Setting up HSTS for a website


What is HSTS?

HTTP Strict Transport Security (HSTS) is an instruction from the web server that tells the web browser (or other client) how the connection between the server and the browser must be handled. This information is sent right at the beginning, in the so-called “response header”.

A simple redirection from HTTP to HTTPS can still be bypassed. The “Strict-Transport-Security” header forces the web browser to establish every connection to the domain encrypted over HTTPS, even when a script tries to load resources of the domain over HTTP. This means that, for example, cookies or session IDs of the website cannot be captured from an unencrypted connection, nor can the browser be redirected to a phishing site.

Why use HSTS?

  • HSTS is a way to increase the security of the connection to your website.
  • The increased security can also have a positive effect on Google’s ranking.

What are the requirements for HSTS?

  • Valid SSL certificate for the website and all other subdomains
  • Redirection of all requests from HTTP to HTTPS
  • HSTS max-age must be at least 1 year
  • HSTS includeSubDomains must be enabled
  • HSTS preload must be enabled

What do the individual values for HSTS mean?

HSTS max-age

Time in seconds during which the web browser considers the web page to be a known HSTS host and does not establish connections over HTTP.

HSTS includeSubDomains

Ensures that the HSTS policy is applied not only to the domain, but also to all sub-domains, e.g. example.com and www.example.com.

HSTS preload

Whether to include the web page in the HSTS preload list maintained by Chrome (and used by Firefox and Safari, IE 11, and Edge). When HSTS preload is active, the web browser is forced to access the page over HTTPS because the web browser knows in advance that this page can only be accessed over HTTPS.
Sending the preload directive can cause problems and prevent users from accessing the web page and its subdomains if you later switch the site back to HTTP.
If HSTS preload is active, you can add your website to the list maintained by Chrome at https://hstspreload.org.

Test HSTS with a website

Before you “arm” HSTS for your website, you should first test your site with HSTS. The following requirements must be met for a test:

  • Valid SSL certificate for the website and all other subdomains
  • Redirection of all requests from HTTP to HTTPS

On our managed servers, you can only activate HSTS if you have also set up a valid SSL certificate for the website. Other requirements will be automatically adjusted when you enable HSTS.

If you have activated HSTS, set “HSTS max-age” to one week first for testing purposes to be able to detect any problems. If the test phase is successful and without problems, you can set “HSTS max-age” to one month and extend your tests, or you can activate HSTS completely.
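The following is an added example (not code from the page or from ISPConfig) that shows how a browser reads the three directives explained above and how the test phases (one week, one month, then one year with preload) translate into header values. The header strings are constructed for the example; nothing is fetched over the network.

```python
import re

# Values used in the phases described above (seconds).
ONE_WEEK = 7 * 24 * 3600     # 604800: first test phase
ONE_MONTH = 30 * 24 * 3600   # 2592000: extended test phase
ONE_YEAR = 365 * 24 * 3600   # 31536000: minimum max-age for the preload list

def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives.
    Names are case-insensitive, values may be quoted (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_phase(header):
    """'invalid': no usable max-age (browsers ignore the header);
    'disabled': max-age=0 removes the policy; 'test': under one year;
    'armed': one year or more."""
    max_age = parse_hsts(header)["max_age"]
    if max_age is None:
        return "invalid"
    if max_age == 0:
        return "disabled"
    return "test" if max_age < ONE_YEAR else "armed"

def preload_problems(header):
    """List what still blocks submission to the preload list; an empty
    list means max-age >= 1 year, includeSubDomains and preload are set."""
    p = parse_hsts(header)
    problems = []
    if p["max_age"] is None or p["max_age"] < ONE_YEAR:
        problems.append("max-age must be at least %d seconds (1 year)" % ONE_YEAR)
    if not p["include_subdomains"]:
        problems.append("includeSubDomains must be enabled")
    if not p["preload"]:
        problems.append("preload must be enabled")
    return problems

def build_hsts(max_age, include_subdomains=True, preload=False):
    """Header value for a phase: build_hsts(ONE_WEEK) for the first test,
    build_hsts(ONE_YEAR, True, True) once the site is ready to preload."""
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)
```

Only send the preload directive once preload_problems() is empty and you are certain the site stays on HTTPS, since a preloaded entry cannot be undone quickly.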

Enable HSTS for a website

If your website has a valid SSL certificate, you can enable HSTS. Log in to ISPConfig and open the corresponding website. Under “Advanced options” you will find the appropriate settings:


Use cron snippets


Cron snippets work similarly to the directive snippets for web pages. They are predefined cron jobs that can be selected under “Cron Snippet” when creating a cron job, or in the settings of the web wizard.

Show Cron Snippets

You can find predefined cron snippets in the “System” section under “Cron snippets”.

Create Cron Snippet

To create a new template, select “Add cron snippet”. You will then see the following screen:

Use “Name of Snippet” to set the name that should appear under “Cron template” for the cron jobs.

The values (time and command) are the same as for a normal cron job.

With “Cronjob active” you control if the cron job created with this snippet should be set to active. “Active” means that this snippet is displayed in the cron snippet list. If you disable “Customer viewable”, you can only see and use it as admin in the cron snippet list.

Use Cron Snippet

As a client, only the cron snippets that match the cronjob limit (URL, Chrooted, Full) are displayed. As admin you can of course use any snippet for a cronjob and create the corresponding cron job.

Cron Snippets Group

You can combine several cron snippets into one group and create all cron jobs from one group in the settings for the web wizard for a CMS.

Password check with haveibeenpwned


The website haveibeenpwned.com provides, among other things, a list of passwords that have appeared in data leaks.

haveibeenpwned is secure

For the check, the complete password is never sent; only a short partial hash value is.

The Pwned Passwords function used here searches the database of previous data leaks for the presence of a user-supplied password. The password is hashed with the SHA-1 algorithm and only the first 5 characters of the hash are sent. The service answers with all hash suffixes that start with this prefix, and the comparison with the full hash happens locally, so neither the password nor its complete hash leaves the server.

Integration with ISPConfig

In the Main Config section you can set the maximum number of entries a password may have when querying the haveibeenpwned database in the “Misc” tab.

If a password is entered that is in the database more times than you have allowed, a hint is displayed and the password cannot be used.
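As an added example (not ISPConfig's own code), the following shows the check described above end to end: hashing, splitting off the 5-character prefix, matching the returned suffixes locally, and applying the “maximum number of entries” limit. The breach counts and the range response are constructed stand-ins, so the example runs offline.

```python
import hashlib

def sha1_prefix_suffix(password):
    """Hash the password with SHA-1 (upper-case hex) and split it into the
    5-character prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count.strip())
    return counts

def pwned_count(password, range_lookup):
    """Number of breach occurrences of the password, matched locally.
    range_lookup(prefix) must return the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)

def password_allowed(password, max_entries, range_lookup):
    """Policy from the Main Config above: reject a password that appears in
    the database more than max_entries times."""
    return pwned_count(password, range_lookup) <= max_entries

# --- constructed offline stand-in for the range API ------------------------
# The real service is queried with GET https://api.pwnedpasswords.com/range/<prefix>;
# the breach counts below are made up for this example.
CONSTRUCTED_BREACHES = {"password": 3730471, "letmein": 250000}

def constructed_range_lookup(prefix):
    """Return a response body shaped like the range API's: one line per
    suffix in the (constructed) database whose hash starts with the prefix."""
    lines = ["0123456789ABCDEF0123456789ABCDEF012:7"]  # unrelated neighbour, constructed
    for pw, count in CONSTRUCTED_BREACHES.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append("%s:%d" % (s, count))
    return "\r\n".join(lines)
```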

Nextcloud with Chrooted-User and Cron-Job


These instructions do not apply to a Nextcloud installation that you created via the wizard – the wizard creates the corresponding file automatically.

If you want to execute the command ‘php occ …’ as a “limited” shell user (chrooted shell = jailkit), you have to make two changes to the Nextcloud configuration. We use our own configuration for this, which is not overwritten during an update and automatically detects whether a request is made via the shell or the website.

On our managed servers, you can view the custom.config.php directly in ISPConfig for the specific website and upload it directly to the config folder via FTP.

This guide only mentions the shell, but everything said here applies to cron jobs running “chrooted” as well.

To find the mode in which a cron job is executed, open the corresponding cron job in ISPConfig:

In the following example, our website is installed with Nextcloud in the directory /var/www/clients/client3/web1602/web. You can find the directory in ISPConfig for a website in the first part of “Different Document Root” when you open the “Advanced” section.

Adjust values in the Nextcloud configuration

  1. datadirectory
    A chrooted shell user cannot access the complete path of the web page /var/www/clients/client3/web1602/web. Therefore the datadirectory must be “rewritten” if you want to execute “php occ” via the shell. We simply use a custom.config.php for this.
  2. dbhost
    You cannot use localhost as the dbhost. With localhost, PHP connects via the MySQL socket file, because such a connection is the fastest. In a chrooted shell, however, the socket file is not available and you get the error “Doctrine\DBAL\Exception: Failed to connect to the database”. Either you change the ‘dbhost’ in config.php from ‘localhost’ to ‘127.0.0.1’ (then the connection always goes over TCP/IP, which is slower) or you simply use our custom.config.php.

Create custom.config.php

In the config directory of the Nextcloud installation, create the file custom.config.php or create it on your PC and then upload the created file via FTP into the config directory.

You only need to adjust two values in the custom.config.php for your Nextcloud installation:

$basedir – here you enter the path to your website as it is displayed in ISPConfig and only leave out ‘/web’ at the end.
$dir – this sets the data directory of Nextcloud. In most installations the data directory is located in the document root of the website. If you log in via FTP, you can easily find the directory:

The custom.config.php looks like this in our example:

<?php
// Custom Nextcloud configuration for an ISPConfig managed server. Nextcloud merges
// every config/*.config.php file into its configuration, so this file survives updates.
// $basedir: path of the website as shown in ISPConfig, without the trailing '/web'.
$basedir = '/var/www/clients/client3/web1602';
$dbhost = null;   // only overridden when running from the (chrooted) shell
if(php_sapi_name() != 'cli') {
  // Web request: the full path is visible, keep it.
  $dir = $basedir;
} else {
  // Shell / cron job: localhost would use the MySQL socket file, which is not
  // available inside the jailkit chroot, so connect over TCP/IP instead.
  $dbhost = '127.0.0.1';
  // Inside the chroot the website path does not exist, so the data directory
  // is addressed relative to the jail root (/web/data).
  $dir = (!is_dir($basedir)) ? '' : $basedir;
}
$dir .= '/web/data';
$CONFIG['datadirectory'] = $dir;
if($dbhost !== null) $CONFIG['dbhost'] = $dbhost;

Import website and database into ISPConfig


Here we show you how you can easily import a website and its database on our managed servers. You can also use this function if you want to move a website to a different managed server.

Requirements

  • Access via FTP or SSH to the source server for importing the website
  • Access via SSH, remote access to the database-server or a database-dump for database-import
  • Website and database on your server (you can easily create them using the wizard and make the same specifications)

Create import

In the section “Websites” you will find the item “Import website” on the left side of your server. If you create a new import via “Import new website”, you only have to fill in the required fields in the following mask.

What do the individual options mean?

Most of the fields are self-explanatory, so we will only give you a few hints about individual options here.

  • Configure CMS: After importing the website, we configure the CMS for the new database connection.
  • Use local dump: If you activate this option, you have to upload a database dump to the /private folder of the new page and then enter its name here. Unlike the automatically created dumps, this dump is not deleted after the import.
  • Transfer type: You can choose between “FTP” and “Shell”. A connection via “Shell” is in most cases much faster; especially if you want to reimport a website.
  • Port: Depending on the desired transfer method, the default port is automatically set here. If the port of the source server is different, just enter another port here.
  • Folder: This is the complete (!) path to the source folder. On servers with ISPConfig, this is e.g. /web for FTP and a shell user with jailkit or the complete path to the web directory (e.g. /var/www/example.com/web) for a shell user without jailkit.
  • Database server: The name of the source’s database server. If it allows external connections, you can simply enter the name of the server here.
  • Temp. folder: this folder is created on the source server for the database dumps if no remote connection to the database server is possible and you do not use a local dump. Caution: if this field is left empty, the dump is created in the folder of the website. Its name is randomly generated, but in principle the file could still be retrieved from the web during the transfer.

The values for the local database are read automatically and always contain a list of databases and database users that belong to the website you want to import into. You only need to enter the correct password here, as this is stored in encrypted form and therefore cannot be retrieved as plain text.

If the check that the source server is reachable fails when saving, you can deactivate this check via “Do not check for working connections”. Of course, the actual import will only work if the source server is actually reachable.

Import created

If you have created an import, you will see the respective status in the overview and in the import itself you will see the link to a log file, which you can use to view the current status at any time.

Import completed

As soon as the import is finished, you can see which CMS was imported / configured and which data was changed in the config file.

For a website with WordPress it looks like this:


Import failed

If the import of a web page was (partially) not possible, you will see the problem directly in the overview and can then fix it. Problems only occur if access data or passwords are incorrect and you have selected “Do not check accessibility”.

Import again

You can restart a created import at any time by clicking the “Import again” button. You can also choose not to re-import the entire website if only the database has changed.

Supported CMS

The following CMS are configured automatically after an import:

  • Joomla 3.x or newer
  • Nextcloud 20.x or newer
  • Shopware 5
  • Shopware 6
  • Magento 2.4
  • WordPress

Note

If a website import has not been used for 48 hours, it is deleted automatically.

Install a webmailer


You can install two different webmailers on our managed servers: RainLoop and Roundcube.

We switched the webmail on our servers to RainLoop quite some time ago, since this software seems much more flexible to us and requires significantly fewer resources.

We have summarized here why we decided to make the switch.

Advantages of RainLoop

  • limit an installation to one client
  • install multiple instances
  • set the instance for each mail domain
  • enable / disable an installation
  • ISPConfig automatically handles the required configuration for the mail domains

Install the software

Use the wizard to install a webmail on your site and choose RainLoop or Roundcube.

Install RainLoop

Enter the “Admin User Name”. You can also enter the “Site title”, but this can be changed later in the RainLoop interface. Then press “Save”.

When the installation is finished, you can open the Admin-Page with the shown URL and credentials.

Integrate RainLoop in ISPConfig

Open the “Managed Server” section under “Tools” and select “RainLoop Webmail”.


When you add a new record, you can select your installation and optionally limit this installation to one customer. If an installation is assigned to a specific customer, it can only be used by that customer, so you may need an additional installation for other customers.

If you set an installation to inactive, this will immediately affect all mail domains that use this installation – a login is then only possible again when you set the installation back to active or select a different webmail installation for the mail domains.

Once you have saved the new installation, you can select the appropriate webmailer for mail domains:

Once “RainLoop Webmail” is selected for a domain, any user with an email address from that domain can log in through the webmailer.

Install Roundcube

The Support URL is optional. If you run the mail server on a different server, enter the name of the mail server in the two host fields and press “Save”.

After the installation, you can log in with your mail account on the newly created website.

Websites with HTTP/3


If you are using one of our managed servers with nginx, you can also deliver your websites with HTTP/3.

The concept of HTTP/3

HTTP/3 is not a further development of HTTP/2 (SPDY). HTTP/3 differs considerably from the other HTTP versions and combines the features of HTTP/2 with the User Datagram Protocol (UDP). UDP is used, for example, for DNS queries. The other features of HTTP/2 are fully retained (e.g. parallel streaming of data from different sources).

Differences between HTTP/2 and HTTP/3

In contrast to HTTP/2, the new HTTP/3 protocol uses the UDP protocol instead of TCP to deliver web pages and it’s much faster.

With TCP there is always a multi-stage handshake between the server and the browser. UDP, and the QUIC protocol built on it, work connectionless instead. Rather than checking each packet for successful delivery, only the integrity of the packet and of the transmission is validated by a checksum where required. This eliminates so-called head-of-line blocking (data congestion) and thus the need to request missing packets again, so your page is delivered much faster.

Connections are no longer identified by the IP address but by an individual connection ID. If the visitor’s device gets a new IP address (e.g. when switching from mobile data to WLAN), HTTP/3 can continue the download without interruption or a new connection.

Enable HTTP/3

Open the corresponding web page in ISPConfig. Under “Advanced” you can directly enable HTTP/3:

QUIC and HTTP/3 require HTTPS with TLS 1.3. If you have set a lower version under “Minimum TLS version”, this does not mean that HTTP/3 will not work: the setting is a minimum, not a maximum TLS version. If the page is requested via HTTP/3, the encryption is automatically TLS 1.3.

Client-side requirements

The browser must support HTTP/3 in order for the visitor to your site to take advantage of it. If the browser does not support HTTP/3 or does not support it completely, your page will be delivered via HTTP/2 as usual.

By the way, the most common current browsers already support HTTP/3. Sporadically, however, a strange problem occurs: the browser decides to ignore QUIC and HTTP/3 and falls back to HTTP/2.

Current state

Currently HTTP/3 is still under development and not 100% stable. It can happen that some websites do not work properly with HTTP/3. However, according to our observations, all current CMSs run completely without problems.


How to transfer contacts from Roundcube to RainLoop


If you want to change your webmailer from Roundcube to RainLoop, you only have to export the addresses saved in your mailbox once and import them into RainLoop.

Export contacts

To export your contacts, log in to Roundcube, select “Contacts” on the left and then click on “Export”.

Import contacts

To import the contacts, log in to RainLoop, go to Contacts on the left and select “Import (csv, vcf, vCard)” and then upload the exported contacts.

Webmail change from Roundcube to RainLoop


Some time ago we replaced the webmailer Roundcube with RainLoop on our servers.

Roundcube is definitely one of the best open source solutions in the field of webmail, but in the end we decided to switch to RainLoop: this software requires far fewer resources, offers numerous features “out of the box” that Roundcube can only provide via plug-ins, and can serve multiple mail servers with one installation.

RainLoop and domains

In order to log in to a mailbox with RainLoop, the corresponding domain must first be created in the admin panel. On our managed servers this happens automatically for your mail domains if a RainLoop installation is selected for a mail domain.

If a domain (e.g. gmail.com) is approved by the admin, the user can add his email address to this domain and can then directly switch between different mailboxes (or open them in different tabs in the browser) without having to log in to different webmailers.

Additional authentication options

Instead of logging in with the email address and password, the admin can also allow authentication via Google, Facebook or Twitter.

Contacts

In addition to storing contacts in a local database, each user can also use CardDAV, allowing them to use their contacts synchronously on numerous devices.

If you want to switch from Roundcube to RainLoop, you have to move the stored contacts manually. How to do that is described in How to transfer contacts from Roundcube to RainLoop.


Setting up a new website using the wizard


If you want to comfortably set up a new site on your managed server, just click the “Add new website using assistant” button at the top of the website overview.

Supported CMS

  • Joomla 3
  • Joomla 4
  • Magento 2.4
  • Shopware 5
  • Shopware 6
  • SilverStripe 4
  • Typo3 10
  • Nextcloud 20 – 23
  • WordPress
  • Webmailer RainLoop
  • Webmailer Roundcube

Access data and info mail

If you wish, you can send the customer and other recipients an automatically generated mail containing the relevant information about the newly created pages. In any case, after creating the page, the required information will be displayed directly in ISPConfig.

Wizard

If you clicked on “Add new website using assistant”, you will see the following screen:

Available settings

You can make various settings for a new website.

If you want to take over the settings of an existing page, you can select it at the top.

If you also want a CMS to be installed automatically, select it under “Install CMS”.

If you have not selected a “Required configuration”, the appropriate configuration will be used automatically.

If you have not selected a PHP version, the server’s default PHP version is used. The only exceptions are CMSs that require a higher version than the default. In this case the wizard automatically selects a suitable PHP version and sets up the website accordingly.

If the wizard supports the use of Redis for a CMS, the corresponding Redis instance is created and configured accordingly.