link in password reset emails

Discussion in 'General' started by nhybgtvfr, Nov 7, 2023.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Where is the link address in the password reset emails set?

    i've looked in /usr/local/ispconfig/interface/web/login/lib/lang

    i can see some of the text content for the emails, but nothing about the actual link..

    i have our control panel installed at host.domain.tld, accessible on port 8080.
    but customers never remember the bit about port settings, and it's annoying to repeatedly remind them, so now i have it reverse proxied, using
    mypanel.domain.tld on port 80 and 443, so they don't need to set the port in the url.
    that all works fine, except when they request a password reset.. the email link points to mypanel.domain.tld:8080, so they connect directly to that port, which has a different certificate and they get warnings about it..
    i want to remove the port setting in the email, but i can't find where to change it.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Just had a look at the code, you can override it by setting:

    $conf['interface_base_url'] = 'https://mypanel.domain.tld';

    in the interface config.inc.php file.
     
    remkoh likes this.
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    cool. thanks.
     
    ahrasis likes this.
  4. remkoh

    remkoh Active Member HowtoForge Supporter

    Don't you mean config.inc.local.php?
    Because from my experience changes in config.inc.php are reset to default when updating ISPConfig.
     
    ahrasis and Th0m like this.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Alternatively, if we want to avoid having to create and use a proxy for the ISPConfig UI, I would also want to suggest that the ISPConfig installer be improved so that if port 443 is opted during installation, then server hostname (fqdn) is added to ISPConfig vhost, so that it would work right away. Coding this may not be difficult, and maybe I can spare some time doing it, but I am not sure whether it is good to have this option as well?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can use that as well or change the template instead.

    Depends on the setting that you are changing.
     
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just got around to giving this a try, tried putting it in config.inc.local.php but just got a blank screen when trying to access the login page..
    no errors anywhere that i could find.
    deleted the file config.inc.local.php again before thinking i might have mistyped the url..

    put it directly in the /usr/local/ispconfig/interface/lib/config.inc.php file on 2nd attempt. made sure i got the domain name spelt properly..
    access to control panel seems fine now.
    but password reset link in the email still points to the 8080 port.

    i guess i could just set it to the host.domain.tld url which is on port 8080, not the mypanel.domain.tld used for the reverse proxy on ports 80 and 443.

    i've just tried setting the interface_base_url to https://mypanel.domain.tld:443 see if that changes the port number set in the reset emails..
    but got to wait now, it won't let me request a new password reset for a while..

    the actual domain name in the reset email was already fine before, it was sending the url of the reverse proxy.. it was just the port number that was the problem.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Have you thought of redirecting
    to
    ?
     
    Ranzy Campbell likes this.
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    nope. hadn't thought of that..
    but ispconfig is listening on 8080, using Listen 8080 and NameVirtualHost *:8080
    so i'd have to change the standard ispconfig vhost configuration, and manually create another vhost for mypanel.domain.tld:8080.

    the reverse proxy is fine. it works, and it's all done within the ispconfig interface..
    i'd rather not be manually creating and managing vhost configurations, the whole point of ispconfig is to manage these for me.

    one thing i hadn't considered, that i might try, is to set the interface_base_url to hostname.domain.tld, instead of the mypanel subdomain.
    i don't think that will break anything, and it'll use the right subdomain for the cert on that port.
    it wouldn't work if i was blocking public access to port 8080 like some admins will be, i'm still allowing access.. it's just easier not having to keep telling clients to remember to put the port setting in the url, which isn't really an issue when they specifically need to click on the actual link they've been sent.
     
  10. I just tried what @ahrasis suggested.
    I created an A record for panel.website.tld in my DNS.
    Then created a subdomain in Sites for panel.website.tld with a Permanent Redirect to ispconfig.server.tld:8080.
    Make sure that you have Auto-Subdomain set to * so that panel.website.tld gets an SSL.

    I did it from a different domain name, but I'm sure it would work from the same domain too.
    panel.server.tld > ispconfig.server.tld:8080

    Not sure if that would fix your original problem with the mail, but it would solve the customer getting to the server problem of forgetting the port. I'm gonna keep the setup I just made for when I go live. I like it.
     
    ahrasis likes this.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    You can have the ISPConfig vhost listening on port 443 as name-based vhost without any proxy. Edit the ispconfig.vhost file, change port to 443 and add a server name, then restart the web server. Then copy the ispconfig vhost template from install/tpl/ of the ISPConfig tar.gz file to the folder /usr/local/ispconfig/server/conf-custom/install/ and add the same server name line there. Take care that you use the file that matches your server type (apache vs. nginx).
     
    ahrasis likes this.
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    that is not quite what i'm trying to do.
    i already have the subdomain mypanel.domain.tld which is working fine on port 80 and 443.
    i have the ispconfig interface on hostname.domain.tld port 8080
    mypanel.domain.tld is a proxy for hostname.domain.tld
    i have this config in the apache directives:
    Code:
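    # Redirect plain-HTTP requests to HTTPS on the same host name.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    # Allow proxying to an https:// backend.
    SSLProxyEngine on
    # These two settings turn off the check that the backend certificate's
    # name matches the host being proxied to.
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    
    RequestHeader set Front-End-Https "On"
    # Pass the client's Host header (mypanel.domain.tld) through to the backend.
    ProxyPreserveHost On
    # Reverse proxy only, no forward proxying.
    ProxyRequests Off
    # Serve /.well-known/ locally instead of proxying it.
    ProxyPass /.well-known/ !
    ProxyPass / https://hostname.domain.tld:8080/
    ProxyPassReverse / https://hostname.domain.tld:8080/
    # Apache 2.2-style access control syntax.
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>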
    
    that is all working fine..

    even with no interface_base_url configured in /usr/local/ispconfig/interface/lib/config.inc.php
    everything is working as expected. if i request a password reset, i get the email fine, it contains a link to the interface,
    it even has the hostname for the proxy site, mypanel.domain.tld.. the only problem is that the link includes the port setting :8080.
    the mypanel subdomain does not listen on that port, port 8080 is purely for the default ispconfig interface vhost.
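
Added example (not part of the thread and not ISPConfig code): a small Python check an admin could run on the link copied from a reset email after changing interface_base_url, to confirm it points at the proxied panel origin rather than the backend port. The sample links, RESET_PATH and the token value are constructed placeholders, not ISPConfig's real reset URL format.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # An omitted port and an explicit default port (":443") are the same origin.
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def check_reset_link(link, public_base_url):
    """List the ways a reset link's origin differs from the public panel URL."""
    l_scheme, l_host, l_port = effective_origin(link)
    _, b_host, b_port = effective_origin(public_base_url)
    problems = []
    if l_scheme != "https":
        problems.append("link is not https")
    if l_host != b_host:
        problems.append(f"host {l_host} is not {b_host}")
    if l_port != b_port:
        problems.append(f"port {l_port} is not {b_port}")
    return problems


# Constructed sample links (assumption: path and query are placeholders).
PUBLIC_BASE = "https://mypanel.domain.tld"
SAMPLES = [
    "https://mypanel.domain.tld:8080/RESET_PATH?token=PLACEHOLDER",
    "https://mypanel.domain.tld:443/RESET_PATH?token=PLACEHOLDER",
    "https://mypanel.domain.tld/RESET_PATH?token=PLACEHOLDER",
    "https://hostname.domain.tld:8080/RESET_PATH?token=PLACEHOLDER",
]

if __name__ == "__main__":
    for link in SAMPLES:
        issues = check_reset_link(link, PUBLIC_BASE)
        print(link, "->", "; ".join(issues) if issues else "OK")
```
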
     
  13. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ah. ok.. all the advice i've seen for ispconfig so far is to not create a vhost using the same as the fqdn (ispconfig interface) as that can cause issues with certificate renewals. unless you mean just run the interface on port 443 and drop port 8080?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    That's indeed the case and I did not say that you should create a website in ISPConfig but edit the ispconfig vhost instead in an update-safe way.
     
    ahrasis likes this.
  15. remkoh

    remkoh Active Member HowtoForge Supporter

    Did you set the proper ownership on the file?
    I'm using a local file without any problems.
     
    ahrasis likes this.
  16. MaxT

    MaxT Active Member

    I'm searching inside the forum for some way to enable port 433 for ISPC panel by using a subdomain "ispc.userdomain.com" for all users.
    I'm not sure about the solution of nhybgtvfr and what you explain.

    Is there some way of doing this in only one specific place inside the Apache config, or should I create the subdomains for all users?
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see post #11 in this thread. I explained what you have to do to use ISPConfig on port 443, you edit just a single file, there you change the port and add the domain name. You will get one domain for all your users ispc.yourcompany.com. Individual domains per user do not make much sense in my opinion as it would mess up your SSL LE renewal easily as all user domains would be in the same cert plus it would limit you to a small number of customers. You could have individual per customer websites with a proxy using the approach @nhybgtvfr explained, but it will be a manual setup for each customer and you must ensure that these subdomains get created in DNS as well.
     
    Last edited: Nov 22, 2023
    MaxT likes this.
  18. MaxT

    MaxT Active Member

    ok thanks, I understand what you explain to do with templates. Although I think it will not work for what I need. I explain better what I wish:
    I have the 8080 port filtered by firewall according to countries, valid CIDR and IPs, depending on the case. As the ISPC panel doesn't have a separate access for admin and users, this is working like a partial solution. This is not perfect although allows quite isolation from constant attacks and malicious scan against 8080 port.

    However, the access through the 8080 port is not comfortable (certificates, etc). And if I change the access to port 443, I wish to have also a criteria to filter all that. And then I think in having a subdomain to force the ISPC access through "ispc.userdomain.com". In that way, the subdomain "ispc." could work in a similar way, because this is easy to be filtered with modsecurity according to countries, IPs and CIDR. And the malicious scanning also can be stopped.

    I wonder if there is some way *to force* the subdomain "ispc.userdomain.com" to access the ISPC panel. I mean something inside the Apache configuration, without necessity to modify all the users DNS zones and without having bad effects for the ISPC updates.

    * I add: if there is a way to force it, the LE bot will assume there is a subdomain "ispc.userdomain.com" in all users, to create the necessary certificate. Is this right or I'm wrong?


    thanks!
     
    Last edited: Nov 22, 2023
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    If you edit the vhost in the way I explained, then the panel can be accessed exclusively on the one subdomain name you enter in the ispconfig vhost file on port 443, so you can filter that easily based on the subdomain.

    SSL certs make no difference between port 8080 and 443 btw, the browser does not show an error on any of these ports with a valid cert.
     
    MaxT likes this.
  20. MaxT

    MaxT Active Member

    in my case, https://userdomain.com:8080/ shows a certificate error. It loads the certificate of the main domain server instead of the user cert. Is this not the common behavior? Please, confirm this point


    I will try what you explain with the templates. Thanks!
     
