- Server Jumbo
- CloudPanel v2.5.3 – [2025-12-04]
- Debian 13
- MariaDB 11.8
cloud-init status --wait
sudo timedatectl set-timezone Asia/Jakarta
apt update && apt upgrade && apt autoremove && apt autoclean && apt cleansystemctl list-unit-files --type=service --state=enabledDebian 13 Server Jumbo
root@milan26:~# systemctl list-unit-files --type=service --state=enabled
UNIT FILE STATE PRESET
apparmor.service enabled enabled
cloud-config.service enabled enabled
cloud-final.service enabled enabled
cloud-init-local.service enabled enabled
cloud-init-main.service enabled enabled
cloud-init-network.service enabled enabled
e2scrub_reap.service enabled enabled
[email protected] enabled enabled
grub-common.service enabled enabled
ssh.service enabled enabled
sshd-keygen.service enabled enabled
systemd-network-generator.service enabled enabled
systemd-networkd-wait-online.service enabled enabled
systemd-networkd.service enabled enabled
systemd-pstore.service enabled enabled
systemd-resolved.service enabled enabled
systemd-timesyncd.service enabled enabled
unattended-upgrades.service enabled enabled
18 unit files listed.
root@milan26:~#
Server Benchmarks
wget -qO- yabs.sh | bashcurl -sL yabs.sh | bashwget -qO- bench.sh | bashcurl -Lso- bench.sh | bashwget -qO- nws.sh | bashDebian 13 & MariaDB 11.8
apt update && apt -y upgrade && apt -y install curl wget sudocurl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh; \
echo "6eac061df80f08b75224fcd7fce2f115e201696d8a6122e31abf7259a813b462 install.sh" | \
sha256sum -c && sudo DB_ENGINE=MARIADB_11.8 bash install.shsgml-base downgrading
root@milan26:~# apt upgrade
DOWNGRADING:
sgml-base
Summary:
Upgrading: 0, Installing: 0, Downgrading: 1, Removing: 0, Not Upgrading: 0
Download size: 12.0 kB
Space needed: 0 B / 43.8 GB available
Continue? [Y/n]
apt-mark hold sgml-baseDisable
systemctl stop --now memcached php7.1-fpm php7.2-fpm php7.3-fpm php7.4-fpm php8.0-fpm php8.1-fpm php8.2-fpm php8.3-fpm php8.5-fpm postfix proftpdsystemctl disable --now memcached php7.1-fpm php7.2-fpm php7.3-fpm php7.4-fpm php8.0-fpm php8.1-fpm php8.2-fpm php8.3-fpm php8.5-fpm postfix proftpdCloudpanel Servis
root@milan26:~# systemctl list-unit-files --type=service --state=enabled
UNIT FILE STATE PRESET
apparmor.service enabled enabled
chrony.service enabled enabled
cloud-config.service enabled enabled
cloud-final.service enabled enabled
cloud-init-local.service enabled enabled
cloud-init-main.service enabled enabled
cloud-init-network.service enabled enabled
clp-agent.service enabled enabled
clp-nginx.service enabled enabled
clp-php-fpm.service enabled enabled
cron.service enabled enabled
dphys-swapfile.service enabled enabled
e2scrub_reap.service enabled enabled
fail2ban.service enabled enabled
[email protected] enabled enabled
grub-common.service enabled enabled
mariadb.service enabled enabled
nginx.service enabled enabled
php8.4-fpm.service enabled enabled
redis-server.service enabled enabled
ssh.service enabled enabled
sshd-keygen.service enabled enabled
systemd-network-generator.service enabled enabled
systemd-networkd-wait-online.service enabled enabled
systemd-networkd.service enabled enabled
systemd-pstore.service enabled enabled
systemd-resolved.service enabled enabled
ufw.service enabled enabled
unattended-upgrades.service enabled enabled
varnish.service enabled enabled
30 unit files listed.
root@milan26:~#
Debian 17 + Cloudpanel 13
systemd-timesyncd.service > chrony.service
Migrasi WordPress
su - usercd /home/user/htdocs/domain.comwp cli cache clearDorong
rsync -avzP /home/user/htdocs/domain.com/ [email protected]:/home/user/htdocs/domain.com/mariadb-dump -u dbuser_lama -p'pass_lama' nama_db_lama | ssh [email protected] "mariadb -u dbuser_baru -p'pass_baru' nama_db_baru"WP Rocket RAM Cache
id user
rm -rf /home/user/htdocs/domain.com/wp-content/cache/wp-rocket/*
sudo nano /etc/fstab
tmpfs /home/user/htdocs/domain.com/wp-content/cache/wp-rocket tmpfs defaults,size=500M,mode=775,uid=1001,gid=1002 0 0
sudo mount -a
systemctl daemon-reload
chown user:grup /home/user/htdocs/domain.com/wp-content/cache/wp-rocket
df -hCLP Rocket = CloudPanel + WP Rocket > visitor > cloudflare / edge cache > nginx 443 > varnish 6081 / ram cache > nginx 8080 > wp rocket / (disk cache > ram cache) > php > redis > mariadb
sudo deluser --remove-home user
sudo delgroup groupHosts
nano /etc/hosts
127.0.1.1 domain.com www.domain.com
nano /etc/cloud/templates/hosts.debian.tmpl
cloud-init single --name update_etc_hostsCLP Rocket Woo
Vhost Editor
server {
listen 80;
listen [::]:80;
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
http2 on;
http3 off;
{{ssl_certificate_key}}
{{ssl_certificate}}
server_name www.domain.com;
return 301 https://domain.com$request_uri;
}
server {
listen 80;
listen [::]:80;
listen 443 quic;
listen 443 ssl;
listen [::]:443 quic;
listen [::]:443 ssl;
http2 on;
http3 off;
{{ssl_certificate_key}}
{{ssl_certificate}}
server_name domain.com www1.domain.com;
{{root}}
{{nginx_access_log}}
{{nginx_error_log}}
if ($scheme != "https") {
rewrite ^ https://$host$request_uri permanent;
}
location ~ /.well-known {
auth_basic off;
allow all;
}
{{settings}}
location ~/\.git {
deny all;
}
location = /xmlrpc.php {
deny all;
}
# Uncomment the following to exclude admin-ajax.php from basic auth if it breaks frontend functionality.
#location ~* ^/wp-admin/admin-ajax\.php$ {
# auth_basic off;
#}
location ~/(wp-admin/|wp-login.php) {
#auth_basic "Restricted Area";
#auth_basic_user_file /home/site-user/.htpasswd;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
proxy_max_temp_file_size 0;
proxy_connect_timeout 7200;
proxy_send_timeout 7200;
proxy_read_timeout 7200;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
}
location / {
{{varnish_proxy_pass}}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Varnish;
proxy_redirect off;
proxy_max_temp_file_size 0;
proxy_connect_timeout 720;
proxy_send_timeout 720;
proxy_read_timeout 720;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
}
location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf|map)$ {
# WordPress Multisite Subdirectory
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 break;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 break;
add_header Access-Control-Allow-Origin "*";
add_header alt-svc 'h3=":443"; ma=86400';
expires max;
access_log off;
}
if (-f $request_filename) {
break;
}
}
server {
listen 8080;
listen [::]:8080;
server_name domain.com www1.domain.com;
{{root}}
include /etc/nginx/global_settings;
# Start CLP Rocket Woo
# Path Cache WP Rocket 3.21.1 April 7th, 2026
set $wpr_cache_file "/wp-content/cache/wp-rocket/$host$request_uri/index-https.html";
set $scf_bypass 0;
# Bypass Aturan Default (POST request & URL dengan Parameter/Query String)
if ($request_method = POST) { set $scf_bypass 1; }
if ($args) { set $scf_bypass 1; }
# Bypass Cookies (Versi Super Bersih: Tanpa Cookies Komentar & Tanpa Woo)
if ($http_cookie ~* "(wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|comment_author|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_)") {
set $scf_bypass 1;
}
# Eksekusi Bypass
if ($scf_bypass = 1) {
set $wpr_cache_file "/bypass-cache-scf";
}
# Debug Header (Sangat berguna untuk cek DevTools)
add_header X-Cache-Engine "CLP-Rocket-Woo";
# Nginx 8080 > WP Rocket (Bypass PHP & DB)
location / {
try_files $wpr_cache_file $uri $uri/ /index.php?$args;
}
# End CLP Rocket Woo
# Wajib tambahkan tanda pagar (#) di bawah ini
# try_files $uri $uri/ /index.php?$args;
index index.php index.html;
location ~ \.php$ {
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_param HTTPS "on";
fastcgi_param SERVER_PORT 443;
fastcgi_pass 127.0.0.1:{{php_fpm_port}};
fastcgi_param PHP_VALUE "{{php_settings}}";
}
# WordPress Multisite Subdirectory
if (!-e $request_filename) {
rewrite /wp-admin$ https://$host$uri permanent;
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
}
if (-f $request_filename) {
break;
}
}Default VCL
root@milan26:~# cat /etc/varnish/default.vcl
vcl 4.0;
import std;
backend default {
.host = "127.0.0.1";
.port = "8080";
.first_byte_timeout = 600s;
}
acl purger {
"localhost";
"127.0.0.1";
"172.17.0.1";
}
sub vcl_recv {
if (req.restarts > 0) {
set req.hash_always_miss = true;
}
#return (pass);
if (req.method == "PURGE") {
if (client.ip !~ purger) {
return (synth(405, "Method not allowed"));
}
if (req.http.X-Cache-Tags) {
ban("obj.http.X-Cache-Tags ~ " + req.http.X-Cache-Tags);
} else {
ban("req.http.host == " +req.http.host+" && req.url ~ "+req.url);
return (synth(200, "Purged"));
}
return (synth(200, "Purged"));
}
if (req.method != "GET" &&
req.method != "HEAD" &&
req.method != "PUT" &&
req.method != "POST" &&
req.method != "TRACE" &&
req.method != "OPTIONS" &&
req.method != "DELETE") {
/* Non-RFC2616 or CONNECT which is weird. */
return (pipe);
}
# We only deal with GET and HEAD by default
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
# Set initial grace period usage status
set req.http.grace = "none";
# normalize url in case of leading HTTP scheme and domain
set req.url = regsub(req.url, "^http[s]?://", "");
# collect all cookies
std.collect(req.http.Cookie);
if (req.url ~ "^/admin/" || req.url ~ "/paypal/") {
return (pass);
}
if (req.http.Cookie ~ "(wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|comment_author|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_)") {
return (pass);
}
# if (req.http.cookie ~ "wordpress_logged_in_") {
# return (pass);
# }
if (req.http.Accept-Encoding) {
if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
# No point in compressing these
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
set req.http.Accept-Encoding = "deflate";
} else {
# unknown algorithm
unset req.http.Accept-Encoding;
}
}
if (req.url ~ "(\?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
set req.url = regsub(req.url, "[?|&]+$", "");
}
if (req.http.Authorization ~ "^Bearer") {
return (pass);
}
return (hash);
}
sub vcl_hash {
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}
}
sub vcl_backend_response {
set beresp.grace = 3d;
if (beresp.http.content-type ~ "text") {
set beresp.do_esi = true;
}
if (beresp.http.content-type ~ "text") {
set beresp.do_gzip = true;
}
# cache only successfully responses and 404s that are not marked as private
if (beresp.status != 200 && beresp.status != 404 && beresp.http.Cache-Control ~ "private") {
set beresp.uncacheable = true;
set beresp.ttl = 86400s;
return (deliver);
}
# validate if we need to cache it and prevent from setting cookie
if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
unset beresp.http.set-cookie;
}
if (!beresp.http.cache-control) {
set beresp.ttl = 0s;
set beresp.uncacheable = true;
}
return (deliver);
}
sub vcl_deliver {
set resp.http.X-Cache-Age = resp.http.Age;
unset resp.http.Age;
# Avoid being cached by the browser.
if (resp.http.Cache-Control !~ "private") {
set resp.http.Pragma = "no-cache";
set resp.http.Expires = "-1";
set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
}
unset resp.http.X-Powered-By;
unset resp.http.Server;
unset resp.http.X-Varnish;
unset resp.http.Via;
unset resp.http.Link;
unset resp.http.X-Frame-Options;
unset resp.http.X-Content-Type-Options;
unset resp.http.X-Xss-Protection;
unset resp.http.Referer-Policy;
unset resp.http.X-Permitted-cross-domain-policies;
}
sub vcl_hit {
if (obj.ttl >= 0s) {
return (deliver);
}
set req.http.grace = "unlimited (unhealthy server)";
return (deliver);
}
root@milan26:~#
WP Rocket | Varnish IP
<?php
/**
* Plugin Name: WP Rocket | Varnish IP
* Description: Sets a custom Varnish IP to sync WP Rocket’s cache with.
* Plugin URI: https://github.com/wp-media/wp-rocket-helpers/tree/master/compatibility/wp-rocket-compat-varnish-ip/
* Author: WP Rocket Support Team
* Author URI: http://wp-rocket.me/
* License: GNU General Public License v2 or later
* License URI: http://www.gnu.org/licenses/gpl-2.0.html
*
* Copyright SAS WP MEDIA 2018
*/
namespace WP_Rocket\Helpers\compat\varnish_ip;
// Standard plugin security, keep this line in place.
defined( 'ABSPATH' ) or die();
/**
* Return custom Varnish IP
*
* @author Arun Basil Lal
*
* @param (array) $ips Array containing custom Varnish IP's
* @return array
*/
function set_custom_varnish_ip( $ips ) {
if ( ! is_array( $ips ) ) {
$ips = (array) $ips;
}
$ips[] = '127.0.0.1:6081'; // Enter your custom Varnish IP here
// $ips[] = '13.1.2.3:23457'; // Add each new IP as a new line, you can add the port if needed
return $ips;
}
add_filter( 'rocket_varnish_ip', __NAMESPACE__ . '\set_custom_varnish_ip' );
MU Plugins
<?php
/**
* ====================================================================
* CLP ROCKET WOO - PHP CACHE BYPASS & SECURITY HEADERS
* Tujuan: Mencegah Browser & CDN menyimpan cache pada halaman dinamis.
* /wp-content/mu-plugins/bypass-cache-cookies.php
* ====================================================================
*/
// 1. HEADER CONTROL: Paksa No-Cache Berdasarkan Cookie & Status Login
add_action( 'send_headers', function() {
$has_personal_cookie = false;
// Cek apakah ada cookie sakral yang sedang aktif
if ( ! empty( $_COOKIE ) ) {
foreach ( $_COOKIE as $key => $value ) {
if ( preg_match( '/(wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|comment_author|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_)/', $key ) ) {
$has_personal_cookie = true;
break;
}
}
}
// Jika user login atau bawa cookie belanja, larang browser simpan cache
if ( is_user_logged_in() || $has_personal_cookie || is_admin() ) {
header( 'Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private' );
header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' ); // Set kadaluarsa ke masa lalu
}
});
// 2. HEADER CONTROL: Paksa No-Cache Khusus Halaman Sakral WooCommerce
// (Berjaga-jaga jika cookie belum terbentuk tapi user masuk ke halaman kritis)
add_action( 'wp', function() {
if ( function_exists( 'is_woocommerce' ) ) {
if ( is_cart() || is_checkout() || is_account_page() ) {
header( 'Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private' );
header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' );
}
}
}, 1 );
// 3. FORM PROTECTION: Pastikan HTML Cache statis selalu bersih dari data pribadi
// (Mencegah nama/email orang sebelumnya nempel di form komentar pengunjung lain)
add_filter( 'comment_form_default_fields', function( $fields ) {
if ( isset($fields['author']) ) $fields['author'] = preg_replace( '/value="[^"]*"/', 'value=""', $fields['author'] );
if ( isset($fields['email']) ) $fields['email'] = preg_replace( '/value="[^"]*"/', 'value=""', $fields['email'] );
if ( isset($fields['url']) ) $fields['url'] = preg_replace( '/value="[^"]*"/', 'value=""', $fields['url'] );
return $fields;
});
// 4. REMOVE CONSENT: Matikan centang simpan cookie di browser untuk komentar
add_filter( 'show_comment_cookies_notice', '__return_false' );