"solved" How to secure ISPConfig3.2 panel?

Discussion in 'Installation/Configuration' started by ganewbie, Jan 27, 2021.

  1. ganewbie

    ganewbie Member HowtoForge Supporter

    Hello,
    The perfect server Ubuntu 20.04 apache and ISPConfig 3.2.2
    I have messed up the Now the DNS record while installing the fresh server.
    I have corrected all DNS records now and created sited and they are all secure including for example "server1.example.com"
    Now the question is how do I go back to make the system to use that certificate to secure the panel, mail and ftp?
    Thanks in advance,
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Run ispconfig_update.sh --force and answer yes to reconfigure services.
     
  3. ganewbie

    ganewbie Member HowtoForge Supporter

    It works, thanks a million.
    Now another question, how do I prevent/hide "Apache2 Ubuntu Default Page"?
    is it OK, to redirect to https like any other site? or do you deal with the host's website differently?
    Thanks
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  5. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks for the quick reply, but I am not sure if I understand.
    After Jesse response, I have a secured "https://server1.example.com" with a valid LE certificate.
    Now if you go open "http://server1.example.com" it will show you
    upload_2021-1-28_5-52-41.png

    How do I hide or prevent this page from showing?
    Thanks,
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you create the web for server1.example.com in ISPConfig? If so, you can change the content - though you should not be seeing this default page usually.
     
  7. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks, Th0m,
    Yes, I have created the site server1.example.com in ISPConfig.
    What do you mean by changing the content?
    I see two different pages for the same site, The default page of ISPconfig3 when I open the https which is good and normal.
    But what bothers me is I see the apache default page when you open http
    How do I show the proper default page in either case
    Thanks again
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can change the content in the web folder to show something different.
     
  9. ganewbie

    ganewbie Member HowtoForge Supporter

    Great, but it does not show the content of the web folder. What is in the web folder shows correctly when you view "https" but shows the apache2 default page when you access "http"
    Why?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the content of the vhost in /etc/apache2/sites-available?
    (Do not mess around with this file, only share the content but don't change anything)
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    'apachectl -S' might help as well.
     
    Th0m likes this.
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  13. ganewbie

    ganewbie Member HowtoForge Supporter

    Code:
    root@server1:~# ls -l /etc/apache2/sites-available
    total 52
    -rw-r--r-- 1 root root 1332 Apr 13  2020 000-default.conf
    -rw-r--r-- 1 root root  310 Jan 27 05:48 acme.conf
    -rw-r--r-- 1 root root 3048 Jan 27 05:48 apps.vhost
    -rw-r--r-- 1 root root 6338 Apr 13  2020 default-ssl.conf
    -rw-r--r-- 1 root root 2119 Jan 27 05:48 ispconfig.conf
    -rw-r--r-- 1 root root 3394 Jan 27 05:49 ispconfig.vhost
    -rw-r--r-- 1 root root 2152 Jan 29 09:40 net.mydomain.com.vhost
    -rw-r--r-- 1 root root 8505 Jan 29 09:40 mydomain.com.vhost
    -rw-r--r-- 1 root root 5840 Jan 29 09:40 server1.mydomain.com.vhost
     
  14. ganewbie

    ganewbie Member HowtoForge Supporter

    Could you please clarify what does this command do?
     
  15. ganewbie

    ganewbie Member HowtoForge Supporter

  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Issue the command and see.
    If that is not suitable, read the man-page for the command. Or use the built-in help:
    Code:
    apachectl --help
    
    apachectl -h
     
  17. Steini86

    Steini86 Active Member

    Does this happen when you open the site in incognito mode of your browser? If not, its a caching problem ;)
     
  18. ganewbie

    ganewbie Member HowtoForge Supporter

    @steini86
    Incognito, shows the same.
    @Jesse Norell
    Code:
    apachectl -S
    VirtualHost configuration:
    *:8081                 server1.mydomain.com (/etc/apache2/sites-enabled/000-apps.vhost:9)
    *:8080                 server1.mydomain.com (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
    *:80                   is a NameVirtualHost
             default server server1.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost 000default.com (/etc/apache2/sites-enabled/100-000default.com.vhost:7)
                     alias www.000default.com
             port 80 namevhost network.mydomain.com (/etc/apache2/sites-enabled/100-network.mydomain.com.vhost:7)
             port 80 namevhost mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:7)
                     alias www.mydomain.com
             port 80 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/100-server1.mydomain.com.vhost:7)
    *:443                  is a NameVirtualHost
             default server mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:125)
             port 443 namevhost mydomain.com (/etc/apache2/sites-enabled/100-mydomain.com.vhost:125)
                     alias www.mydomain.com
             port 443 namevhost server1.mydomain.com (/etc/apache2/sites-enabled/100-server1.mydomain.com.vhost:93)
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/var/log/apache2/error.log"
    Mutex default: dir="/var/run/apache2/" mechanism=default
    Mutex mpm-accept: using_defaults
    Mutex fcgid-pipe: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex fcgid-proctbl: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex ssl-cache: using_defaults
    PidFile: "/var/run/apache2/apache2.pid"
    I have found out that the server cirtificate is not getting generated properly.
    What I meant here is
    1- server1.mydomain.com has a valid LE certificate no question.
    2- When I run the command
    Code:
    ispconfig_update.sh --force
    I get the following error
    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for server1.mydomain.com
    Using certificate path /etc/letsencrypt/live/server1.mydomain.com
    Server's public ip(s) (X.Y.X.W) not found in A/AAAA records for server1.mydomain.com: 10.10.10.2
    Ignore DNS check and continue to request certificate? (y,n) [n]:y
    So I think the way I configure my server is it has a private IP address and then it is natted to a public IP.
    Could that be the problem.
    In any case, how do I overcome this issue?
    Do I change my setup to have the public on the interface direct and forget about nat.
    The only reason, I set it up this way is for security.
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  20. Steini86

    Steini86 Active Member

    The only security benefit you get by this is that only forwarded ports connect to the server. You can achieve the same by using a firewall and only open needed ports.

    This 'can' be a problem. However, disabling the check should be working then. You might also want to disable the check for all web hosts: ("System" -> "Server Config" -> "Web" -> "Skip Lets Encrypt Check").

    Somehow you mixed your vhosts:
    You have a "server1.mydomain.com" configured in 000-default.conf and in 100-server1.mydomain.com.vhost
    You have 000default.com configured as a web but not with ssl? The purpose of a default host is to be a default for SSL, when the vhost does not have ssl enabled (like network.mydomain.com, which has no ssl config)
    I don't know whats inside your /etc/apache2/sites-enabled/000-default.conf, but you could try to delete / move that file and test again.
     

Share This Page