Froxlor Forum

Security Release froxlor 2.0.10 - New UI/UX, quick and easy webinstaller, command line tool & more


d00p

Dear froxlor community,

we are excited to announce the release of froxlor 2.0! This release includes several improvements and new features, which we have summarized below for you:
 

Redesigned UI: The appearance of the user interface has been completely modernized. The redesigned froxlor is now even more user-friendly, efficient and customizable.
We've added a global search for general data as well as for searching functions and configuration options. Custom column selection for listings has been added. And of course, it's all 100% responsive.

Revamped installation routine: The froxlor installation has been improved in many ways: it is now easier, faster than ever and looks better.
Now you can activate SSL and PHP-FPM from within the installation process and start using froxlor in minutes.

Improved security features: With expanded and enhanced security features like modern password hashing algorithms we have made froxlor a better place for your data. On top of that, the code has been completely reviewed and restructured to make security fixes easier, CSRF tokens on forms have been implemented to make Cross Site transactions more secure, and much more.

CLI tool: With the new froxlor CLI tool, you can now use froxlor via the command line – great for automation!
For example, complete the installation process, check and run updates, (re)configure services and more.

 

Changes in 2.0:

New features:

  • [API] new MysqlServer Command to allow multiple MySQL servers to be used by customers
  • [API] optional requests via api.php?/module/function/
  • [UI] Global-search
  • [UI] Customize visibility of table-columns
  • [CLI] new bin/froxlor-cli tool (installer, updater, helper scripts and cron)
  • [Distros] added Debian Bookworm (12)* and Ubuntu 22.04 (Jammy Jellyfish)

Breaking changes:

  • PHP-7.4+ and php-gmp extension are now required
  • [API] auth via HTTP-Auth, old format with apikey/secret in the request is no longer possible
  • [UI] auto-update must be enabled explicitly in lib/config.inc.php
  • [Config] proftpd needs to be re-configured (or simply add `OpenSSL` to `SQLAuthTypes` in `/etc/proftpd/sql.conf`)
  • [Config] dovecot needs to be re-configured (or simply comment out `default_pass_scheme ...` in `/etc/dovecot/dovecot-sql.conf.ext`)
  • [Distros] removed Debian Stretch / Ubuntu Xenial and CentOS
  • [APT package] default installation path is now /var/www/html/froxlor.
    If you are updating, your froxlor installation will be moved there from /var/www/froxlor!


Changes in minor releases:

2.0.10 security release

  • enforce password requirements set in settings for directory-protection
    [CWE-521: Weak Password Requirements]
  • add missing use statement for error-reporting to include the dbms version
    [CWE-391: Unchecked Error Condition]
  • validate existence of language in admin-templates
    [CWE-840: Business Logic Errors]
  • verify cronjob interval is one of the fixed available values
    [CWE-96: Static Code Injection]
  • fix possible privilege escalation from customer to root when specifying custom error documents in directory-options
    [CWE-94: Code Injection]


See also our Migration Guide for more information.

We hope you enjoy froxlor 2.0 and look forward to your feedback.
 

Download: 2.0website

Documentation at https://docs.froxlor.org/.


Visit https://www.froxlor.org and join our Discord channel (https://discord.froxlor.org) for support, help, participation or just to chat

Thank you,
the froxlor team

 

* Debian 12 is not yet released and should be considered unstable. Froxlor will fully support Debian Bookworm after its release.

  • Like 1
Link to comment
Share on other sites
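The two one-line config changes named under "Breaking changes" in the announcement above, written as an added example (not froxlor's own tooling and not part of the original post). The function names and the sample file contents are constructed; the real files are `/etc/proftpd/sql.conf` and `/etc/dovecot/dovecot-sql.conf.ext`, as the announcement states.

```shell
#!/bin/sh
# Added example, not froxlor tooling. Paths are arguments so the edits can be
# rehearsed on copies before pointing them at the files under /etc.

# proftpd: append OpenSSL to the active SQLAuthTypes line (idempotent).
add_openssl_authtype() {
    conf=$1
    line=$(grep -E '^[[:space:]]*SQLAuthTypes[[:space:]]' "$conf") || return 1
    if printf '%s\n' "$line" | grep -iq 'openssl'; then
        return 0                      # already listed, leave the file alone
    fi
    cp -p "$conf" "$conf.bak" &&      # -p: the backup keeps the original mode
    sed -E 's/^([[:space:]]*SQLAuthTypes[[:space:]].*[^[:space:]])[[:space:]]*$/\1 OpenSSL/' \
        "$conf.bak" > "$conf"         # rewritten in place: owner and mode unchanged
}

# dovecot: comment out every active default_pass_scheme line (idempotent).
# This file usually holds database credentials, so the backup must not end up
# more readable than the original; cp -p takes care of the mode.
disable_default_pass_scheme() {
    conf=$1
    grep -Eq '^[[:space:]]*default_pass_scheme[[:space:]]*=' "$conf" || return 0
    cp -p "$conf" "$conf.bak" &&
    sed -E 's/^([[:space:]]*)(default_pass_scheme[[:space:]]*=.*)$/\1#\2/' \
        "$conf.bak" > "$conf"
}

# Rehearsal on constructed sample files (contents are made up for the demo).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'SQLBackend mysql\nSQLAuthTypes Crypt\n' > "$dir/sql.conf"
    printf 'driver = mysql\ndefault_pass_scheme = CRYPT\n' > "$dir/dovecot-sql.conf.ext"
    add_openssl_authtype "$dir/sql.conf" &&
    disable_default_pass_scheme "$dir/dovecot-sql.conf.ext" &&
    cat "$dir/sql.conf" "$dir/dovecot-sql.conf.ext"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

Both functions are safe to run twice; `add_openssl_authtype` returns non-zero when the file has no active `SQLAuthTypes` line, which is the case where a full re-configuration is the better route.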

After a manual upgrade to php7.4

(https://prepaid-host.com/de/blog/php-7-4-auf-debian-11-10-9-installieren)

and enabling php7.4 in Apache (a2enmod), I was able to log in. After that, of course, the path of the virtual domain was changed back to /var/www/froxlor, so I had to adjust this manually once more and then in the config via the new frontend.

I hope everything works now.

 

Best regards,

Michael

Link to comment
Share on other sites

Bravo! 👏👏👏👏

I had no idea that you're working on Froxlor revamp. It's been a nice surprise. Thank you!

For the moment I just upgraded one of the two servers, the one with less services just in case. The only thing I had to do was commenting out the default_pass_scheme = CRYPT option

Kudos to all the team @d00p

P.D. I'm just curious about the new path to /var/www/html/ . Why that change?

Never mind, I see that it was a frequent request https://github.com/Froxlor/Froxlor/issues/1068

  • Like 1
Link to comment
Share on other sites

really loving froxlor until now, but this quite unannounced and unstoppable update breaks my neck on several systems, would have preferred a clear update-path without auto-breaking systems.

Link to comment
Share on other sites

7 hours ago, hk@ said:

really loving froxlor until now, but this quite unannounced and unstoppable update breaks my neck on several systems, would have preferred a clear update-path without auto-breaking systems.

"unannounced update" - literally in the announcement thread...hilarious.

Sorry you are having so much trouble - we've tried to test as much as possible but due to the support for various settings-combination we can never be sure to hit everything - hence we try to provide fixes as soon as possible.

Maybe in your case it would be a better idea to mark the froxlor debian package as hold and wait a few weeks

Link to comment
Share on other sites

29 minutes ago, Meth0d said:

What is the equivalent of froxlor_master_cronjob.php --letsencrypt for the new /bin/froxlor-cli froxlor:cron ?

And should this not also be moved to /var/www/html/froxlor ?

 

Yes, there will be updater-procedures and a cli tool to do that in the upcoming version - it's a lot currently, please give us some time

Link to comment
Share on other sites

On 1/11/2023 at 8:33 AM, d00p said:

"unannounced update" - literally in the announcement thread...hilarious.

Sorry you are having so much trouble - we've tried to test as much as possible but due to the support for various settings-combination we can never be sure to hit everything - hence we try to provide fixes as soon as possible.

Maybe in your case it would be a better idea to mark the froxlor debian package as hold and wait a few weeks

well, it is a major update - obviously - new installs, new requirements, several changes in paths, scripts etc.
announcements in the forum are usually not checked on a daily basis, we found out (and still find out) the hard way getting updates via apt which break a lot of things. holding packages would have been an option if we only had known beforehand...
(or major updates might choose to take an explicit path for packaging not going into autoupdates)

Link to comment
Share on other sites

16 hours ago, d00p said:

We did not remove anything related to that - if I remember correctly you created something on your own for your needs

That's nice to read! Because my additions / pull request was not merged I have to dig into the code once more and try to implement again. I think git cannot help me here - the differences between 10.x and 2.x are too big. I will try to install a 2.x parallel to the existing 10.38 (using a different database) and try to implement again. I am not lucky about changes that ignore different paths on different distributions in the installer (not configurable in installation), but it is solvable...

Link to comment
Share on other sites

28 minutes ago, df8oe said:

I am not lucky about changes that ignore different paths on different distributions in the installer (not configurable in installation), but it is solvable...

care to tell us what exactly you mean? what paths?

Link to comment
Share on other sites

  • 2 weeks later...

Thank you for this revamp, Froxlor looks so good now!
The darkmode is a blessing to my tired eyes.

Everything worked flawlessly, even the change of the ACME path (I had /var/www/froxlor before and it auto-changed it to /var/www/html/froxlor with one manual command. Had me frightened for a bit but it worked).

  • Thanks 1
Link to comment
Share on other sites

  • d00p changed the title to Security Release froxlor 2.0.10 - New UI/UX, quick and easy webinstaller, command line tool & more
