Installing ISPConfig on Ubuntu Linux
ISPConfig is an open source, transparent, free, stable and secure administration tool, available in more than 20 languages. ISPConfig simplifies the management of various web hosting services such as DNS configuration, domain name management, email, or FTP file transfer. It can be used to manage a single server, multiple servers for larger setups or even mirrored clusters.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
- An Instance running on Ubuntu. For performance reasons, we recommend using an Instance with at least 4 GB of RAM.
- A domain or subdomain pointed to your Instance
- The hostname and reverse DNS of your Instance set to a valid FQDN
Installing ISPConfig
- Connect to your Instance via SSH.

- Update and upgrade the software already installed on the Instance.

      apt update && apt upgrade -y

- Change the default shell. /bin/sh is a symlink to /bin/dash, but ISPConfig requires bash as shell. Reconfigure it to /bin/bash:

      dpkg-reconfigure dash

- Answer the following question with No:

      Use dash as the default system shell (/bin/sh)?

  Important: If you skip this step, the ISPConfig installation will fail.

- Disable and remove AppArmor as it might cause conflicts during the installation of ISPConfig:

      update-rc.d -f apparmor remove
      apt-get remove apparmor apparmor-utils

- Install Postfix, Dovecot, MariaDB, rkhunter, binutils and other required software on the Instance.

      apt install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo -y

  During the installation, you will be asked some questions regarding the configuration of Postfix. Answer them as follows:

      General type of mail configuration: Internet Site
      System mail name: server.yourdomain.com (Your FQDN)

- Edit the file /etc/postfix/master.cf by uncommenting the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject in both the submission and smtps sections, and leave everything thereafter commented. Make sure to keep the leading whitespace before each -o line, as it is required:

      [...]
      submission inet n - - - - smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      # -o smtpd_reject_unlisted_recipient=no
      # -o smtpd_client_restrictions=$mua_client_restrictions
      # -o smtpd_helo_restrictions=$mua_helo_restrictions
      # -o smtpd_sender_restrictions=$mua_sender_restrictions
      # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      # -o milter_macro_daemon_name=ORIGINATING
      smtps inet n - - - - smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      # -o smtpd_reject_unlisted_recipient=no
      # -o smtpd_client_restrictions=$mua_client_restrictions
      # -o smtpd_helo_restrictions=$mua_helo_restrictions
      # -o smtpd_sender_restrictions=$mua_sender_restrictions
      # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      # -o milter_macro_daemon_name=ORIGINATING
      [...]

- Save the file, exit your text editor and restart postfix.

      service postfix restart
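A quick way to confirm the master.cf edit took effect, as an added example that is not part of the original tutorial: the function name `check_master_cf` and the sample file are assumptions made for illustration. It applies Postfix's own parsing rule (a line starting in column 1 opens a new service, a line starting with whitespace continues the previous one), so an override that lost its leading whitespace or stayed commented is reported.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the tutorial).
# Returns 0 only if both the submission and smtps services carry an active
# "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" override.
check_master_cf() {
    awk '
        /^[ \t]*(#|$)/ { next }              # comments and blank lines are ignored
        /^[^ \t]/      { svc = $1; next }    # column 1 starts a new service entry
        {                                    # leading whitespace: continues svc
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == want) active[svc] = 1
        }
        END {
            rc = 0
            n = split("submission smtps", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in active)) { print "not active for: " need[i]; rc = 1 }
            exit rc
        }
    ' want='-o smtpd_client_restrictions=permit_sasl_authenticated,reject' \
      "${1:-/etc/postfix/master.cf}"
}

# Constructed sample: the smtps override was left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
check_master_cf "$sample" || echo "master.cf needs fixing"
rm -f "$sample"
```

Run without an argument on the Instance, it checks /etc/postfix/master.cf.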
Configuring MariaDB
- Open the file /etc/mysql/mariadb.conf.d/50-server.cnf in a text editor and comment out the line bind-address as follows to enable connections from other hosts. Also add the value sql-mode="NO_ENGINE_SUBSTITUTION" as this SQL mode is required by ISPConfig3:

      [...]
      # Instead of skip-networking the default is now to listen only on
      # localhost which is more compatible and is not less secure.
      #bind-address = 127.0.0.1

      # Required SQL Mode for ISPConfig3
      sql-mode = "NO_ENGINE_SUBSTITUTION"
      [...]

- Initialize the MariaDB server:

      mysql_secure_installation

  You will be asked several questions that should be answered as follows:

      Enter current password for root (enter for none): Press Enter
      Set root password? [Y/n]: Y
      New password: Enter the new MariaDB root password
      Re-enter new password: Repeat the password
      Remove anonymous users? [Y/n]: Y
      Disallow root login remotely? [Y/n]: Y
      Reload privilege tables now? [Y/n]: Y

- Set the password authentication method to Native.

      echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

- Open the file /etc/mysql/debian.cnf and add your password to the configuration.

      # Automatically generated for Debian scripts. DO NOT TOUCH!
      [client]
      host = localhost
      user = root
      password = MY_SECRET_PASSWORD
      socket = /var/run/mysqld/mysqld.sock
      [mysql_upgrade]
      host = localhost
      user = root
      password = MY_SECRET_PASSWORD
      socket = /var/run/mysqld/mysqld.sock
      basedir = /usr

  Replace MY_SECRET_PASSWORD with the password you have set in a previous step.

- Save the file, exit your text editor and restart the MariaDB service:

      service mysql restart
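With bind-address commented out, MariaDB listens on every interface of the Instance, not only on localhost. The following added example (not part of the original tutorial; `mariadb_exposed_listeners` is a hypothetical helper name and the sample `ss` output is constructed) lists the non-loopback addresses on which port 3306 is reachable, so you know what the listener exposes after the restart.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the tutorial).
# Reads `ss -ltn` output on stdin, prints every non-loopback address with a
# listener on TCP 3306, and returns 1 if any exist (0 if none).
mariadb_exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }                 # skips the header line too
        {
            n = split($4, part, ":")            # $4 is "Local Address:Port"
            if (part[n] != "3306") next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            print host
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `ss -ltn` output after bind-address was commented out.
sample='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$sample" | mariadb_exposed_listeners \
    || echo "MariaDB accepts connections on the addresses listed above"

# On the Instance itself: ss -ltn | mariadb_exposed_listeners
```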
Configuring antivirus
- Install Amavisd-new, SpamAssassin, ClamAV and the additional software required for these services:

      apt install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey -y

- Stop Amavisd-new from loading the SpamAssassin filter library internally, if you wish to free up some RAM.

      service spamassassin stop
      update-rc.d -f spamassassin remove

- Update the antivirus signatures and start the service:

      freshclam
      service clamav-daemon start
Setting up the web server
- Install the Nginx web server, fcgiwrap, HHVM and PHP7.0 with its different modules:

      apt install nginx fcgiwrap php7.0 php7.0-common php7.0-fpm php7.0-gd php7.0-mysql php7.0-imap php7.0-cli php7.0-cgi php-pear mcrypt imagemagick libruby php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring php-soap php7.0-soap -y

  Important: It is possible to reduce the list of PHP modules, if you do not require all of them.

- Open the file /etc/php/7.0/fpm/php.ini in a text editor, add the line cgi.fix_pathinfo=0 and edit your timezone. The file should look like the following example:

      [...]
      ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. $
      ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not $
      ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Se$
      ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A sett$
      ; of zero causes PHP to behave as before. Default is 1. You should fix your s$
      ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
      ; http://php.net/cgi.fix-pathinfo
      cgi.fix_pathinfo=0
      [...]
      [Date]
      ; Defines the default timezone used by the date functions
      ; http://php.net/date.timezone
      date.timezone = "Europe/Paris"
      [...]

- Install phpMyAdmin.

      apt install phpmyadmin php-mbstring php-gettext -y

  During the installation you will be asked if you want to configure a web server automatically. Skip this step, as Nginx is used. When asked if the database should be configured with dbconfig-common, choose yes and press Enter to generate a random password. Alternatively, you can choose your own password when prompted.

  Important: Once ISPConfig is installed, you can access phpMyAdmin at http://YOUR_FQDN.TLD:8081/phpmyadmin.

- Install certbot to manage Let’s Encrypt SSL certificates:

      apt install software-properties-common -y
      add-apt-repository universe
      add-apt-repository ppa:certbot/certbot
      apt update
      apt install certbot -y

  Once installed, create a Let’s Encrypt account by running the following command and answering the questions:

      certbot register
Configuring storage
- Install the PureFTPd FTP server and quotas by running the following command.

      apt install pure-ftpd-common pure-ftpd-mysql quota quotatool -y

  Once installed, open the file /etc/default/pure-ftpd-common in your favorite text editor and enable VIRTUALCHROOT by setting the value to true:

      [...]
      # VIRTUALCHROOT:
      # whether to use binary with virtualchroot support
      # valid values are "true" or "false"
      # Any change here overrides the setting in debconf.
      VIRTUALCHROOT=true
      [...]

  Enable TLS by typing:

      echo 1 > /etc/pure-ftpd/conf/TLS

  In order to use TLS, an SSL certificate is required. To create one, a corresponding directory must be created first. Run the following command to create it.

      mkdir -p /etc/ssl/private/

  Then generate the certificate by running the following command:

      openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

  Answer the questions to generate the request:

      Country Name (2 letter code) [AU]:
        Enter the two-letter country code of your country. For example: FR
      State or Province Name (full name) [Some-State]:
        Enter the name of your region. For example: Ile de France
      Locality Name (eg, city) []:
        Enter the name of your locality or city. For example: Paris
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
        Enter the name of your company or organization. For example: Scaleway
      Organizational Unit Name (eg, section) []:
        Enter the name of your unit or department. For example: Documentation & Tutorials
      Common Name (e.g. server FQDN or YOUR name) []:
        Enter the FQDN of your instance. For example: ispcp.mydomain.tld
      Email Address []:
        Enter your email address. For example: me@mydomain.tld

  Update the permissions of the SSL certificate:

      chmod 600 /etc/ssl/private/pure-ftpd.pem

  Restart PureFTPd:

      service pure-ftpd-mysql restart

- Edit the /etc/fstab file by adding usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0. It should look like the following example:

      # Generated by Scaleway's build system
      PARTUUID=9d906626-d654-4523-adac-6a66ebcb016f / ext4 rw,relatime,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
      PARTUUID=2c2cbf1f-5411-4834-95aa-68674958199c /boot/efi vfat rw,relatime,errors=remount-ro,nofail 0 2

  Then enable quotas by running the following commands:

      mount -o remount /
      quotacheck -avugm
      quotaon -avug
Setting up the rest of the stack
- Install the BIND DNS server, as well as AWStats, vlogger and Webalizer with the following command:

      apt install bind9 dnsutils haveged vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl -y

- Open the file /etc/cron.d/awstats and edit it as in the following example:

      MAILTO=root

      */10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

      # Generate static reports:
      10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

- Install Jailkit to chroot your users by running the following commands:

      apt install build-essential autoconf automake1.11 libtool flex bison debhelper binutils python -y
      cd /tmp
      wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
      tar xvfz jailkit-2.19.tar.gz
      cd jailkit-2.19
      echo 5 > debian/compat

  Build the Jailkit package by running:

      ./debian/rules binary

  Then install the tool by running the following commands:

      cd ..
      dpkg -i jailkit_2.19-1_*.deb
      rm -rf jailkit-2.19*

- Install Fail2Ban and a UFW Firewall on the Instance:

      apt install fail2ban ufw -y

- Create and open the file /etc/fail2ban/jail.local in your favorite text editor and paste the following content into it to monitor SSH, PureFTPd, Dovecot and Postfix:

      [ssh]
      enabled = true
      port = ssh
      filter = sshd
      logpath = /var/log/auth.log
      maxretry = 3

      [pure-ftpd]
      enabled = true
      port = ftp
      filter = pure-ftpd
      logpath = /var/log/syslog
      maxretry = 3

      [dovecot]
      enabled = true
      filter = dovecot
      action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
      logpath = /var/log/mail.log
      maxretry = 3

      [postfix]
      enabled = true
      port = smtp
      filter = postfix
      logpath = /var/log/mail.log
      maxretry = 3

  Restart Fail2Ban to apply the configuration.

      service fail2ban restart
- Install the Roundcube web mail interface via apt:

      apt install roundcube roundcube-core roundcube-mysql roundcube-plugins javascript-common libjs-jquery-mousewheel php-net-sieve tinymce -y

  When asked if you want to configure the database with dbconfig-common, choose Yes, then press Enter on your keyboard to generate a random password for the Roundcube database.

  Open the file /etc/roundcube/config.inc.php in a text editor and change the default_host value to localhost:

      $config['default_host'] = 'localhost';

  Create a symlink to use the SquirrelMail configuration in ISPConfig for Roundcube:

      ln -s /usr/share/roundcube /usr/share/squirrelmail

  Important: After installation of ISPConfig, your webmail will be available at http://YOUR_FQDN:8081/webmail.
- Download and unpack ISPConfig3 by running the following commands:

      cd /tmp
      wget https://ispconfig.org/downloads/ISPConfig-3.2.8p1.tar.gz
      tar xfz ISPConfig*.tar.gz
      cd ispconfig3*/install/

  The installer guides you through the setup of ISPConfig3 and configures all required services. Start it with the following command:

      php -q install.php

  The installer will ask you several questions about the configuration of ISPConfig3. The values in brackets are pre-filled:

      Select language (en,de) [en]:
        Select the default language for the interface. During installation, you can choose between English (en) and German (de). Other languages can be installed from the admin interface once the software is installed.
      Installation mode (standard,expert) [standard]:
        Select the installation mode: Standard or Expert. You can keep the default value and validate it by pressing Enter.
      Full qualified hostname (FQDN) of the server, eg server1.domain.tld [ispcp.mydomain.tld]:
        Enter the FQDN of your instance. Normally this value is pre-filled, and you can confirm it by pressing Enter on your keyboard.
      MySQL server hostname [localhost]:
        Enter the hostname of the database server. Since MariaDB is running on the local host, validate the default value by pressing Enter on your keyboard.
      MySQL server port [3306]:
        The MySQL server port. As the server is running on the standard port, validate the default value by pressing Enter on your keyboard.
      MySQL root username [root]:
        The MySQL username. Validate the default value by pressing Enter on your keyboard.
      MySQL root password []:
        Enter the password of the MySQL user that you have configured at the beginning of the tutorial.
      MySQL database to create [dbispconfig]:
        The name of the database ISPConfig will use. Validate the default value by pressing Enter on your keyboard.
      MySQL charset [utf8]:
        The charset of your database. Validate the default value by pressing Enter on your keyboard.
      ISPConfig Port [8080]:
        The port on which ISPConfig will listen. Validate the default value by pressing Enter on your keyboard.
      Admin password [admin]:
        The administrator password. You can keep the default value and change the password after installation from the web interface. Validate the default value by pressing Enter on your keyboard.
      Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
        Provide an SSL encrypted connection to the admin interface. Validate the default value by pressing Enter on your keyboard.

  During setup, you will be asked to enter information about the SSL certificate for the web interface. Enter the required information as done previously.

  You can now open a web browser and type https://YOUR_FQDN:8080/ (for example: https://ispconfig.example.com:8080/). The login screen will appear. Log in with the following credentials:

  - User: admin
  - Password: admin

  You are now logged into ISPConfig and can change your password, create users, sites, mailboxes etc.
For more information on how to manage your websites with ISPConfig, refer to the official documentation.