Password check with haveibeenpwned


The website haveibeenpwned.com provides, among other things, a list of passwords that have appeared in data leaks.

haveibeenpwned is secure

For the check, the complete password is never sent, only a short partial hash value.

The Pwned Passwords function searches the database of previous data leaks for a user-supplied password. The password is hashed with the SHA-1 algorithm and only the first 5 characters of the hash are sent; the matching of the remaining 35 characters happens locally against the list of suffixes the API returns.
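The following is an added example, not ISPConfig's own code, showing the range lookup described above in PHP: the SHA-1 prefix is the only thing that leaves the server, the returned `SUFFIX:COUNT` lines are matched locally, and the count is compared with a maximum as ISPConfig does. The function names, the `Add-Padding` usage and the sample response body are assumptions made for this example; the sample counts are constructed, not real API output.

```php
<?php
declare(strict_types=1);

// Added example (not ISPConfig's own code): k-anonymity lookup against the
// Pwned Passwords range API. Only the first 5 hex characters of the SHA-1
// hash are sent; the comparison is done locally on the returned list.
const HIBP_RANGE_URL = 'https://api.pwnedpasswords.com/range/';

/** Split the SHA-1 hex digest into the 5-char prefix (sent) and the 35-char suffix (kept local). */
function hibpSplit(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Parse a range response ("SUFFIX:COUNT" per line) and return how often the
 * given suffix appears. Malformed lines are ignored rather than trusted.
 */
function hibpCountFromRange(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\r?\n/', $rangeBody) as $line) {
        if (!preg_match('/^([0-9A-F]{35}):(\d+)\s*$/i', trim($line), $m)) {
            continue;
        }
        if (strcasecmp($m[1], $suffix) === 0) {
            return (int) $m[2];
        }
    }
    return 0;
}

/** Fetch the range for a prefix; null on transport failure so the caller can decide what to do. */
function hibpFetchRange(string $prefix): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        // Add-Padding asks the API to pad the response so its size does not reveal the prefix.
        'header'  => "User-Agent: example-password-check\r\nAdd-Padding: true\r\n",
        'timeout' => 5,
    ]]);
    $body = @file_get_contents(HIBP_RANGE_URL . $prefix, false, $ctx);
    return $body === false ? null : $body;
}

/**
 * Mirror of the rule described in the text: a password is rejected once its
 * breach count exceeds $maxAllowed. Returns null when the lookup itself failed,
 * so the caller can fail open or closed deliberately. $rangeBody may be passed
 * in (e.g. for offline tests); otherwise the range is fetched.
 */
function passwordIsAcceptable(string $password, int $maxAllowed, ?string $rangeBody = null): ?bool
{
    [$prefix, $suffix] = hibpSplit($password);
    $rangeBody ??= hibpFetchRange($prefix);
    if ($rangeBody === null) {
        return null;
    }
    return hibpCountFromRange($rangeBody, $suffix) <= $maxAllowed;
}

// Constructed sample response for prefix 5BAA6 (the real API returns hundreds of lines).
// The first suffix is the genuine tail of sha1('password'); the counts are made up.
$sampleRange = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             . "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n";

$result = passwordIsAcceptable('password', 0, $sampleRange);
echo $result === null ? "lookup failed\n" : ($result ? "accepted\n" : "rejected: found in breach data\n");
```

Passing `$rangeBody` explicitly keeps the decision logic testable without network access; in production, leave it out so `hibpFetchRange()` performs the real query, and treat a `null` result according to your policy (for a password-change form, failing open with a log entry is usually preferable to locking users out when the API is unreachable).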

Integration with ISPConfig

In the “Misc” tab of the Main Config section you can set the maximum number of times a password may appear in the haveibeenpwned database.

If a password is entered that is in the database more times than you have allowed, a hint is displayed and the password cannot be used.

Nextcloud with Chrooted-User and Cron-Job


If you want to execute the command ‘php occ …’ as a “limited” shell user (chrooted shell = jailkit), you have to make two changes to the Nextcloud configuration. We use our own configuration file for this, which is not overwritten during an update and automatically detects whether a request is made via the shell or via the website.

On our managed servers, you can view the custom.config.php directly in ISPConfig for the specific website and upload it via FTP to the config folder.

This guide only mentions the shell, but everything applies to cron jobs running ‘chrooted’ as well.

To find the mode in which a cron job is executed, open the corresponding cron job in ISPConfig:

In the following example, our website is installed with Nextcloud in the directory /var/www/clients/client3/web1602/web. You can find the directory in ISPConfig for a website in the first part of “Different Document Root” when you open the “Advanced” section.

Adjust values in the Nextcloud configuration

  1. datadirectory
    A chrooted shell user cannot access the complete path of the website /var/www/clients/client3/web1602/web. Therefore the datadirectory must be “rewritten” if you want to execute “php occ” via the shell. We simply use a custom.config.php for this.
  2. dbhost
    You cannot use localhost as the dbhost. With localhost, PHP connects through the MySQL socket file, because such a connection is the fastest. But in a chrooted shell the socket file is not available and you get the error “Doctrine\DBAL\Exception: Failed to connect to the database”. Either you change the ‘dbhost’ in config.php from ‘localhost’ to ‘127.0.0.1’ (then the connection always goes over TCP/IP, which is slower) or you simply use our custom.config.php.

Create custom.config.php

In the config directory of the Nextcloud installation, create the file custom.config.php, or create it on your PC and then upload it via FTP into the config directory. Nextcloud reads every file named *.config.php in that directory and merges it over config.php, so the file survives updates.

You only need to adjust two values in the custom.config.php for your Nextcloud installation:

$basedir – here you enter the path to your website as it is displayed in ISPConfig, leaving out the trailing ‘/web’.
$dir – this sets the data directory of Nextcloud. In most installations the data directory is located in the document root of the website. If you log in via FTP, you can easily find the directory:

The custom.config.php looks like this in our example:

<?php
// custom.config.php: Nextcloud merges every *.config.php in its config directory
// over config.php, so these values survive updates.
$basedir = '/var/www/clients/client3/web1602';
$dbhost = null;   // only overridden for the chrooted shell; keep config.php's value otherwise
if (php_sapi_name() != 'cli') {
  // Web request: the complete path is visible, keep it.
  $dir = $basedir;
} else {
  // Chrooted shell or cron job: the MySQL socket is not visible inside the jail,
  // so force TCP/IP, and drop the part of the path that does not exist in the chroot.
  $dbhost = '127.0.0.1';
  $dir = (!is_dir($basedir)) ? '' : $basedir;
}
$dir .= '/web/data';
$CONFIG['datadirectory'] = $dir;
if ($dbhost !== null) $CONFIG['dbhost'] = $dbhost;

Import website and database into ISPConfig


Here we show you how to easily import a website and its database on our managed servers. You can also use this function if you want to move a website to a different managed server.

Requirements

  • Access via FTP or SSH to the source server for importing the website
  • Access via SSH, remote access to the database server, or a database dump for the database import
  • Website and database on your server (you can easily create them using the wizard with the same specifications)

Create import

In the “Websites” section you will find the item “Import website” on the left side for your server. If you create a new import via “Import new website”, you only have to fill in the required fields in the following form.

What do the individual options mean?

Most of the fields are self-explanatory, so we will only give you a few hints about individual options here.

  • Configure CMS: After importing the website, we configure the CMS for the new database connection.
  • Use local dump: If you activate this option, you have to upload a database dump to the /private folder of the new site and then enter its name here. Unlike the automatically created dumps, this dump will not be deleted after the import.
  • Transfer type: You can choose between “FTP” and “Shell”. A connection via “Shell” is in most cases much faster, especially if you want to re-import a website.
  • Port: Depending on the chosen transfer method, the default port is set here automatically. If the port of the source server is different, just enter the other port here.
  • Folder: This is the complete (!) path to the source folder. On servers with ISPConfig, this is e.g. /web for FTP and for a shell user with jailkit, or the complete path to the web directory (e.g. /var/www/example.com/web) for a shell user without jailkit.
  • Database server: The name of the source’s database server. If it allows external connections, you can simply enter the name of the server here.
  • Temp. folder: this folder is created on the source server for the database dumps if no remote connection to the database server is possible and you do not use a local dump. Caution: if this field remains empty, the dump is created in the folder of the website. Its name is randomly generated, but in principle the file can still be reached over the web during the transfer, so prefer a folder outside the document root.

The values for the local database are read automatically and always contain a list of the databases and database users that belong to the website you want to import into. You only need to enter the correct password here, because it is stored in encrypted form and therefore cannot be retrieved as plain text.

If the reachability check of the source server fails when saving, you can deactivate this check via “Do not check for working connections”. Of course, the actual import will only work if the source server is actually reachable.

Import created

Once you have created an import, you will see its status in the overview, and in the import itself you will see a link to a log file, which you can use to view the current status at any time.

Import completed

As soon as the import is finished, you can see which CMS was imported / configured and which data was changed in the config file.

For a website with WordPress it looks like this:


Import failed

If the import of a website was (partially) not possible, you will see the problem directly in the overview and can then fix it. Problems only occur if access data or passwords are incorrect and you have selected “Do not check for working connections”.

Import again

You can restart a created import at any time by clicking the “Import again” button. You can also choose not to re-import the entire website if changes have only occurred in the database.

Supported CMS

The following CMS are configured automatically after an import:

  • Joomla 3.x or newer
  • Nextcloud 20.x or newer
  • Shopware 5
  • Shopware 6
  • Magento 2.4
  • WordPress

Note

If an import of a website has not been used for 48 hours, it is deleted automatically.

Install a webmailer


You can install two different webmailers on our managed servers: RainLoop and Roundcube.

We switched the webmail on our servers to RainLoop quite some time ago, since this software seems much more flexible to us and requires significantly fewer resources.

We have summarized here why we decided to make the switch.

Advantages of RainLoop

  • limit an installation to one client
  • install multiple instances
  • set the instance for each mail domain
  • enable / disable an installation
  • ISPConfig automatically handles the required configuration for the mail domains

Install the software

Use the wizard to install a webmailer on your site and choose RainLoop or Roundcube.

Install RainLoop

Enter the “Admin User Name”. You can also enter the “Site title” (you can change this later in the RainLoop interface), then press “Save”.

When the installation is finished, you can open the admin page with the URL and credentials shown.

Integrate RainLoop in ISPConfig

Open the “Managed Server” section under “Tools” and select “RainLoop Webmail”.


When you add a new record, you can select your installation and optionally limit it to one customer. If an installation is assigned to a specific customer, it can only be used by that customer, so you may need an additional installation for other customers.

If you set an installation to inactive, this immediately affects all mail domains that use this installation: a login is only possible again once you set the installation back to active or select a different webmail installation for the mail domains.

Once you have saved the new installation, you can select the appropriate webmailer for mail domains:

Once “RainLoop Webmail” is selected for a domain, any user with an email address from that domain can log in through the webmailer.

Install Roundcube

The Support URL is optional. If you run the mail server on a different server, enter the name of the mail server in the two host fields and press “Save”.

After the installation, you can log in with your mail account on the newly created website.

Websites with HTTP/3


If you are using one of our managed servers with nginx, you can also deliver your websites with HTTP/3.

The concept of HTTP/3

HTTP/3 is not a further development of HTTP/2 (which grew out of SPDY). HTTP/3 is very different from the earlier HTTP versions and combines the features of HTTP/2 with the User Datagram Protocol (UDP), which is used, for example, for DNS queries. The other features of HTTP/2 are fully kept (e.g. parallel streaming of data from different sources).

Differences between HTTP/2 and HTTP/3

In contrast to HTTP/2, the new HTTP/3 protocol uses UDP instead of TCP to deliver web pages, and it is much faster.

With TCP, there are always multi-stage handshakes between the server and the browser. UDP and the QUIC protocol based on it, on the other hand, act connectionless. Instead of checking for successful delivery, only the integrity of the packet and the transmission is validated by a checksum, if required. This eliminates the so-called head-of-line blocking (data congestion) and thus the need to request missing packets again. The delivery of your page will be much faster.

The connection is no longer identified by IP address but by an individual connection ID. If the visitor’s device gets a new IP address (e.g. when switching from mobile data to WLAN), HTTP/3 can continue the download without interruption or reconnection.

Enable HTTP/3

Open the corresponding website in ISPConfig. Under “Advanced” you can directly enable HTTP/3:

QUIC and HTTP/3 require HTTPS with TLS 1.3. If you have set a lower value for “Minimum TLS version”, this does not mean that HTTP/3 will not work (it is a minimum, not a maximum TLS version). If the page is requested via HTTP/3, the encryption is automatically TLS 1.3.

Client-side requirements

The browser must support HTTP/3 for visitors to your site to take advantage of it. If the browser does not support HTTP/3, or does not support it completely, your page is delivered via HTTP/2 as usual.

Most common (current) browsers already support HTTP/3. Sporadically, however, a strange problem occurs: the browser decides to ignore QUIC and HTTP/3 and falls back to HTTP/2.

Current state

HTTP/3 is still under development and not 100% stable. It can happen that some websites do not work properly with HTTP/3. However, according to our observations, all current CMSs run without problems.


How to transfer contacts from Roundcube to RainLoop


If you want to change your webmailer from Roundcube to RainLoop, you only have to export and import the addresses saved in your mailbox once.

Export contacts

To export your contacts, log in to Roundcube, select “Contacts” on the left and then click on “Export”.

Import contacts

To import the contacts, log in to RainLoop, go to Contacts on the left and select “Import (csv, vcf, vCard)” and then upload the exported contacts.

Webmail change from Roundcube to RainLoop


Some time ago we replaced the webmailer Roundcube with RainLoop on our servers.

Roundcube is definitely one of the best open-source solutions in the field of webmail, but in the end we decided to switch to RainLoop, because this software requires far fewer resources, has numerous features “out of the box” that Roundcube only offers via plug-ins, and can serve multiple mail servers with one installation.

RainLoop and domains

In order to log in to a mailbox with RainLoop, the corresponding domain must first be created in the admin panel. On our managed servers this happens automatically for your mail domains as soon as a RainLoop installation is selected for a mail domain.

If a domain (e.g. gmail.com) is approved by the admin, the user can add his email address at this domain and can then switch directly between different mailboxes (or open them in different browser tabs) without having to log in to different webmailers.

Additional authentication options

Instead of logging in with the email address and password, the admin can also allow authentication via Google, Facebook or Twitter.

Contacts

In addition to storing contacts in a local database, each user can also use CardDAV, allowing them to use their contacts synchronously on numerous devices.

If you want to switch from Roundcube to RainLoop, you have to move the stored contacts manually. How to do that is described in How to transfer contacts from Roundcube to RainLoop.


Setting up a new website using the wizard


If you want to comfortably set up a new site on your managed server, just click the “Add new website using assistant” button at the top of the website overview.

Supported CMS

  • Joomla 3
  • Joomla 4
  • Magento 2.4
  • Shopware 5
  • Shopware 6
  • Typo3 10
  • Nextcloud 20 – 22
  • WordPress
  • Webmailer RainLoop
  • Webmailer Roundcube

Access data and info mail

If you wish, you can send the customer and other recipients an automatically generated mail containing the relevant information about the newly created site. In any case, after creating the site, the required information is displayed directly in ISPConfig.

Wizard

If you clicked on “Add new website using assistant”, you will see the following screen:

Available settings

You can make various settings for a new website.

If you want to take over the settings of an existing site, you can select it at the top.

If you also want a CMS to be installed automatically, select it under “Install CMS”.

If you have not selected a “Required configuration”, the appropriate configuration is used automatically.

If you do not select a PHP version, the default PHP version of the server is used. The only exceptions are CMSs that require a higher version than the default; in this case, the wizard automatically selects the appropriate PHP version and sets up the website accordingly.

If the wizard supports the use of Redis for a CMS, the corresponding Redis instance is created and configured accordingly.

Rate limit for incoming and outgoing mails


Our managed servers, together with Rspamd, allow you to limit the number of mails that can be sent and/or received.

In the following you will learn how to limit the sending of mails (receiving is limited analogously and is not explained separately).

General

You can enable or disable “Ratelimit outgoing mails” and “Ratelimit incoming mails”.

Ratelimit Mails Out

You can limit the number of mails that can be sent from your server per mailbox within a certain time.

Please note that with CC, BCC or similar, each recipient counts as a separate mail. If you set the value to e.g. 1 / 1 minute, you can send exactly one mail to one recipient in that minute.
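To make the counting rule above concrete, here is an added example (not ISPConfig's or Rspamd's code; Rspamd uses its own bucket implementation) that models a per-mailbox sliding window in which every recipient consumes one unit. The class name, the constructed timestamps and the example addresses are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ISPConfig's or Rspamd's code: a sliding-window model of
// "N mails per T seconds" for one mailbox, where every recipient (To, CC, BCC)
// counts as one mail, as the text describes.
final class MailboxRateLimit
{
    /** @var array<string, int[]> per-mailbox list of send timestamps (unix seconds) */
    private array $events = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    /** Number of recipients still allowed for $mailbox at time $now; also prunes expired events. */
    public function remaining(string $mailbox, int $now): int
    {
        $from = $now - $this->windowSeconds;
        $this->events[$mailbox] = array_values(array_filter(
            $this->events[$mailbox] ?? [],
            fn(int $t) => $t > $from
        ));
        return max(0, $this->limit - count($this->events[$mailbox]));
    }

    /**
     * Attempt to send one message to $recipients. The whole message is either
     * accepted (one event recorded per distinct recipient) or rejected with
     * nothing recorded, so a multi-recipient mail never partially succeeds.
     */
    public function trySend(string $mailbox, array $recipients, int $now): bool
    {
        $recipients = array_unique(array_map('strtolower', $recipients));
        if (count($recipients) > $this->remaining($mailbox, $now)) {
            return false;
        }
        foreach ($recipients as $_) {
            $this->events[$mailbox][] = $now;
        }
        return true;
    }
}

// Constructed walk-through: limit 1 mail per 60 seconds, i.e. the text's "1 / 1 minute".
$rl = new MailboxRateLimit(1, 60);
$t0 = 1700000000;
$say = fn(string $label, bool $ok) => printf("%-24s %s\n", $label . ':', $ok ? 'accepted' : 'rate limit reached');

$say('one recipient',       $rl->trySend('user@example.com', ['a@example.org'], $t0));
$say('another 10 s later',  $rl->trySend('user@example.com', ['b@example.org'], $t0 + 10));
$say('same mail 61 s later', $rl->trySend('user@example.com', ['b@example.org'], $t0 + 61));
// A single message with To + CC needs two units, which a 1-per-minute limit never grants:
$say('To + CC at once',     $rl->trySend('other@example.com', ['a@example.org', 'b@example.org'], $t0));
```

The last call is the practical consequence of the rule: a limit of 1 per minute silently blocks every mail that has more than one recipient, so choose the count with the largest legitimate recipient list in mind rather than the number of messages alone.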

Ratelimit Mails In

Here you can limit the number of mails the server accepts per mailbox within a certain time. Use this function carefully: it does not limit the sending of spam, only the number of mails a mailbox can receive, so legitimate mail is rejected once the limit is reached.

Rate limit reached

If the rate limit for a mailbox is reached, no more mails can be sent through it for the time being. When trying to send a mail, the sender receives a corresponding error message.

Define the limit

You can set the limit in three different places:

  1. globally for all emails
  2. for all mailboxes of a domain
  3. individually for one mailbox

Set global limit

Open the corresponding server in ISPConfig under System / Server Config and go to the tab “Mail”.

You can enable or disable “Ratelimit outgoing” and “Ratelimit incoming” and set the corresponding values.

Set limits for a domain

If you open a mail domain in ISPConfig, you can define the corresponding values at the bottom of the page by clicking the button “Ratelimit”.

Unlimited

If you choose “Unlimited”, mailboxes from this domain will not be limited.

Global Limits

With this setting the global values of the server are taken for all mailboxes of this mail domain.

Set limits for a mailbox

In addition to the limits for a domain there is also the option

Use Domain Limits

With this value the limits of the mail domain apply to the mailbox.

Limits for external mails

If you want to treat the reception of mails from certain external senders, or the sending to them (a single mailbox or a whole domain), differently from the settings above, you can create additional rate limits in ISPConfig under “Email”.

Source

External domain (@example.com) or mailbox (test@example.com)

Type

Incoming – incoming mails from source

Outgoing – outgoing mails to source

In and Out – limit in both directions

Setup a firewall with ISPConfig


In the following we show you how you can easily set up a firewall for your server.

Set up a firewall

Go to the System menu and select “Firewall” on the left and then create a new entry.

Open ports

For TCP and UDP ports you can either enter the port numbers yourself or use one or more of the predefined placeholders. You can also combine the two and add more ports besides the placeholders.

We recommend not changing the default value {AUTO} unless you are absolutely sure.

Placeholders for ports

There are several predefined placeholders that make it easy to open exactly the ports that need to be reachable, and no others.

{AUTO}

If you use {AUTO}, all ports required by the services on the respective server are opened automatically. For example, on a web-only server the ports for mail or DNS do not need to be opened.

{FTP}

This is used to open the ports for FTP. This not only affects the direct port for FTP, but also the corresponding passive port range.

{MAIL}

Use this placeholder if you are running mail services on your server, e.g. if you log in with Outlook.

{DNS}

This opens the necessary port for the DNS service. This is the only service for which you need to open the port for both TCP and UDP.

{WEB}

If you have web pages on the server, you must of course allow access to the web page.

{ISPCONFIG}

If the selected server is running the ISPConfig interface you should also use this placeholder.
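As an added example that is not ISPConfig's own code, the following PHP function expands a port field such as “{WEB},{ISPCONFIG},2222,3000:3010” into a validated, de-duplicated list of port numbers, rejecting unknown placeholders and out-of-range values instead of silently opening something else. The colon syntax for ranges, the placeholder-to-port table (standard IANA ports, an assumed passive FTP range and an assumed interface port 8080) and the handling of {AUTO} as the union of the roles a server runs are assumptions for this example; the exact set ISPConfig opens per placeholder is not defined on this page.

```php
<?php
declare(strict_types=1);

// Added example, not ISPConfig's own code. Expands a firewall port field into
// validated port numbers. Assumption: "a:b" denotes a range, and the table below
// uses standard ports; ISPConfig's real per-placeholder set may differ.
const PLACEHOLDER_PORTS = [
    '{FTP}'       => ['tcp' => [21, '40110:40210']],            // control port + assumed passive range
    '{MAIL}'      => ['tcp' => [25, 110, 143, 465, 587, 993, 995]],
    '{DNS}'       => ['tcp' => [53], 'udp' => [53]],            // the only placeholder needing both protocols
    '{WEB}'       => ['tcp' => [80, 443]],
    '{ISPCONFIG}' => ['tcp' => [8080]],                         // assumed interface port
];

/** Turn "80" or "3000:3010" into a list of ints, rejecting anything outside 1..65535. */
function expandRange(string $item): array
{
    if (!preg_match('/^(\d{1,5})(?::(\d{1,5}))?$/', $item, $m)) {
        throw new InvalidArgumentException("invalid port entry '$item'");
    }
    $lo = (int) $m[1];
    $hi = isset($m[2]) ? (int) $m[2] : $lo;
    if ($lo < 1 || $hi > 65535 || $lo > $hi) {
        throw new InvalidArgumentException("port range out of bounds '$item'");
    }
    return range($lo, $hi);
}

/**
 * Expand a comma-separated field for one protocol ('tcp' or 'udp').
 * $serverRoles (e.g. ['web', 'dns']) models what {AUTO} resolves to on this server:
 * assumption for this example, the union of the matching placeholders.
 * Unknown placeholders raise an exception rather than being ignored.
 */
function expandPortSpec(string $spec, string $proto, array $serverRoles = []): array
{
    $ports = [];
    foreach (explode(',', $spec) as $item) {
        $item = trim($item);
        if ($item === '') {
            continue;
        }
        if ($item === '{AUTO}') {
            foreach ($serverRoles as $role) {
                $ports = array_merge($ports, expandPortSpec('{' . strtoupper($role) . '}', $proto));
            }
            continue;
        }
        if ($item[0] === '{') {
            if (!isset(PLACEHOLDER_PORTS[$item])) {
                throw new InvalidArgumentException("unknown placeholder $item");
            }
            foreach (PLACEHOLDER_PORTS[$item][$proto] ?? [] as $p) {
                $ports = array_merge($ports, expandRange((string) $p));
            }
            continue;
        }
        $ports = array_merge($ports, expandRange($item));
    }
    $ports = array_values(array_unique($ports));
    sort($ports);
    return $ports;
}

// Constructed usage: a web server with the ISPConfig interface and a custom SSH port,
// then {AUTO} on a server that runs only web and DNS (UDP side).
echo implode(',', expandPortSpec('{WEB},{ISPCONFIG},2222', 'tcp')), "\n";
echo implode(',', expandPortSpec('{AUTO}', 'udp', ['web', 'dns'])), "\n";
try {
    expandPortSpec('{WEB},{TYPO}', 'tcp');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of failing on an unknown placeholder or a malformed entry is the same as the page's advice to leave {AUTO} alone unless you are sure: a typo in a port field should produce an error you notice, not a rule set that is silently narrower or wider than intended.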