ISPConfig 3 Update file Version Check

Discussion in 'Installation/Configuration' started by sghazagh, Oct 21, 2019.

  1. sghazagh

    sghazagh Member

    Hi all,
    Due to the required setting of my ISPConfig 3 server, I need to close port 80 Outbound for my server.
    This closes access to outside port 80, hence ISPConfig 3 cannot be updated.
    I have checked the Stable update script and found that the main stable PHP script is looking for https to download the latest tar.gz file, however, the initial "ispconfig_update.sh" script is looking via http to find the latest version file.
    I also double checked and found that it can use HTTPS as well.
    So my suggestion is that, in the file /usr/local/ispconfig/server/scripts/ispconfig_update.php, the http is changed to https in the following line, to allow ISPConfig to get the version file over https and continue running the PHP update script...
    Changing from:
    $new_version = @file_get_contents('http://www.ispconfig.org/downloads/ispconfig3_version.txt') or die('Unable to retrieve version file.');
    To:
    $new_version = @file_get_contents('https://www.ispconfig.org/downloads/ispconfig3_version.txt') or die('Unable to retrieve version file.');

    This allows ISPConfig 3 to be updated even if port 80 is closed, as the whole process after this step runs through https anyway.

    What are your thoughts?
    Thanks
     
    Last edited: Oct 22, 2019
    Steini86 likes this.
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is probably correct to make that change. Looks like www.ispconfig.org serves an HSTS header even, so any client which accesses it on https at all should thereafter fail on http ... of course the php client and shell client will differ and don't carry that info, but in a more integrated setup that is actually designed to fail there.

    Also if you wish to maintain http access for your server but not have port 80 open, you can run a http proxy. I have a few systems locked down pretty well using squidguard (on pfsense), they can access a few known sites for software install/updates, plus a few internal things, and nothing else.
     
  3. sghazagh

    sghazagh Member

    Thanks @Jesse Norell
    My server is in AWS and I use AWS Outbound to restrict the ports.
    But that sounds interesting. Can you give me more info?
    Can I use squid guard on the same server, or does it have to be in the same network but on a different server?
    For my home use, I am using Dansguardian, which is some sort of squid proxy, but I have always used it for web blocking and content keyword filtering for my kids. I know it can restrict the ports as well; is it the same as what you mentioned?
    I would appreciate it if you could explain the workflow and the things I need to install. I had a look at pfsense and want to get a good starting point....
    Thanks
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, if that server is prohibited from connecting on port 80, it won't matter if http clients connect directly or access a proxy on the local server which tries to connect, they'll both fail.
    Then you're familiar with http proxies, that's really all I was pointing out as a possible good fit for your environment. It may not be, too. But the proxy would definitely have to be on another host which is allowed connections on port 80. Squidguard is a companion to squid, and gives you the ability to configure squid to limit access (eg. allow debian package repositories, ispconfig sources, and nothing else). But there are other proxies and systems which could effect the same job being accomplished, that's just one I happen to have used.
     
  5. sghazagh

    sghazagh Member

    Thanks @Jesse Norell. It is clear now. Will spend some time on it to see which solution is better for me. Thanks for your time replying to my messages.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    This should be changed to https indeed, I thought that we already changed it in the past but apparently this is not the case.

    Update: Just checked the code, seems as I was partially right, I had changed the URL in dashboard.php in the past and missed the URL in the update script. Fixed that now.
     
    sghazagh likes this.
  7. sghazagh

    sghazagh Member

    Thanks @till for prompt action.
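
A hardened form of the version check discussed in this thread, as an added example that is not part of the thread or of ISPConfig's own code: it refuses non-HTTPS URLs, sets certificate verification explicitly, does not follow redirects (PHP's stream client keeps no HSTS state, as post 2 notes) and validates the response before use. The function names and the accepted version-string format are assumptions.

```php
<?php
// Added example, not ISPConfig code. Function names are hypothetical.

// URL as given in the thread.
const VERSION_URL = 'https://www.ispconfig.org/downloads/ispconfig3_version.txt';

/** Validate the untrusted response body and return a clean version string. */
function parse_version_body(string $body): string
{
    $version = trim($body);
    // Assumed format: dotted numeric version with optional suffix, e.g. 3.1.15p2
    if (!preg_match('/^\d+(\.\d+){1,3}[a-z0-9]*$/i', $version)) {
        throw new RuntimeException('Version file has unexpected content.');
    }
    return $version;
}

/** Fetch the version file over HTTPS only, with certificate checks enforced. */
function fetch_latest_version(string $url = VERSION_URL): string
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing non-HTTPS version URL.');
    }
    $context = stream_context_create([
        'http' => [
            'timeout'         => 10,
            'follow_location' => 0,      // a redirect could point back to plain http
        ],
        'ssl' => [
            'verify_peer'      => true,  // default since PHP 5.6, stated explicitly
            'verify_peer_name' => true,
        ],
    ]);
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        throw new RuntimeException('Unable to retrieve version file.');
    }
    // With redirects disabled, a 3xx body reaches this point and fails validation.
    return parse_version_body($body);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample bodies: the validation step runs offline.
    foreach (["3.1.15p2\n", '<html>captive portal</html>'] as $sample) {
        try {
            echo 'accepted: ', parse_version_body($sample), PHP_EOL;
        } catch (RuntimeException $e) {
            echo 'rejected: ', $e->getMessage(), PHP_EOL;
        }
    }
}
```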
     
