Froxlor Forum

Maintenance Release froxlor 2.0.24 - New UI/UX, quick and easy webinstaller, command line tool & more


d00p


Dear froxlor community,

we are excited to announce the release of froxlor 2.0! This release includes several improvements and new features, which we have summarized below for you:
 

Redesigned UI: The appearance of the user interface has been completely modernized. The redesigned froxlor is now even more user-friendly, efficient and customizable.
We've added a global search for general data as well as for searching functions and configuration options. Custom column selection for listings has been added. And of course, it's all 100% responsive.

Revamped installation routine: The froxlor installation has been improved in many ways: it is now easier and faster than ever, and looks better.
Now you can activate SSL and PHP-FPM from within the installation process and start using froxlor in minutes.

Improved security features: With expanded and enhanced security features like modern password hashing-algorithms we have made froxlor a better place for your data. On top of that, the code has been completely reviewed and restructured to make security fixes easier, CSRF-tokens on forms have been implemented to make Cross Site transactions more secure, and much more.

CLI tool: With the new froxlor CLI tool, you can now use froxlor via the command line – great for automation!
For example, complete the installation process, check and run updates, (re)configure services and more.

 

Changes in 2.0:

New features:

  • [API] new MysqlServer Command to allow multiple MySQL servers to be used by customers
  • [API] optional requests via api.php?/module/function/
  • [UI] Global-search
  • [UI] Customize visibility of table-columns
  • [CLI] new bin/froxlor-cli tool (installer, updater, helper scripts and cron)
  • [Distros] added Debian Bookworm (12)* and Ubuntu 22.04 (Jammy Jellyfish)

Breaking changes:

  • PHP-7.4+ and php-gmp extension are now required
  • [API] auth via HTTP-Auth, old format with apikey/secret in the request is no longer possible
  • [UI] auto-update must be enabled explicitly in lib/config.inc.php
  • [Config] proftpd needs to be re-configured (or simply add `OpenSSL` to `SQLAuthTypes` in `/etc/proftpd/sql.conf`)
  • [Config] dovecot needs to be re-configured (or simply comment out `default_pass_scheme ...` in `/etc/dovecot/dovecot-sql.conf.ext`)
  • [Distros] removed Debian Stretch / Ubuntu Xenial and CentOS
  • [APT package] default installation path is now /var/www/html/froxlor.
    If you are updating, your froxlor installation will be moved there from /var/www/froxlor!


Changes in minor releases:

2.0.10 security release

  • enforce password requirements set in settings for directory-protection
    [CWE-521: Weak Password Requirements]
  • add missing use statement for error-reporting to include the dbms version
    [CWE-391: Unchecked Error Condition]
  • validate existence of language in admin-templates
    [CWE-840: Business Logic Errors]
  • verify cronjob interval is one of the fixed available values
    [CWE-96: Static Code Injection]
  • fix possible privilege escalation from customer to root when specifying custom error documents in directory-options
    [CWE-94: Code Injection]

2.0.11 security / bugfix release

  • add new email-domain-overview for better overview of multiple email-domains/addresses
  • fix let's encrypt dns validation check
  • backup possible remote-db-server databases in backup-cron
  • check for existing fields when setting/updating tablelisting-columns
    [CWE-352: Cross-Site Request Forgery (CSRF)]
  • corrected validation of import-settings data to avoid injecting malicious content
    [CWE-94: Code Injection]

2.0.12 bugfix release

  • fix wrong function-definition/call in Nginx cron
  • fix setting/resetting table-column preferences

2.0.13 maintenance release

  • keep search-fields/text in pagination links of displaying a search-result
  • specify clearly which tls settings are being overwritten/ignored depending on the 'Override system TLS settings' flag when adding/updating Domains
  • type-safe comparison of md5-compatibility hash-validation
    [CWE-305: Authentication Bypass by Primary Weakness]
  • fix email-domain navigation and descriptions
  • update dependencies

2.0.14/2.0.15 maintenance release

  • use correct parameter in PowerDNS::cleanDomainZone(), fixes #1104
  • add 'Passing HTTP AUTH BASIC' header option when using FCGID
  • require php-gd extension for better/secure validating uploaded images
  • add Spanish language (#1105)
  • avoid socket length limitations leading to cut-off/invalid filename for very long domain and/or loginnames, fixes #1108
  • corrected checkLocalGroup() validation if setting did not change, fixes #1111
  • open newsfeed-links in a new tab, fixes #1112
  • fix incorrect indexed array sorting in case of FTP-domain-usernames; fixes #1114
  • add certificate metadata to db table to allow filter/sort of 'Issuer', 'Valid from' and 'Valid until' properties
  • correctly retriggered certificate issue on froxlor-vhost alias-domain changes, fixes #1115

2.0.19 maintenance release

  • don't run cron tasks if requirements return non-success; fixes #1122
  • respect no-try_files setting also in protected directories
  • put php-fpm directives in Directory-directive in apache2; fixes #1120
  • strictly check whether field to select is the id or the email-address b/c in cases of email-addresses starting with a digit this is somehow used as value for the id field and returns the wrong entity
  • fix adding mysql-server to customers without any prior assigned mysql-server, fixes #1123
  • fix issues with displaying set value if path-mode is 'dropdown'
  • trigger rebuild of config files after changing only ip-settings in domains
  • add copy-system-details-to-clipboard button on admin dashboard; fixes #1126
  • Allow admins to edit openbasedir_path for domains (#1125)
  • set default value of 'openbasedir_path' to 0 in SubDomain.add() like we do in Domains.add()
  • set default value for email_quota to settings-default in EmailAccounts.add(); fixes #1132
  • Disable autocomplete on 2FA input element (#1133)
  • introduce http-request rate-limit

2.0.20 maintenance release

  • Fix typo in English privileged_passwd by @n-thumann in #1136
  • Fix IPv6 address in cookie domain by @n-thumann in #1137
  • Add same loginfail restrictions for entering 2fa code as for user/pwd login
  • Remove superfluous try_files in nginx config if php-backend (non-fastcgi) is used
  • Fix missing idna encode adding/editing email-account/email-forwarder
  • Secure filename of local-archive in webupdate
  • Show 0 value of resource-fields if value is empty, fixes #1149
  • Re-enable fcgid/php-fpm activation-validate-check

2.0.21 maintenance release

  • Correcting Nginx location match, fixes #1153
  • remove hidden fields from login/passwd-reset; refs #1102
  • adjust log-levels in API methods
  • exclude password fields from being filtered/escaped by AntiXSS, fixes #1150
  • Fix typo in pathDescriptionSubdomain; #1156
  • validate generated config-json parameter string

2.0.22 maintenance release

  • [API] validate non-empty admin-name in Admins.update()
  • [API] fix optional-flag for IpsAndPorts.add() and IpsAndPorts.update()
  • rework path to certificates non-ecc/ecc, regardless of current setting
  • adjust proftpd config for debian 12 bookworm
  • correctly redirect to last-page if session is timed out and remove passing script/qrystr url parameters
  • correct validation of hostingplan name and description
  • add config-diff CLI Command; #1168

2.0.23 bugfix release

  • [API] validate non-empty admin-name in Admins.update()
  • [API] fix optional-flag for IpsAndPorts.add() and IpsAndPorts.update()
  • rework path to certificates non-ecc/ecc, regardless of current setting
  • adjust proftpd config for debian 12 bookworm
  • correctly redirect to last-page if session is timed out and remove passing script/qrystr url parameters
  • correct validation of hostingplan name and description
  • add config-diff CLI Command by @bashgeek in #1168

2.0.24 maintenance release

  • fix API permission error in navigation when customer-hide-options include 'domains'; fixes #1183
  • fix vhost-cleaning regex for nginx-location directives; fixes #1185
  • added catalan language
  • NOTE: This is the last release in the 2.0 series. Stay tuned for announcements about froxlor-2.1

 

See also our Migration Guide for more information.

We hope you enjoy froxlor 2.0 and look forward to your feedback.
 

Download: 2.0website

Documentation at https://docs.froxlor.org/.


Visit https://www.froxlor.org and join our Discord channel (https://discord.froxlor.org) for support, help, participation or just to chat

Thank you,
the froxlor team

  • Like 1
Link to comment
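
The 2.0.13 changelog entry above ("type-safe comparison of md5-compatibility hash-validation", CWE-305) refers to a class of PHP comparison bug; the following is an added illustration of that class and its fix, not froxlor's own code. The function names and all sample values are hypothetical and constructed for this example.

```php
<?php
// Added example, not froxlor source. Names and sample values are hypothetical.

/** Loose legacy check: == compares two numeric-looking strings as numbers. */
function legacyMatchLoose(string $stored, string $computed): bool
{
    return $stored == $computed;
}

/** Type-safe legacy check: byte-wise and constant-time. */
function legacyMatchStrict(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

/**
 * Verify a login against either a modern password_hash() value or a legacy
 * md5 hex digest kept for compatibility. Returns [valid, needsRehash].
 */
function verifyPassword(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy md5 entry: accept only an exact match, then request an
        // upgrade to a modern hash on this successful login.
        $ok = legacyMatchStrict($stored, md5($password));
        return [$ok, $ok];
    }
    $ok = password_verify($password, $stored);
    return [$ok, $ok && password_needs_rehash($stored, PASSWORD_DEFAULT)];
}

// Constructed digest-shaped strings of the form 0e<digits>. PHP reads both
// as floats in scientific notation, so the loose check treats them as equal
// although the strings differ; the strict check does not.
$a = '0e' . str_repeat('1', 30);
$b = '0e' . str_repeat('2', 30);
var_dump(legacyMatchLoose($a, $b));
var_dump(legacyMatchStrict($a, $b));

// Constructed credentials exercising both storage formats.
$legacy = md5('constructed-sample-password');
$modern = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
var_dump(verifyPassword('constructed-sample-password', $legacy));
var_dump(verifyPassword('wrong-password', $legacy));
var_dump(verifyPassword('constructed-sample-password', $modern));
```
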

After a manual upgrade to php7.4

(https://prepaid-host.com/de/blog/php-7-4-auf-debian-11-10-9-installieren)

and enabling php7.4 in apache (a2enmod), I was able to log in. After that, of course, the path of the virtual domain was changed back to /var/www/froxlor, so I had to adjust this manually once more, and then in the config via the new frontend.

I hope everything works now as well.

 

Best regards,

Michael

Link to comment

Bravo! 👏👏👏👏

I had no idea that you're working on Froxlor revamp. It's been a nice surprise. Thank you!

For the moment I just upgraded one of the two servers, the one with less services just in case. The only thing I had to do was commenting out the default_pass_scheme = CRYPT option

Kudos to all the team @d00p

P.S. I'm just curious about the new path to /var/www/html/. Why that change?

Never mind, I see that it was a frequent request https://github.com/Froxlor/Froxlor/issues/1068

  • Like 1
Link to comment

really loving froxlor until now, but this quite unannounced and unstoppable update breaks my neck on several systems, would have preferred a clear update-path without auto-breaking systems.

Link to comment

7 hours ago, hk@ said:

really loving froxlor until now, but this quite unannounced and unstoppable update breaks my neck on several systems, would have preferred a clear update-path without auto-breaking systems.

"unannounced update" - literally in the announcement thread...hilarious.

Sorry you are having so much trouble - we've tried to test as much as possible but due to the support for various settings-combination we can never be sure to hit everything - hence we try to provide fixes as soon as possible.

Maybe in your case it would be a better idea to mark the froxlor debian package as hold and wait a few weeks

Link to comment

29 minutes ago, Meth0d said:

What is the equivalent of froxlor_master_cronjob.php --letsencrypt for the new /bin/froxlor-cli froxlor:cron ?

And should this not also be moved to /var/www/html/froxlor ?


 

Yes, there will be updater-procedures and a cli tool to do that in the upcoming version - it's a lot currently, please give us some time

Link to comment

On 1/11/2023 at 8:33 AM, d00p said:

"unannounced update" - literally in the announcement thread...hilarious.

Sorry you are having so much trouble - we've tried to test as much as possible but due to the support for various settings-combination we can never be sure to hit everything - hence we try to provide fixes as soon as possible.

Maybe in your case it would be a better idea to mark the froxlor debian package as hold and wait a few weeks

well, it is a major update - obviously - new installs, new requirements, several changes in paths, scripts etc.
announcements in the forum are usually not checked on a daily basis, we found out (and still find out) the hard way getting updates via apt which break a lot of things. holding packages would have been an option if we only had known beforehand...
(or major updates might choose to take an explicit path for packaging not going into autoupdates)

Link to comment

16 hours ago, d00p said:

We did not remove anything related to that - if I remember correctly you created something on your own for your needs

That's nice to read! Because my additions / pull request was not merged I have to dig to the code once more and try to implement again. I think git cannot help me here - the differences between 10.x and 2.x are too big. I will try to install a 2.x parallel to the existing 10.38 (using a different database) and try to implement again. I am not lucky about changes that ignore different paths on different distributions in the installer (not configurable in installation), but it is solvable...

Link to comment

28 minutes ago, df8oe said:

I am not lucky about changes that ignore different paths on different distributions in the installer (not configurable in installation), but it is solvable...

care to tell us what exactly you mean? what paths?

Link to comment

  • 2 weeks later...

Thank you for this revamp, Froxlor looks so good now!
The darkmode is a blessing to my tired eyes.

Everything worked flawlessly, even the change of the ACME path (I had /var/www/froxlor before and it auto-changed it to /var/www/html/froxlor with one manual command. Had me frightened for a bit but it worked).

  • Thanks 1
Link to comment

  • d00p changed the title to Security Release froxlor 2.0.10 - New UI/UX, quick and easy webinstaller, command line tool & more
  • 2 weeks later...
1 minute ago, negrusti said:
bin/froxlor-cli froxlor:config-services --apply='{"http":"nginx","dns":"x","smtp":"x","mail":"x","ftp":"x","distro":"focal","system":[]}'

This command at the very least must create backups of configuration files before overwriting them...

so it does...see the files with suffix .frx.bak

Link to comment

7 minutes ago, negrusti said:

Is there a way to set auto-upgrade to 1.x versions only? Not loving the new UI/UX at all and want to keep the auto-upgrade functional

1) there is no 1.x version only 0.10.x

2) there is no downgrade

3) sorry you don't like the new UI/UX

4) auto-update/web-ui update is still there, see docs: https://docs.froxlor.org/latest/general/migration-guide.html#auto-update-via-webinterface

5 minutes ago, negrusti said:

no such files in /etc/nginx/ after that command was run. nginx.conf was overwritten by default nginx version of that file

Yes, you are right, the nginx.conf is missing the backup=true parameter in the configfiles, sorry we've missed that

Link to comment

re. UI my main complaint is there is way too much white space (yes I know it is good for conventional sites). What used to be a concise view is now several pages of scrolling. Previous UI was awesome BTW and one of the main reasons I chose Froxlor some years ago. Are there any plans of refining that?

Link to comment

4 minutes ago, negrusti said:

re. UI my main complaint is there is way too much white space (yes I know it is good for conventional sites). What used to be a concise view is now several pages of scrolling. Previous UI was awesome BTW and one of the main reasons I chose Froxlor some years ago. Are there any plans of refining that?

You are free to create your own views/templates/theme

Link to comment

About the config file backups; I put my /etc/ folder under git version control. No remote repo or anything, just the ability to see and commit changes locally. There's also a project called 'etckeeper', which does the same. I never tried it though. I do it manually.

I performed the upgrade to 2.0.10 about a week ago. Aside from the courier-imap thing, it went fine (on Debian 11). One small notable thing is that the proftpd SQLAuthType change mentioned in the migration guide, wasn't necessary for me.

And FYI: I saw this various times:

sh: line 1: /etc/init.d/bind9: No such file or directory
[error] Error while running `/etc/init.d/bind9 reload`: exit code (127) - please check your system logs

I don't know why it calls the sysv script.

Link to comment

  • d00p changed the title to Maintenance Release froxlor 2.0.24 - New UI/UX, quick and easy webinstaller, command line tool & more
  • d00p unpinned this topic
