Froxlor Forum

froxlor 2.1 - Security and domains enhancements, One-Time-Login-Link and nightlies


d00p


Dear froxlor community,

we are pleased to announce the release of froxlor 2.1! Notable new features, improvements and also breaking changes are listed below:

Duplicate domains: You can now easily duplicate domains as admin user. With just one click, specify the new domain-name and select the target-customer and all the compatible settings from the source domain will be used for the new domain. Via the new API call Domains.duplicate(), you can even overwrite any domain-value you like by passing them to the request, just like you would for Domains.add().

Deactivate single domains: It is now possible to deactivate and re-activate single domains. This also deactivates any email-address/account created with that domain.

Deactivate single ftp-accounts: As with domains, users can now enable or disable a specific ftp-account.

One-Time Login links: Admin users are now able to generate a one-time login-link for customers via CLI or API, which starts a customer session automatically without the customer entering any login credentials. This comes in handy especially when using third-party interfaces / portals to integrate a link to the customer's froxlor dashboard. You can also specify the validity time for the link (from 10 up to 120 seconds) and a comma-separated list of IP addresses to restrict the request-source. The corresponding added API call is Froxlor.generateLoginLink().

CustomerBackup is now DataDump: The CustomerBackup API calls and their integration in the UI have been renamed to DataDump to clarify the difference between a one-time data-extraction/dump and backups. This also paves the way for a possible Backup-feature in the future.

Additionally, if the php-gnupg extension is present, you have the ability to encrypt your data-exports with your pgp-key.

OTP for critical settings: We've added an OTP requirement for some of the critical/system-related settings in order to enhance security. To change these specific settings, 2FA/OTP has to be enabled system-wide and activated for the current admin user. For more details see https://docs.froxlor.org/v2.1/admin-guide/settings/#_1-3-settings-that-require-otp-validation

Custom page for unmanaged/unknown domains: In case a domain is pointing to your server but is not yet added to froxlor, a customizable notice is now displayed instead of the froxlor login page. You can specify your own content for the file as admin in "Email- & File-templates".

New update channel 'nightly': We now create nightly-builds for every successful push to the git-repository. If you want to participate in testing the current development state, you are now able to do so without the need to have composer/npm and all the dev-tools requirements but just use a pre-built nightly. These packages are only available through the updater of froxlor (either CLI or Web-Update, if enabled). To activate, just select the update-channel 'nightly' (only available in settings-mode 'advanced'). Keep in mind that downgrades are not supported. You can always switch back to the stable or beta channel but you will have to wait until corresponding releases catch up to the nightly-version you have.

 

Changes in 2.1:

New features:

  • [API] new Domains.duplicate() command to copy domains
  • [API] One-Click One-Time-Login-Link (remote-login) via new Froxlor.generateLoginLink()
  • [API] Domains.add()/update() -> added parameter `deactivated`
  • [API] Ftps.add()/update() -> added parameter `login_enabled`
  • [UI] OTP requirement for specific/system-relevant settings
  • [UI] markdown syntax in custom_notes field
  • [UI] change password/theme/language is now combined in profile
  • [Settings] New update-channel "nightly" (development-versions only, every signed commit to 'main' will be built)
  • [CLI] new froxlor:config-diff command
  • [other] In order to encrypt data-exports using pgp you need to have the php-gnupg extension installed and activated.
  • [other] Domains pointing to the server but are unmanaged by froxlor will now display a corresponding message.

Breaking changes:

  • [API] CustomerBackups renamed to DataDump
  • [Services] support for lighttpd webserver will be dropped in future 2.1 releases due to no active maintainer and no significant user-base
  • [Distros] Debian 10 buster & Ubuntu 18.04 bionic were deprecated as of 2.0.x and are now removed in froxlor-2.1
  • [Distros] Gentoo is deprecated due to no active maintainer
  • [Config] postfix needs reconfiguration in the file `/etc/postfix/mysql-virtual_mailbox_domains.cf` in order for the deactivated-domain flag to be recognized

    Alternatively, simply search for the line:

    query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1'

    and replace it with:

    query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0

     

Changes in 2.1.1:

  • [DNS] fix wrong result in Domain::getMainSubdomainIds(); #1202
  • [Install] fix wrong version being set


Changes in 2.1.2:

  • [general] fixed compatibility with older installations
  • [DNS] fixed wrong type when dns zone for system-hostname is active
  • [UI] fixed non-empty value for file-input fields when using uploaded logos
  • [UI] fixed 2fa login when using email validation
  • [UI] fixed wrong size-unit for mailquota-dashboard-info
  • [UI] fixed possibility to have empty name/surname and empty company
  • [Installation] allow more complex passwords to be set (skip escaping)
     

Changes in 2.1.3:

  • [CLI] Add manual_config parameter to install json; #1208
  • [API] use panel.password_min_length setting for Froxlor.generatePassword() default length parameter
  • [general] allow '::1' as valid mysql localhost value
  • [UI] fixed bug that led to select-box values not being changed
  • [UI] fixed bug that led to an error when using custom.css
     

Changes in 2.1.4:

  • [UI] Don't show stats-icon for domains with redirect
  • [Cron] hide goaccess output in traffic cron and keepalive database connection for long-running log-analysis
  • [Cron/Apache] use same certificate-file if child-domain inherits the parentdomain's certificate data (avoid possible http 421 Misdirected Request)
  • [UI] use different language string for password-placeholder when adding a new customer; fixes #1216
  • [Install] don't use deprecated 'mysql_native_password' for mysql8; fixes #1214
  • [Install] possibility to specify sender address for froxlor as the admin-email address, custom or empty for system-default; fixes #1217
  • [general] don't output ipv6 in brackets for system.ipaddress setting as the brackets will be added to the value resulting in an invalid mysql-access-host; fixes #1215
  • [settings] use correct validation for dnscheck-resolver; fixes #1220
     

Changes in 2.1.5:

  • [Config] disable pam auth in dovecot for debian bookworm
  • [general] Check for argon2 support before using constant PASSWORD_ARGON2X; #1228
  • [UI] fix incorrect top-5 customers in traffic overview for admins
  • [UI] show manual update command if webupdate is disabled
  • [Cron] create empty dns-server config if no (dns-enabled) domain is determined; fixes #1230
  • [general] set correct channel for update-check if switching from apt-installed stable/testing to nightly
  • [API] fix check for allowed_phpconfigs if using mod_php when adding/editing a customer
     

Changes in 2.1.6:

  • [general] fix regression bug from "Check for argon2 support before using constant PASSWORD_ARGON2X; #1228"
     

Changes in 2.1.7:

  • [UI] backport UI/Callback fixes from 2.2-dev (main); fixes #1235
  • [UI] fix regression bug in 'incorrect top-5 customers' sorting in traffic-overview which leads to incorrect customer-links due to wrong indexing in the array; fixes #1236
  • [UI] fix adding/editing domains as customer when php is not enabled for the domain
  • [Cron] don't add custom-vhost-content to deactivated domain-vhosts
  • [Cron] correctly save pass_authorizationheader flag for php-configs if FCGID is used; correctly add 'FcgidPassHeader' for froxlor-vhost itself if set
  • [Cron] wrap SetHandler to php-fpm in file-exists check, as we do for customer-domains already
  • [API] correctly disable ssl-related settings when domain update sets ssl-enabled flag to false; fixes #1241
  • [general] correctly validate if a symlink is within the customers home-directory if it's not an absolute path; fixes #1242


Changes in 2.1.8:

  • [settings] fix "session expires" option, #1246
  • [UI] fix missing csrf tokens for some ajax requests 
  • [Cron] also add logfiles to virtual-host if it's a redirect

 

See also our Migration Guide for more information.

We hope you enjoy froxlor 2.1 and look forward to your feedback.


Download: froxlor-2.1

Documentation at https://docs.froxlor.org/.


Visit https://www.froxlor.org and join our Discord channel (https://discord.froxlor.org) for support, help, participation or just to chat

Thank you,
the froxlor team

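The one-time login-link feature above combines three controls that are easy to get subtly wrong: a bounded validity window (10 to 120 seconds), an optional source-IP restriction, and single use. The following is an added illustration of that lifecycle written for this thread; it is not froxlor's implementation, and the `lk` query parameter, the panel URL and the in-memory store are assumptions made for the example. What it shows beyond the announcement text: the token is stored only as a hash, the record is consumed on the first presentation regardless of outcome (so a link seen from the wrong address cannot be retried from the right one), and IPv4/IPv6 allowlists can be mixed.

```python
"""One-time login link lifecycle: issue, restrict, expire, redeem once.

Added illustration of the mechanism described in the release notes; this is
not froxlor's implementation. The link shape, the `lk` query parameter and the
in-memory store are assumptions made for the example.
"""
import hashlib
import ipaddress
import secrets
import time
from urllib.parse import parse_qs, urlparse

MIN_VALIDITY = 10   # seconds, lower bound stated in the release notes
MAX_VALIDITY = 120  # seconds, upper bound stated in the release notes


def _parse_allowed_from(allowed_from: str):
    """Turn 'ip, ip/cidr, ...' into a list of networks; empty means unrestricted."""
    nets = []
    for item in allowed_from.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


class LoginLinkStore:
    """Server-side record of issued links, keyed by the SHA-256 of the token."""

    def __init__(self, base_url="https://panel.example.test", clock=time.time):
        self._base_url = base_url   # hypothetical panel address
        self._clock = clock         # injectable so expiry can be tested offline
        self._records = {}

    def generate(self, loginname: str, validity: int = 30, allowed_from: str = "") -> str:
        if not MIN_VALIDITY <= validity <= MAX_VALIDITY:
            raise ValueError(f"validity must be {MIN_VALIDITY}..{MAX_VALIDITY} seconds")
        token = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = {
            "loginname": loginname,
            "expires": self._clock() + validity,
            "allowed_from": _parse_allowed_from(allowed_from),
        }
        # Only the hash is kept server-side, so a database read yields no usable link.
        return f"{self._base_url}/index.php?lk={token}"

    def redeem(self, token: str, source_ip: str):
        """Return the loginname to start a session for, or None to refuse.

        The record is removed on the first presentation, whatever the outcome,
        so a token cannot be retried from another address or after a failure.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._records.pop(digest, None)
        if record is None:
            return None
        if self._clock() > record["expires"]:
            return None
        if record["allowed_from"]:
            try:
                ip = ipaddress.ip_address(source_ip)
            except ValueError:
                return None
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            if not any(ip in net for net in record["allowed_from"]):
                return None
        return record["loginname"]


def token_from_link(token_link: str) -> str:
    """Extract the token a browser would send back when following the link."""
    return parse_qs(urlparse(token_link).query)["lk"][0]
```

Burning the record on a refused presentation is a deliberate choice: it turns a mis-routed or leaked link into a dead one instead of a second chance, at the cost of the admin having to issue a fresh link.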

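The postfix note under "Breaking changes" is worth a closer look, because the consequence of skipping it is silent: without the `AND deactivated = 0` condition, postfix keeps answering "this domain is mine" for a domain an admin has just deactivated, and mail for it continues to be accepted. The following added example (not froxlor's code) models the two queries from the announcement against a constructed, minimal `panel_domains` table in SQLite and adds a small helper that patches the `.cf` file line. The real map is MySQL and uses postfix's `%s` placeholder; the queries below use SQLite's `?` instead, and the table has only the three columns the queries touch.

```python
"""Effect of the postfix virtual_mailbox_domains query change in froxlor 2.1.

Added example, not part of froxlor. It runs the old and new map queries from
the release notes against a constructed panel_domains table in SQLite (the
real map is MySQL with postfix's '%s' placeholder; '?' is used here) and
offers an idempotent patch helper for mysql-virtual_mailbox_domains.cf.
"""
import sqlite3

# The queries from the release notes with '%s' swapped for sqlite's '?'.
OLD_QUERY = ("SELECT domain FROM panel_domains WHERE domain = ? "
             "AND isemaildomain = '1'")
NEW_QUERY = OLD_QUERY + " AND deactivated = 0"

# The lines as they appear in /etc/postfix/mysql-virtual_mailbox_domains.cf
OLD_LINE = ("query = SELECT domain FROM panel_domains WHERE domain = '%s' "
            "AND isemaildomain = '1'")
NEW_LINE = OLD_LINE + " AND deactivated = 0"


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: only the columns the two queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE panel_domains "
        "(domain TEXT, isemaildomain TEXT, deactivated INTEGER)"
    )
    conn.executemany("INSERT INTO panel_domains VALUES (?, ?, ?)", [
        ("active.example", "1", 0),    # normal mail domain
        ("paused.example", "1", 1),    # deactivated in the panel
        ("web-only.example", "0", 0),  # no mail for this domain
    ])
    return conn


def postfix_accepts(conn: sqlite3.Connection, query: str, domain: str) -> bool:
    """Postfix treats any row returned by the map as 'accept mail for this domain'."""
    return conn.execute(query, (domain,)).fetchone() is not None


def patch_map_file(text: str) -> str:
    """Return the .cf contents with the deactivated condition added.

    Only an exact match of the old query line is rewritten, so running this
    twice, or on an already patched file, changes nothing.
    """
    out = []
    for line in text.splitlines():
        if line.strip() == OLD_LINE:
            line = NEW_LINE
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")
```

After editing the map file on a real system, `postmap -q paused.example mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf` should return nothing for a deactivated domain and the domain name for an active one.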
Hi,

After upgrading to Froxlor 2.1 I get this message:

My main domain is not managed by Froxlor, but rather manually, mainly because back in the day Froxlor didn't support SSL wildcard certificates, so I managed the main domain myself.

I'm guessing this is the reason?

  • [other] Domains pointing to the server but are unmanaged by froxlor will now display a corresponding message

Any idea of how to resolve this? I would like to keep my main domain as it was and not having Froxlor managing it if possible.

Thanks.

(screenshot attached: Screenshot 2023-12-09 at 15.21.18.png)


Your host squeakyhost.com redirects to www.squeakyhost.com, froxlor does not do a www-redirect itself. Must be something custom on your side.

If www.squeakyhost.com is a configured froxlor-alias (Settings -> froxlor vhost settings -> Domain aliases for froxlor vhost) then you would still see the froxlor login and not an empty page with just a background-color being set.

From the looks of the content of your vhost it seems that the "ServerAlias"-directive has possibly been added via "own vhost settings" 


thx for the update - that still happened to Debian v10 also :)

one issue we see: the webinterface via admin_configfiles.php?page=configfiles reports "Unknown distribution". I do suspect this has something to do with Debian v10 running?

to be on the safe side - upgraded v10 to v11, then did a cli-reconfiguration for froxlor, but even then it reports "unknown distribution" there.

please advise on how to get out of this....


25 minutes ago, hk@ said:

thx for the update - that still happened to Debian v10 also :)

one issue we see: the webinterface via admin_configfiles.php?page=configfiles reports "Unknown distribution". I do suspect this has something to do with Debian v10 running?

to be on the safe side - upgraded v10 to v11, then did a cli-reconfiguration for froxlor, but even then it reports "unknown distribution" there.

please advise on how to get out of this....

 

On 12/8/2023 at 9:52 PM, d00p said:

[Distros] Debian 10 buster & Ubuntu 18.04 bionic were deprecated as of 2.0.x and are now removed in froxlor-2.1

Fix:

UPDATE `panel_settings` SET `value` = 'bullseye' WHERE `settinggroup` = 'system' AND `varname` = 'distribution';

 


1 hour ago, d00p said:

Fix:

UPDATE `panel_settings` SET `value` = 'bullseye' WHERE `settinggroup` = 'system' AND `varname` = 'distribution';

 

thank you again, this worked.
Regarding removal - yeah, but the update came automated and then it is a bit too late to upgrade the distribution beforehand.

#funfact after fixing the above setting, the panel still offers Debian v9 and Ubuntu v16, only v10 (debian) and v18 (ubuntu) have been removed in the dropdown-box.


Just now, hk@ said:

Regarding removal - yeah, but the update came automated and then it is a bit too late to upgrade the distribution beforehand.

maybe then don't blindly/automatically update - or possibly just don't use the froxlor apt-package and update manually after checking the changelog. I'm open for ideas if you have any...

1 minute ago, hk@ said:

#funfact after fixing the above setting, the panel still offers Debian v9 and Ubuntu v16, only v10 (debian) and v18 (ubuntu) have been removed in the dropdown-box.

These were gone since 2.0 already, looks like we've missed these files in the updater to remove them...


On 12/10/2023 at 8:39 PM, d00p said:

maybe then dont blindly/automatically update - or possibly just dont use the froxlor apt-package and update manually after checking the changelog. I'm open for ideas if you have any...

These were gone since 2.0 already, looks like we've missed these files in the updater to remove them...

While I get your regular sarcasm, I'd bring again forward the idea to have different release-paths, if there is only one froxlor repo, the only option to not manually do updates on all servers (and most of the times this works fine) is to use the repo available. I might refer to other repos (like powerdns, sury.org) that offer specific release paths as well as distribution paths.
I see great value in getting security fixes as soon as possible without manual intervention, there is basically no manual alternative besides being on standby 24x7 for all servers in case a security-update hits. This is why we do not read changelogs and do things manually - in case of security - better update first and ask questions later.
Yet - the option to have eg. a 2.0 release repo, 2.1, 2.2 etc - especially if different distributions the panel supports are retired by changing a minor release - would be a good thing to keep things not breaking automagically.
Yes, this is additional administration overhead for the repository and it seems we're the only ones having this issue, so maybe it's not worth it. Currently we do check changelogs as soon as we see updates being delivered, but we would not risk being late for security updates and do things manually later.

Seasons Greetings,
hk


Multiple release-paths only make sense if we were to support multiple versions at once (e.g. 2.0.x, 2.1.x, 2.2.x) - as this is a project done in pure spare time with just two developers, there's just no manpower for things like that. This would also mean that people installing 2.1.x will never automatically get to 2.2.x without editing the sources-file, so most users would have an outdated version after a while.


Upon upgrade to version 2.1.4 from 2.0.24, I had the same issue as llucps, where it said the domain was not configured. When I removed the www part, it worked.

I then set this setting:

 

(screenshot attached: Froxlor_domain_alias_Screenshot_20240201_022852.png, showing the "Domain aliases for froxlor vhost" setting)

 

Then the login shows, but I can't log in. After entering the 2FA, it just redirects back to the login prompt. The inspector shows it's just a '302 Found' with a rendered login prompt. I don't see reasons or HTTP codes given.

Edit: it later started working OK. My browser removes cookies upon exit, so that may be related.
