postgres server to the new vhost.
    4. Other configuration? Other conflicts I may have to worry about?


     
    Last edited: Oct 10, 2023
  2. eva2000

    eva2000 Administrator Staff Member

    50,901
    11,799
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,255
    Local Time:
    10:16 PM
    Nginx 1.25.x
    MariaDB 10.x
    That is pretty dated now. I don't use PostgreSQL, so that routine hasn't been updated. Thanks for the reminder for me to look at this routine.

    I don't have any experience with Listmonk, so I wouldn't know if it is better. Docker does make all the required dependencies easier to install and manage, so it's probably easier to do too.
     
  3. eva2000

    FYI, I just updated 130.00beta01's PostgreSQL routine to use v16 https://community.centminmod.com/threads/24124/ if that is something you want to test. It's provided as is, so you'd need to know how to manage, admin, back up and troubleshoot PostgreSQL stuff yourself :)

    PostgreSQL is installed via their own official YUM repo, so reading their official docs or searching for guides or how-tos should cover your needs.

    I would test on a test VPS and not production server, just to see if it works as you intended first.
     
  4. MaximilianKohler

    The test plan:
    1. Create a snapshot of my current server, then create a new cloud server with that snapshot.
    2. Install PostgreSQL per https://community.centminmod.com/threads/24124/
    3. Install Docker per https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-centos-7
    4. Create a "test1.mysite.com" subdomain pointed to the new IP/server. Won't bother trying to get a 2nd version of the forum running.
    5. Create a new vhost for the test site. I think the directions at https://centminmod.com/nginx_domain_dns_setup.html are outdated or don't show new options from the beta. I think you can simply do centmin menu option 2, then during the "Create a self-signed SSL certificate Nginx vhost?" part, you get more options and when you get 4 options choose "cert with HTTPS default" (option 2 or 4). Then you shouldn't have to worry about http to https redirects.
    6. Install listmonk into "/home/nginx/domains/test1.mysite.com/public". Not sure if that's correct.
    7. Access listmonk via test1.mysite.com.
    After step 1, when I go to the IP address there's a popup to login. After logging in I get the "Centmin Mod Nginx Test Page". Same after step 4 for test1.mysite.com. After step 5 it loads the new html page.

    At the end of step 6 I got an error: https://github.com/knadh/listmonk/issues/1573 + "psql" gives an error.

    I noticed that in both of the sample nginx configs below they use "proxy_pass". So I added "proxy_pass http://localhost:9000;" to my "test1.mysite.com.ssl.conf" and ran "ngxrestart" but it didn't make a difference. I tried with "proxy_pass http://127.0.0.1:9000;" and "proxy_pass http://0.0.0.0:9000;" too.

    ------------------------------------------------------------------------------------------

    Other info:

    I found these two videos helpful for understanding the basics of setting up a vhost:
    I looked at eva's Sendy configs for reference, but didn't understand all the changes/settings, and I don't think the password/IP protection for the login page is necessary/doable, since you only get to /admin after you enter your user & PW on the public page: https://demo.listmonk.app. But perhaps it would make sense to protect the /admin page. Though maybe not since there's a public API anyway?

    Sample nginx configs for listmonk:

    Namecheap vs Cloudflare, DDoS protection:
    I have my current listmonk server on AWS EC2 and the domain & DNS on Namecheap, and my forum on Cloudflare. From what I understand, I should point the Namecheap DNS to Cloudflare's DNS so I can enable Cloudflare's proxy to protect the IP.

    Even though I have my "forum.my2ndsite.com" proxied with Cloudflare, if I simply pointed my Namecheap site/DNS to the same IP via "listmonk.my1stsite.com", that would then expose the IP. People who are using Namecheap's default/basic DNS are just lucky that they haven't been targeted by DDoS yet?

    People in the comments here don't seem to be fans of Cloudflare, so I'm wondering if the extra hassle is even worth it. According to this 2022 Stackoverflow comment, Namecheap has its own CDN - Supersonic CDN. In my Namecheap control panel it doesn't look like Supersonic CDN is enabled, and they want me to pay for their PremiumDNS to get DDoS protection.

    I don't really understand why/if it's necessary, since my server host (Hetzner) has their own DDoS protection. Maybe this thread answers it (Cloudflare specializes in it so should be better).

    Wow, Namecheap's Supersonic CDN was a major problem:
    You can't toggle their CDN for a subdomain (or even a domain) like you can with Cloudflare. I tried to turn on their CDN for test1.mysite.com and it killed my site and permanently deleted all the IP records. Thankfully Namecheap's support is 24/7 and they were able to reverse the changes.

    They said "Currently, our Supersonic CDN can be easily set up with domains that use our Shared hosting or EasyWP only".

    I guess my only option is to switch all the records over to Cloudflare.

    I wonder if there would be any issues with putting a CDN in front of an email server. IE: I wonder if people might get captchas when clicking "unsubscribe" and thus be more likely to mark emails as spam. I also wonder if it may mess with statistics such as open rates.

    I searched the listmonk and mautic (a similar program) issues and the only problems I found with Cloudflare are when you turn on javascript minify. But it looks to have been fixed.
     
    Last edited: Oct 28, 2023
  5. MaximilianKohler

    I found a good hint here https://stackoverflow.com/questions...isten-tcp-0-0-0-03306-bind-address-already-in for the error I got.
    Code:
    sudo netstat -nlpt |grep 9000
    tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      62239/php-fpm: mast
    I guess "mast" = master. I did a search for "php fpm port 9000 mast" but didn't find much useful info.

    I guess I have to either change the port for php-fpm or listmonk. I'm wondering if it's simple to change for php-fpm or might it cause problems and I should try to change listmonk's port instead?
     
  6. eva2000

    Yeah, PHP-FPM's default port is 9000, so you need to change your listmonk port.
     
  7. MaximilianKohler

    The port issue seems to be resolved, but I'm getting a "502 Bad Gateway nginx" when I visit test1.mysite.com. I'm probably missing something simple but I can't think of anything.

    Enabling Cloudflare's orange proxy for the subdomain results in:
    Code:
    This page isn’t working right now test1.mysite.com redirected you too many times.
    To fix this issue, try clearing your cookies.
    ERR_TOO_MANY_REDIRECTS
    My test1.mysite.com.ssl.conf is:
    Code:
    #x# HTTPS-DEFAULT
     server {
       listen   80;
    #x#   listen   [::]:80;
       server_name test1.mysite.com www.test1.mysite.com;
       return 302 https://test1.mysite.com$request_uri;
       root /home/nginx/domains/test1.mysite.com/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #      
    
    server {
      listen 443 ssl http2;
     
      server_name test1.mysite.com www.test1.mysite.com;
    
      include /usr/local/nginx/conf/ssl/test1.mysite.com/test1.mysite.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/test1.mysite.com/origin.crt;
      #ssl_verify_client on;
     
     
     
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/test1.mysite.com/log/access.log combined buffer=256k flush=5m;
      #access_log /home/nginx/domains/test1.mysite.com/log/access.json main_json buffer=256k flush=5m;
      error_log /home/nginx/domains/test1.mysite.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/test1.mysite.com/autoprotect-test1.mysite.com.conf;
      root /home/nginx/domains/test1.mysite.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
      proxy_pass http://127.0.0.1:9000;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/pre-staticfiles-local-test1.mysite.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    I removed
    Code:
      proxy_pass http://127.0.0.1:9000;
    and ran ngxrestart, and now I get the "Welcome to test1.mysite.com Powered by CentminMod Nginx Server"

    I put it back and ran ngxrestart again and I get the 502 bad gateway nginx.
     
  8. eva2000

    Disable the nginx vhost non-HTTPS to HTTPS redirect if you have Cloudflare's HTTPS auto redirect enabled already.
     
  9. MaximilianKohler

    Hmm, on my forum I have HTTPS default as well, and I also have both "Automatic HTTPS Rewrites" and "Always Use HTTPS" turned ON in Cloudflare, seemingly without issue. I tried anyway to turn both of those Cloudflare options OFF for the listmonk test site and it didn't make a difference. When I enabled the orange proxy it still results in the "too many redirects" error.
     
  10. eva2000

    Ensure you have Cloudflare SSL mode set to Full/Full (Strict).
     
  11. MaximilianKohler

    I set it to "Full" and that results in this Cloudflare 502 bad gateway error cloudflare-502-bad-gateway-error.png (1693×1370) (freecodecamp.org)

    Not sure if it's related but when setting up the vhost I chose the dummy/test certificate option. But after a bit more research it seems that having a dummy cert should only be an issue if I use "Full (strict)". So there must be some other problem with my configs.

    According to the error logs it seems to be some issue with php fpm https://github.com/knadh/listmonk/issues/1004#issuecomment-1788452695.

    In /home/nginx/domains/test1.mysite.com/log/error.log there's a bunch of
    Code:
    2023/10/31 06:42:57 [error] 62193#62193: *96 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: <IP>, server: test1.mysite.com, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:9000/", host: "test1.mysite.com"
    I found this related thread -- upstream prematurely closed connection while reading response header from upstream -- where they fixed it by switching servers...

    This thread -- 502 Bad Gateway -- where they solved it by removing "PHPDEBUGMODE=y" from their config (doesn't apply to me).

    Found a suggestion to "restart your FastCGI process or server"
    Code:
    service php-fpm restart
    Redirecting to /bin/systemctl restart php-fpm.service
    
    No change.

    My php-fpm error logs in /var/log/php-fpm are completely empty. "cminfo phpstats" doesn't seem to output anything useful.

    This https://community.centminmod.com/threads/how-to-troubleshoot-optimize-php-fpm-server.15317/ seems pretty complicated. It seems that we have to read through this https://www.php.net/manual/en/install.fpm.configuration.php and play around with the values. I'm doubtful that such complicated tweaking is required to run something as simple as listmonk, especially when thousands of people use it and no one else has reported this issue. It seems more likely that there's still some conflict with php-fpm and listmonk.

    My guess is that it's something as simple as missing a line like this https://support.plesk.com/hc/en-us/...r-while-reading-response-header-from-upstream. But I don't know what the listmonk equivalent would be.

    I haven't gotten a response yet on the listmonk github, so I tried to do some tweaking:

    I found this https://www.digitalreborn.com/fix-nginx-connection-reset-by-peer-upstream/ which seems to be the only page guiding you through tweaking the values. It says to put these two at the same values, and they already are:
    Code:
    /usr/local/nginx/conf/nginx.conf
    keepalive_requests 100000;
    
    /usr/local/etc/php-fpm.conf
    pm.max_requests = 100000
    The permission suggestion seems like it could be a possibility. But I don't have a /var/lib/php/ folder and don't see it listed here https://centminmod.com/configfiles.html.

    There's no session.save_path in either of the php.ini files in /etc/centminmod/php.d.

    For their "change fastCGI timeouts" suggestion, those values don't exist in /usr/local/nginx/conf/nginx.conf.
     
  12. MaximilianKohler

  13. eva2000

    502s are probably this. Listmonk needs a port change as PHP-FPM uses 9000.
     
  14. MaximilianKohler

    You said that on Oct 28, and I did subsequently test that.
     
  15. eva2000

    502 Bad Gateway means nginx failed to connect to the origin backend proxy on listmonk's specified port, which means listmonk itself isn't running properly and the nginx reverse proxy can't connect to it.
     
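The two failure modes behind the 502s in this thread (eva2000's explanation above, the port 9000 clash from posts 5 and 7, and the "recv() failed (104: Connection reset by peer)" log line, which is what you get when nginx speaks HTTP to PHP-FPM's FastCGI socket) can be checked before running ngxrestart. The POSIX shell script below is an added example, not Centmin Mod's or listmonk's own code: it pulls every proxy_pass target out of a vhost config and compares it with a `netstat -nlpt` listing. The function names are the example's own, and the vhost fragment and socket listing embedded in it are constructed from the output posted in this thread (the docker-proxy PID is made up).

```shell
#!/bin/sh
# Added example (not Centmin Mod's or listmonk's code): a pre-flight check for
# an nginx reverse-proxy vhost. It reads every proxy_pass target from a vhost
# config and compares it with a `netstat -nlpt` listing to spot the two
# failure modes in this thread:
#   - nothing listens on the target port     -> nginx answers 502 Bad Gateway
#   - php-fpm owns the port (default 9000)   -> it speaks FastCGI, not HTTP,
#     so nginx logs "recv() failed (104: Connection reset by peer)"
# Function names and the sample data at the bottom are the example's own.

# Print host:port of every "proxy_pass http://..." directive read from stdin.
proxy_targets() {
  sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*http://\([^;/[:space:]]*\).*|\1|p'
}

# Read netstat -nlpt output from stdin; print the program name that owns the
# LISTEN socket on the given port (php-fpm, nginx, docker-proxy, ...), or
# nothing if the port is free. Handles IPv4 (127.0.0.1:9000) and IPv6 (:::5870).
port_owner() {
  awk -v p=":$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, addr, ":")
      if ((":" addr[n]) != p) next
      split($7, prog, "/")          # "62239/php-fpm:" -> prog[2] = "php-fpm:"
      sub(/:.*/, "", prog[2])       # drop the trailing ":" netstat prints
      print prog[2]; exit
    }'
}

# Classify one upstream as "ok", "not-listening" or "fastcgi-not-http".
classify_upstream() {
  target="$1"; sockets="$2"
  case "$target" in
    *:*) port="${target##*:}" ;;
    *)   port=80 ;;                 # "proxy_pass http://host;" implies port 80
  esac
  owner=$(printf '%s\n' "$sockets" | port_owner "$port")
  case "$owner" in
    "")       echo "not-listening" ;;
    php-fpm*) echo "fastcgi-not-http" ;;
    *)        echo "ok" ;;
  esac
}

# Check every proxy_pass in a config string against a socket listing string.
# Returns 0 only if every upstream is a live (non-FastCGI) listener.
preflight() {
  conf="$1"; sockets="$2"; rc=0
  for t in $(printf '%s\n' "$conf" | proxy_targets); do
    case "$(classify_upstream "$t" "$sockets")" in
      ok)               echo "$t: listening, HTTP backend present" ;;
      not-listening)    echo "$t: nothing listening -> expect 502 Bad Gateway"; rc=1 ;;
      fastcgi-not-http) echo "$t: owned by php-fpm (FastCGI, not HTTP) -> expect connection reset"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample input, modelled on the vhost and netstat output in this thread.
SAMPLE_CONF='server {
  listen 443 ssl http2;
  location / {
    proxy_pass http://127.0.0.1:9000;
  }
}'
SAMPLE_SOCKETS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      62239/php-fpm: mast
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9628/nginx: master
tcp6       0      0 :::5870                 :::*                    LISTEN      41211/docker-proxy'

if preflight "$SAMPLE_CONF" "$SAMPLE_SOCKETS"; then
  echo "all upstreams look healthy"
else
  echo "fix the vhost (or start the backend) before running ngxrestart"
fi
```

Against a live box you would feed it the real files instead of the sample strings, e.g. `preflight "$(cat /usr/local/nginx/conf/conf.d/test1.mysite.com.ssl.conf)" "$(netstat -nlpt)"`; run it as root, otherwise netstat leaves the PID/Program name column blank for processes you don't own and every bound port will look like a free one. The same `port_owner` check explains the later docker error in this thread: port 443 is already owned by the host nginx, so a second nginx inside a container cannot bind it.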
  16. MaximilianKohler

    It's gotta be some unique centmin mod/vhost configuration because everyone else is getting it running using the same settings: https://github.com/knadh/listmonk/issues/1590#issuecomment-1812399067

    I even cleared out my config file:
    /usr/local/nginx/conf/conf.d/test1.mysite.com.ssl.conf

    and only put the basic lines that people are sharing and using:
    Code:
    server {
            listen              443 ssl;
            server_name            listmonk.example.com;
    
      location / {
            proxy_pass  http://127.0.0.1:9003;
         proxy_set_header   Host            $http_host;
         proxy_set_header   X-Real-IP       $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
        }
    
    }
    
    server {
        listen              80;
        server_name            listmonk.example.com;
          location / {
    return 301 https://$host$request_uri;
          }
    }
    Ran ngxrestart after any change.
     
  17. eva2000

    Have you confirmed the listmonk instance is running and working on port 9003?
     
  18. MaximilianKohler

    With `docker ps` right? Yes, I checked that: https://github.com/knadh/listmonk/issues/1573#issuecomment-1786297996 - the following comments here also list more things I tried and checked.

    In that example I was first using port 3870, and I also tried 9008, and I'm currently using 5870.
    Code:
    docker ps
    CONTAINER ID   IMAGE                      COMMAND                  CREATED         STATUS                    PORTS                                       NAMES
    f3b9c4a688dc   listmonk/listmonk:latest   "./listmonk"             2 minutes ago   Up 38 seconds             0.0.0.0:5870->9000/tcp, :::5870->9000/tcp   listmonk_app
    f8d43916e568   postgres:13                "docker-entrypoint.s…"   13 days ago     Up 38 seconds (healthy)   0.0.0.0:9432->5432/tcp, :::9432->5432/tcp   listmonk_db
    
    The 9003 above is what the other person was using, but I had/have 5870 correctly in my nginx & listmonk configs.
     
  19. MaximilianKohler

    Well, I found out that the site loads properly on serverIP:5870 and if I change
    proxy_pass http://127.0.0.1:5870;
    to
    proxy_pass http://listmonk.mydomain.com:5870;

    then it will load on listmonk.mydomain.com:5870. But it gives the 502 error when I visit the site without the port.

    If I set `proxy_pass http://127.0.0.1:5870;` and visit listmonk.mydomain.com:5870 I get:
    Code:
    The connection for this site is not secure
    listmonk.mydomain.com sent an invalid response.
    Try running Windows Network Diagnostics.
    ERR_SSL_PROTOCOL_ERROR
    It seems like it's an issue with the nginx config. But I asked in multiple places and no one seems to know what the problem is:

    I decided to try running nginx inside the docker container, since that's what's currently working for me on another server. I suspected it might conflict with the whole nginx vhost thing https://centminmod.com/nginx_domain_dns_setup.html, and it does seem to conflict with the existing nginx:
    Code:
     ⠋ Container listmonk-nginx-1  Starting                                                                                                                    0.0s
    Error response from daemon: driver failed programming external connectivity on endpoint listmonk-nginx-1 (3cb6a78a56e37d5ebe04046a0f0eb430a155906e94c267cd4832b9fbcee3bd6b): Error starting userland proxy: listen tcp4 0.0.0.0:443: listen: address already in use
    
    ### Reloading nginx ...
    service "nginx" is not running
    [03:49][root@centos7test listmonk]# sudo netstat -nlpt |grep 443
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9628/nginx: master
    
    Again, it's gotta be some unique centmin mod thing because everyone else is getting it running using the same settings.
     
  20. eva2000

    If you cleared out the SSL certificate and SSL config files as per https://community.centminmod.com/th...addition-to-a-forum-xenforo.24123/#post-97789, then yes, you won't have working SSL on the subdomain.