Fixed subdomains by default?

[xyladecor]

What do you think about fixed submains like webmail.* phpmyadmin.* ftp.* and antispam.* by default? You could realize this by adding a serveralias in the master.conf or a new subdomains.conf in sites-available with symlink to sites-enabled. After that every hosted domain has these subdomains. It's only a simple if-else function in the subdomain template needed to do that: e.g if subdomain=webmail, phpmyadmin, antispam, or ftp then error "Subdomain already exists!" else generate it?

I don't think it's a security hole, but it's more simple to remember than domain.tld/tools/...

[BeNe]

I think that this make sense. It is very easy to handle and the customers
understands it also simple

But the next is that many websniffer und webcracker search for such
subdomains. Will be also easy to test/hack them.
I take a look at PMA

[ephigenie]

that makes sense on the one hand.
On the other hand we then lost the possibility to secure the panel with SSL.
Wildcard - Certificates are not secure enough and cost a lot of money.

I thought about integrating a wizzard later on to generate the ssl certificate or import an old one. Only for the panel itself for the start - i know there's a lot more on the wishlist ... but lets start somewhere and keep all those things in mind.

Someone suggested to make the subdomains on each customer domain ...
- we would have the same problem with SSL there.

Just one thing that could be an idea - each reseller got it's own panel - access site (has to have an own ip, too to have it SSL secured then)

[xyladecor]

BeNe Wrote:But the next is that many websniffer und webcracker search for such
subdomains. Will be also easy to test/hack them.
I take a look at PMA

But you can change webmail or phpmyadmin to something completly else, protect phpmyadmin with .htaccess or webmail and phpmyadmin with imagecode on the login page? i think that's looks very professional and it's secure. no chance for dictionary attacks and most of the users can hadle it.
maybe for rc2 or rc3? that whould be cool...

[BeNe]

mhhh this would be very cool!
But what about the SSL Problem ?

[xyladecor]

i'll try it.

I got a real .de domain only for the administration-area and these subdomains for all accounts on the server. I'll change it to ssl an look what happens.

[digibyte]

ephigenie Wrote:Just one thing that could be an idea - each reseller got it's own panel - access site (has to have an own ip, too to have it SSL secured then)

I'm absolutely in for this idea. The tools (pma, webmail, ...) are offered by the reseller for the customer, so logically they are "hosted" on the (sub)domain of the reseller.
I see it like this: if you make a new reseller, you have to give a domain name where the panel may be installed. The default value could be resellername.hostname.tld, but this can be changed by the user to admin.reseller.tld. And since it is necessary to login for each different tool (pma, webmail, ...) I prefer to place a link to these tools on the main login page of the panel. Or may be a drop down list with "log into pma", "log into panel", "log into webmail", ...
In this way, there is 1 ip address needed per reseller for SSL, which is no big problem I think and the view of the customer is that everything is centrally managed (in admin.reseller.tld).

What do you think about this?

[ephigenie]

This is how i was thinking to do that

[BeNe]

Fine - the idea is born

[BioALIEN]

You get my +1 for this suggestion. Seems valid, logical and actually useful.