TinyCP – Review, Duo Auth, AWS SES, WP Nginx Config

Hello!

It has yet again been a very long time since I felt compelled to write a blog post. In fact, I’m not even sure I can justify calling this my blog anymore; rather, it’s more a “collection of Johnathan’s random thoughts every 2-3 years”. Still. Here we are and off we go.

Backdrop – ServerPilot.io

I wasn’t looking for a new Hosting CP for my server. I had been using a grandfathered free installation of ServerPilot.io for about 4 years (possibly 5?). It did everything I needed with minimal fuss. Allowed me to create sites, centralised configuration and did most of what I wanted without issue. I started running into issues when I wanted to enable SSL on one of my sites. They do offer a paid upgrade to take care of this for you but I thought I could work around it because I’ve used https://letsencrypt.com in the past. It wouldn’t be too difficult?

Sadly it proved otherwise. Trying to force my way around ServerPilot’s automatic reconfiguration of things any time you save something made it awkward and difficult, to the point that I managed to brick the installation. I had been running it on a t2.small instance from AWS for ages and had been meaning to rebuild it anyway, and this was the catalyst.

Enter TinyCP

I stumbled across https://tinycp.com/ whilst Googling for a new panel. I’ve used Plesk, cPanel, Webmin and a host of others in the past but they’ve all grown so clunky and complex for what I needed. Host about four websites, all running WordPress and maybe the odd project or two that I work on in the background. I don’t need to run a hosting business from the panel, I just needed something simple that took care of the Web Server, Databases and Email.

TinyCP covers all of those requirements perfectly. I was up and running within about 5 minutes which is testament to how easy the installation was on a fresh install of Ubuntu 18.08. As far as reviews go – I can’t sum it up any more succinctly than that. This is a great little hosting panel that takes care of a range of common tasks, and also has built in automatic configuration with LetsEncrypt. WIN.

Duo Auth

I’m a big fan of Duo Auth; I use it on all of my personal servers. For those not familiar, it gives a Push-To-Client 2FA solution for connectivity via Remote Desktop and SSH. It can do a bunch of other things but those are my main uses. Combining it with Private Key SSH on an IP restricted port provides a really strong remote access security posture for your personal projects. Configuration on an Ubuntu 18.08 install with TinyCP is super straightforward too.

I won’t regurgitate it in full but there are a couple of points I want to make.

  • Because AWS deploys with Private Key SSH by default, you’ll want to use this guide for installation – it should “just work”: https://duo.com/docs/duounix
  • When following that guide, when you reach the section titled ‘PAM Examples’ and you select the Ubuntu tab, be aware that these are two different options! I made the mistake of thinking both were required and ended up with odd behaviour including Duo prompting for a local password and also prompting me twice for the Duo Push.
  • https://emtunc.org/blog/01/2016/setting-duo-security-ubuntu-server-2fa/ is also a useful resource – it’s written for Ubuntu 14.04 but not much has changed.

TinyCP Deployed with AWS Simple Email Service (SES)

Why SES

Networks in AWS have port 25 blocked by default. This is very sensible behaviour from them and one I’m fully supportive of. It’s still possible to have this restriction lifted but generally speaking there’s no real need to, since SES provides an in-effect-free SMTP Relay/SmartHost target. Yes, you will need to pay for it if you’re sending thousands of emails a day, but if you’re doing that … you’re probably not reading this blog for tips, are you? For my purposes (WordPress password resets, the occasional notification email) the free tier is perfect and was a good opportunity to see how flexible TinyCP could be in terms of configuration.

TinyCP Base Setup

TinyCP utilises a combination of Exim4 and Dovecot for its email platform and right out of the box, it’s very simple to set up and use. I did have one small issue with getting Outlook to connect on IMAP using STARTTLS but that was resolved by enabling plaintext auth:

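# Dovecot configuration file: allow plaintext auth mechanisms
disable_plaintext_auth = no
# Shell: restart, then print the active values (ssl = required is what keeps logins on TLS)
service dovecot restart && doveconf disable_plaintext_auth ssl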

Note here that the connection is still forced over TLS so plaintext isn’t as scary as it sounds. I don’t plan on using the Mailbox element of TinyCP at all really but I did want to make sure it worked.

Modifications to make it work with SES

Again, I’m not going to regurgitate the already plentiful instructions out there on how to do initial setup in SES. I used this guide specifically: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-exim.html

Where I got confused was when diving into the server’s Exim4 configuration. As it’s set up by TinyCP, you’ll find two locations of interest:

/etc/exim4/conf.d/
/etc/exim4/exim4.conf

The confusing part for me was that the conf.d directory contains a whole bunch of config, and I spent ages rabbit-holing, thinking all of it was relevant. It isn’t. All of the config you care about should be done in the latter file, /etc/exim4/exim4.conf. Follow the instructions on the link above, make sure you put it all in the exim4.conf file, and you should be golden after a restart of the service.

SES Gotchas

Bear in mind that for new setups, you’ll be in an SES Sandbox – i.e. you can’t email outbound, only to your own verified domains. You’ll need to raise a support case to be removed from the Sandbox.

TinyCP Gotchas

If your server restarts, TinyCP is going to overwrite the exim4.conf file and all your modifications will be lost. I’ve not yet found a sensible way to avoid this. It does have a concept of custom configuration which can be added to the /etc/exim4/exim-custom.conf file; however, I think this is intended more for run parameters like maximum attachment sizes and the like. To have your own custom Routers/Transports/Auths that you’ll need for AWS SES, you really need to add these to the /etc/exim4/exim4.conf file.

I think (I’m not 100% sure) if TinyCP had made use of the split out config files inside /etc/exim4/conf.d/ it would have made this less of an issue, but for the time being I’ve made a copy of my customised exim4.conf file, and set up a cron job to copy it in and restart the Exim4 service periodically.

Yes that’s an ugly hack but it works so …
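The cron workaround described above, written out as an added example (not the author's actual script): it replaces /etc/exim4/exim4.conf only when it differs from the saved copy, and restarts Exim only in that case. The saved-copy path /root/exim4.conf.ses, the 640 mode and the --apply switch are assumptions; the file is kept non-world-readable because the SES authenticator section holds SMTP credentials.

```shell
#!/bin/sh
# Added example: put a customised exim4.conf back only when it has drifted.
# GOLDEN, MODE and the "--apply" switch are assumptions; LIVE is the path from the post.
GOLDEN="${GOLDEN:-/root/exim4.conf.ses}"
LIVE="${LIVE:-/etc/exim4/exim4.conf}"
MODE="${MODE:-640}"

# restore_exim_conf GOLDEN LIVE MODE
# Returns 0 if LIVE was replaced, 1 if it already matched, 2 on error.
restore_exim_conf() {
    golden=$1 live=$2 mode=$3
    if [ ! -r "$golden" ]; then
        echo "golden copy not readable: $golden" >&2
        return 2
    fi
    # Byte-identical already: leave the file and the running service alone.
    if [ -f "$live" ] && cmp -s "$golden" "$live"; then
        return 1
    fi
    # Stage beside the target so mv is an atomic rename; mktemp creates the
    # file 0600, so the SES SMTP credentials are never world-readable.
    tmp=$(mktemp "${live}.XXXXXX") || return 2
    if cat "$golden" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$live"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Invoked from root's crontab as: restore-exim.sh --apply
if [ "${1:-}" = "--apply" ]; then
    restore_exim_conf "$GOLDEN" "$LIVE" "$MODE"
    rc=$?
    case $rc in
        0) logger -t exim-restore "exim4.conf had changed; restored from $GOLDEN"
           service exim4 restart ;;
        1) : ;;  # no drift, so no restart
        *) logger -t exim-restore "restore failed (rc=$rc)"; exit "$rc" ;;
    esac
fi
```

The syslog entries written on each restore also give a record of how often the panel rewrites the file.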

WordPress permalink rewrites with TinyCP and Nginx

Most people will likely use the bundled Apache Web Server that TinyCP ships with, but I prefer Nginx personally, and luckily it ships with that too! That said, some things are inherently different. One of the key ones is that WordPress’ ability to automatically configure your Apache-based .htaccess file to do your rewrites for you won’t work.

Thankfully, for each domain configured in TinyCP, they have a custom config section:

You can add the following to make it all tick (props to @brown in the TinyCP Discord for the fuller version of what I came up with):

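gzip on;
# Send any request that is not a real file or directory to WordPress' index.php
location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
    gzip_static on;
}
# Long-lived browser caching for static assets, with no access logging
location ~* \.(jpg|jpeg|ico|png|gif|css|woff2|js)$ {
    expires 30d;
    access_log off;
    add_header Pragma public;
    add_header Cache-Control "public";
}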

In Closing

I honestly think TinyCP is perfect for everyone who needs a small, lightweight hosting panel for personal projects. There’s scope here I think for its use to explode into larger use cases and compete with the bloating that is becoming evident in the more established hosting panels but from a personal perspective, I’m really keen to see them remain focused on delivering the basics, and delivering it well.
