Deployment Overview of ISPConfig on Server

Prerequisites and Basic Requirements

The deployment of ISPConfig requires a server running an Ubuntu-based Linux distribution. The following components and privileges are necessary for a successful installation:

  • Operating System: Ubuntu (detected via ansible_lsb.codename or ansible_distribution_release).
  • Privileges: Root access is required to install packages, configure the firewall, and manage Docker containers.
  • Network: The server must have a valid IPv4 address and internet connectivity to download packages and Docker images.
  • Ports: The following TCP ports must be open and accessible:
    • 22 (SSH)
    • 80 (HTTP)
    • 443 (HTTPS)
    • 8080 (Internal ISPConfig interface)

FQDN of the Final Panel

The Fully Qualified Domain Name (FQDN) for accessing the ISPConfig panel is constructed using the prefix ispconfig, the unique server ID, and the hostkey.in zone. The format is:

ispconfig<Server ID>.hostkey.in

The panel is accessible via HTTPS on port 443. The internal service listens on port 8080.

File and Directory Structure

The application files, configuration data, and certificates are stored in the following locations:

  • ISPConfig Interface: /usr/local/ispconfig/interface
  • ISPConfig Library: /usr/local/ispconfig/interface/lib
  • ISPConfig Configuration: /usr/local/ispconfig/interface/lib/config.inc.php
  • ISPConfig Temp Directory: /usr/local/ispconfig/interface/temp
  • PHPIDS Temp Directory: /usr/local/ispconfig/interface/lib/classes/IDS/tmp
  • Nginx Proxy Configuration: /root/nginx
  • Nginx User Configuration: /data/nginx/user_conf.d
  • Nginx Secrets Volume: /etc/letsencrypt (mounted in Docker)

Application Installation Process

ISPConfig is installed using the official autoinstaller script (ispconfig.ai.php) with specific flags to configure a minimal setup. The process involves the following steps:

  1. Prerequisite Installation: Essential packages including php-cli, php-mbstring, curl, tar, unzip, nginx, and bind9 are installed via APT.
  2. Download and Extract: The ISPConfig autoinstaller archive is downloaded from https://www.ispconfig.org/downloads/ispconfig-ai.tar.gz and extracted to /tmp/ispconfig-ai.
  3. Script Modification: A specific modification is applied to /tmp/ispconfig-ai/lib/os/class.ISPConfigDebianOS.inc.php to handle version detection correctly.
  4. Execution: The installer is run with the following flags:
    • --use-nginx: Enables Nginx as the web server.
    • --no-roundcube: Disables Roundcube installation.
    • --no-mail: Disables mail server configuration.
    • --no-dns: Disables DNS server configuration.
    • --no-ftp: Disables FTP server configuration.
    • --unattended-upgrades: Enables automatic security updates.
    • --i-know-what-i-am-doing: Confirms the user understands the implications.

The installation log is saved to /root/ispconfig-ai-run.log.

Access Rights and Security

Security is enforced through the Uncomplicated Firewall (UFW) and specific file permissions.

  • Firewall (UFW):
    • UFW is enabled by default.
    • Allowed TCP ports: 22, 80, 443, 8080.
  • User Accounts:
    • The web server user is set to www-data.
    • The root user owns the main ISPConfig directories.
  • Restrictions:
    • The www-data user has read access to the main configuration file (config.inc.php).
    • The www-data user has read/write access to temporary directories.

Databases

The application uses a MariaDB database for its data storage.

  • Database Name: dbispconfig
  • Host: localhost
  • Port: 3306
  • Root Password: admin123
  • ISPConfig User: ispconfig
  • ISPConfig Password: admin123
  • Character Set: utf8

The database is managed via the corporate Bitnami MariaDB image (docker-srv.hostkey.com/docker-anonymous/bitnami/mariadb:latest).

Docker Containers and Their Deployment

A Docker container is deployed to handle SSL termination and reverse proxying using Nginx and Certbot.

  • Image: jonasal/nginx-certbot:latest
  • Deployment Method: Docker Compose
  • Compose File Location: /root/nginx/compose.yml
  • Network Mode: host
  • Restart Policy: unless-stopped
  • Volumes:
    • nginx_secrets (external) mounted to /etc/letsencrypt
    • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d
  • Environment:
    • CERTBOT_EMAIL: [email protected]
    • Additional environment variables are loaded from /data/nginx/nginx-certbot.env

The container is started using the command docker compose up -d from the /root/nginx directory.

Proxy Servers

Nginx acts as the reverse proxy for the ISPConfig panel, handling SSL termination via Certbot.

  • Proxy Configuration:
    • The proxy passes traffic from the external port 443 to the internal ISPConfig service at http://127.0.0.1:8080.
    • The configuration file is located at /data/nginx/user_conf.d/ispconfig<Server ID>.hostkey.in.conf.
  • SSL:
    • SSL certificates are managed automatically by the Certbot container.
    • The internal ISPConfig service on port 8080 does not use SSL; it communicates via HTTP.
  • Host Nginx:
    • A local Nginx instance is configured to listen on port 8080 for the ISPConfig interface.
    • The configuration file is located at /etc/nginx/sites-available/ispconfig.vhost.
    • Default and ACME sites on the host Nginx are removed to prevent conflicts.

Permission Settings

File and directory permissions are set to ensure the web server can operate correctly while maintaining security.

Path                                                  Owner      Group      Mode
/usr/local/ispconfig                                  root       root       0755
/usr/local/ispconfig/interface                        root       root       0755
/usr/local/ispconfig/interface/lib                    root       root       0755
/usr/local/ispconfig/interface/lib/config.inc.php     root       www-data   0640
/usr/local/ispconfig/interface/temp                   www-data   www-data   0770
/usr/local/ispconfig/interface/lib/classes/IDS/tmp    www-data   www-data   0770
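
The table above can be checked against a running server. The following script is an added example, not part of the original deployment tooling; it assumes GNU stat, and the PREFIX argument is a hypothetical helper for auditing a staging copy.

```shell
#!/bin/sh
# Added example (not from the original page): audit owner, group and mode
# against the Permission Settings table. Requires GNU stat.

# Expected state from the table; modes written as stat prints them (755 = 0755).
EXPECTED_PERMS='/usr/local/ispconfig root root 755
/usr/local/ispconfig/interface root root 755
/usr/local/ispconfig/interface/lib root root 755
/usr/local/ispconfig/interface/lib/config.inc.php root www-data 640
/usr/local/ispconfig/interface/temp www-data www-data 770
/usr/local/ispconfig/interface/lib/classes/IDS/tmp www-data www-data 770'

# audit_perms TABLE [PREFIX]
# TABLE holds "path owner group mode" lines. PREFIX (hypothetical helper
# argument) is prepended to each path so a staging copy can be audited.
# Prints one line per deviation; the return status is the deviation count.
audit_perms() {
    table=$1
    prefix=${2:-}
    bad=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue
        target=$prefix$path
        if [ ! -e "$target" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        # %U owner name, %G group name, %a octal mode without leading zero
        actual=$(stat -c '%U %G %a' "$target")
        if [ "$actual" != "$owner $group $mode" ]; then
            echo "MISMATCH $path: expected $owner $group $mode, found $actual"
            bad=$((bad + 1))
        fi
    done <<EOF
$table
EOF
    return "$bad"
}

# On the server, as root:  audit_perms "$EXPECTED_PERMS"
```

A MISMATCH on config.inc.php is the line to look at first, since that file is the one the table restricts to root and the www-data group.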

Location of Configuration Files and Data

Key configuration files and data locations are as follows:

  • ISPConfig Main Config: /usr/local/ispconfig/interface/lib/config.inc.php
  • ISPConfig Vhost Config: /etc/nginx/sites-available/ispconfig.vhost
  • Docker Compose File: /root/nginx/compose.yml
  • Nginx Proxy Config: /data/nginx/user_conf.d/ispconfig<Server ID>.hostkey.in.conf
  • Installation Log: /root/ispconfig-ai-run.log

Available Ports for Connection

The following ports are configured and available for connection:

  • Port 22: SSH access.
  • Port 80: HTTP (redirected to HTTPS by the proxy).
  • Port 443: HTTPS (ISPConfig panel access).
  • Port 8080: Internal ISPConfig interface (HTTP only, proxied).

Starting, Stopping, and Updating

Service management is handled via systemd for the host services and Docker Compose for the proxy container.

  • Nginx Service:
    • Reload: systemctl reload nginx
    • Restart: systemctl restart nginx
  • Docker Proxy Container:
    • Start/Restart: docker compose up -d (executed from /root/nginx)
    • Stop: docker compose down (executed from /root/nginx)
  • ISPConfig Updates:
    • Updates are managed via the ISPConfig interface or by re-running the autoinstaller with update flags.
    • Unattended upgrades are enabled for system packages.