Deployment Overview of ISPConfig on Server¶

Prerequisites and Basic Requirements¶

The following requirements must be met on the target server before deployment:

Operating System: Ubuntu (specifically jammy or compatible versions supporting apt package management).
Privileges: Root access or sudo privileges are required to install packages, configure the firewall, and manage Docker containers.
Domain Configuration: The server must be configured to resolve the Fully Qualified Domain Name (FQDN) defined in the deployment.
Ports: The following TCP ports must be open and accessible:
22: SSH access.
80: HTTP (used for SSL certificate validation).
443: HTTPS (external access to the panel).
8080: Internal ISPConfig service port.

The ISPConfig panel is accessible via the following Fully Qualified Domain Name (FQDN) format:

The hostname of the server is automatically set to match this FQDN during the installation process.

The application and its components are deployed in the following locations:

ISPConfig Interface: /usr/local/ispconfig/interface
ISPConfig Configuration: /usr/local/ispconfig/interface/lib/config.inc.php
ISPConfig Temporary Files: /usr/local/ispconfig/interface/temp
PHPIDS Temporary Files: /usr/local/ispconfig/interface/lib/classes/IDS/tmp
Nginx Proxy Configuration: /root/nginx
Nginx User Configuration: /data/nginx/user_conf.d
Docker Compose File: /root/nginx/compose.yml
Installation Log: /root/ispconfig-ai-run.log

The ISPConfig application is installed using the official autoinstaller script with specific flags to configure a minimal setup.

Installer Source: The installer is downloaded from https://www.ispconfig.org/downloads/ispconfig-ai.tar.gz.
Installation Flags:
--use-nginx: Enables Nginx as the web server.
--no-roundcube: Disables the Roundcube webmail installation.
--no-mail: Disables mail server configuration.
--no-dns: Disables DNS server configuration.
--no-ftp: Disables FTP server configuration.
--unattended-upgrades: Enables automatic security updates.
--i-know-what-i-am-doing: Bypasses interactive warnings.
Execution: The installer is executed via php -q /tmp/ispconfig-ai/ispconfig.ai.php with the flags listed above.
Version: The installation uses the latest version available at the time of the script execution, determined dynamically by the installer.

Security measures are implemented via the UFW firewall and specific user permissions.

Firewall (UFW):
The ufw service is enabled.
Allowed TCP ports: 22, 80, 443, 8080.
User Permissions:
The web server user is set to www-data.
The config.inc.php file is owned by root with group www-data and permissions 0640.
Temporary directories are owned by www-data with permissions 0770.

The application uses a MariaDB database for its configuration and data storage.

Database Name: dbispconfig
Database Host: localhost
Database Port: 3306
Database User: ispconfig
Database Password: admin123
Root User: root
Root Password: admin123
Storage Location: The database is hosted locally on the server.
Image: The deployment pulls a corporate MariaDB image from docker-srv.hostkey.com/docker-anonymous/bitnami/mariadb:latest.

A Docker container is deployed to handle reverse proxying and SSL certificate management.

Container Image: jonasal/nginx-certbot:latest
Deployment Method: Docker Compose
Compose File Location: /root/nginx/compose.yml
Network Mode: host
Volumes:
nginx_secrets: Mounted to /etc/letsencrypt (external volume).
/data/nginx/user_conf.d: Mounted to /etc/nginx/user_conf.d.
Environment Variables:
CERTBOT_EMAIL: [email protected]
Restart Policy: unless-stopped
Command: The container is started using docker compose up -d in the /root/nginx directory.

Nginx is configured as the reverse proxy to handle external traffic and SSL termination.

Proxy Configuration:
External traffic on port 443 is handled by the Dockerized Nginx-Certbot container.
The proxy forwards requests to the internal ISPConfig service at http://127.0.0.1:8080.
SSL/TLS:
Managed by the nginx-certbot container.
Certificates are stored in the nginx_secrets volume at /etc/letsencrypt.
Internal Nginx:
A host-level Nginx instance listens on port 8080 without SSL.
Configuration file: /etc/nginx/sites-available/ispconfig.vhost.
Default and ACME sites on the host Nginx are removed to prevent conflicts.

File and directory permissions are strictly set to ensure security and proper functionality.

Directories:
/usr/local/ispconfig: 0755 (Owner: root, Group: root)
/usr/local/ispconfig/interface: 0755 (Owner: root, Group: root)
/usr/local/ispconfig/interface/lib: 0755 (Owner: root, Group: root)
/usr/local/ispconfig/interface/temp: 0770 (Owner: www-data, Group: www-data)
/usr/local/ispconfig/interface/lib/classes/IDS/tmp: 0770 (Owner: www-data, Group: www-data)
Files:
/usr/local/ispconfig/interface/lib/config.inc.php: 0640 (Owner: root, Group: www-data)

Key configuration files and data directories are located as follows:

ISPConfig Main Config: /usr/local/ispconfig/interface/lib/config.inc.php
Nginx Proxy Config: /root/nginx/compose.yml
Nginx User Config: /data/nginx/user_conf.d/ispconfig<Server ID>.hostkey.in.conf
Host Nginx Site Config: /etc/nginx/sites-available/ispconfig.vhost
Database Credentials: Stored within the ISPConfig configuration and managed via the MariaDB service.

The following ports are configured and open for connections:

Port 22: SSH (Secure Shell)
Port 80: HTTP (Redirected/Used for SSL validation)
Port 443: HTTPS (ISPConfig Panel Access)
Port 8080: Internal ISPConfig Service (Not directly exposed to the public internet)

Service management is handled via Docker Compose for the proxy and standard service commands for the host components.

Docker Proxy Service:
Start/Restart: docker compose up -d (executed from /root/nginx)
Stop: docker compose down (executed from /root/nginx)
Host Nginx Service:
Reload: systemctl reload nginx
Restart: systemctl restart nginx
ISPConfig Updates:
Updates are managed via the ISPConfig interface or by re-running the autoinstaller script with update flags.
Unattended upgrades are enabled for system packages.