TinyCP – Review, Duo Auth, AWS SES, WP Nginx Config

Hello!

It has yet again been a very long time since I felt compelled to write a blog post. In fact I’m not even sure I can justify calling this my blog anymore; rather, it’s more “a collection of Johnathan’s random thoughts every 2-3 years”. Still. Here we are and off we go.

Backdrop – ServerPilot.io

I wasn’t looking for a new hosting CP for my server. I had been using a grandfathered free installation of ServerPilot.io for about 4 years (possibly 5?). It did everything I needed with minimal fuss: it allowed me to create sites, centralised configuration and did most of what I wanted without issue. I started running into issues when I wanted to enable SSL on one of my sites. They do offer a paid upgrade to take care of this for you, but I thought I could work around it because I’ve used https://letsencrypt.com in the past. It wouldn’t be too difficult?

Sadly it proved otherwise. Trying to force my way around ServerPilot’s automatic reconfiguration of things any time you save something made it awkward and difficult to the point that I managed to brick the installation. I had been running it on a t2.small instance from AWS for ages and had been meaning to rebuild it anyway, and this was the catalyst.

Enter TinyCP

I stumbled across https://tinycp.com/ whilst Googling for a new panel. I’ve used Plesk, cPanel, Webmin and a host of others in the past, but they’ve all grown so clunky and complex for what I need: hosting about four websites, all running WordPress, and maybe the odd project or two that I work on in the background. I don’t need to run a hosting business from the panel, I just needed something simple that took care of the web server, databases and email.

TinyCP covers all of those requirements perfectly. I was up and running within about 5 minutes which is testament to how easy the installation was on a fresh install of Ubuntu 18.08. As far as reviews go – I can’t sum it up any more succinctly than that. This is a great little hosting panel that takes care of a range of common tasks, and also has built in automatic configuration with LetsEncrypt. WIN.

Duo Auth

I’m a big fan of Duo Auth, I use it on all of my personal servers. For those not familiar, it gives a Push-To-Client 2FA solution for connectivity via Remote Desktop and SSH. It can do a bunch of other things but those are my main uses. Combining it with private key SSH on an IP-restricted port provides a really strong remote access security posture for your personal projects. Configuration on an Ubuntu 18.08 install with TinyCP is very straightforward too.

I won’t regurgitate it in full but there are a couple of points I want to make.

  • Since AWS deploys with private key SSH by default, you’ll want to use this guide for installation – it should “just work”: https://duo.com/docs/duounix 
  • When following that guide and you reach the section titled ‘PAM Examples’ and select the Ubuntu tab, be aware that these are two different options! I made the mistake of thinking both were required and ended up with odd behaviour, including Duo prompting for a local password and also prompting me twice for the Duo Push.
  • https://emtunc.org/blog/01/2016/setting-duo-security-ubuntu-server-2fa/ is also a useful resource – it’s written for Ubuntu 14.04 but not much has changed.

TinyCP Deployed with AWS Simple Email Service (SES)

Why SES

Networks in AWS by default have port 25 blocked as standard. This is very sensible behaviour from them and one I’m fully supportive of. It’s still possible to have this restriction lifted but generally speaking there’s no real need to since SES provides an in-effect-free SMTP Relay/SmartHost target. Yes you will need to pay for it if you’re sending thousands of emails a day but if you’re doing that … you’re probably not reading this blog for tips are you? For my purposes (WordPress password resets, the occasional notification email) the free tier is perfect and was a good opportunity to see how flexible TinyCP could be in terms of configuration.

TinyCP Base Setup

TinyCP utilises a combination of Exim4 and Dovecot for its email platform and, right out of the box, it’s very simple to set up and use. I did have one small issue getting Outlook to connect over IMAP using STARTTLS, but that was resolved by enabling plaintext authentication. The setting lives in /etc/dovecot/conf.d/10-auth.conf (doveconf only prints the effective value, it doesn’t change it):

# /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes

# confirm the effective value, then restart
doveconf disable_plaintext_auth
service dovecot restart

Note here that with this setting Dovecot only accepts plaintext (PLAIN/LOGIN) authentication once the connection is protected by TLS, so plaintext isn’t as scary as it sounds. I don’t plan on using the Mailbox element of TinyCP at all really, but I did want to make sure it worked.

Modifications to make it work with SES

Again, I’m not going to regurgitate the already plentiful instructions out there on how to do initial setup in SES. I used this guide specifically: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-exim.html

Where I got confused was when you dive into your server’s Exim4 configuration as set up by TinyCP: you’ll find two locations of interest:

/etc/exim4/conf.d/
/etc/exim4/exim4.conf

The confusing part here for me was that when you dive into the conf.d directory you’ll find a whole bunch of config which I spent ages rabbit-holing through, thinking all the config in there was relevant. It isn’t. All of the config you care about should be done in the latter file, /etc/exim4/exim4.conf. Follow the instructions on the link above, make sure you put it all in the exim4.conf file, and you should be golden after a restart of the service.
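As an added illustration (not from this post, TinyCP or the AWS guide verbatim), this is the shape of the three pieces that end up in /etc/exim4/exim4.conf: a router, a transport and an authenticator. The region endpoint, the `local_domains` list already being defined by TinyCP’s config, and the router being placed ahead of the existing dnslookup router are assumptions; the credentials are placeholders.

```exim
# --- routers section ---
# Routers are tried in order and the first match wins, so this must come
# before TinyCP's dnslookup router or mail will still go out directly.
# Assumes exim4.conf already defines "domainlist local_domains".
send_via_ses:
  driver = manualroute
  domains = ! +local_domains
  transport = ses_smtp
  route_list = * email-smtp.eu-west-1.amazonaws.com

# --- transports section ---
# Require both AUTH and STARTTLS for the SES host so credentials are
# never sent in the clear and delivery never silently falls back to
# an unauthenticated session.
ses_smtp:
  driver = smtp
  port = 587
  hosts_require_auth = $host_address
  hosts_require_tls = $host_address

# --- authenticators section ---
# Placeholders: use the SES SMTP credentials generated in the SES console,
# not a raw IAM access key pair.
ses_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : SES_SMTP_USERNAME_PLACEHOLDER : SES_SMTP_PASSWORD_PLACEHOLDER
```

Exim only treats `#` at the start of a line as a comment, so keep comments on their own lines; and because the SMTP password sits in this file in plain text, keep exim4.conf (and any saved copy of it) readable by root only.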

SES Gotchas

Bear in mind that for new setups you’ll be in the SES Sandbox – i.e. you can’t send outbound mail to arbitrary recipients, only to your own verified domains. You’ll need to raise a support case to be removed from the Sandbox.

TinyCP Gotchas

If your server restarts, TinyCP is going to overwrite the exim4.conf file and all your modifications will be lost. I’ve not yet found a sensible way to avoid this. It does have a concept of custom configuration which can be added to the /etc/exim4/exim-custom.conf file however I think this is intended more for run parameters like maximum attachment sizes and the like. To have your own custom Routers/Transports/Auths that you’ll need for AWS SES you really need to add these to the /etc/exim4/exim4.conf file.

I think (I’m not 100% sure) if TinyCP had made use of the split out config files inside /etc/exim4/conf.d/ it would have made this less of an issue but for the time being I’ve made a copy of my customised exim4.conf file, and setup a cron job to copy it in and restart the Exim4 service periodically.

Yes that’s an ugly hack but it works so …
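The cron hack above, written out as an added example (this is not TinyCP’s code or the script from the post): rather than copying the file and restarting Exim on a blind timer, it only re-applies the saved copy when TinyCP has actually overwritten it, and syntax-checks the saved copy first so a broken file can never take mail down. The saved-copy path, the install path and the cron schedule are assumptions.

```shell
#!/bin/sh
# restore-exim-conf.sh: re-apply a saved, customised exim4.conf after
# TinyCP regenerates it. Paths below are assumptions for this example.
SAVED="${SAVED:-/root/exim4.conf.ses}"   # your copy with the SES router/transport/auth
LIVE="${LIVE:-/etc/exim4/exim4.conf}"     # the file TinyCP rewrites on restart

# restore_exim_conf SAVED LIVE [RESTART_CMD] [CHECK_CMD]
# Prints "unchanged" if the live file already matches the saved copy,
# "restored" after a successful copy and restart, or "invalid" (exit 1)
# if the saved copy fails Exim's syntax check. CHECK_CMD gets the file
# path appended; the defaults are the real exim4/systemctl commands.
restore_exim_conf() {
    saved="$1"; live="$2"
    restart_cmd="${3:-systemctl restart exim4}"
    check_cmd="${4:-exim4 -bV -C}"
    if cmp -s "$saved" "$live"; then
        echo unchanged
        return 0
    fi
    if ! $check_cmd "$saved" >/dev/null 2>&1; then
        echo invalid
        return 1
    fi
    # plain cp keeps the existing mode of the live file; keep the saved
    # copy itself root-only, it contains the SES SMTP password
    cp "$saved" "$live" || return 1
    $restart_cmd || return 1
    echo restored
}

# Assumed cron entry (every five minutes, logging what it did):
#   */5 * * * * /usr/local/sbin/restore-exim-conf.sh >> /var/log/restore-exim-conf.log 2>&1
case "${0##*/}" in
    restore-exim-conf.sh) restore_exim_conf "$SAVED" "$LIVE" ;;
esac
```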

WordPress permalink rewrites with TinyCP and Nginx

Most people will likely use the bundled Apache Web Server that TinyCP ships with, but I prefer Nginx personally, and luckily it ships with that too! That said, some things are inherently different. One of the key ones is that WordPress’ ability to automatically configure your Apache based .htaccess file to do your rewrites for you won’t work.

Thankfully, each domain configured in TinyCP has a custom config section in the panel. You can add the following to make it all tick (props to @brown in the TinyCP Discord for the fuller version of what I came up with):

gzip on;
location / {
    # anything that is not a real file or directory is handed to WordPress
    try_files $uri $uri/ /index.php?q=$uri&$args;
    gzip_static on;
}
# long-lived caching for static assets
location ~* \.(jpg|jpeg|ico|png|gif|css|woff2|js)$ {
    expires 30d;
    access_log off;
    add_header Pragma public;
    add_header Cache-Control "public";
}

In Closing

I honestly think TinyCP is perfect for everyone who needs a small, lightweight hosting panel for personal projects. There’s scope here I think for its use to explode into larger use cases and compete with the bloating that is becoming evident in the more established hosting panels but from a personal perspective, I’m really keen to see them remain focused on delivering the basics, and delivering it well.


Transitioning from Windows to Mac

This is more of an introspective blog post than anything else. I’m really just noting down my thoughts on the entire process which has been interesting (to me) to say the least.

I first started using Windows when I was around eight years old with, of course, Windows 3.1. Up to that point I had only ever had experience with DOS systems (and that was mainly limited to ‘cd C:/Games’ and running .bat files to launch Test Drive II!). Windows at that stage of course was a heady mix of File Manager, Minesweeper and of course the old faithful MS-DOS Prompt. It felt like the future, and over the next 15-20 years I lived through each iteration of Windows like most people on the planet. Delighted by Windows 2000. Horrified by Millennium Edition. Mainly stayed on XP for longer than I care to admit. Avoided Vista. Loved 7. Disliked 8 (although 8.1 was marginally better). Whilst most recently I’ve come to the same conclusion as most technical people across the globe in that Windows 10 is … probably … the best and most well rounded Operating System for the masses that there has ever been. Probably. 🙂

(more…)


OpenSSH 7 and ssh-dss keys

Quick one, because it’s the type of thing I tend to forget easily. I recently upgraded a VM of mine from Ubuntu 14.04 LTS to 16.04 LTS. I mainly use the VM as an SSH web proxy for tunnelling traffic that I’d rather not originate from my machine’s IP, and also to get past some fairly arcane URL blocks. Ubuntu’s upgrade is quite neat in that it recognises you’re running the upgrade from a shell and splits the process out to a screen session for you lest you become disconnected for Reasons(tm).

That said, the upgrade went smoothly and without issue and my shell session remained connected and everything was fine for a few days.

(more…)


OpenDNS, YouTube & Parental Controls

Don’t look now, but there appears to be a post on this blog of a mildly technical nature! I know. I was surprised too.

The Internet is a truly wonderful place for children. There are games they can play, videos they can learn from and a plethora of other things that can excite and maintain their interest. I’m 28 years old and have been online since I was around 13, back in the heady days of Dial Up Pay Per Minute and Napster (the less said about the £600 BT Phone Bill for one month the better …). As I was growing up I saw things on the Internet I had never seen before, some of it a little less than savoury. You can imagine. Thinking back on it now, it was awesome, and probably a bad thing.

As a ‘growed-up‘ parent, I’m relatively relaxed about the Internet. I work for an ISP. I spend upwards of 70% of my free time in front of a computer. I have no less than 10 Internet connected devices in my home at any one time. I fully understand the Internet and the beast that it can be. Which is why it came as a bit of a surprise when I had such serious issues with one of its core members. YouTube. Not YouTube in itself, but some of the content on there and how difficult it was to stop little eyes and ears seeing and hearing things which are just not appropriate.

(more…)
