Hi all,
Due to the required setting of my ISPConfig 3 server, I need to close port 80 outbound for my server. This closes access to outside port 80, hence ISPConfig 3 cannot be updated. I have checked the stable update script and found that the main stable PHP script uses https to download the latest tar.gz file; however, the initial "ispconfig_update.sh" script uses http to find the latest version file. I also double-checked and found that it can use HTTPS as well. So my suggestion is that, in the file /usr/local/ispconfig/server/scripts/ispconfig_update.php, the http is changed to https in the following line, to allow ISPConfig to get the version file over https and continue running the PHP update script...
Changing from:
    $new_version = @file_get_contents('http://www.ispconfig.org/downloads/ispconfig3_version.txt') or die('Unable to retrieve version file.');
To:
    $new_version = @file_get_contents('https://www.ispconfig.org/downloads/ispconfig3_version.txt') or die('Unable to retrieve version file.');
This allows ISPConfig 3 to be updated even if port 80 is closed, as the whole process after this step runs through https anyway.
What are your thoughts? Thanks
That is probably correct to make that change. Looks like www.ispconfig.org even serves an HSTS header, so any client which accesses it on https at all should thereafter fail on http... of course the php client and shell client will differ and don't carry that info, but in a more integrated setup that is actually designed to fail there. Also, if you wish to maintain http access for your server but not have port 80 open, you can run an http proxy. I have a few systems locked down pretty well using squidguard (on pfsense); they can access a few known sites for software install/updates, plus a few internal things, and nothing else.
Thanks @Jesse Norell. My server is in AWS and I use AWS outbound rules to restrict the ports. But that sounds interesting. Can you give me more info? Can I use squidguard on the same server, or does it have to be on the same network but a different server? For my home use, I am using Dansguardian, which is some sort of squid proxy, but I have always used that for web blocking and content keywords to filter access for my kids. I know it can restrict the ports as well; is it the same as what you mentioned? I'd appreciate it if you could explain the workflow and the things I need to install. I had a look at pfsense and want to get a good starting point.... Thanks
No, if that server is prohibited from connecting on port 80, it won't matter if http clients connect directly or access a proxy on the local server which tries to connect; they'll both fail. Then you're familiar with http proxies, that's really all I was pointing out as a possible good fit for your environment. It may not be, too. But the proxy would definitely have to be on another host which is allowed connections on port 80. Squidguard is a companion to squid, and gives you the ability to configure squid to limit access (e.g. allow debian package repositories, ispconfig sources, and nothing else). But there are other proxies and systems which could accomplish the same job; that's just one I happen to have used.
Thanks @Jesse Norell. It is clear now. I will spend some time on it to see which solution is better for me. Thanks for your time replying to my messages.
This should be changed to https indeed. I thought that we had already changed it in the past, but apparently this is not the case. Update: Just checked the code; it seems I was partially right: I had changed the URL in dashboard.php in the past and missed the URL in the update script. Fixed that now.
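The last post describes one URL being switched to https while another was missed. As an added example (not ISPConfig code and not part of the thread), this shell function lists every plain-http URL that scripts under a directory fetch, so all of them can be found before outbound port 80 is closed; the list of fetch calls and the loopback exclusion are assumptions of the example.

```shell
#!/bin/sh
# Added example, not ISPConfig code.
# Assumption: remote fetches go through one of these PHP functions or CLI tools.
FETCH_CALLS='file_get_contents|fopen|curl|wget'

# find_http_fetches DIR
# Prints "file:line:url" for each plain-http URL that a *.php or *.sh file
# under DIR fetches. Lines pointing at loopback are skipped, because that
# traffic never leaves the host and is unaffected by an egress rule.
find_http_fetches() {
    find "$1" -type f \( -name '*.php' -o -name '*.sh' \) \
        -exec grep -HnE "$FETCH_CALLS" {} + |
    grep -F 'http://' |
    grep -vE 'http://(localhost|127\.0\.0\.1)([:/]|$)' |
    sed -nE "s|^([^:]+:[0-9]+):.*(http://[^\"' )]+).*|\1:\2|p"
}

# count_http_fetches DIR
# Prints the number of findings; 0 means no script still depends on port 80.
count_http_fetches() {
    find_http_fetches "$1" | wc -l | tr -d ' '
}

# Run as: sh audit.sh /usr/local/ispconfig
if [ "$#" -gt 0 ]; then
    find_http_fetches "$1"
fi
```

Comments and documentation links that merely mention an http:// URL are not reported, because only lines containing a fetch call are inspected.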