Inject a lightweight fetch hook into settings pages to call store-activation after successful plugin activation responses, reducing premium relock risk after upgrades.
- Use lscpd.0.4.0 on Alma 9/10 and RHEL-family VERSION_ID 9/10
- daemon-reload + retry systemctl start lscpd in setupLSCPDDaemon
- 04_after_install: _restart_lscpd_safe + libxcrypt-compat on EL10 prereqs
Handle the scenario where users install ModSecurity after CyberPanel is already
installed with custom OpenLiteSpeed binaries.
Problem:
- When users click "Install ModSecurity" in CyberPanel UI, the system used
package manager (yum/apt) to install stock ModSecurity
- Stock ModSecurity is NOT ABI-compatible with custom OLS binaries
- This causes immediate server crashes (segfaults) when installed
Solution:
- Detect if custom OLS binary is already installed before installing ModSecurity
- If custom OLS detected, download compatible ModSecurity from cyberpanel.net
- If stock OLS detected, use package manager as usual
Implementation:
- isCustomOLSBinaryInstalled(): Detects custom OLS by scanning binary for markers
- detectBinarySuffix(): Determines Ubuntu vs RHEL binaries needed
- installCompatibleModSecurity(): Downloads, verifies, and installs compatible ModSecurity
- Modified installModSec(): Main entry point - routes to compatible installer if needed
User flow:
1. User with custom OLS clicks "Install ModSecurity" in UI
2. System detects custom OLS binary is installed
3. System writes "Detected custom OpenLiteSpeed binary" to install log
4. System downloads OS-specific compatible ModSecurity from cyberpanel.net
5. System verifies SHA256 checksum
6. System backs up any existing ModSecurity
7. System installs compatible version with OLS restart
8. User sees "ModSecurity Installed (ABI-compatible version).[200]"
Safety features:
- Checksum verification before installation
- Automatic backup of existing ModSecurity
- Graceful OLS restart with timeout handling
- Detailed logging to /home/cyberpanel/modSecInstallLog
This prevents server crashes when users install ModSecurity after custom OLS
binaries are already deployed.
- Change N8N_HOST to 0.0.0.0 (internal bind address, not domain)
- Simplify VHost extraHeaders to ONLY set Origin header
- Remove duplicate X-Forwarded-* headers (OLS adds these automatically)
- Remove N8N_ALLOWED_ORIGINS and N8N_ALLOW_CONNECTIONS_FROM (not needed)
The key issue was duplicate X-Forwarded-Host headers. OpenLiteSpeed proxy
contexts automatically add X-Forwarded-* headers, so explicitly setting
them creates duplicates that cause n8n validation to fail.
Only the Origin header needs explicit configuration in extraHeaders.
This works with the patched OLS binary (MD5: b9c65aa2563778975d0d2361494e9d31)
that forwards Origin headers from the client.
- Changed from pinned version 1.86.1 to latest
- Requires OpenLiteSpeed binaries with Origin header forwarding support
- Compatible with n8n 1.87.0+ which has strict Origin validation
Note: This requires the OpenLiteSpeed binary that includes the Origin
header forwarding patch in the proxy module. The patch is available
in the CyberPanel OpenLiteSpeed distribution.
- Pin n8n to version 1.86.1 to avoid Origin header validation issues
- Change N8N_HOST from 0.0.0.0 to domain for better compatibility
- Add N8N_PROXY_HOPS=1 to fix X-Forwarded-For errors
- Add N8N_ALLOWED_ORIGINS and N8N_ALLOW_CONNECTIONS_FROM for future compatibility
- Fix SetupN8NVhost to remove malformed Origin header setting
n8n versions 1.87.0+ introduced strict Origin header validation that is
incompatible with OpenLiteSpeed proxy (which doesn't forward Origin headers).
Version 1.86.1 works correctly with OLS and SSE push backend.
- Install python-dotenv in virtual environment during CyberPanel setup
- Fixes Django's inability to load .env file on AlmaLinux 8
- Resolves "Access denied for user 'cyberpanel'@'localhost'" errors
- Added to all installation paths (normal, DEV, and after_install)
This ensures Django can properly load database credentials from .env file
on AlmaLinux 8 systems where python-dotenv was missing.
- Updated OS detection logic to include CentOS Stream and Red Hat Enterprise Linux.
- Added support for AlmaLinux 9 and 10, as well as Debian 11, 12, and 13.
- Improved error messages to reflect the expanded list of supported operating systems.
- Adjusted package management handling for Debian to treat it as Ubuntu for compatibility.
- Searchable mailbox dropdown and compose From filter
- Resizable split between message list and reader pane
- Styles for picker, list-detail resizer, sr-only; bump webmail.js to v28
Integrates webmail and emailDelivery apps, mail-server and install/upgrade
paths, cyberpanel_ols 2.7.0-style binaries, and v2.4.5 UI patterns while
preserving v2.5.5-dev behavior (SnappyMail/PUBLIC_ROOT, childPath in
launchChild, hardened downloads and SSH activity modal).
- Make /plugins/<plugin>/settings/ work for incomplete plugin installs by importing plugin views from source and relaxing overly strict proxy checks.
- Sync INSTALLED_APPS from plugin source when installed markers exist but installed copies are incomplete.
- Keep prior plugin store performance improvements (lazy upgrades fetching, fewer GitHub calls).
populateCurrentRecords() always showed Users successfully fetched on every
successful fetch, so delete/edit/ACL/suspend showed two popups. Add optional
suppressSuccessNotify; use silent refresh after mutations and on initial load.
- robust_delete_administrator: use ORM delete when webauthn_credentials exists; else SQL DELETE after optional webauthn row cleanup and recursive child admins
- Fixes MySQL 1146 ProgrammingError on submitUserDeletion for installs without webauthn migrations
- JSON responses use application/json; errors include deleteStatus for listUsers UI
- After invalid/missing HomeDirectory id, resolve home_dir from best path like auto mode
- Handle MultipleObjectsReturned on path lookup; use get_or_create for UserHomeMapping
- Clear errors for ACL.DoesNotExist and IntegrityError (duplicate username)
- Ensure JSON error responses include createStatus and application/json
- Initialize selectedACL in create user template so JSON POST always includes ACL
- Explicit option values; pass default_acl_name from view for ng-init
- Coerce websitesLimit to int; validate selectedACL before ACL.objects.get
- ensure_csrf_cookie on createUser page load
- Optional /etc/cyberpanel/csrf_trusted_origins for HTTPS IP:port panels
- Allow changeUserACL on getUserHomeDirectories (parity with create user page)
- Sync public/static and static copies of userManagment.js with app static
Add _read_lines_from_protected_file: cp via executioner when EACCES/EPERM on read.
Use for settings.py, urls.py, baseTemplate index.html on install/uninstall paths.
- Resolve FTP home paths without duplicating /home/domain; support absolute paths under site home
- Add changeFTPDirectory API and list UI; improve create form path help
- Add setFTPAccountStatus (Status 0/1) with Enable/Disable on list page
- Pure-FTPd MySQL: require Status='1' for authentication in install templates
- Plugin signals for change directory and account status
- CPScripts/ensure_ftp_users_quota_columns.py checks information_schema and
ALTER TABLE users ADD COLUMN for custom_quota_enabled and custom_quota_size
when missing (fixes MySQL 1054 on FTP account creation).
- deploy-ftp-users-custom-quota-columns.sh copies script to CyberCP and runs
repair; restarts lscpd when active.
- upgrade_modules/10_post_tweak.sh runs the repair after upgrade sync.
Replace 'systemctl restart dovecot' with 'doveadm reload' in
virtualHostUtilities, mailUtilities, and renew modules. The nightly
backup scheduler, SSL operations, and weekly cert renewal were
forcefully terminating all client sessions. doveadm reload applies
config changes (including updated SSL certs) without dropping
existing connections. upgrade.py is intentionally left unchanged
as full restarts are appropriate during upgrades.
