
apnscp Tuneables

Tuneable configuration options in apnscp. Default settings and explanations.

apnscp Tuneables

All changes must be made in config/custom/config.ini; config/config.ini itself is updated periodically with apnscp releases and should not be edited directly.

;   apnscp master configuration   ;
; ************ WARNING ************
; SET NEW VALUES IN conf/custom/config.ini
; cpcmd config_set apnscp.config <section> <name> <value>
; ************ WARNING ************
; NOTE(review): the text introducing this listing names config/custom/config.ini,
; while the line above says conf/custom/ - confirm the path on your install.
; NOTE(review): this listing carries no [section] headers, so repeated key names
; (enabled, ttl) are told apart only by the ";;;" group comments. Take the
; <section> argument for config_set from the shipped config/config.ini.

;;; Core configuration that affects all aspects of apnscp
; Use env DEVELOPMENT=1 environment variable to trigger debug
; Leave DEVELOPMENT unset on production hosts: debug enables the backtraces
; described below, and backtraces can disclose internal paths and call arguments.
debug = ${DEVELOPMENT}
; Display backtraces on (1) error, (2) warning, (3) info, (4) debug/deprecated
; all higher numbers imply lower class reporting; 4 produces backtrace on all
; backtrace occurs when debug set to true.
; Set to -1 to disable backtrace on apnscp-generated events,
; but continue to display PHP error/warning/notice backtraces
; NOTE(review): the key these five lines document is not shown in this listing.
; Global temp directory, reflected within virtual domains
temp_dir = /tmp

; In multiserver setups behind a proxy (cp-proxy),
; trust the following source IP or network for X-Forwarded-For
; See
; List only the proxy's own address or network: any source trusted here can
; supply the client address that apnscp takes from X-Forwarded-For.
; NOTE(review): an empty value presumably trusts no forwarder - confirm.
http_trusted_forward =
; Root directory that stores all
; NOTE(review): the line above is cut short in this listing; the object of
; "stores all" is not shown.
filesystem_virtbase = /home/virtual
; Filesystem template location
filesystem_template = /home/virtual/FILESYSTEMTEMPLATE

; A path that is shared across all sites as read/write
; Every site can write here, so treat anything found under this path as
; untrusted input from any site.
filesystem_shared = /.socket

; Location for run files
; Relative path. NOTE(review): presumably resolved against the apnscp
; install root - confirm.
run_dir = storage/run

;locale = 'en_US.UTF-8'
; system default, overrides php.ini
;timezone = 'America/New_York'
; Send a copy of all unhandled errors generated in apnscp
;bug_report =

; Brand name for the panel, for white-label
; apnscp version
; apnscp system user
; preload backend modules
; increases backend initialization but checks for errors

; Default apnscp theme
theme = "apnscp"
; Allow custom themes
; See
; NOTE(review): custom themes and the JS override below change what the panel
; serves to logged-in users; leave both off unless the theme source is trusted.
allow_custom = false
; Override apnscp JS
override_js = false

; Enable soap? Disabling also disables server-to-server migrations
; NOTE(review): 1 leaves SOAP on. If neither the SOAP API nor server-to-server
; migration is used, turning it off removes an interface that has to be defended.
enabled = 1
; WSDL name, located under htdocs/html/
wsdl = "apnscp.wsdl"

;;; Backend
; Location for apnscpd backend socket
; specify an absolute path to store outside of apnscp
; The default below is a relative path in the same directory as run_dir.
; NOTE(review): if the socket is moved, keep it in a directory that
; unprivileged users cannot write to.
socket = storage/run/apnscp.sock
; Maximum number of backend workers permitted
max_workers = 5
; Minimum number of idle backend workers
min_workers = 1
; Workers to spawn initially
; The value below equals min_workers and is under max_workers.
start_workers = 1
; Max backlog per worker
max_backlog = 20
; Make panel a headless installation, no front-end loaded
; Driven entirely by CLI
; false keeps the front-end loaded.
headless = false

;;; apnscp brute-force deterrent
; The comments below call this deterrent "anvil".
; max auth attempts before all auth is rejected
limit = 20
; duration to retain anvil statistics
; NOTE(review): no unit is stated; 900 is presumably seconds (15 minutes) - confirm.
ttl = 900
; minimum number of permitted logins before anvil kicks in
min_attempts = 3
; Whitelist for Anvil attempts
; Accepts networks and single IP addresses, separate with a comma
; NOTE(review): whitelisted sources are presumably exempt from the limits above,
; so keep entries to fixed administrative addresses rather than broad networks.
whitelist =

;;; DAV
; Enable DAV
; Same key name as the SOAP toggle earlier in this listing; the section header
; that separates the two is not shown here.
enabled = 1
; Allow non-DAV browser requests + interface
; NOTE(review): set to 0 if DAV is only ever reached by DAV clients - confirm
; the effect against the apnscp documentation.
browser = 1

;;; Ticket system + system generated emails
; ${HOSTNAME} in the values below is a placeholder.
; NOTE(review): presumably replaced with the server hostname when the file is
; read - confirm.
; send a small, MMS-suitable, message when a high
; priority ticket is opened or reopened to here
short_copy_admin =
; System email to dispatch internal issues such as
; certificate renewal failures or tickets
; Point this at a monitored mailbox: failure notices such as certificate
; renewal errors are sent here.
copy_admin = apnscp@${HOSTNAME}
; Address used to send emails
from_address = apnscp@${HOSTNAME}
; From name for above address
from_name = apnscp
; No-reply used for password reset and login alerts
from_no_reply_address = apnscp@${HOSTNAME}
; Generalized reply-to address for ticket system
reply_address = apnscp+tickets@${HOSTNAME}

; Maximum duration an idle session is valid
; A shorter window limits how long an unattended, logged-in browser stays usable.
; This is the session timeout; the brute-force deterrent earlier in this listing
; has its own key that is also named ttl.
ttl = 15 minutes

;;; Backend cache
; In multi-server installations, use the following
; memcached server as an aggregate cache otherwise
; local memcached is used
; Both keys empty: the local memcached is used, per the lines above.
super_global_host =
super_global_port =

; SG password. Super global, if defined, is reachable
; over network and thus open to abuse. See also
; When super_global_host is set, set a password here as well and restrict
; network access to that memcached port to the participating servers.
; The value is stored in plain text, so keep the custom config.ini unreadable
; to site users.
super_global_password =

; Local apnscp cache. Socket only; never use TCP
; as it contains sensitive data
; 0600 = read/write for the socket owner only; do not widen it.
socket_perms = 0600

;;; Let's Encrypt SSL
; When signing a certificate use LE staging server
; X1 X509 authority key identifier - shouldn't change
; Perform a DNS check on each hostname to ensure it is reachable
; If any hostname fails the ACME challenge, e.g. DNS points elsewhere, renewal
; will fail. Keep this on unless you know what you're doing
; Include alternative form of requested certificate
; e.g. includes and includes
; This requires that verify_ip=true
; Additional hostnames to request SSL for
; Day range a certificate may renew automatically. lookahead is max days to renew
; before expiry; lookbehind is min days to renew.
; A lower bracket (lookbehind) is necessary to ensure defunct domains
; are not continuously renewed - or attempted for renewal - against LE's servers.
; Set lookbehind to a large negative int (-999) to attempt to renew all defunct
; certificates.
; Set lookahead to a large positive int (999) to force reissue for all certificates.
; Default settings attempt renewal 10 times, once daily.
; Send a notification email to [crm] => copy_admin on certificate renewal failure

;;; DNS + IP assignment
; When adding IP-based sites, range from which IP addresses
; may be allocated. Supports comma-delimited and CIDR notation
; Hosting nameservers sites should use when hosted through the panel
; Leave empty to disable NS checks
; Nameserver that responds authoritatively for any account hosted
; *NOTE*: this should point to the nameservers you use for
; your domain
; Recursive nameservers used to verify visibility of DNS records
; A single internal master responsible for handling rndc/nsupdate and internal DNS queries
; Primary IP address of the server used in multi-homed environments, leave blank to autodiscover
; Primary IPv6 address of the server used in multi-homed environments, leave blank to autodiscover
; DNS providers that apnscp supports. Each provider
; beyond what is provided here must be located under Opcenter/Dns/Providers/
; Unless defined and unless dns,provider set in configuration
; No DNS will be provided for domain
; If set in, use cpcmd config_set dns.default-provider
; Optional global provider key, same form as dns,provider
; If set in, use cpcmd config_set dns.default-provider-key
; UUID to assign this server. UUIDs are used to collaborate with different servers
; to determine whether to remove a DNS zone, e.g. moving server -> server with different
; UUIDs will persist the records when the domain is deleted from Server A so long as the DNS UUID
; differs
; Default TTL value for newly created DNS records

; List of mail providers.
; "builtin" relies on Postfix "null" for testing
; Default provider to use for mail
; Domain to masquerade as when sending mail
; Affects "Message-ID" generation + non-fully qualified addresses
; NOTE(review): ${HOSTNAME} is a placeholder, presumably replaced with the
; server hostname - confirm. Use a domain this server is authorized to send
; mail for.
sending_domain = "${HOSTNAME}"
; rspamd installed on server. Used for spam filtering + DKIM signing requests

; ProxySQL in front of MySQL. Requires updating authentication on both ends.
; Only available for localhost/

; Storage multiplier if over quota
; Time in seconds amnesty is applied
; Min wait time, in seconds, between requesting amnesty

; Nameserver verification check before allowing a domain
; to be added. Enable on multi-user setups to prevent a user
; from adding and routing all server mail for
; to the user account.
; Notify admin whenever a domain is added to any account.
; Setting dns_check and notify to false is only recommended
; on a single-user installation.

; Include embedded Terminal for users
; Enable users to run daemons

; When using a multi-server reverse proxy, use this URL
; to query the domain database server
; See
;  +  Auth::Redirect
; When redirecting a login request elsewhere, format the
; redirection as this FQDN, e.g.
; if server = foo and server_format = <SERVER>, then
; redirect:
; Leaving blank implies SERVER_NAME
; Minimum acceptable password length
; Force password requirements check, implies min_pw_length
; Allow admin API commands, add/delete/edit/suspend/activate/hijack
; Disable to provide added security if a permission exploit were discovered
; Allow suspended accounts the ability to login to the panel?
; Retain password in session for SSO to webmail
; Special key to encrypt all seen sessions. In multi-server setups this value
; MUST be the same across ALL servers. On new installs this is set automatically
; by the Bootstrapper

; ClamAV is installed on system

; Base URL for all support articles. If you would like to self-host
; contact for information on mirroring KB
; In multi-panel installations, use cp_entry as reverse proxy
; See
; Aggregate system status portal used in login portal. Requires Cachet
; See and set to URL before api/

; Include usage statistics to help development of apnscp

;;; Cron
; Minimum cron resolution time, in seconds, for apnscpd
; Maximum number of workers, each worker takes up between 24-32 MB
; Disable Horizon and use a primitive single-runner queue manager, frees up 40-60 MB
; As a percentage of run-queue capacity. Run if 1-minute load < <CPU Count> * <LOAD_LIMIT>

;;; Account management
; default plan name, symlinks from plans/.skeleton
; NOTE(review): the key for the line above is not shown in this listing.
; Configuration directives not listed in plans/default/<svc>
; will terminate execution
; 1 = on: a directive missing from the plan definition stops the operation,
; as the two lines above describe.
strict_svc_config = 1
; Relative to resources/ or an absolute path
plan_path = templates/plans
; require IP addresses be bound to the server before allocating to site

;;; Server brute-force deterrent
; The comments below call this deterrent "rampart" and tie it to fail2ban jails.
; It is listed separately from the panel login deterrent (anvil) earlier on.
; Default jail prefix for all fail2ban jails
prefix = "f2b-"
; Default driver for rampart, iptables or ipset
; NOTE(review): the driver named here presumably has to be installed on the
; host - confirm before switching.
driver = iptables

;;; Account resource enforcement
; location for cgroup controllers
; default controller support

;;; Apache
; Bind to all available interfaces
; Requires manual configuration in httpd-custom.conf
; NOTE(review): the key for the two lines above is not shown in this listing.
; Window to allow multiple HTTP build/reload requests
; to coalesce. Set to "now" to disable.
; With a delay set, a requested configuration change may not be live until the
; window has passed.
reload_delay='2 minutes'

;;; Server-to-server xfer
; NOTE(review): presumably the address that receives transfer status mail;
; ${HOSTNAME} is a placeholder - confirm both.
status_email = apnscp@${HOSTNAME}