1.0.3 - suggestions to next versions

[koffu]

Hello all!

First of all, I want to say many thanks to the development team.
Second, I'd like to express my opinion about some things in the new versions of panel.

After upgrade to 1.0.3 I did not like phpMyAdmin vs FileManager on admin login page. WebMail is nice idea, but can not be said about the rest, I think, because sometimes I see bruteforce attempts and tries to found phpMyAdmin location.
Please see new look in attachment.

My patch is:

Code:

--- /var/www/ispcp/gui/themes/omega_original/index.tpl.orig    2010-01-09 01:39:17.000000000 +0200
+++ /var/www/ispcp/gui/themes/omega_original/index.tpl    2010-01-09 01:55:10.000000000 +0200
@@ -81,14 +81,7 @@
       <tr>
        <td width="244" align="right" class="login"><table width="300" border="0" cellspacing="2" cellpadding="2">
   <tr>
-    <td align="center" width="100"><a href="{TR_PMA_SSL_LINK}" target="_self" title="phpMyAdmin"><img src="{THEME_COLOR_PATH}/images/login/phpmyadmin.png" width="28" height="30" border="0" alt="phpMyAdmin"></a></td>
-    <td align="center" width="100"><a href="{TR_FTP_SSL_LINK}" target="_self" title="Filemanager"><img src="{THEME_COLOR_PATH}/images/login/filemanager.png" width="33" height="30" border="0" alt="Filemanager"></a></td>
-    <td align="center" width="100"><a href="{TR_WEBMAIL_SSL_LINK}" target="_self" title="WebMail"><img src="{THEME_COLOR_PATH}/images/login/webmail.png" width="32" height="30" border="0" alt="WebMail"></a></td>
-  </tr>
-  <tr>
-    <td align="center" width="100"><a class="login" href='{TR_PMA_SSL_LINK}'>phpMyAdmin</a></td>
-    <td align="center" width="100"><a class="login" href='{TR_FTP_SSL_LINK}'>Filemanager</a></td>
-    <td align="center" width="100"><a class="login" href='{TR_WEBMAIL_SSL_LINK}'>WebMail</a></td>
+    <td align="left" width="100"><a href="{TR_WEBMAIL_SSL_LINK}" target="_self" title="WebMail"><img src="{THEME_COLOR_PATH}/images/login/webmail.png" width="32" height="30" border="0" alt="WebMail"></a><a class="login" href='{TR_WEBMAIL_SSL_LINK}'>WebMail Access</a></td>
   </tr>
</table></td>
        <td width="197" align="right" class="login" style="vertical-align:top;">Powered by <a class="login" href="http://www.isp-control.net" target="_blank">ispCP Omega</a></td>

With every version I changing

Code:

/etc/apache2/sites-available/00_master.conf

So, I made a few changes and now file is:

Code:

<VirtualHost 192.168.0.1:80>

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

... skipped...
</VirtualHost>

Code:

<VirtualHost 192.168.0.1:443>

SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

... skipped...
</VirtualHost>

Now admin panel, phpmyadmin, webmail, file manager working via SSL.

[joximu]

Hi

the three symbols (webmail, webftp and pma) were added this year... so we won't kick them again :-)

but - maybe we need a switch/config otion to let the admin decide which shortcuts should be displayed.

But on the other side: every admin can configure it's own front page... :-)

/J

[MicCo]

(01-10-2010 09:38 AM)joximu Wrote:  Hi

the three symbols (webmail, webftp and pma) were added this year... so we won't kick them again :-)

but - maybe we need a switch/config otion to let the admin decide which shortcuts should be displayed.

But on the other side: every admin can configure it's own front page... :-)

/J

Yeah, joximu is right, due that some of us was also likeing the "Your IP are : xxx.xxx.xxx.xxx and logget" but hade to see that is gone.

[kilburn]

"security through obscurity" is never *real* security...

[koffu]

(01-10-2010 10:20 PM)kilburn Wrote:  "security through obscurity" is never *real* security...

Yes, but I think phpMyAdmin would be reachable only after user login and it would be better if the link would be dynamic, not static.
This is only my opinion.

And what you think about SSL changes?

[kilburn]

Quote:Yes, but I think phpMyAdmin would be reachable only after user login and it would be better if the link would be dynamic, not static.

Requiring users to be logged-in to the panel before allowing them to access phpmyadmin would imply that webmasters must have full control over the domain. As of now, the owner of a domain can give mysql rights to the webmaster without allowing him to create/delete emails, ftp accounts, etc.. Thus, I think that the current setup is better...

SSL support is planned for 1.1.0 (your patch assumes that the user has created the corresponding keys, which is unnacceptable because many users would fail to do so).

[koffu]

(01-11-2010 05:56 PM)kilburn Wrote:  [quote]
SSL support is planned for 1.1.0 (your patch assumes that the user has created the corresponding keys, which is unnacceptable because many users would fail to do so).

This is good.
Users always can create self-signed openssl certificate, which can be created by simple command with copy&paste

Code:

openssl req -x509 -days 365 -nodes -new -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key

SSL support can be enabed simple by copy of :80 VirtualHost and changing it with VirtualHost :443 and add to :80 redirect.

[joximu]

There are several ways of introducing SSL:
- only the panel
- also for customer

both ways can be implemented in different ways/levels of complication :-)

/J

[koffu]

I suggest use for control panel only

The way, where I can define parameters for user VirtualHost, except .htaccess and direct editing?

[joximu]

(01-11-2010 07:21 PM)koffu Wrote:  I suggest use for control panel only

as a first step...

(01-11-2010 07:21 PM)koffu Wrote:  The way, where I can define parameters for user VirtualHost, except .htaccess and direct editing?

??? you mean

/etc/apache2/ispcp/<host>.conf

??

/J