Detect RHEL 8, AlmaLinux 8, Rocky Linux 8, and CloudLinux 8 systems and provide
clear instructions when cgroups v2 needs manual enablement.
These systems have cgroups v2 backported to kernel 4.18 but it's disabled by
default. When detected without cgroups v2 enabled, the system now:
1. Detects RHEL 8 family by checking /etc/redhat-release
2. Verifies if cgroups v2 is mounted (checks 'mount' output for 'cgroup2')
3. If not enabled, logs detailed instructions:
- grubby command to add kernel parameter
- Reboot instruction
- Verification command
- Clear step-by-step guide
Changes:
- _check_rhel8_cgroups_v2(): New method for RHEL 8 family detection
- _ensure_cgroups_enabled(): Calls RHEL 8 check before general checks
- check_cgroup_support(): Returns RHEL 8 status in support dict
- rhel8_family: bool (detected RHEL 8 family)
- rhel8_needs_enablement: bool (cgroups v2 not mounted)
- os_name: str (full OS name from release file)
OS Support Status:
✅ Ubuntu 20.04+ - Native cgroups v2 (kernel 5.4+)
✅ RHEL/Alma/Rocky 9+ - Native cgroups v2 (kernel 5.14+)
⚠️ RHEL/Alma/Rocky/CloudLinux 8 - Needs manual enable (kernel 4.18 backported)
- Add green gradient banner with modern design and animations
- Display text: Full .htaccess support • PHP configuration now works • Zero rule rewrites needed
- Link to https://cyberpanel.net/cyberpanel-htaccess-module
- Include ripple effect on button hover and rotation on close
- Add smart dismissal logic with localStorage persistence
- Show banner once per day with staggered delay for better UX
- Support mobile responsive design with flexible layout
- Position banner properly when multiple notifications are shown
Reduce minimum file size from 1MB to 10KB to allow the module file
(~35KB) to pass validation. The 1MB threshold was too strict and only
appropriate for the main OLS binary. Now displays size in KB or MB
appropriately.
Change download verification to check file existence and size instead of
relying on return code. The wget command succeeds but install_utils.call()
may not return 0. Now verifies downloaded file exists and is at least 1MB.
Integrate custom OLS binaries during installation to enable Apache-style
php_value/php_flag directives in .htaccess files. The installer now:
- Downloads custom OLS binary and module from cyberpanel.net
- Creates backup of existing binaries before replacement
- Installs custom binaries with enhanced .htaccess support
- Configures CyberPanel module in OpenLiteSpeed config
- Gracefully falls back to standard OLS if download fails
- Only installs on x86_64 architecture
Features enabled by custom binaries:
- Apache-style .htaccess support
- php_value and php_flag directives
- Enhanced header control
- Better Apache compatibility
Problem: Bulk fix operations were hitting rate limits (100 backups per scan).
Solution:
- Implemented 10x higher rate limits for API key authenticated requests
- These are trusted requests from the platform for legitimate bulk operations
- Regular file token auth keeps original limits for security
Rate Limit Changes:
- backup-file: 100 → 1000 for API key auth
- get-file: 500 → 5000 for API key auth
- replace-file: 100 → 1000 for API key auth
- rename-file: 50 → 500 for API key auth
- delete-file: 50 → 500 for API key auth
This allows bulk fix operations to process up to 1000 files without hitting rate limits,
while maintaining security for regular scan operations.
Problem: VPS API keys were generated dynamically but never saved to the database,
causing file fix operations to fail with "Invalid token" error.
Root Cause:
- When CyberPanel runs on VPS, it calls platform's /api/vps/generate-api-key/
- The returned API key was used for scan submission but not persisted
- Later file fix operations couldn't validate this API key
Solution:
- Save VPS API key to ai_scanner_settings table whenever obtained
- Modified 4 locations where VPS API key is retrieved:
1. startScan() - Save when initiating a scan
2. getPlatformMonitorUrl() - Save when checking scan status
3. addPaymentMethod() - Save when configuring payment (2 locations)
Implementation:
- Use get_or_create() to ensure scanner settings exist
- Update existing settings if API key is empty or different
- Set is_payment_configured=True for VPS accounts (implicit payment)
- Continue operation even if saving fails (non-blocking)
Result:
- VPS API keys are automatically persisted on first use
- File fixes work without manual database intervention
- All AI Scanner features work seamlessly on VPS instances
Problem: "Failed to backup file before replacement" error when using API key authentication.
Root Cause:
- The externalApp field (which contains the system user for file operations) was sometimes None
- When using API key authentication, the code couldn't determine which user to run commands as
Solution:
- Added fallback logic to ensure we always have a valid user for file operations:
1. First try wp_site.owner.externalApp
2. If not set, try Websites.objects.get(domain).externalApp
3. If still not set, fall back to admin username
- Added detailed error messages and logging throughout backup operations
- Enhanced error reporting to include user context and operation details
- Added validation for backup directory creation with proper error handling
Changes:
- Modified validate_access_token() OPTION 2 and OPTION 3 to ensure external_app is always set
- Enhanced backup and replace operations with better error messages
- Added detailed logging for debugging file operation failures
- Include user context in error messages for easier troubleshooting
This ensures file operations work correctly even when externalApp field is not properly configured.
Problem: File fixes were failing with "Invalid token" even though the platform was sending the correct API key.
Solution:
- Updated validate_access_token() to accept CyberPanel's own API keys for file operations
- Added three validation options:
1. FileAccessToken (temporary tokens for active scans)
2. API key validation with less restrictive admin check
3. Simple validation for platform callbacks (any valid API key + valid scan)
- Added extract_auth_token() helper to support both Bearer and X-API-Key headers
- Created debug endpoints for testing authentication (/api/ai-scanner/test-auth)
- Added test script for validation testing (supports remote servers via env vars)
This fix allows the platform to use CyberPanel's API key to fix files for any scan,
solving the "File access token has expired" issue for older scans.
Usage for remote testing:
CYBERPANEL_SERVER=http://your-server:8001 \
CYBERPANEL_API_KEY=cp_your_key \
CYBERPANEL_SCAN_ID=your-scan-id \
./test_api_key_fix.sh
- Added extract_auth_token() function to handle both Bearer and X-API-Key authentication
- Updated all file operation endpoints to support X-API-Key headers:
- list_files()
- get_file_content()
- scanner_backup_file()
- scanner_get_file()
- scanner_replace_file()
- scanner_rename_file()
- scanner_delete_file()
- Maintains backward compatibility with existing Bearer token authentication
- Added test script to verify both authentication methods work correctly
- Enables permanent API key authentication for file fixes (no more expired token issues)
This change allows the platform to fix files using the permanent CyberPanel API key
instead of temporary file access tokens that expire after ~1 hour.
- Write temp files to /tmp (accessible by all users)
- Website user can read from /tmp for cat command
- No permission issues with cross-directory operations
- Simplifies file operations (no intermediate copy needed)
- Clean up temp file with os.remove() as root
- Fixes: Files becoming empty due to permission issues
- Shell redirection requires shell=True parameter in executioner
- Without shell=True, the > is treated as literal argument
- Fixes: File contents not being replaced
- Change from cp to 'cat temp > target' for replacing file contents
- cat redirection is more reliable for overwriting existing files
- Ensures file contents are actually replaced
- Fixes: Files not being replaced even though cp returns success
- Write to /home/cyberpanel temp first (no user permission issues)
- Copy from /home/cyberpanel to user directory using executioner
- Use cp instead of mv for final file replacement (more reliable)
- Clean up temp files after successful operations
- Fixes: File corruption due to failed mv command via lscpd
- Write content to /home/cyberpanel/scanner_temp_{scan_id}_{timestamp}.tmp first
- Use Python open() instead of shell here-document to avoid:
- lscpd connection reset for large files (>2KB)
- EOF_MARKER conflicts in file content
- Shell command size limits
- Copy temp file to user directory using executioner with user context
- Clean up CyberPanel temp file after copy
- Fixes: [Errno 104] Connection reset by peer when writing large files
- Add bypass check for 'content' field INSIDE isAPIEndpoint block
- Prevents blocking of legitimate JavaScript/PHP code in replace-file API
- Bypass list includes: content, fileContent, configData, rewriteRules, modSecRules
- Security check still applies to other fields in API requests
- Fixes: Replace-file API being blocked by security middleware
- executioner() returns 1 for success, 0 for failure (inverted)
- Fix mkdir check: if mkdir_result != 1 (was != 0)
- Fix cp check: if cp_result[0] != 1 (was != 0)
- Fix double slash in backup path by stripping trailing slash from wp_path
- Add logging to show mkdir_result value for debugging
- Add external_app field to AuthWrapper class
- Get externalApp from website object during authentication
- For FileAccessToken: Use Websites.externalApp
- For API Key: Use WPSites.owner.externalApp
- Update all 5 file operation endpoints to use file_token.external_app
- scanner_backup_file
- scanner_get_file
- scanner_replace_file
- scanner_rename_file
- scanner_delete_file
- Ensures externalApp matches wp_path since they come from same source
- Fixes backup API failing due to incorrect user context
Separate acme.sh certificate issuance and installation steps to ensure
domain configurations are properly stored. Previously, combining --issue
with --cert-file/--key-file/--fullchain-file in a single command caused
acme.sh to skip storing domain configs, breaking automatic renewals and
requiring manual certificate recreation for domain aliases.
Fixes#1583 - Ubuntu 24 permission issues causing 404 errors
Changes:
- Move main public_html permission setting to END of fixPermissions function
- Ensures public_html maintains user:nogroup ownership (not user:user)
- Prevents child domain processing from interfering with main directory permissions
- Changed all async popenExecutioner calls to sync executioner calls
- Reordered operations: permissions first, then ownership
This fixes the issue where clicking "Fix Permissions" in file manager
would incorrectly change public_html group from nogroup to the user's group,
causing 404 errors on Ubuntu 24.
Fixes#1583
The fixPermissions function in file manager was causing sites to become
inaccessible after running "Fix Permissions" on Ubuntu 24. The root causes:
1. Async execution (popenExecutioner) caused race conditions where commands
executed in unpredictable order
2. The public_html directory group was incorrectly changed from 'nogroup'
to the user's group, breaking web server access
Changes:
- Changed all async popenExecutioner calls to sync executioner calls
- Reordered commands to set permissions before ownership
- Ensured public_html directory maintains correct group ownership (nogroup)
- Added comments to clarify the purpose of each step
This ensures the file manager's "Fix Permissions" feature works correctly
on Ubuntu 24 while maintaining proper security.
- Ensure /home/cyberpanel directory exists with proper permissions before download
- Set directory permissions to 755 to allow application write access
- Refactor SCP/SFTP fallback logic to work regardless of debug mode
- Add better status messages during download process
- MySQL restore may return warnings that don't indicate actual failure
- Database restoration verification is handled by subsequent password operations
- Improves reliability of compressed backup restoration
- Changed from checking exit code to verifying file existence and size
- Resolves issue where successful mysqldump was incorrectly reported as failed
- Ensures backup file is created and not empty before marking as successful
- Added configurable compression for database backups using gzip streaming
- Implemented auto-detection in restore function for compressed and uncompressed formats
- Added performance optimizations including --single-transaction and --extended-insert
- Created configuration file for gradual feature rollout with safe defaults
- Added helper functions for checking system capabilities and configuration
- Included comprehensive test suite to verify backward compatibility
- Maintained 100% backward compatibility with existing backup infrastructure
- Add comprehensive backup account overview with visual stats cards
- Display storage usage (total, used, available, percentage) from platform API
- Show last backup run timestamp and status (success/failed)
- Display total backups count and failed backups count
- Add recent backup error logs table with timestamp, website, and error message
- Fetch all stats from platform.cyberpersons.com/Billing/GetBackupStats endpoint
- Beautiful gradient cards for visual presentation of stats
- Progress bar for storage usage visualization
- Conditional display of error logs (only shown if errors exist)
- Add account info card showing SFTP user and plan name
- Graceful fallback to N/A if platform API is unavailable
- Comprehensive error logging for API failures
- Implement timestamp-based filename verification (Method 1)
- Add file size validation with 1KB minimum requirement (Method 2)
- Filter to only check today's backup directory for accuracy (Method 3)
- Add optional SHA256 checksum verification for integrity (Method 5)
- Use find command with size filter for efficient SSH verification
- Fallback to SFTP with comprehensive file validation
- Enhanced logging for all verification steps and failures
- Remove unused 'Yesterday' variable that was never used
- Prevents false positives from old backup files
- Detects corrupted/incomplete backups via size check
- Fix inverted .find() logic that sent notifications when backups SUCCEEDED
- Add 'status': 'failed' field required by platform API
- Change HTTP to HTTPS for BackupFailedNotify endpoint
- Add comprehensive error handling and logging
- Add 30-second timeout on API requests
- Properly handle actualDomain vs site.domain.domain cases
- Remove duplicate code blocks that handled success and "already deployed" cases
- Consolidate deployment logic into single code path
- Add validation for backup plan state before deployment
- Add specific exception handling for API requests and JSON parsing
- Add timeout to API requests (30 seconds)
- Change API endpoint from HTTP to HTTPS for security
- Improve error messages with actionable guidance
- Add comprehensive logging for all error paths
- Clarify return status: status=1 only on full success, status=0 on any failure
- Add early validation for missing SSH public key
- Handle edge case where account is deployed but destination creation fails
- Add specific exception handlers for common failure scenarios
- Support multiple SSH key formats (RSA, Ed25519, ECDSA, DSS)
- Add SSH key validation before connection attempts
- Add connection timeout and proper cleanup with finally block
- Provide actionable error messages for users
- Handle empty backup folders as success instead of error
- Add comprehensive logging for all error paths
- Improve path parsing with bounds checking
