Google Cloud Deployment with WordPress + openlitespeed

#1
Hello guys :)
After many years, I decided to move to LiteSpeed (I am new to LiteSpeed).

Starting this journey:
I deployed WordPress with OpenLiteSpeed for one of my clients:
https://docs.litespeedtech.com/cloud/images/wordpress/

It's much wider and more complex than these docs, and there is the OpenLiteSpeed panel itself to optimize.
I am a cPanel user, and my goal was to get rid of the server panel and use only a WordPress server.

I see now it's a little bit more complex if you want to use this deployment on Google Cloud.
(You can still use WordPress, but there are security issues and much more configuration needs to be done in the OpenLiteSpeed panel.)


Really, I don't know where to start; I have so many questions.
I will try from the hard to the easy:


1. phpMyAdmin and the OpenLiteSpeed admin panel need to be secured with SSL. (They are not secure; how do I secure them? My website is secure: I generated the SSL certificate and forced it.)
But phpMyAdmin is accessible over HTTP :/ (YOU HAVE SSL ON IT IF YOU GO IN OVER HTTPS, BUT IT'S NOT FORCED)
The OpenLiteSpeed admin panel is much worse, and I must close port 7080 and open it through SSH any time.

If I were able to secure both of them with SSL, it would be much better and more secure.

-------

2. The virtual host shows “example”, and I noticed in one of your videos on YouTube you delete the “example”, so I got confused; maybe this thing needs to be deleted if you deploy OpenLiteSpeed through GCP:

SCREENSHOT OF THE “EXAMPLE” VIRTUAL HOST I THINK NEEDS TO BE DELETED (ACCORDING TO YOUR YOUTUBE):
https://ibb.co/0VsxHC7

-------

3. OCSP Stapling and different cipher key for better SSL score:
I noticed that in one of the articles you provide some tips for people who want an ECDH key:
https://docs.litespeedtech.com/cloud/images/wordpress/

I see an option for OCSP stapling in the OpenLiteSpeed panel (you can turn it on with a click of a button).
But I am still afraid; it is better to ask here, maybe someone can help.
Maybe provide a YouTube video for this issue?

The SSL score of the default deployment is very bad:
https://www.ssllabs.com/ssltest/analyze.html?d=ndlocksmithservice.com&latest

--------

4. Emails from the openlitespeed admin panel?
So one thing confused me very much:
it is the email from the OpenLiteSpeed admin panel.
The deployment instructions (docs) do not mention the LiteSpeed admin panel alerts.

(You show how to do emails only for the WordPress website.)
But from my knowledge of other web admin panels, they send alerts and much more.

Another important thing:
Google Cloud blocks port 25 by default (and in the deployment you didn't open it for the client),
so I got very confused.

Does the OpenLiteSpeed panel not send alerts to your email?
And if the admin panel is actually sending alerts, how can I set up email alerts on Google Cloud, since they block port 25 by default?


---------

5. server name:
I noticed the option to change it in the OpenLiteSpeed admin panel, but I was not sure...
I know that on Google Cloud you need to create a script (DHCP script)
to do stuff like this. (If someone knows the right way, I will be glad to hear it.):
https://ibb.co/3c8WpC5

---------

I know it's a lot... (and I have many more questions, but I don't want to make it too much)
I will be happy for help, and I am sure it will help others :)
 

Cold-Egg

Administrator
#2
Hi, let me help answer all the questions.

1. Those are still secure; it is just not using a valid SSL certificate, so your browser will show the warning. You can also assign a valid certificate to the web admin > admin > listener if needed.

2. That is not for cloud images. For the image, the listener does not listen for the Example virtual host, which means no request will be passed to it. So keeping it or not does not really matter.

3. I didn't check, but OCSP should not affect the SSL score. In some cases, disabling TLS 1.1 may cause some old browsers to fail to visit your site. So it's recommended to keep it on. You can try to disable TLS 1.1 from web admin > listener > SSL; if no user reports an issue, then you can keep it off.

4. The web admin is a GUI for you to configure the web server, not a monitoring tool. For the WordPress + email issue on GCP, you can check https://docs.litespeedtech.com/cloud/images/wordpress/#how-do-i-change-the-smtp-port-from-25-to-587

5. Not clear what you want to achieve.
 
#3
First, thank you a lot for the answer.
About the SSL, I solved the issue by copying the SSL key from the "wordpress" virtual host to the "adminlistner". (LETSENCRYPT KEY)

I made phpMyAdmin secure with this explanation from the docs:

https://docs.litespeedtech.com/cloud/images/wordpress/#step-5-redirect-http-to-https

Now port 7080 is secure.
And the phpMyAdmin page is HTTPS forced :)

-------

About problem number 2:
So, I didn't understand your answer: can we delete the virtual host “Example” like in the video?


This is from the official page of LiteSpeed on YouTube.
I copied the link at the right time; the guy in the video deletes the “Example” virtual host.
I want to clarify with you AGAIN because you didn't give me a clear answer. (TO DELETE IT OR NOT)

As I said before, I deployed WordPress through the Google Cloud Marketplace image.
I think this "Example" virtual host is not necessary and needs to be deleted, but it is better to ask you guys. Please, if you can give me a strict answer, it will be much better.
-------
3. OCSP stapling affects the score; if you go down on the test you will see it. HSTS plays a role as well.

I have another website on cPanel and Nginx, you can see the score is high:
https://www.ssllabs.com/ssltest/analyze.html?d=locksmithunit.com&latest

I didn't find a way to remove TLS 1.1 as you said.
But I found something also, and I think it will do the job better.

https://docs.litespeedtech.com/cloud/images/wordpress/#how-do-i-apply-an-ecc-certificate

This shows how to get an ECC certificate, which gives you a high score in the SSL Labs test.
Now, if you look at the link, there is an automated script + a suggestion to add a cron job.

Now my dilemma is:
what about the cron job and the older certificate I have right now (the RSA certificate)?

Do I need to delete it?

Do I need to replace the RSA cron job with the ECC cron job? Or are they meant to be together (2 cron jobs)?
If you look at the link I sent you, I am sure you will understand my DILEMMA about this.

--------------------------------

4. Emails.

The link you sent is meant only for WordPress.
What about the email of the OpenLiteSpeed admin panel?
Cron jobs usually send email, and this can't happen through WordPress.
The WP MAILS plugin will take care only of the emails of WordPress.
If you have other emails that need to be sent from the OpenLiteSpeed admin panel, they will not be sent.

The big question is:
whether the LiteSpeed admin panel actually has alerts that need to be sent as email.
It can be that I am wrong, and the OpenLiteSpeed panel was not designed to send alerts.

-------------------------------------------

5. server name.

I found the option to change the server name, but they do not say what the right format is + there is an alert about permission, which makes me more afraid to change it:

https://ibb.co/3c8WpC5

If you look at the image inside the link, on the left, I marked the option to change the server name for you.

Now,
there are no instructions.
From my experience with other panels, they usually have a recommendation, and they tell you to do something like this:

server.ndlocksmithservice.com

or

host.ndlocksmithunitservice.com

But I suspect a little that on your platform it is not the same case.
With the warning at the top, I got more afraid to change it.
I think your platform doesn't want a URL; it just wants a name, for example:

ND Locksmith Service

-------

And that's all for now :)
 

Cold-Egg

Administrator
#4
2. Sure you can delete it, won't cause any issues.
3. I didn't compare the score with ECC before. To answer your question, no need to delete the existing certificate, since you will need to manually apply the new ECC cert to the web server. No harm in keeping both cron jobs.
4. No alert; I remember it only sends when something happens to lshttpd. Since GCP blocks port 25, you might want to update the mail settings from the system.
5. It's not like a general control panel; it's a panel for controlling the web server only. I did a quick test, and inputting IP + domain works without any permission alert.
 

Cold-Egg

Administrator
#5
Also, I did a quick test.
Launch the server and apply Let's Encrypt, SSL report = B
Then I went to web admin > Listener > SSL > SSL protocol, and only enabled TLS v1.2 and TLS v1.3, and the score turned to A immediately. No need to bother with OCSP and an ECC cert.
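
The setting changed in post #5, as an added example that is not part of the thread or LiteSpeed's own code: a Python check that reads `listener` blocks from an OpenLiteSpeed plain-text config and reports which secure listeners still enable protocols older than TLS 1.2. The `sslProtocol` bit values (1=SSLv3, 2=TLSv1.0, 4=TLSv1.1, 8=TLSv1.2, 16=TLSv1.3) are an assumption about the config format, and the sample config is constructed.

```python
import re

# Assumed bit values of the listener "sslProtocol" setting:
# 1=SSLv3, 2=TLSv1.0, 4=TLSv1.1, 8=TLSv1.2, 16=TLSv1.3 (so 24 = TLS 1.2 + 1.3 only).
PROTOCOL_BITS = {1: "SSLv3", 2: "TLSv1.0", 4: "TLSv1.1", 8: "TLSv1.2", 16: "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample config; listener names and values are illustrative only.
SAMPLE_CONFIG = """
listener Default {
  address                 *:80
  secure                  0
}
listener SSL {
  address                 *:443
  secure                  1
  sslProtocol             30
}
listener adminListener {
  address                 *:7080
  secure                  1
  sslProtocol             24
}
"""

LISTENER_RE = re.compile(r"^\s*listener\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
SETTING_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(\S+)[ \t]*$", re.M)

def decode_protocols(mask):
    """Turn an sslProtocol bitmask into a list of protocol names."""
    return [name for bit, name in sorted(PROTOCOL_BITS.items()) if mask & bit]

def audit_listeners(config_text):
    """Return {listener: {"enabled": [...], "legacy": [...]}} for secure listeners."""
    findings = {}
    for name, body in LISTENER_RE.findall(config_text):
        settings = dict(SETTING_RE.findall(body))
        if settings.get("secure") != "1":
            continue  # plain-HTTP listener, nothing to check
        if "sslProtocol" not in settings:
            # Not set explicitly: the server default applies, so flag for manual review.
            findings[name] = {"enabled": None, "legacy": None}
            continue
        enabled = decode_protocols(int(settings["sslProtocol"]))
        findings[name] = {"enabled": enabled, "legacy": [p for p in enabled if p in LEGACY]}
    return findings

if __name__ == "__main__":
    for name, result in audit_listeners(SAMPLE_CONFIG).items():
        print(name, result)
```

A non-empty `legacy` list marks a listener that still offers a protocol below TLS 1.2.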
 
#6
Yes, you are right.

First I must say thank you; this time you answered me on all the things :)
Even for the tickets, I got answers very quickly, thank you very much.

The only thing left for me right now is the email (in WordPress, not in the server).
I see in the docs to use wp-smtp mail:
https://docs.litespeedtech.com/cloud/images/wordpress/#how-do-i-change-the-smtp-port-from-25-to-587

In the deployment on GCP Marketplace, I didn't see any port like 25 or 587:
https://ibb.co/yNcCw8G

So I am a little confused: how is it possible that I can send email with WP-MAIL without opening a port?
I believe you're aware of that; after all, you published about WP-MAIL in the docs.

OR
I am wrong and need to do additional stuff on the cloud firewall and the UFW firewall of the machine?
 

Cold-Egg

Administrator
#7
Google Cloud does not place any restrictions on traffic sent to external destination IP addresses using destination TCP ports 587 or 465. So no need to change the firewall. But you might want to set up the wp-smtp + port 587 on your own. :)
 
#8
I still didn't get you.
This is what I have:
1669883660836.png

I believe the SMTP host is the domain itself (ndlocksmithservice.com).
This is because I didn't create a “mail” version as all the panels do (mail.ndlocksmithservice.com).

It's not working.
 
#10
https://www.wpbeginner.com/plugins/how-to-set-up-wp-mail-smtp-with-any-host-ultimate-guide/
It does not show how to do it on the cloud.

It can't be that you will send an email on Google Cloud without opening a port; you didn't open port 25, 587 or 465.

In the deployment, you didn't open any port for mailing:
1670158270583.png


You cannot send emails with your own SMTP through this deployment…
I think the only choice is a 3rd-party provider.
With DNS and an API key, of course.
Only this way can you solve the email problems.

But on the machine with this deployment... there is no chance you will be able to send emails via ports 25, 587 or 465 with your own email system (SMTP).
 

Cold-Egg

Administrator
#11
HIHI
The image comes with only the necessary port opened, you can add/delete the firewall rules easily after the server launch. If you check other WordPress solutions on the Google Cloud marketplace, they all apply similar basic rules for the web server only.
 
#12
It's not true, my friend...
I have 4 cPanel / WHM deployments from the Google Cloud Marketplace.
They open all 3 ports when you buy the product via the Google Marketplace.
(25, 587 or 465 AND EVEN PORT 26, because Google blocks port 25 by default)

PLUS!
They offer docs with instructions on how to fix it with Google Cloud (this issue is well known, and cPanel covers that):
https://support.cpanel.net/hc/en-us/articles/360051773434-Cannot-Send-Mail-from-Google-Cloud-Server

This problem is at the server level; you must include instructions on what to do to bypass that…

The only option to do it is with the Gmail API with WP-MAIL, and I am still not sure about that. (I didn't try it yet.)

You must provide instructions to fix the email system on your deployment.
Except for that, your deployment is amazing; I have never seen something work so fast on defaults.

I think your product is going to be one of the biggest on the Google Cloud Marketplace.
But you must cover all the issues to make it happen.
 

Cold-Egg

Administrator
#13
HI,

I agree the suggested ports should be opened by default, which may be more convenient; I will implement the new firewall rules in the next release. Also, I checked their docs, and the free plan has a daily/monthly limit, so I'd still recommend using the WP Mail SMTP (https://docs.litespeedtech.com/cloud/images/wordpress/#how-do-i-change-the-smtp-port-from-25-to-587) method. I followed https://wpmailsmtp.com/docs/how-to-set-up-the-gmail-mailer-in-wp-mail-smtp/ today and the mail service works on Google Cloud; maybe you can give it a try. Since it's a 3rd-party plugin, I will just update the link in our document instead of creating a new doc for it.
 

#14
The Gmail option will work, because it does not work over SMTP; it works with an API key. Maybe there is no need to open a port for it.
But still it's a nightmare; a client should do it properly if you change the deployment and open a port for him.

By the way,
WP-MAIL can show a green check mark when you're sending an email, but you need to check your email; it does not mean the email passed through.
Try to do it again, and check your email to see if you received a new email... there is a big chance you didn't receive it.

I'm going to do it with the Gmail API + wp-mail and I will text you back with the result.

Thanks for all the help.
 