Update: 🍺 apnscp v3.0 released! Release notes.

Refer to pre-alpha TR announcement for installation + tutorial

The next release leg toward 3.0 final has been released. This beta marks the last significant release before 3.0 expected to launch by early November. Likewise no major features will be introduced, instead focusing on shoring up any bugs introduced over the frenetic release schedule.

Changes have slowed down considerably, from 120+ in alpha to just 63 this release. Among those changes are several notable highlights,

  • apnscp PHP upgrade from 7.1 -> 7.2 (migration notes)
  • AWS Route 53 DNS provider
  • Discourse web app support
  • Improved ruby module
  • Wordpress plugin/theme automatic update bypass list
  • Rampart O(1) scaling
  • Passenger helper, run Node/Ruby/Python in standalone mode
  • Bootstrapper job support. Changes are sent over email to panel admin.
  • Expanded config options

Route 53 DNS support

Configure a domain to use Route 53 for DNS. It supports basic tasks, including region assignment, but no support yet for health checks yet. A provider can be assigned for the domain using either Nexus in the panel or CLI,

EditDomain -c dns,provider=aws -c dns,key='[key:123,secret:456]' domain.com

More information is available in the module documentation.

Discourse availability

Discourse forum software is now available via Web > Web Apps. It required some additional modules, namely redis and git, to properly implement. Updates within Discourse that are simply git tags lay the foundation for embedded version control in an upcoming release.

On low memory machines (<= 2 GB), enable low memory mode, which disables ancillary services such as ClamAV virus scanning that can place undue pressure on Discourse.

cpcmd config_set apnscp.low-memory 1

Improved Ruby module

Ruby module API is consistent with node, sporting ruby_do(), ruby_install(), ruby_get_lts(), among other niceties.

Bypassing Wordpress theme/plugin updates

Wordpress now supports per-account bypass lists for plugin/theme updates. Core updates are still governed by version lock (Web > Web Apps), which propagates now to plugin/themes. In addition, a newline-delimited list named .wp-update-skip in the Wordpress document root restricts which plugins/themes are processed for updates. Format can be of type:name or simply name, e.g.


If a theme or plugin is named "advanced-custom-fields", then it will never be updated. If a theme is named "avada", it will not be updated but if a plugin is named "avada" it will. Same applies to a plugin named "wordfence".

Rampart O(1) scaling

Rampart has switched to ipset for blacklisting hosts, which shows no degradation as the number of entries increases up to the tens of thousands. Hopefully no one will ever come under such an attack to necessitate 45,000 different address blocks, but any opportunity to speed up a server is a plus.

Bootstrapper job support

apnscp has integrated Bootstrapper jobs into its API. These are used primarily for panel reconfiguration discussed below, but also confer a cool feature - change digests. Whenever a configuration value is altered in the panel and a job initiated, the panel admin (cpcmd common_set_email email@address.com) will get a brief summary of what components were run and what changed.

Expanded config

config supports 17 tunable options now, including putting apnscp into headless mode so as to reduce its attack vector (no panel frontend), configuring default SSL, and setting up Argos.

cpcmd config_list will show all available options. Here are some common examples that you will find useful.

Requesting SSL

For example, let's request SSL for a server that responds to both testing.apnscp.com and testing.apisnetworks.com,

cpcmd config_set net.ssl '[testing.apnscp.com,testing.apisnetworks.com]'

That's all there is to it now.

Enable nightly panel updates

cpcmd config_set apnscp.nightly-updates 1

apnscp will update every night at ~3 AM or whatever cron.start-range is configured as.

Whitelist an IP address

cpcmd config_set rampart.whitelist

or to view currently whitelisted addresses,

cpcmd config_get rampart.whitelist

Alternatively the parameter may be omitted to default to the authenticated client IP,

cpcmd config_set rampart.whitelist

Beta -> Final changes

  • Documentation
  • Unit tests
  • Bugs

No significant changes are planned for the next release with an emphasis on shoring up any bugs introduced during development. Features will pick back up by apnscp 3.1 in Q1 2019.


  • REL: apnscp 3.0 beta
  • NEW: Passenger support (Webapps)
  • NEW: template gemrc/Muttrc.local (Opcenter\Provisioning)
  • NEW: account port helper
  • NEW: exception_upgrade($level) automatically upgrade any message of $level to an exception (Error Reporter)
  • NEW: cron.notify, cron.start-range, system.integrity-check configurables (Admin\Settings)
  • NEW: apache.php-version, Argos, apnscp.headless, apnscp.nightly-updates configurables (Opcenter\Config)
  • NEW: hash()- create hmac hash of session (Auth)
  • NEW: apnscp.headless, toggle panel headless mode from CLI (Opcenter\Config)
  • NEW: update() alternative hook, verify alternatives installed (Yum::Synchronizer)
  • NEW: BootstrapperTask, run a bootstrapper play (Lararia\Jobs)
  • NEW: setTee() - add a tee file for program output (Util_Process)
  • NEW: AWS Route 53 DNS module
  • NEW: -p|--plan support. Bind a plan to a new site. artisan opcenter:plan manages plans. (AddDomain, artisan)
  • NEW: ipset firewall support (Opcenter\Net)
  • NEW: admin settings
  • NEW: system.apnscp-restart command
  • FIX: tolerate 1-letter subdomains (Regex)
  • FIX: clicking checkbox within dropdown closes dropdown (apnscp.js)
  • FIX: crontab disallowed when crontab,enabled=0. enabled=0 used as internal marker for whether crontab is running or should run (Opcenter\Service\Crontab)
  • FIX: queue processing ignored when [cron] => low_memory=true (Lararia)
  • FIX: apnscp.restart namespace (Admin\Settings)
  • FIX: setUserConfigurationField()- $group overwritten within loop (Opcenter\Database)
  • FIX: active session can be leaked when tee is used (Util_Process::Tee)
  • FIX: pass HOSTNAME environment var when apnscpd is run in foreground (apnscpd)
  • FIX: implement missing PostgreSQL alternatives (Yum::Synchronizer)
  • FIX: session clobbering (apnscpSession)
  • FIX: only destroy active session if session ID mismatch (SOAP)
  • FIX: PHP 7.2 compat. Disable automatic Cookie: header in CLI to facilitate switching of session ID (Auth)
  • FIX: validate database prefix collisions (Opcenter\Database)
  • FIX: inheritence (Console\Commands\PlatformRollback)
  • FIX: force session as array (apnscpSession)
  • FIX: prefer cur/, but accept new/ on site creation (Module Skeleton)
  • CHG: use db map for older platforms (Opcenter\Apache)
  • CHG: populate mainwebsite_html, all_domains, all_subdomains helper paths (Opcenter\Web)
  • CHG: SHIM no longer starts sessions automatically (apnscpSession)
  • CHG: propagate auto-logout status to impersonated sessions (Auth)
  • CHG: install pg_config alternative outside scope of official RPM (Yum::Synchronizer)
  • CHG: refactor support module. Add pgsql database generation (Webapps)
  • CHG: run clear-compiled after update (upcp.sh)
  • CHG: cleanup failed/successful webapp installs notification (Lararia\Jobs)
  • CHG: extra file sanity checks (File Manager)
  • CHG: pass --extra-vars as json (Jobs\BootstrapperTask)
  • CHG: when omitting a section in inifiles and no section is named in file, import variables into global space (Map)
  • CHG: rename system.apnscp-restart to apnscp.restart (Opcenter\Config)
  • CHG: reduce exponential backoff growth rate (Auth_Anvil)
  • CHG: log offending IP (Auth_Anvil)
  • CHG: add timestamp property (Auth_Info_User)
  • CHG: use stderr in backend instead of stdout (Error Reporter)
  • CHG: whitelist earlier. Save whitelist status (Auth_Anvil)
  • CHG: PHP 7.2 compatibility fixes
  • CHG: PHP 7.2 compatibility fixes
  • CHG: prefixExists()- gracefully handle situation in which db map has not been populated yet (Opcenter\Database)
  • CHG: remove date suffix from Bootstrapper log. Defer to logrotate (upcp)
  • CHG: up proclimit back to 100 to avoid npm/yarn installation issues (cgroup)
  • CHG: method signatures
  • CHG: installDatabaseService()- cleanup random password generation (Support\Sql)
  • CHG: return native types instead of macros (License)
  • CHG: check if zone exists before altering IP (Transfer)
  • CHG: automatically run migrate (upcp)
  • CHG: add release annotation (changelogparser)
  • REM: sessions (lservicelib)
  • REM: extraneous constructor call after impersonating subordinate user (Nexus, Manage Users)