Set minimum TLS version

You can set the minimum TLS version for each website on our fully managed servers.

Because of various vulnerabilities, experts have long recommended disabling all versions of SSL and TLS 1.0 (this has always been the default setting on our servers). By now, websites should no longer be reachable with TLS 1.1 either, and should support at least TLS 1.2.

To set the minimum TLS version, you just have to go to ISPConfig and select the “Minimum TLS version”:

 

Every modern browser supports TLS v1.2, most also TLS v1.3, but since the latter version is still considered experimental, it is a good idea to set the pages to TLS v1.2. If you want to be absolutely sure that your site can be reached with an outdated browser, you must choose TLS v1.1.

To test the SSL settings of your site, you can use one of the two links:

https://www.ssllabs.com/ssltest

https://internet.nl/

Backup-Now for websites and database with ISPConfig

You can have automatic backups created on our fully managed servers. Now you also have the possibility to manually trigger a backup of a website or a database.

Backup-Now

You can use it, for example, to back up the database before you make major changes to your project. If something goes wrong, you can restore the freshly created backup.

When you start a manual backup, the oldest backup is deleted afterwards.

Configuring Backups in ISPConfig

You can find the settings for the backups in the Backups tab of your website.

You can set the number of backups to be saved under “Number of backups” between 1 and 10.

You can set the interval to different values:

  • Automatic backups inactive
  • Daily
  • Weekly (every Sunday)
  • Monthly (on the 1st of each month)

If you choose “Automatic Backups inactive”, only manual backups are created via Backup-Now.

Start Backup-Now

To start a manual backup, click the button “Backup website now” or “Backup database now” so that it switches from grey to blue, and then save the settings:

 

Until a backup is complete, you cannot trigger another manual backup:

After the backup is complete, you will find the backup as usual under “Existing Backups”.

By the way, you can recognize a backup created by Backup-Now by -manual in its name.

 

Script to install Proxmox 5.x – 7.x on a Dedicated Hetzner Server

The Proxmox-Version depends on your OS: Proxmox 5.x on Debian Jessie, Proxmox 6.x on Debian Buster and Proxmox 7.x on Debian Bullseye.

  • Install Proxmox on your server
  • Let’s Encrypt Certificate for the Proxmox-Interface
  • Option to use Thin-Pool Storage
  • Read the Server-IPs (Single-IP and Subnet) from the Hetzner-Robot
  • Write the Network-Config
  • Option to create private IPs if you use a vSwitch

Notes

You can put your Robot-Credentials in the file robot.conf.php so the script will not ask you for the Robot-Login.

If you just want to generate the network config (even for a different server), see chapter Network-Setup at the end of this page.

Installation

Boot your server into the Rescue-Mode, use installimage and choose the minimal Debian Stretch, Debian Buster or Debian Bullseye version.

Set the HOSTNAME to a FQDN

If you want to use Thin-Pool, use something like:

PART lvm pve all
LV   pve root / ext4 10G

Reboot the server and run the following commands to download the script:

apt -y update
apt -y install php-cli php-curl wget
cd /root
wget https://download.schaal-it.net/hetzner-proxmox.tgz
tar xfz hetzner-proxmox.tgz
cd proxmox

Install Proxmox

To install Proxmox, please read the following notes before running the script.

The directory custom contains several files that are used during the installation.

In the custom directory you will find:

  • etc/aliases
  • etc/cron.d/trim.example
  • etc/sysctl.d/pve.conf
  • root/trim.sh.example
  • root/update-lxc.sh.example
  • ssh (empty)

If you want to install your SSH key, just put your public key into ssh/authorized_keys. The installer will copy this file to /root/.ssh/authorized_keys.

The files in etc/cron.d call the corresponding scripts in root. If you want to use them, rename the files in etc/cron.d and root.

You can also put your own files into the custom directory and/or change the files. For more information see the file custom/README.txt.

To finally install proxmox, just run

php install-proxmox.php

The script shows you the detected OS and the Proxmox version that will be installed:

Detected OS: Debian Buster
Install Proxmox-Version: 6.x

You will be asked the following questions:

Full qualified hostname (FQDN) of the server [server]:

Enter the full name here (e.g. server.example.com). Otherwise you cannot use Let’s Encrypt.

IP of the server [100.150.0.100]:

Make sure that the detected IP is actually the IP of your server.

Network Card [enp0s31f6]:

Usually, you don’t have to change the detected value.

Do you want to autoconfigure the network? (y,n) [y]:

Choose y to let the script generate the network-config.

Enter your credentials for the Hetzner-API
robot_url [https://robot-ws.your-server.de]:
robot_user []: 
robot_password []:

Enter your Robot credentials if you have not already stored them in robot.conf.php.

Enabled Thin-Pool for Proxmox? (y,n) [n]:

With y the installer will generate a Thin-Pool:

Only one LV found - using pve
Use LV Name for Proxmox Thin-Pool - 'none' to skip [data]:
SSH Port [22]:
SSH PremitRootLogin [yes]:

You should use the defaults for a Cluster-Setup.

Use Let's Encrypt for the Interface (y,n) [y]:

Choose y if you want a free ssl-cert from Let’s Encrypt for the Backend.

Email to use with Let's Encrypt and in scripts [admin@local]:

Starting with Proxmox 7, the script does not install acme.sh for Let’s Encrypt. At the end of the installation, you will see a note to run a script after the final reboot.

For more information read https://pve.proxmox.com/wiki/Certificate_Management#sysadmin_certs_api_gui

Start Proxmox Install? (y,n) [y]:

Finally run the setup.

If your server is connected to a vSwitch:

This server is connected to the vswitch with the ID 4868 [4001]
Add the vswitch to the network-config? (y,n) [y]:
Use Private IP []:
Use Private IP []: 
Netmask [24]:

Choose a private IP like 10.0.0.1 for this server and set the netmask.

copy /etc/network/interfaces to /root/interfaces.save
writing new /etc/network/interfaces

Check the network-confg and reboot your server
Updating /etc/aliases
Adding your authorized_keys

Install finished. You can reboot the server now.

Network-Setup

You can also use network-manual.php to generate a network-config on an existing server.

This will not overwrite your current setup.

Run

php network-manual.php

and answer the questions. You will find the generated config in /root/interfaces.generated.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Bugtracker

Visit our issue tracker.

Datalog History

On our Managed Mail Servers and the Full-Managed Servers you can track and undo changes made in ISPConfig.

However, only the settings are written back and not the contents of websites or similar. For example, if you have deleted a website you can only restore the “basic structure” – the contents of the website have to be restored from backups.

Show Datalog History

You will find the menu item “Show Datalog History” under “Monitor”.

 

The history then looks something like this:

When you select an entry, the corresponding activities are displayed and you have the possibility to undo the change:

 

 

Enhanced spam check for mailboxes

On our managed mail servers and full-managed servers you can switch not only greylisting on and off for each mailbox's spam check, but also RBL, SPF and spoofing.

SPF and RBL are automatically activated for new mailboxes; greylisting and spoofing are disabled by default.

What do these spam checks do in detail?

SPF

The owner of a domain can specify which servers are allowed to send mails. If delivery via another server is attempted, the mail can be rejected directly. This happens in particular with spam mails if the sender in a mail is forged. Unfortunately, there are also postmasters who define these specifications incorrectly or simply forget to add a new server.

It can also lead to problems with the SPF check if mails are sent via an external mail gateway beforehand.

RBL

Our mail servers check incoming mail across one or more lists of servers that have recently sent spam. Connections from “spam spinners” are rejected directly.

Greylisting

At the first connection the sending mail server gets a message that it should try again in a few minutes. This can reduce spam, but is not always optimal for mailboxes that are used for direct communication with customers. Otherwise it can happen that the customer sends a mail and then you have to explain that the reception can take up to 5 minutes.

If a mail server has passed the other checks on the second attempt, its IP is put on a whitelist and mails sent later arrive without greylisting.
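The greylisting decision described above, as an added example that is not the code running on these servers: the class name `Greylist`, the 300-second minimum delay and the 4-hour retry window are assumptions, and the other spam checks mentioned in the text are not modelled.

```python
class Greylist:
    """Greylisting keyed on the triplet (client IP, sender, recipient)."""

    def __init__(self, min_delay=300, retry_window=4 * 3600):
        self.min_delay = min_delay          # assumed: seconds before a retry counts
        self.retry_window = retry_window    # assumed: retry must arrive within this
        self.first_seen = {}                # triplet -> time of first attempt
        self.whitelist = set()              # IPs that have already passed once

    def check(self, ip, sender, recipient, now):
        """Return the SMTP reply for a delivery attempt at time `now` (seconds)."""
        if ip in self.whitelist:
            return "250 accept"             # known server, no delay any more
        triplet = (ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.retry_window:
            self.first_seen[triplet] = now  # new or expired triplet: start the clock
            return "450 try again later"
        if now - first < self.min_delay:
            return "450 try again later"    # retried too quickly, keep waiting
        self.whitelist.add(ip)              # a real MTA retried: trust this IP
        del self.first_seen[triplet]
        return "250 accept"


if __name__ == "__main__":
    g = Greylist()
    # Constructed attempts from one sending server (documentation IP range)
    for t in (0, 60, 300):
        print(t, g.check("192.0.2.10", "customer@client.com", "info@example.com", t))
```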

Spoofing

Email spoofing refers to the forgery of the email header so that the message gives the impression that it has a different origin or source. Spam distributors often use spoofing to get the recipients of the email to open the message so that they respond to its content.

Set individual checks

Log on to your server in ISPConfig and select the mailbox for which you want to customize the SPF, spoofing, or RBL check.

 

Monitor your server

You always have full access to the monitoring of your managed server and can view the data directly in your browser, via your smartphone or an add-on from Firefox / Chrome.

Depending on the monitored value, there are two limit values, Warn and Crit. If one of them is exceeded, the display changes to orange (Warn) or red (Crit). You can adjust the limits directly in ISPConfig on your managed server.

If the state changes, you will receive a mail after a certain time. You will get the notification if the status changes to OK, Warn or Crit.

Set limit values

Log into ISPConfig on your Managed Server and open the “Tools” in the upper right corner. Under Managed Server on the left side you can set the monitoring.

To adjust the values, select one of the checks and then define the limits. For the mail queue it looks like this:

If there are 20 to 29 mails not yet sent on your server, the status changes to Warning. If 30 or more mails have not yet been sent, the status changes to Critical.

Browser

Just open the URL https://monitor.schaal-it.net for monitoring in your browser and log in with your access data.

Smartphone APPs

aNag for Android

Grab aNag from the Play Store and start the app.

You can freely choose the name – it only serves to distinguish between different instances.

The other data are:
Instance type: Icinga/Nagios (HTML)
URL: https://monitor.schaal-it.net/cgi-bin/
Username: Your Username
Password: Your Password

easyNag for iPhone & iPad

You can download and install easyNag here.

You can use the settings for Android for the individual values.

Add-On for Firefox and Chrome

For Firefox you can use the current version of imoin.

imoin

Install the add-on in Firefox via Add-Ons or in Chrome via this Link and set up access:

Version: Nagios Core 4.0.7+
URL: https://monitor.schaal-it.net
Username: Your Username
Password: Your Password

Update PHP versions (automatically)

On our managed servers you can view the versions of the additional PHP versions directly in ISPConfig. If a new version is available, you can update the PHP version or use the “Auto-Update” function. With “Auto-Update” enabled, the PHP version will be updated as soon as a newer version is released.

additional PHP versions

Additional PHP versions can be installed in addition to the PHP version of the operating system and then used for individual web pages. PHP versions 5.6, 7.0, 7.1, 7.2 and 7.3 are available on our managed servers. The ionCube loader is always installed with all versions.

Which versions are additionally installed always depends on the operating system of the respective server. For Debian Jessie PHP 5.6 is not an additional version, while for Ubuntu 18 PHP 7.2 is not an additional version. Which versions you see on your server for updates depends on the respective server – the screenshots may look different for you.

show additional PHP versions

Log in to ISPConfig on your server and click on “Tools” in the upper right corner and then “Manage PHP Versions” in the lower left corner. You will be shown the installed versions:

 

You can see at a glance which versions are not updated or whether an installation is currently being updated.

 

 

If an update is available, you will be shown the button “Update” and can immediately start the update. You also have the option to automatically update a version. All you have to do is check the box “Auto-Update” and save the settings.

 

GDPR Plugin for ISPConfig

With our ISPConfig GDPR Plugin we have developed an enhancement that allows you and your customers to sign online contracts for data processing.

As an admin, you also have the option of generating agreements or other contracts directly and send them to the client.

You can also export all data stored for a customer in ISPConfig to generate information about the stored data. Of course, every client can also do this himself.

Try the GDPR Plugin for free

You can download the plugin here and test it for 14 days for free. As a license you simply use “TRIAL”.

If you want to use the GDPR Plugin afterwards, you need a license.

Installation

Download the plugin to your server, unpack the archive and change to the directory ispconfig-gdpr.

If you haven’t installed the ionCube loader yet, you can do it either with the script install_ioncube.php or manually for all PHP versions and modes.

php -q install_ioncube.php

We have only tested the script on Debian 7-9 and Ubuntu 14-18 so far. If you are using CentOS, for example, you may have to install the ionCube loader manually.

For the manual installation we recommend to use https://www.howtoforge.com/tutorial/how-to-install-ioncube-loader/

If the ionCube-Loader is installed, you start the installation:

php -q install.php

After that you only have to log in to ISPConfig as admin and activate the module GDPR for the user admin (under System / CP User / Edit User). Then log off once and log on again.

Update

Just start

/usr/local/ispconfig/server/scripts/gdpr/gdpr_update.sh

You can also download the current version, unpack the archive, change to the ispconfig-gdpr directory and then call php -q update.php.

Features of the GDPR Plugin:

  • Automatic generation of order processing (GDPR) contracts by a client
  • Automatic generation of order processing (GDPR) contracts by the admin for a client
  • Generated order processing (GDPR) contracts are saved directly as PDF files
  • Ability for the client to revoke an existing agreement
  • Upload option for the admin to provide additional contracts / data for a client
  • Support of several companies
  • Individual templates for generating contracts
  • Individual templates for sending email
  • Ability to store contracts and other data on the hard disk or directly in the database
  • Export function for the data stored for a client (PDF or XML)
  • The GDPR Plugin is integrated in ISPConfig and can be accessed via the ISPConfig Admin/Client Login
  • Standard PDF templates for companies

License

The ISPConfig GDPR Plugin is an extension to ISPConfig and is not subject to the BSD license.

One license costs 80,00 EUR (95,20 EUR incl. 19% Tax) and includes updates for one year after activation of the license.

Customers who already have a license and want to receive further updates after one year can extend the “update time” for another year for 40.00 (47.60 EUR incl. 19% Tax).

Manual

You can download the manual for free here.

ISPConfig GDPR

In order to get ISPConfig GDPR compatible, we think that the default log file storage time for websites should be decreased and the statistics should be turned off. ISPConfig itself has no problems with the GDPR, because you can delete customers at any time and all data stored with this customer will be removed from your server.

With the next ISPConfig release 3.1.12 the storage time of 10 days will be standard for new websites. However, a change for existing websites does not make sense, as the software is also used outside of the EU.

Problem Statistics

The programs for creating web server statistics AWStats and Webalizer, which can be used with ISPConfig, also output the complete IP addresses of website visitors, if no corresponding adjustments have been made to the code.

We consider this to be incompatible with the GDPR and have therefore deactivated the statistics on all our web servers (own and full-managed). To avoid doing this manually for each page, you will find a small bash snippet at the end, which you can simply run as root on your server. If you don’t have a --defaults-file, you can use -p instead and then enter your root password for MySQL. Of course you can also enter the commands in PHPMyAdmin.

Problem Logfiles

The default setting for log files of all websites is 30 days. We think that a significantly lower value is sufficient. Here we take 10 days as an example. However, you should certainly ask yourself whether you really need to store the data for that long. The complete IP is certainly needed in the logfiles to secure the server or to detect problems. But if you haven’t noticed an attack after 10 days, even a longer storage time won’t help much…

Solution

Don’t forget to make the changes on all servers if you have a multi-server setup.

And this is how it works with a single SQL call:

mysql --defaults-file=/etc/mysql/debian.cnf --database=dbispconfig -e "
ALTER TABLE web_domain CHANGE stats_type stats_type varchar(255) DEFAULT ''; 
ALTER TABLE web_domain CHANGE log_retention log_retention INT(11) NOT NULL DEFAULT '10'; 
UPDATE web_domain SET log_retention = '10' WHERE log_retention > 10;
UPDATE web_domain SET stats_type = '';
"

 

ISPConfig Automail

With our plugin ISPConfig Automail you can automatically configure email clients like Thunderbird or Outlook.

It makes no difference whether you use one or more mail servers for the domains. Just define the appropriate data such as host name and port for each mail server. Everything else is done through a small web page that provides an Autoconfig service (Thunderbird) or Autodiscover service (Outlook).

Autoconfig and Autodiscover request XML files via different addresses, to configure the email client according to your specifications.

To use the ISPConfig Automail, you only need a current version of ISPConfig and a website (Apache or nginx).

The plugin consists of two parts

  • the interface plugin for ISPConfig to manage the settings
  • a script to generate the relevant XML documents under the respective domain

In this example example.com is your domain, over which the automatic setup of the mail clients will run. You are free to choose this domain. The domain client.com is the domain that queries example.com for the setup.

Install ISPConfig Automail

cd /tmp
wget https://download.schaal-it.net/ispconfig-automail.tgz
tar xfz ispconfig-automail.tgz
cd automail
php install.php

Activate the plugin

Log in to ISPConfig as admin, go to System / CP User and activate the module automail for the user admin. After you have logged off and on again, the module is available for you.

Remote-User

Create a remote user who can use the “automail functions”. If you have a multi-server setup, you may need to allow remote access.

Configure the plugin

Under Provider-ID you enter a unique ID that identifies your setup. You can use the domain name of your server.

The two Hostnames are the names by which mails are retrieved (IMAP/POP3) and sent (SMTP). If you run everything on the same server, you must enter the same name in both fields.

For Ports, enter the ports that should be used for your mail server.

ISPConfig Automailer Setup

Create the required DNS records

You need an A-record for autoconfig.example.com and autodiscover.example.com pointing to your web server. If you use IPv6, you should also create AAAA records.

Create two entries in each customer domain. A simple CNAME is enough for autoconfig:

autoconfig.client.com. CNAME autoconfig.example.com.

For autodiscover an SRV record is recommended. This will give you a certificate warning during setup, but it is the easiest way to set up any number of customer domains:

_autodiscover._tcp.client.com. SRV 0 0 443 autodiscover.example.com.

Create the website in ISPConfig

Now you have to create the website autoconfig.example.com with PHP support and without auto subdomain in ISPConfig. You should also secure this site using SSL. This is not required for autoconfig, but will be needed later for autodiscover. You can easily use Let’s Encrypt.

You have to set the directives for Apache or nginx accordingly:

Apache

ServerAlias autoconfig.*

nginx

# "^~" is a literal prefix match, not a regex, so the dot is written unescaped
location ^~ /config.php { deny all; }

location / {
    rewrite autodiscover\.xml$ /index.php last;
    rewrite Autodiscover\.xml$ /index.php last;
    rewrite config-v1\.1\.xml$ /index.php last;
}
server_name autoconfig.*;

With alias or server_name this domain can be used later by any customer or email domain.

Create the alias domain autodiscover.example.com and point it to autoconfig.example.com. You don’t need any redirects, the important thing is that the domain has an SSL certificate. A-Records in DNS are enough to point to your web server so you can use Let’s Encrypt.

Upload the script to the website

Upload the files from the website directory from the archive to the newly created website and adjust the data in config.php. Rename the htaccess to .htaccess. If you use nginx, you can also delete the file directly.

Test

You can easily test Autoconfig via wget:

wget "http://autoconfig.client.com/config-v1.1.xml?emailaddress=test@client.com" -O test

In the file test you will find the result. The email address must exist of course.
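One way to check the downloaded result beyond looking at it by eye, as an added example that is not part of the plugin: the function `audit_autoconfig`, the sample XML and the host name mail.example.com are constructed for illustration, following the Thunderbird config-v1.1.xml layout. It reports servers that hand out an unexpected host name or an unencrypted socket type.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a config-v1.1.xml response; hosts and ports are placeholders.
SAMPLE = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>client.com</domain>
    <incomingServer type="imap">
      <hostname>mail.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.example.com</hostname>
      <port>25</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

ENCRYPTED = {"SSL", "STARTTLS"}   # socketType values that protect the login


def audit_autoconfig(xml_text, allowed_hosts):
    """Return a list of findings for an Autoconfig (config-v1.1.xml) document."""
    root = ET.fromstring(xml_text)
    if root.tag != "clientConfig":
        return ["root element is not clientConfig"]
    provider = root.find("emailProvider")
    servers = [] if provider is None else [
        el for el in provider if el.tag in ("incomingServer", "outgoingServer")]
    findings = []
    if not servers:
        findings.append("no incomingServer/outgoingServer entries")
    for srv in servers:
        label = f"{srv.tag}[{srv.get('type')}]"
        host = (srv.findtext("hostname") or "").strip().lower()
        socket_type = (srv.findtext("socketType") or "").strip()
        if host not in allowed_hosts:
            findings.append(f"{label}: unexpected hostname {host!r}")
        if socket_type not in ENCRYPTED:
            findings.append(
                f"{label}: socketType {socket_type!r} sends the login unencrypted")
    return findings


if __name__ == "__main__":
    # In practice, read the file written by the wget test instead of SAMPLE.
    for finding in audit_autoconfig(SAMPLE, {"mail.example.com"}):
        print(finding)
```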

For Autodiscover there is the Microsoft Remote Connectivity Analyzer.