Deployment Overview of HestiaCP on Server

Prerequisites and Basic Requirements

The deployment of HestiaCP requires a server running a supported Linux distribution with root privileges. The system must have network access to download installation scripts and dependencies.

  • Operating System: Ubuntu or Debian (Debian 12 additionally receives the software-properties-common package listed below).

  • Privileges: Root access is required to install system packages, configure the kernel, and run the installation script.

  • Network Ports:

    • Port 8083 is configured for the HestiaCP web interface.

    • Standard ports for web services (HTTP/HTTPS), mail, DNS, and FTP are enabled by default during installation.

  • System Packages: The installation process installs the following essential utilities:

    • curl, wget, gnupg, apt-transport-https, ca-certificates, dnsutils, gawk, xterm, systemd-timesyncd.

    • software-properties-common is installed on Debian 12.

File and Directory Structure

The deployment establishes specific directories for configuration files, data storage, and container management.

  • HestiaCP Installation Directory: /usr/local/hestia

    • Contains the core application binaries and scripts.

    • Cron jobs are managed via /usr/local/hestia/bin/cron.php.

  • Nginx and Certbot Configuration:

    • Configuration directory: /root/nginx

    • Docker Compose file: /root/nginx/compose.yml

    • Environment file: /data/nginx/nginx-certbot.env

    • User configuration directory: /data/nginx/user_conf.d

  • SSL Certificates:

    • Stored in the Docker volume nginx_secrets mounted at /etc/letsencrypt within the container.

Application Installation Process

HestiaCP is installed using a dedicated shell script downloaded from the official repository. The installation is performed non-interactively with specific parameters to enable all core modules.

  1. Kernel Optimization:

    • The TCP congestion control algorithm is set to bbr (net.ipv4.tcp_congestion_control=bbr).

    • The default queue discipline is set to fq (net.core.default_qdisc=fq).

  2. Script Download:

    • For Ubuntu systems, the script is downloaded to /root/hst-install-ubuntu.sh.

    • For Debian systems, the script is downloaded to /root/hst-install-debian.sh.

  3. Execution: the installer is executed with the following configuration flags:

    • --hostname: Set to hestiacp{server_id}.hostkey.in.

    • --port: Set to 8083.

    • --email: Configured for administrative notifications.

    • --username: Set to admin.

    • --password: Set via the provided credential variable.

    • Enabled Modules:

      • --apache yes

      • --phpfpm yes

      • --vsftpd yes

      • --named yes

      • --mysql yes

      • --exim yes

      • --dovecot yes

      • --clamav yes

      • --spamassassin yes

      • --iptables yes

      • --fail2ban yes

      • --api yes

      • --interactive no

      • --force
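The three steps above as one script. This is an added example, not HestiaCP's own installer or the deployment's original script; it assumes the environment variables SERVER_ID, ADMIN_EMAIL, HESTIA_ADMIN_PASSWORD and HST_INSTALL_BASE_URL (the raw URL of the official repository's install/ directory), and the sysctl drop-in path is this example's choice.

```shell
#!/bin/sh
# Added example, not HestiaCP's own installer: applies the kernel tuning and
# builds the installer invocation described above. Assumes env vars SERVER_ID,
# ADMIN_EMAIL, HESTIA_ADMIN_PASSWORD, HST_INSTALL_BASE_URL (official install/ URL).
set -eu

# Persist both sysctl values in a drop-in (path is this example's choice).
apply_kernel_tuning() {
    printf 'net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n' \
        > /etc/sysctl.d/90-hestia-bbr.conf
    sysctl -p /etc/sysctl.d/90-hestia-bbr.conf
}

# Succeeds only when the kernel reports the expected values; optional
# arguments allow checking the logic without reading the live kernel.
kernel_tuning_ok() {
    cc="${1:-$(sysctl -n net.ipv4.tcp_congestion_control)}"
    qd="${2:-$(sysctl -n net.core.default_qdisc)}"
    [ "$cc" = bbr ] && [ "$qd" = fq ]
}

# Map the /etc/os-release ID to the script path used on this server.
installer_script() {
    case "$1" in
        ubuntu) echo /root/hst-install-ubuntu.sh ;;
        debian) echo /root/hst-install-debian.sh ;;
        *) echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# Emit the page's installer flags, one per line, for a server id and e-mail.
# The password is appended from the environment in run_install instead, so
# it is kept out of script files and shell history.
hestia_install_args() {
    printf '%s\n' \
        --hostname "hestiacp$1.hostkey.in" --port 8083 --email "$2" \
        --username admin --apache yes --phpfpm yes --vsftpd yes \
        --named yes --mysql yes --exim yes --dovecot yes --clamav yes \
        --spamassassin yes --iptables yes --fail2ban yes --api yes \
        --interactive no --force
}

run_install() {
    . /etc/os-release
    script="$(installer_script "$ID")"
    curl -fsSL "$HST_INSTALL_BASE_URL/hst-install-$ID.sh" -o "$script"
    chmod 0755 "$script"     # mode from the Permission Settings section
    apply_kernel_tuning
    # unquoted expansion is intended: no flag value contains whitespace
    bash "$script" $(hestia_install_args "$SERVER_ID" "$ADMIN_EMAIL") \
        --password "$HESTIA_ADMIN_PASSWORD"
}
```

Source the file and call run_install as root; nothing runs at load time, so the helper functions can be exercised on any machine.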

Access Rights and Security

Security measures are implemented through firewall rules, intrusion prevention, and user management.

  • Firewall: iptables is enabled and configured during the installation process.

  • Intrusion Prevention: fail2ban is installed and active to protect against brute-force attacks.

  • User Management:

    • The administrative user admin is created during installation.

    • The system verifies the existence of the admin user before managing cron jobs.

  • Antivirus and Spam:

    • clamav is installed for virus scanning.

    • spamassassin is installed for spam filtering.

Databases

The MySQL database server is installed and configured as part of the standard HestiaCP installation.

  • Service: MySQL is enabled via the --mysql yes flag.

  • Storage: Database files are stored in the default HestiaCP data directories managed by the application.

  • Access: Database connections are handled internally by HestiaCP services and are accessible via the web interface for management.

Docker Containers and Their Deployment

A Docker-based proxy and SSL management solution is deployed alongside HestiaCP using Docker Compose.

  • Container Image: jonasal/nginx-certbot:latest

  • Deployment Method: Docker Compose

  • Compose File Location: /root/nginx/compose.yml

  • Service Configuration:

    • Service Name: nginx

    • Restart Policy: unless-stopped

    • Network Mode: host

    • Environment Variables:

      • CERTBOT_EMAIL: Set to [email protected]

      • Additional variables are loaded from /data/nginx/nginx-certbot.env

    • Volumes:

      • nginx_secrets (external) mounted to /etc/letsencrypt

      • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d

To start the container stack, the following command is executed in the /root/nginx directory:

docker compose up -d
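The compose file described above, rendered and deployed by a script. This is an added example and not the deployment's own file; it assumes CERTBOT_EMAIL is set in the environment and that /data/nginx/nginx-certbot.env already exists. The 0600 mode on the env file is this example's choice (the page does not state its mode).

```shell
#!/bin/sh
# Added example, not the deployment's own compose.yml: renders the service
# described above from the page's values and brings it up. Assumes
# CERTBOT_EMAIL is set and /data/nginx/nginx-certbot.env already exists.
set -eu

# Print the compose file for the given Certbot e-mail address.
render_compose() {
    cat <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - CERTBOT_EMAIL=$1
    env_file:
      - /data/nginx/nginx-certbot.env
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d
volumes:
  nginx_secrets:
    external: true
EOF
}

# Apply the modes from the Permission Settings section. The env file may
# carry credentials, so it is tightened to 0600 (this example's choice).
# An external volume must exist before "docker compose up", otherwise
# compose refuses to start the service.
deploy_proxy() {
    install -d -m 0755 -o root -g root /root/nginx
    mkdir -p /data/nginx/user_conf.d
    render_compose "$CERTBOT_EMAIL" > /root/nginx/compose.yml
    chown root:root /root/nginx/compose.yml
    chmod 0644 /root/nginx/compose.yml
    chmod 0600 /data/nginx/nginx-certbot.env
    docker volume inspect nginx_secrets >/dev/null 2>&1 \
        || docker volume create nginx_secrets >/dev/null
    docker compose -f /root/nginx/compose.yml config -q   # validate first
    cd /root/nginx && docker compose up -d
}
```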

Proxy Servers

The deployment includes an Nginx container configured for SSL certificate management using Certbot.

  • Proxy Software: Nginx (running inside a Docker container).

  • SSL Management: Certbot is integrated to handle SSL certificate generation and renewal.

  • Configuration:

    • The proxy configuration files are stored in /data/nginx/user_conf.d.

    • The container uses the host network mode to bind directly to the server's network interfaces.

  • Custom Domains: The setup supports custom domains via the configuration files in the mounted volume.

Permission Settings

File and directory permissions are set to ensure secure operation of the services.

  • Nginx Directory:

    • Path: /root/nginx

    • Owner: root

    • Group: root

    • Mode: 0755

  • Docker Compose File:

    • Path: /root/nginx/compose.yml

    • Owner: root

    • Group: root

    • Mode: 0644

  • Installation Scripts:

    • Paths: /root/hst-install-ubuntu.sh and /root/hst-install-debian.sh

    • Mode: 0755

Starting, Stopping, and Updating

Service management for the Docker-based components is handled via Docker Compose commands.

  • Start/Restart:

    • Execute docker compose up -d in the /root/nginx directory to start or restart the Nginx and Certbot containers.

  • Stop:

    • Execute docker compose down in the /root/nginx directory to stop the containers.

  • Update:

    • To update the container image, pull the latest version using docker pull jonasal/nginx-certbot:latest and then restart the service with docker compose up -d.

For the HestiaCP core services, standard Linux service management commands (e.g., systemctl) are used to manage the installed packages (Apache, MySQL, Exim, etc.).
