Hey guys, I have an ispconfig3 installation on an older version of ubuntu in a proxmox lxc container on a server in a co-location facility behind a public static ip. I am upgrading to new servers and will be transferring the lxc over to the new machine. I am now going to have two opnsense routers in front of the servers directing traffic for increased security. My question is this: I am going to be re-assigning the (now public) static ip to the routers control and doing a NAT1:1 to the ispconfig3 lxc container. Due to that I will be changing the ip address of the container to a private ip. So what all do I need to change on ISPC3 for that to continue to work properly? I have seen posts on here about changing the ip completely, but didn't see anything related to just changing the ip of the lxc container while ispconfig will still listen and live (from the outside world) on the same public static it uses now. I'm sorry of I have made this confusing or haven't provided enough info. I just want to preemptively head off any drama at the colo before I get there. Thanks for any help you can provide. I sincerely appreciate your help.
Well, firstly, ISPConfig setup in an LXC is never supported, whether in proxmox VE or else. The best is always running ISPConfig server in a bare or virtual machine instead. Secondly, for the other part of your question, it is not directly related to ISPConfig, so for your question: Normally we do not change anything in ISPConfig settings, since for web sites we usually use * and we do not define any IP address, being local one i.e. LAN or WAN, while for ISPConfig panel and apps we usually maintain the same default. All we need to do is ensure all ports needed to be used from public WAN to access ISPConfig server directly, must be routed or forwarded to it properly, like 80 and 443 for general web server or 8080 and 8081 for ISPConfig panel and its apps. That is all if I understood you correctly.
Hey Ahrasis, Thanks for responding. I didn't see the reply til just recently and thanks for that breakdown. If I could pick your brain a little further let me explain in detail what I am doing and get you to advise me from there. I understand the lxc path isn't supported so we will have to overlook that for now. The details of what I have and what I am doing are: Current setup is ispconfig in an lxc container for the last 8 years under proxmox on an HP DL380 G8 server being a gateway of sorts with one of my static ip's in proxmox and with the container having the public static IP 144.xxx.xxx.22/28 and ISPC3 setup in the control panel with that static ip as per the setup instructions. All websites use * for their listener. New setup I am moving, in the next couple of weeks in the same colo facility, to transfer the lxc container to the new HP DL380G10 server running the newest version of proxmox which will sit with a private ip behind two carp'd opnsense routers which will NAT 1:1 the 144.xxx.xxx.22/28 static to the lxc which I will change to a private ip as well. I also forgot to mention I will be doing the same to the two multi-server setup connected ISPC3 nameservers on different lxc's with the same setup both before and after. My question basically is when I change over and initiate the NAT 1:1, what all in ISPC3 will need to be changed over? I know, obviously the ip of the container, but will I need to change any ip settings for bind9 or in any ISPC3 config files in order to immediately have access to the control panel again, the sites visibility to the world, etc. I just don't want to get to the colo and find out I have a small disaster on my hands trying to get everything live on the new machine. Thanks so much for your time on this and I'm sorry I didn't explain what I was asking better before. Any info will be greatly appreciated.
I would say nothing if your ISPConfig server(s) are using LAN, not directly exposed to the WAN and are actually behind NAT, as routing or forwarding to them are normally handled by the router, and it is always safer thay way.
Ok, that sounds great. I was worried I would have to change a bunch of settings in files for it to continue working. Thanks so much for your time and help with this. I truly appreciate you.
If let#s Encrypt stops working to issue SSL certs, then you must enable the 'Skip let's Encrypt check' checkbox in server settings.
Ok, thanks Till. I didn't even think about that. I haven't had automatic LE services on ISPC3 since the feature was introduced. It never works, I have to do it manually in cli. Thanks again though for reminding me of that. I'll need to add it to the list.
The LE feature works perfectly fine. You might want to follow this checklist to find out why it fails on your system: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ Most likely, you block requests to your server from your server IP in your network, and that's when you must disable the LE check.
Yes, it does. I just apparently have broken something over time. I knew that a couple of years ago. But thanks for the link, I will investigate it. Again, I truly appreciate you.
