DNSmanager 6 Documentation

Control panel URL

By default, the control panel runs through the built-in web server ihttpd. The web-interface URL:

Web-interface URL. Port 1501
https://<server IP address>:1501/dnsmgr


You can configure a URL so that the control panel opens by domain name.

There are two ways:

  • Configure ihttpd;
  • Configure nginx + ihttpd.

Configuring ihttpd

DNSmanager 6 uses the ihttpd-dns service to run the ihttpd web server.

If you do not plan to use any third-party web applications on your server, change the web-server ports to 80 and 443, e.g.:

configuration file /opt/ispsystem/dnsmanager6/etc/ihttpd.conf
listen {
       ip 10.10.10.10
       port 443
}       
listen {
       ip 10.10.10.10
       port 80
       redirect
}

This configuration allows ihttpd to accept connections on ports 80 and 443 and sets a redirect from port 80 to port 443.

After you have modified the configuration file, restart the service:

service ihttpd-dns restart

Configuring Nginx + ihttpd

If ISPmanager is already installed on the server, install Nginx through it. To do so, go to Settings → Features → Web-server (WWW) → Edit.

In ISPmanager Business, this web-server is installed by default.

If ISPmanager isn't installed on your server, install Nginx manually:

Ubuntu
apt-get install nginx 
AlmaLinux
dnf install nginx
Open ports on AlmaLinux

Nginx settings

Add the following lines to the nginx configuration file /etc/nginx/nginx.conf or to a file you created in the /etc/nginx/conf.d directory:

Nginx configuration file
server {
       listen 10.10.10.10:443 ssl;
       server_name my.domain.com;
       ssl_certificate /opt/ispsystem/dnsmanager6/etc/manager.crt;
       ssl_certificate_key /opt/ispsystem/dnsmanager6/etc/manager.key;

       # Address of the ihttpd web server that requests are proxied to
       set $mgr_proxy "https://10.10.10.10:1501";

       # Static files of the panel skins are served directly by nginx
       location ^~ /manimg/ {
              alias /opt/ispsystem/dnsmanager6/skins/;
       }

       location / {
              proxy_pass $mgr_proxy;
              proxy_redirect $mgr_proxy /;
              proxy_set_header Host $host:$server_port;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Real-IP $remote_addr;
              # Sample value; must match ForwardedSecret in dnsmgr.conf
              proxy_set_header X-Forwarded-Secret mary123;
              chunked_transfer_encoding off;
       }

       location ^~ /mancgi/ {
              proxy_pass $mgr_proxy;
              proxy_redirect $mgr_proxy /;
              proxy_set_header Host $host:$server_port;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Real-IP $remote_addr;
              # Sample value; must match ForwardedSecret in dnsmgr.conf
              proxy_set_header X-Forwarded-Secret mary123;
              chunked_transfer_encoding off;
       }
}

ForwardedSecret is a key made up of letters and digits. When Nginx is set up, it is used for checking authentication from certain IP addresses. It helps protect against invalid login attempts.

Note:

The secret phrase specified in the nginx configuration file (proxy_set_header X-Forwarded-Secret directive) must match the phrase specified in the control panel configuration files (dnsmgr.conf, ForwardedSecret directive).

When adding the passphrase to the nginx configuration file, add it to the control panel configuration files (/opt/ispsystem/dnsmanager6/etc/dnsmgr.conf) as well.

Restart the control panel to apply the changes in the configuration file:

/opt/ispsystem/dnsmanager6/sbin/mgrctl -m dnsmgr exit
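
A consistency check for the note above, as an added example that is not part of the ISPsystem documentation: it compares the X-Forwarded-Secret value in an nginx configuration file with ForwardedSecret in dnsmgr.conf and lists proxied locations that lack the header. The function names are hypothetical, and it assumes dnsmgr.conf stores the directive on one line as "ForwardedSecret <value>".

```shell
#!/bin/sh
# Added example, not ISPsystem code. Assumption: dnsmgr.conf stores the
# directive on one line as "ForwardedSecret <value>".

# Distinct X-Forwarded-Secret values set in an nginx configuration file.
nginx_secrets() {
    awk '$1 == "proxy_set_header" && $2 == "X-Forwarded-Secret" {
             sub(/;$/, "", $3); print $3 }' "$1" | sort -u
}
# ForwardedSecret value from the control panel configuration file.
panel_secret() { awk '$1 == "ForwardedSecret" { print $2; exit }' "$1"; }
# Paths of location blocks that proxy requests but never set the header.
unprotected_locations() {
    awk '$1 == "location" { name = $(NF - 1); inloc = 1; pass = 0; sec = 0 }
         inloc && $1 == "proxy_pass" { pass = 1 }
         inloc && $2 == "X-Forwarded-Secret" { sec = 1 }
         inloc && $1 == "}" { if (pass && !sec) print name; inloc = 0 }' "$1"
}

# Returns 0 when the files agree; findings never echo the secret itself.
check_forwarded_secret() {
    rc=0; panel=$(panel_secret "$2"); proxy=$(nginx_secrets "$1")
    [ -n "$panel" ] || { echo "FAIL: no ForwardedSecret in $2"; return 1; }
    [ "$proxy" = "$panel" ] || { echo "FAIL: nginx and panel values differ"; rc=1; }
    for loc in $(unprotected_locations "$1"); do
        echo "FAIL: location $loc proxies without X-Forwarded-Secret"; rc=1
    done
    return $rc
}

# Constructed sample files: /mancgi/ lacks the header and the values differ.
demo() {
    d=$(mktemp -d)
    cat > "$d/nginx.conf" <<'EOF'
server {
    location / {
        proxy_pass $mgr_proxy;
        proxy_set_header X-Forwarded-Secret mary123;
    }
    location ^~ /mancgi/ {
        proxy_pass $mgr_proxy;
    }
}
EOF
    echo "ForwardedSecret mary124" > "$d/dnsmgr.conf"
    check_forwarded_secret "$d/nginx.conf" "$d/dnsmgr.conf"; rc=$?
    rm -rf "$d"; return $rc
}
[ $# -eq 2 ] && { check_forwarded_secret "$1" "$2"; exit; }
demo || echo "demo: the findings above are expected for the constructed files"
```

Run it with the nginx file and /opt/ispsystem/dnsmanager6/etc/dnsmgr.conf as the two arguments; without arguments it checks the constructed sample.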

To open the control panel through the https protocol, configure the redirect. To do so, add the following information to the Nginx configuration file:

https redirect
server {
       listen 10.10.10.10:80;
       server_name my.domain.com;
       rewrite ^(.*)$ https://$server_name$1 permanent;
}

Restart Nginx to apply the changes:

service nginx restart

ihttpd settings

In the ihttpd configuration file /opt/ispsystem/dnsmanager6/etc/ihttpd.conf, remove the redirect line to avoid cyclic redirection.
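
To find the listen blocks that still carry the redirect line, the following added example (not ISPsystem code) parses a file in the ihttpd.conf layout shown on this page, skipping nested blocks such as sni. The function names and the "unset" label for a block without a port line are choices of this example.

```shell
#!/bin/sh
# Added example, not ISPsystem code: report ihttpd listen blocks that still
# carry "redirect", the line to remove when nginx sits in front of ihttpd.

# Print "ip:port" for each listen block with a top-level redirect line.
redirecting_listeners() {
    awk '
        $1 == "listen" && $2 == "{" { depth = 1; ip = "?"; port = "unset"; redir = 0; next }
        depth == 0    { next }              # outside any listen block
        $NF == "{"    { depth++; next }     # nested block such as sni { ... }
        $1 == "}"     { if (--depth == 0 && redir) print ip ":" port; next }
        depth == 1 && $1 == "ip"       { ip = $2 }
        depth == 1 && $1 == "port"     { port = $2 }
        depth == 1 && $1 == "redirect" { redir = 1 }
    ' "$1"
}

# Constructed ihttpd.conf modelled on the listen blocks shown on this page.
demo_conf() {
    cat <<'EOF'
listen {
       ip 10.10.10.10
       port 443
       sni {
               domains dns.example.com
       }
}
listen {
       ip 10.10.10.10
       port 80
       redirect
}
EOF
}

if [ $# -eq 1 ]; then
    redirecting_listeners "$1"
else
    f=$(mktemp); demo_conf > "$f"
    redirecting_listeners "$f"      # the port 80 block is reported
    rm -f "$f"
fi
```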

SSL certificates of the address

You can add SSL certificates for the IP addresses or the domain name of the control panel (for a domain name, Server Name Indication support is required).

Server Name Indication

SSL certificates for platform addresses are required to be able to access the web interface via HTTPS by IP address or domain name.

To manage SSL certificates in the platform, enter Settings → Control panel address → click Certificates.

Adding a Let's Encrypt certificate

Let's Encrypt is a non-profit certificate authority that provides free X.509 certificates for TLS encryption. Certificates are issued through an automated process: certificate creation, verification, signing, installation and renewal are performed automatically. For more details, visit the official website of the Let's Encrypt service.

Main limitations of Let's Encrypt:

  • you can order 50 certificates per week (top-level domain (TLD), including its subdomains);
  • Let's Encrypt certificate validity period is 3 months. This means that Let's Encrypt certificates will be reissued every 3 months.

There are other limitations as well. Read more in the Let’s Encrypt documentation.

Before adding a Let's Encrypt certificate, make sure that the domain name resolves to the existing IP address of the platform. When you add a Let's Encrypt certificate, the service will verify that you are the owner of the domain.

To add a certificate, enter Settings → Control panel address → click Certificates → click Add:

  1. Certificate type — the method of SSL certificate creation. Select "Let`s Encrypt certificate".
  2. Domain name — specify the domain names for the certificate.
  3. IP-address — select the platform address to which the certificate will be bound. The list displays the IP addresses that are configured in the Control panel address section.

When a certificate is ordered:

  1. A file with the token and validation data is created in the directory /opt/ispsystem/dnsmanager6/www/letsencrypt/.well-known/acme-challenge. The Let's Encrypt verification service performs a query on the domain name and reads this token.
  2. After the SSL certificate is issued, a task is added to the scheduler to check if the SSL certificate needs to be renewed:

    Task example
    ## ISPsystem acme.sh certs update task
    52 3 * * * /opt/ispsystem/dnsmanager6/sbin/cron-core sbin/mgrctl -m core acmesh.certs.update >/dev/null 2>&1


When issuing certificates for a large number of subdomains (third-level domain names and above), an error may occur. This is a limitation of Let's Encrypt; certificate issuance will continue after some time (usually within a day).

Operation together with the Apache and Nginx web servers is supported. If no web server is running, an embedded server is started to accept requests from Let's Encrypt during domain validation.

Adding an existing certificate

When an existing certificate is added, the match between the domain and the IP address is not checked. If the domain name and the IP address do not match, the certificate is marked with a corresponding icon in the list.

To add a certificate, enter Settings → Control panel address → click Certificates → click Add:

  1. Certificate type — select "Existing certificate".
  2. Domain name — the domain name for which the SSL certificate will be issued. The field cannot be modified; the value is taken from the certificate.
  3. IP-address — select the platform address to which the SSL Certificate will be bound. The list displays the IP addresses that are configured in Settings → Panel addresses.
  4. SSL-certificate — specify your SSL certificate.
  5. SSL-certificate key — specify the key of your SSL certificate.
  6. SSL-certificate chain — specify the SSL certificate chain to be added to the certificate file.

Configuring a certificate for multiple ports

Let's Encrypt only issues a certificate per domain, not per port. If you need to specify a separate domain for each port, you can use separate certificates for that.

To assign a certificate to multiple ports:

  1. Add sections for the required ports to the configuration file /opt/ispsystem/dnsmanager6/etc/ihttpd.conf:

    listen {
            ip <address>
            redirect
            sni {
                    domain_cert etc/manager.crt
                    domain_key etc/manager.key
                    domains dns.example.com
            }
    }
    
    listen {
            ip <address>
            port 443
            redirect
    
            sni {
                    domain_cert etc/manager.crt
                    domain_key etc/manager.key
                    domains dns.example.com
            }        
    }
  2. Restart ihttpd:

    systemctl restart ihttpd
  3. Restart DNSmanager:

    /opt/ispsystem/dnsmanager6/sbin/mgrctl -m dnsmgr -R

Deleting the panel address certificate

To delete an SSL certificate, select it in the list and click Delete. The default self-signed certificate will be used for access by IP address.