Add plogical/cyberpanel_python.py with resolve_cyberpanel_python() and
ensure_cyberpanel_bin_python_shim() (symlink to system Python when venv
binary is absent). Call shim before writing root crontab on install/upgrade,
and from IncBackups/IncScheduler.py so existing jobs self-heal. IncBackups
views use resolved interpreter for backupUtilities. Upgrade._python_for_manage
delegates to resolve_cyberpanel_python().
LiteSpeed CyberPanel vhost serves /static/ from public/static while
collectstatic writes to STATIC_ROOT. Merge after collectstatic and ensure
webmail assets so /webmail/ Angular loads. Hook install/upgrade staticContent,
deploy scripts, and upgrade.sh; fix Django --noinput flag; restore lscpd
ownership on public/static after chown root. SnappyMail: require index.php on
install and validate tree after unzip on upgrade.
- recover_database_credentials: read root password from JSON mysqlPassword
when present; try cyberpanel password from settings.py then FTP/DNS/Postfix
configs; refuse DROP/CREATE or random passwords unless
CYBERPANEL_ALLOW_DB_CREDENTIAL_RESET=1 (legacy recovery).
- Pre-upgrade MariaDB: GRANT root privileges without IDENTIFIED BY so the
existing root password hash is not rewritten.
Add install_utils.get_lsphp_install_suffixes() (Alma 9/10+, EL9+,
Ubuntu 24.04+, Debian 13+ use 74–85; older OS keep 71–85).
installCyberPanel.installAllPHPVersions uses the matrix and installs
every listed lsphp on Ubuntu (fixes 74 skipped by slice).
upgrade.get_available_php_versions loads the same helper from install/.
Extend PHP-FPM restart loops to 8.4/8.5 and CloudLinux list to 85.
Clarify /usr/bin/php symlink priority comments in install.py.
Re-run install_and_enable_list_unsubscribe_header_plugin from plogical.snappymail_plugin_utilities after snappymail_cyberpanel.php; keep bundled plugin under install/snappymail/plugins/.
- Add install/snappymail/plugins/list-unsubscribe-header (upstream GitHub plugin)
- Add plogical/snappymail_plugin_utilities.py to copy into snappymail + legacy rainloop data roots and merge enabled_list
- Run after SnappyMail CyberPanel installer in install.py and upgrade.py
- InstallMailBoxFoldersPlugin now merges plugins instead of replacing enabled_list; also installs list-unsubscribe
Roundcube is not shipped by CyberPanel core; SnappyMail is the bundled webmail.
Remove duplicate Trusted IPs management from dashboard Recent SSH Logs;
use actionable alert count on the tab (exclude info-only SSH tips).
Add sshSecurityWhitelistUtilities with normalized IP matching for logs
and analyzeSSHSecurity. Wire whitelist API routes, firewall ban guard,
and login hooks. Firewall tab remains the canonical trusted-IP editor.
- mailUtilities: insert CyberCP first on sys.path (dnspython dns shadowing); Rspamd log under /var/log/cyberpanel; log before ServiceManager; dnf on EL8/9; append package stderr
- emailPremium: Rspamd admin UI without cloud addon gate; JsonResponse; fetchRspamdSettings unlocked
- emailDelivery: AutoField PKs; 0001_initial SeparateDatabaseAndState for int FK to loginSystem
- mailUtilities: insert CyberCP first on sys.path (dnspython dns shadowing); Rspamd log under /var/log/cyberpanel; log before ServiceManager; dnf on EL8/9; append package stderr
- emailPremium: Rspamd admin UI without cloud addon gate; JsonResponse; fetchRspamdSettings unlocked
- emailDelivery: AutoField PKs; 0001_initial SeparateDatabaseAndState for int FK to loginSystem
Add runtime table self-healing for catch-all/plus/pattern email features and make upgrade SQL idempotent on existing latin1 installations by avoiding failing FK creation while preserving forwarding compatibility.
Add runtime table self-healing for catch-all/plus/pattern email features and make upgrade SQL idempotent on existing latin1 installations by avoiding failing FK creation while preserving forwarding compatibility.
CyberPanel previously added _dmarc at the apex (p=none) in two code paths and _dmarc on every child subdomain, which conflicts with a single externally managed policy (e.g. Cloudflare) and violates RFC 7489 (one TXT RRset per name). Comment out automatic DMARC creation so operators set one record at _dmarc.<apex> only.
CyberPanel previously added _dmarc at the apex (p=none) in two code paths and _dmarc on every child subdomain, which conflicts with a single externally managed policy (e.g. Cloudflare) and violates RFC 7489 (one TXT RRset per name). Comment out automatic DMARC creation so operators set one record at _dmarc.<apex> only.
- dnsUtilities: correct createDNSRecordCloudFlare argument order (priority, ttl)
- vhostConfs/ApacheVhosts: OLSLBConf uses real docRoot and acme-challenge path for child vhosts (vhRoot is parent domain)
- virtualHostUtilities: defer ChildDomains save until after SSL/Apache; cleanup ORM row on failure; createDomain CLI exits 0/1 with 1,/0, stdout
- websiteFunctions: submitDomainCreation waits on subprocess and returns failure JSON on error
- dnsUtilities: correct createDNSRecordCloudFlare argument order (priority, ttl)
- vhostConfs/ApacheVhosts: OLSLBConf uses real docRoot and acme-challenge path for child vhosts (vhRoot is parent domain)
- virtualHostUtilities: defer ChildDomains save until after SSL/Apache; cleanup ORM row on failure; createDomain CLI exits 0/1 with 1,/0, stdout
- websiteFunctions: submitDomainCreation waits on subprocess and returns failure JSON on error
When removing a child domain, matching only the apex label (e.g. vscode)
left mail.* and www.* (and MX/TXT/DMARC) records in the parent zone.
Normalize record names to FQDN under the zone and delete the subdomain
FQDN plus any names under it.
When removing a child domain, matching only the apex label (e.g. vscode)
left mail.* and www.* (and MX/TXT/DMARC) records in the parent zone.
Normalize record names to FQDN under the zone and delete the subdomain
FQDN plus any names under it.
Add modular application packages with backup-aware install/upgrade/downgrade,
DNF-backed version lists with TTL caching, and HTML bootstrap for faster loads.
Improve the version picker (labels, selection state, background meta refresh) and
route applicationMeta through shared page meta cache. Update static assets and
cache buster for manageServices.js. Repository also includes related updates to
serviceManager, upgrade tooling, website functions, and user management from this
development tree.
Add modular application packages with backup-aware install/upgrade/downgrade,
DNF-backed version lists with TTL caching, and HTML bootstrap for faster loads.
Improve the version picker (labels, selection state, background meta refresh) and
route applicationMeta through shared page meta cache. Update static assets and
cache buster for manageServices.js. Repository also includes related updates to
serviceManager, upgrade tooling, website functions, and user management from this
development tree.
Wire RabbitMQ into app management UI/actions, optional fresh-install flag handling, and upgrade-safe marker/service reconciliation so new installs and upgrades can expose it reliably.
Wire RabbitMQ into app management UI/actions, optional fresh-install flag handling, and upgrade-safe marker/service reconciliation so new installs and upgrades can expose it reliably.
- Honor downloadAndUpgrade return value; exit 1 instead of printing Upgrade Completed
- Restart lscpd if code update fails so panel is reachable on old tree
- CYBERPANEL_UPGRADE_CLONE_ATTEMPTS (default 2) for transient clone errors
- On rmtree failure, move /usr/local/CyberCP aside instead of aborting when possible
- Export CYBERPANEL_UPGRADE_CLONE_ATTEMPTS from 08_main_upgrade.sh
- Honor downloadAndUpgrade return value; exit 1 instead of printing Upgrade Completed
- Restart lscpd if code update fails so panel is reachable on old tree
- CYBERPANEL_UPGRADE_CLONE_ATTEMPTS (default 2) for transient clone errors
- On rmtree failure, move /usr/local/CyberCP aside instead of aborting when possible
- Export CYBERPANEL_UPGRADE_CLONE_ATTEMPTS from 08_main_upgrade.sh
- Add plogical/phpmyadmin_utils.ensure_phpmyadmin_signin_bridge: restore
phpmyadminsignin.php and tmp/ if missing (fixes 404 on /phpmyadmin/phpmyadminsignin.php).
- Call from databases phpMyAdmin page, fetchDetailsPHPMYAdmin, install, and upgrade PMA paths.
- install/upgrade: use makedirs(..., exist_ok=True) for phpmyadmin/tmp instead of mkdir.
- pluginInstaller: run migrate when migrations/ contains modules OR enable_migrations;
use CyberCP venv python; --noinput for migrate; log non-zero exits.
- Add plogical/phpmyadmin_utils.ensure_phpmyadmin_signin_bridge: restore
phpmyadminsignin.php and tmp/ if missing (fixes 404 on /phpmyadmin/phpmyadminsignin.php).
- Call from databases phpMyAdmin page, fetchDetailsPHPMYAdmin, install, and upgrade PMA paths.
- install/upgrade: use makedirs(..., exist_ok=True) for phpmyadmin/tmp instead of mkdir.
- pluginInstaller: run migrate when migrations/ contains modules OR enable_migrations;
use CyberCP venv python; --noinput for migrate; log non-zero exits.
Handle the scenario where users install ModSecurity after CyberPanel is already
installed with custom OpenLiteSpeed binaries.
Problem:
- When users click "Install ModSecurity" in CyberPanel UI, the system used
package manager (yum/apt) to install stock ModSecurity
- Stock ModSecurity is NOT ABI-compatible with custom OLS binaries
- This causes immediate server crashes (segfaults) when installed
Solution:
- Detect if custom OLS binary is already installed before installing ModSecurity
- If custom OLS detected, download compatible ModSecurity from cyberpanel.net
- If stock OLS detected, use package manager as usual
Implementation:
- isCustomOLSBinaryInstalled(): Detects custom OLS by scanning binary for markers
- detectBinarySuffix(): Determines Ubuntu vs RHEL binaries needed
- installCompatibleModSecurity(): Downloads, verifies, and installs compatible ModSecurity
- Modified installModSec(): Main entry point - routes to compatible installer if needed
User flow:
1. User with custom OLS clicks "Install ModSecurity" in UI
2. System detects custom OLS binary is installed
3. System writes "Detected custom OpenLiteSpeed binary" to install log
4. System downloads OS-specific compatible ModSecurity from cyberpanel.net
5. System verifies SHA256 checksum
6. System backs up any existing ModSecurity
7. System installs compatible version with OLS restart
8. User sees "ModSecurity Installed (ABI-compatible version).[200]"
Safety features:
- Checksum verification before installation
- Automatic backup of existing ModSecurity
- Graceful OLS restart with timeout handling
- Detailed logging to /home/cyberpanel/modSecInstallLog
This prevents server crashes when users install ModSecurity after custom OLS
binaries are already deployed.
Handle the scenario where users install ModSecurity after CyberPanel is already
installed with custom OpenLiteSpeed binaries.
Problem:
- When users click "Install ModSecurity" in CyberPanel UI, the system used
package manager (yum/apt) to install stock ModSecurity
- Stock ModSecurity is NOT ABI-compatible with custom OLS binaries
- This causes immediate server crashes (segfaults) when installed
Solution:
- Detect if custom OLS binary is already installed before installing ModSecurity
- If custom OLS detected, download compatible ModSecurity from cyberpanel.net
- If stock OLS detected, use package manager as usual
Implementation:
- isCustomOLSBinaryInstalled(): Detects custom OLS by scanning binary for markers
- detectBinarySuffix(): Determines Ubuntu vs RHEL binaries needed
- installCompatibleModSecurity(): Downloads, verifies, and installs compatible ModSecurity
- Modified installModSec(): Main entry point - routes to compatible installer if needed
User flow:
1. User with custom OLS clicks "Install ModSecurity" in UI
2. System detects custom OLS binary is installed
3. System writes "Detected custom OpenLiteSpeed binary" to install log
4. System downloads OS-specific compatible ModSecurity from cyberpanel.net
5. System verifies SHA256 checksum
6. System backs up any existing ModSecurity
7. System installs compatible version with OLS restart
8. User sees "ModSecurity Installed (ABI-compatible version).[200]"
Safety features:
- Checksum verification before installation
- Automatic backup of existing ModSecurity
- Graceful OLS restart with timeout handling
- Detailed logging to /home/cyberpanel/modSecInstallLog
This prevents server crashes when users install ModSecurity after custom OLS
binaries are already deployed.
- Change N8N_HOST to 0.0.0.0 (internal bind address, not domain)
- Simplify VHost extraHeaders to ONLY set Origin header
- Remove duplicate X-Forwarded-* headers (OLS adds these automatically)
- Remove N8N_ALLOWED_ORIGINS and N8N_ALLOW_CONNECTIONS_FROM (not needed)
The key issue was duplicate X-Forwarded-Host headers. OpenLiteSpeed proxy
contexts automatically add X-Forwarded-* headers, so explicitly setting
them creates duplicates that cause n8n validation to fail.
Only the Origin header needs explicit configuration in extraHeaders.
This works with the patched OLS binary (MD5: b9c65aa2563778975d0d2361494e9d31)
that forwards Origin headers from the client.
- Change N8N_HOST to 0.0.0.0 (internal bind address, not domain)
- Simplify VHost extraHeaders to ONLY set Origin header
- Remove duplicate X-Forwarded-* headers (OLS adds these automatically)
- Remove N8N_ALLOWED_ORIGINS and N8N_ALLOW_CONNECTIONS_FROM (not needed)
The key issue was duplicate X-Forwarded-Host headers. OpenLiteSpeed proxy
contexts automatically add X-Forwarded-* headers, so explicitly setting
them creates duplicates that cause n8n validation to fail.
Only the Origin header needs explicit configuration in extraHeaders.
This works with the patched OLS binary (MD5: b9c65aa2563778975d0d2361494e9d31)
that forwards Origin headers from the client.
- Changed from pinned version 1.86.1 to latest
- Requires OpenLiteSpeed binaries with Origin header forwarding support
- Compatible with n8n 1.87.0+ which has strict Origin validation
Note: This requires the OpenLiteSpeed binary that includes the Origin
header forwarding patch in the proxy module. The patch is available
in the CyberPanel OpenLiteSpeed distribution.
- Changed from pinned version 1.86.1 to latest
- Requires OpenLiteSpeed binaries with Origin header forwarding support
- Compatible with n8n 1.87.0+ which has strict Origin validation
Note: This requires the OpenLiteSpeed binary that includes the Origin
header forwarding patch in the proxy module. The patch is available
in the CyberPanel OpenLiteSpeed distribution.
- Pin n8n to version 1.86.1 to avoid Origin header validation issues
- Change N8N_HOST from 0.0.0.0 to domain for better compatibility
- Add N8N_PROXY_HOPS=1 to fix X-Forwarded-For errors
- Add N8N_ALLOWED_ORIGINS and N8N_ALLOW_CONNECTIONS_FROM for future compatibility
- Fix SetupN8NVhost to remove malformed Origin header setting
n8n versions 1.87.0+ introduced strict Origin header validation that is
incompatible with OpenLiteSpeed proxy (which doesn't forward Origin headers).
Version 1.86.1 works correctly with OLS and SSE push backend.
- Pin n8n to version 1.86.1 to avoid Origin header validation issues
- Change N8N_HOST from 0.0.0.0 to domain for better compatibility
- Add N8N_PROXY_HOPS=1 to fix X-Forwarded-For errors
- Add N8N_ALLOWED_ORIGINS and N8N_ALLOW_CONNECTIONS_FROM for future compatibility
- Fix SetupN8NVhost to remove malformed Origin header setting
n8n versions 1.87.0+ introduced strict Origin header validation that is
incompatible with OpenLiteSpeed proxy (which doesn't forward Origin headers).
Version 1.86.1 works correctly with OLS and SSE push backend.
Integrates webmail and emailDelivery apps, mail-server and install/upgrade
paths, cyberpanel_ols 2.7.0-style binaries, and v2.4.5 UI patterns while
preserving v2.5.5-dev behavior (SnappyMail/PUBLIC_ROOT, childPath in
launchChild, hardened downloads and SSH activity modal).
Integrates webmail and emailDelivery apps, mail-server and install/upgrade
paths, cyberpanel_ols 2.7.0-style binaries, and v2.4.5 UI patterns while
preserving v2.5.5-dev behavior (SnappyMail/PUBLIC_ROOT, childPath in
launchChild, hardened downloads and SSH activity modal).
- Resolve FTP home paths without duplicating /home/domain; support absolute paths under site home
- Add changeFTPDirectory API and list UI; improve create form path help
- Add setFTPAccountStatus (Status 0/1) with Enable/Disable on list page
- Pure-FTPd MySQL: require Status='1' for authentication in install templates
- Plugin signals for change directory and account status
