ApisCP

ApisCP is the Apis Networks Control Panel, a hosting platform since 2002 engineered to help you achieve more. Once installed, ApisCP’s adaptive firewall activates by protecting all facets from WordPress to SSH for added peace of mind. This is a multi-tenant platform in which each account is partitioned from one another and may be optionally controlled via resource enforcement. 1-click installation and automatic updates are provided for WordPress, Discourse, Ghost, Drupal, and Laravel.

Skip down to installation for a quickstart.

Features

Beyond the basics, ApisCP implements several features unique to its stack.

  • Platform integrity checks

ApisCP is a self-healing platform. Once a month it scrubs your server looking for irregularities. Any changes are automatically corrected. Integrity checks can fix a broken server in most cases.

  • Automatic updates

Let’s work together to make the web safe. ApisCP automatically deploys updates for system packages, panel core, platform improvements, WordPress core/plugins/themes, Ghost, Discourse, Drupal, and Laravel. Every month you’ll receive a reminder of what sites have failed automatic updates to help you manage your server.

  • Principle of least-privilege

Single-user sites are so 2000. ApisCP modernizes your layout by utilizing a variety of user accounts governed by discretionary access controls built into Linux. Each site has a dedicated web user that is separate from your user accounts. A bad WordPress shouldn’t wreck your day.

  • Delegated whitelisting

Empower sites with the ability to protect themselves from the omnipotent eye of Rampart. Delegated whitelisting allows Site Administrators to whitelist a configurable threshold of IP addresses such that one user’s bad mail credentials doesn’t block access for everyone else.

  • Synthetic filesystems

Each account runs its own filesystem comprised of a variety of service layers. BoxFS is an opaque, composite filesystem that restricts visibility to each account and provides a copy-up behavior that restricts tampering of system files. Services, PHP included, are jailed to these synthetic roots with negligible performance degradation.

  • Resource constraints

Restrict memory, CPU, I/O bandwidth, and process limits through cgroups, a native Linux feature that reliably enforces resource limits across modern Linux distributions.

  • Scoped administration

Complex administrative tasks are simplified into Scopes, automation with error checking. Modify server configuration in a straightforward, safe manner.

  • Polyglottal DNS

ApisCP speaks a variety of DNS implementations, including PowerDNS and DigitalOcean (and CloudFlare if you want!).

  • FLARE updates

Stay ahead of threats with FLARE, a rapid update facility part of ApisCP. FLARE checks 50 times a day to ensure you’re up-to-date. When we push an emergency update, your server automatically updates as long as you permit us.

  • Self-corrective monitoring

We’ll do our best to heal spikes in server traffic without impacting your day. What we can’t heal, Argos pushes to your notification medium of choice. Argos is a good boi! After all, we named this feature after Odysseus’ loyal companion.

Software Included

Package Version License
ApisCP 3.20 Proprietary
PHP 7.40 PHP
MariaDB 10.40 GPL-2.0
PostgreSQL 13 PostgreSQL
Apache 2.40 Apache
Ansible 2.90 GPL-3.0
Node 6.0.0-13.1.0+ MIT
Python 2.1.3-3.6.8+ Python Software Foundation
Ruby 1.8.5-2.6.5+ Ruby
Go 1.2.2-1.12.13+ BSD-style
git 2.18 GPL-2.0
TimescaleDB 2.50 Apache/TSL
Postfix 3.40 IBM
Dovecot 2.30 MIT
WordPress 5.1+ GPL-2.0
WP-CLI 2.30 MIT
Ghost 3.0+ MIT
Discourse 2.2+ GPL-2.0
Laravel 6.1+ MIT
Drupal 8.7+ GPL-2.0
fail2ban 0.10 GPL-2.0
HAProxy 1.80 GPL-2.0
Phusion Passenger 5.30 MIT
mod_evasive 1.0-dev GPL-2.0
rspamd 2.40 Apache
SpamAssassin 3.40 Apache
Redis 5 BSD
Monit 5.25 AGPL-3.0

Creating an App using the Control Panel

Click the Deploy to DigitalOcean button to create a Droplet based on this 1-Click App. If you aren’t logged in, this link will prompt you to log in with your DigitalOcean account.

Deploy to DO

Creating an App using the API

In addition to creating a Droplet from the ApisCP 1-Click App using the control panel, you can also use the DigitalOcean API. As an example, to create a 4GB ApisCP Droplet in the SFO2 region, you can use the following curl command. You need to either save your API access token) to an environment variable or substitute it in the command below.

curl -X POST -H 'Content-Type: application/json' \
         -H 'Authorization: Bearer '$TOKEN'' -d \
        '{"name":"choose_a_name","region":"sfo2","size":"s-2vcpu-4gb","image": "apisnetworks-apiscp-8-3"}' \
        "https://api.digitalocean.com/v2/droplets"

Getting Started After Deploying ApisCP

This application includes a 30-day Pro license to use ApisCP. After 30 days, your server will continue to protect itself against malicious activity as well as host your sites, but you won’t be able to access your panel. Visit my.apiscp.com to purchase a license or contact help@apisnetworks.com for questions.

Configuration

A prebuilt image is provided, which immediately protects itself from threats once turned on. Login to the server using your DigitalOcean credentials to begin installation. Configuration settings are available in /root/apnscp-vars.yml, which influence how the panel initially behaves. Any setting, with the exception of MariaDB and PostgreSQL, may be changed at a later time.

  • apnscp_admin_email: SSL issuance and panel communication.
  • system_hostname: SSL issuance and server identification on mail transactions. This should be a fully-qualified domain name (e.g. “mydomain.apiscp.com” or “apiscp.com”). DNS should also resolve to this host. See “Bootstrapping” section of SSL.md for tips on setting up SSL if a domain doesn’t have hosted DNS yet.
  • user_daemons: open a limited port range to allow sites to run services, such as Discourse or Redis.

Installation

  1. Run nano /root/apnscp-vars.yml to edit Bootstrapper configuration.
  2. Make changes. See recommended settings above as a guide.
  3. Run systemctl start bootstrapper-resume to replay installation, personalizing your instance.
    • tail -f /root/apnscp-bootstrapper.log will show installation progression real time. It won’t take more than a few minutes to complete.
    • If you see “failed=1” get in touch with us (help@apisnetworks.com).
  4. Visit https://:2083 to login to the panel.

After installation

Logging in

By default, the username is “admin” and password randomly generated. ApisCP will attempt to send an email with your credentials, but these can be just as easily reset from the command-line:

Resetting admin credentials

cpcmd auth:change-username NEWUSER
cpcmd auth:change-password 'NEWPASSWORD'
cpcmd common:set-email NEW@EMAIL.COM

Adding a site

Adding your first site is a breeze! ApisCP is tuned from the start for optimal performance, so stress less on tuneables - which still exist in config.ini - and focus on your sites.

  1. Visit https://:2083/ to login to the panel.
  2. Navigate to Nexus to create your first site.
  3. Kick your feet back to relax! Use SSO to sign into the site. Setup SSL, email, or install WordPress at your leisure.

See INSTALL.md for additional help.

Importing from other backups

ApisCP is able to read backups from other mediums. See Migrations.md for an updated list of supported mediums.

DNS

A “null” driver is configured by default, which disables DNS integration. The DigitalOcean DNS driver is an excellent option if you’re hosting just your sites. For hosting a variety of users, we recommend using PowerDNS.

  1. Create a Personal Access Token.
  2. Configure ApisCP to use DigitalOcean for DNS:cpcmd scope:set dns.default-provider digitalocean cpcmd scope:set dns.default-provider-key 'abcdef1234567890'

Scopes

Many settings may be simply adjusted after install through Scopes. Scopes do the heavy lifting for you, just focus on the invocation! Scopes have a few methods: get, set, info, list.

  • get: get the current Scope setting

Example: cpcmd scope:get net.hostname

  • set: set a Scope setting (variadic)

Example: cpcmd scope:set mail.enabled false

Example: cpcmd scope:set system.sshd-port '[22,43130]'

  • info: get information on a Scope, including purpose

Example: cpmd scope:info cp.headless

  • list: enumerate all available Scopes

Example: cpcmd scope:listThe following Scopes are commonly used:

  • mail.smart-host: set upstream mail relay
  • cp.headless: disable panel frontend, rely on CLI helpers
  • system.timezone: change the system timezone to your region
  • rampart.blacklist: add an address or CIDR to a permanent list
  • rampart.whitelist: add an address or CIDR to a permanent list
  • apache.block10: alter global settings to block all HTTP/1.0 (often sloppy spam) clients from accessing the server
  • cp.bootstrapper: change Bootstrapper settings, upcp -sb re-runs the Bootstrapper to apply changes

config.ini provides other features to tune. Always use cpcmd config:set cp.config section name value to alter this file in a safe manner.

Extending ApisCP

ApisCP supports a variety of features beyond what’s listed above. Make the most of your ApisCP experience with the following additions:

Hacking

ApisCP is a cornucopia of features to explore! cpcmd -o yaml misc:list-commands is a fun starting point. If you need to scratch that itch, check out the following features:

Stop by the ApisCP Discord server if you have any questions. See you there!