ApisCP
ApisCP is the Apis Networks Control Panel, a hosting platform since 2002 engineered to help you achieve more. Once installed, ApisCP’s adaptive firewall activates by protecting all facets from WordPress to SSH for added peace of mind. This is a multi-tenant platform in which each account is partitioned from one another and may be optionally controlled via resource enforcement. 1-click installation and automatic updates are provided for WordPress, Discourse, Ghost, Drupal, and Laravel.
Skip down to installation for a quickstart.
Features
Beyond the basics, ApisCP implements several features unique to its stack.
- Platform integrity checks
ApisCP is a self-healing platform. Once a month it scrubs your server looking for irregularities. Any changes are automatically corrected. Integrity checks can fix a broken server in most cases.
- Automatic updates
Let’s work together to make the web safe. ApisCP automatically deploys updates for system packages, panel core, platform improvements, WordPress core/plugins/themes, Ghost, Discourse, Drupal, and Laravel. Every month you’ll receive a reminder of what sites have failed automatic updates to help you manage your server.
- Principle of least-privilege
Single-user sites are so 2000. ApisCP modernizes your layout by utilizing a variety of user accounts governed by discretionary access controls built into Linux. Each site has a dedicated web user that is separate from your user accounts. A bad WordPress shouldn’t wreck your day.
- Delegated whitelisting
Empower sites with the ability to protect themselves from the omnipotent eye of Rampart. Delegated whitelisting allows Site Administrators to whitelist a configurable threshold of IP addresses such that one user’s bad mail credentials doesn’t block access for everyone else.
- Synthetic filesystems
Each account runs its own filesystem comprised of a variety of service layers. BoxFS is an opaque, composite filesystem that restricts visibility to each account and provides a copy-up behavior that restricts tampering of system files. Services, PHP included, are jailed to these synthetic roots with negligible performance degradation.
- Resource constraints
Restrict memory, CPU, I/O bandwidth, and process limits through cgroups, a native Linux feature that reliably enforces resource limits across modern Linux distributions.
- Scoped administration
Complex administrative tasks are simplified into Scopes, automation with error checking. Modify server configuration in a straightforward, safe manner.
- Polyglottal DNS
ApisCP speaks a variety of DNS implementations, including PowerDNS and DigitalOcean (and CloudFlare if you want!).
- FLARE updates
Stay ahead of threats with FLARE, a rapid update facility part of ApisCP. FLARE checks 50 times a day to ensure you’re up-to-date. When we push an emergency update, your server automatically updates as long as you permit us.
- Self-corrective monitoring
We’ll do our best to heal spikes in server traffic without impacting your day. What we can’t heal, Argos pushes to your notification medium of choice. Argos is a good boi! After all, we named this feature after Odysseus’ loyal companion.
Software Included
| Package | Version | License |
|---|---|---|
| ApisCP | 3.20 | Proprietary |
| PHP | 7.40 | PHP |
| MariaDB | 10.40 | GPL-2.0 |
| PostgreSQL | 13 | PostgreSQL |
| Apache | 2.40 | Apache |
| Ansible | 2.90 | GPL-3.0 |
| Node | 6.0.0-13.1.0+ | MIT |
| Python | 2.1.3-3.6.8+ | Python Software Foundation |
| Ruby | 1.8.5-2.6.5+ | Ruby |
| Go | 1.2.2-1.12.13+ | BSD-style |
| git | 2.18 | GPL-2.0 |
| TimescaleDB | 2.50 | Apache/TSL |
| Postfix | 3.40 | IBM |
| Dovecot | 2.30 | MIT |
| WordPress | 5.1+ | GPL-2.0 |
| WP-CLI | 2.30 | MIT |
| Ghost | 3.0+ | MIT |
| Discourse | 2.2+ | GPL-2.0 |
| Laravel | 6.1+ | MIT |
| Drupal | 8.7+ | GPL-2.0 |
| fail2ban | 0.10 | GPL-2.0 |
| HAProxy | 1.80 | GPL-2.0 |
| Phusion Passenger | 5.30 | MIT |
| mod_evasive | 1.0-dev | GPL-2.0 |
| rspamd | 2.40 | Apache |
| SpamAssassin | 3.40 | Apache |
| Redis | 5 | BSD |
| Monit | 5.25 | AGPL-3.0 |
Creating an App using the Control Panel
Click the Deploy to DigitalOcean button to create a Droplet based on this 1-Click App. If you aren’t logged in, this link will prompt you to log in with your DigitalOcean account.
Creating an App using the API
In addition to creating a Droplet from the ApisCP 1-Click App using the control panel, you can also use the DigitalOcean API. As an example, to create a 4GB ApisCP Droplet in the SFO2 region, you can use the following curl command. You need to either save your API access token) to an environment variable or substitute it in the command below.
curl -X POST -H 'Content-Type: application/json' \
-H 'Authorization: Bearer '$TOKEN'' -d \
'{"name":"choose_a_name","region":"sfo2","size":"s-2vcpu-4gb","image": "apisnetworks-apiscp-8-3"}' \
"https://api.digitalocean.com/v2/droplets"
Getting Started After Deploying ApisCP
This application includes a 30-day Pro license to use ApisCP. After 30 days, your server will continue to protect itself against malicious activity as well as host your sites, but you won’t be able to access your panel. Visit my.apiscp.com to purchase a license or contact [email protected] for questions.
Configuration
A prebuilt image is provided, which immediately protects itself from threats once turned on. Login to the server using your DigitalOcean credentials to begin installation. Configuration settings are available in /root/apnscp-vars.yml, which influence how the panel initially behaves. Any setting, with the exception of MariaDB and PostgreSQL, may be changed at a later time.
Recommended settings
- apnscp_admin_email: SSL issuance and panel communication.
- system_hostname: SSL issuance and server identification on mail transactions. This should be a fully-qualified domain name (e.g. “mydomain.apiscp.com” or “apiscp.com”). DNS should also resolve to this host. See “Bootstrapping” section of SSL.md for tips on setting up SSL if a domain doesn’t have hosted DNS yet.
- user_daemons: open a limited port range to allow sites to run services, such as Discourse or Redis.
Installation
- Run
nano /root/apnscp-vars.ymlto edit Bootstrapper configuration. - Make changes. See recommended settings above as a guide.
- Run
systemctl start bootstrapper-resumeto replay installation, personalizing your instance.tail -f /root/apnscp-bootstrapper.logwill show installation progression real time. It won’t take more than a few minutes to complete.- If you see “failed=1” get in touch with us ([email protected]).
- Visit https://
:2083 to login to the panel.
After installation
Logging in
By default, the username is “admin” and password randomly generated. ApisCP will attempt to send an email with your credentials, but these can be just as easily reset from the command-line:
Resetting admin credentials
cpcmd auth:change-username NEWUSER
cpcmd auth:change-password 'NEWPASSWORD'
cpcmd common:set-email [email protected]
Adding a site
Adding your first site is a breeze! ApisCP is tuned from the start for optimal performance, so stress less on tuneables - which still exist in config.ini - and focus on your sites.
- Visit https://
:2083/ to login to the panel. - Navigate to Nexus to create your first site.
- Kick your feet back to relax! Use SSO to sign into the site. Setup SSL, email, or install WordPress at your leisure.
See INSTALL.md for additional help.
Importing from other backups
ApisCP is able to read backups from other mediums. See Migrations.md for an updated list of supported mediums.
DNS
A “null” driver is configured by default, which disables DNS integration. The DigitalOcean DNS driver is an excellent option if you’re hosting just your sites. For hosting a variety of users, we recommend using PowerDNS.
- Create a Personal Access Token.
- Configure ApisCP to use DigitalOcean for DNS:
cpcmd scope:set dns.default-provider digitalocean cpcmd scope:set dns.default-provider-key 'abcdef1234567890'
Scopes
Many settings may be simply adjusted after install through Scopes. Scopes do the heavy lifting for you, just focus on the invocation! Scopes have a few methods: get, set, info, list.
- get: get the current Scope setting
Example: cpcmd scope:get net.hostname
- set: set a Scope setting (variadic)
Example: cpcmd scope:set mail.enabled false
Example: cpcmd scope:set system.sshd-port '[22,43130]'
- info: get information on a Scope, including purpose
Example: cpmd scope:info cp.headless
- list: enumerate all available Scopes
Example: cpcmd scope:listThe following Scopes are commonly used:
mail.smart-host: set upstream mail relaycp.headless: disable panel frontend, rely on CLI helperssystem.timezone: change the system timezone to your regionrampart.blacklist: add an address or CIDR to a permanent listrampart.whitelist: add an address or CIDR to a permanent listapache.block10: alter global settings to block all HTTP/1.0 (often sloppy spam) clients from accessing the servercp.bootstrapper: change Bootstrapper settings,upcp -sbre-runs the Bootstrapper to apply changes
config.ini provides other features to tune. Always use cpcmd config:set cp.config section name value to alter this file in a safe manner.
Extending ApisCP
ApisCP supports a variety of features beyond what’s listed above. Make the most of your ApisCP experience with the following additions:
- WHMCS addon courtesy Lithium Hosting
- Blesta addon available in Blesta 4.8+
- SpamHaus DQS plugin. Requires rspamd spam filter.
- Bacula automated backups
- Configuring push monitoring
Hacking
ApisCP is a cornucopia of features to explore! cpcmd -o yaml misc:list-commands is a fun starting point. If you need to scratch that itch, check out the following features:
Stop by the ApisCP Discord server if you have any questions. See you there!