Install Debian 9

In this setup I use Debian 9 as the base system to install VestaCP.

Minimal setup

Just install a minimal debian system. There is no need to setup any service. I recommend setting the system up and configure at least the basic things covered below. I ret a server and installed proxmox. So my installation is done on a virtual server on my proxmox host. The virtual server has its own public ip. By that I don’t have to expose anything on my proxmox system.

Note The data of the vestacp users are stored within /home. So keep this in mind when creating the partitions. Separating /home is highly recommended!

When the debian installer asks you to select the tasks for the given system, just select the base system tools and the ssh server.

The installer asks you to create a user. Just create one and don’t waste time in setting it up after the installation. You will delete it as soon as you enabled ssh root login with a key. There are many tutorials out there how to configure your ssh server.

After securing and configuring your ssh service, you can delete the created user and the home directory.

Note: Users created without vestacp can not be created in vestacp as vestacp creates system users and this would be in conflict. There are no virtual users like some other setups provide.

Tools installation

After this I install the tools I usually use to do my tasks. And I also install the certificate of my personal authority to make the server trust my own issued certs.

/usr/bin/apt-get -y -qq install git mc unzip zip htop iotop curl nano ntp
/usr/bin/curl -O https://git.haefelfinger.net/philipp.haefelfinger/linuxsetup/raw/master/ssl/haefelfinger-ca.crt
/bin/mkdir -p /usr/local/share/ca-certificates
/bin/cp ./haefelfinger-ca.crt /usr/local/share/ca-certificates/haefelfinger-ca.crt
/usr/sbin/update-ca-certificates

Network configuration

Next you should make sure that your network configuration is ok and set to the static ip you recieved.

auto ens18
iface ens18 inet static
        address A.B.C.D
        netmask 255.255.255.224
        gateway A.B.C.D
        broadcast A.B.C.D
        network A.B.C.D

After setting up the base system I did create a backup of the vm to be able to start over. If you work with a vm as well, I recommend creating such a backup. The same should be done after finishing installation. But backup is another topic on its own that I’m not going to cover here.

Install VestaCP by script

Now it is time to install the vesta control panel. The link leads to a page that helps you to generate the install script parameters to setup vestacp.

First ssh into your server as root or change user to root so you can install the system. You can use curl to fetch the install script. Please make sure it comes from the right location and check the script.

curl -O http://vestacp.com/pub/vst-install.sh

Next use the generated install script to setup the whole system.

bash vst-install.sh --nginx yes --apache yes --phpfpm no --named yes \
 --remi yes --vsftpd yes --proftpd no --iptables yes --fail2ban yes \
 --quota no --exim yes --dovecot yes --spamassassin yes --clamav yes \
 --softaculous no --mysql yes --postgresql no

This shows you a short summary what is going to be installed. I takes some minutes until the script installed all packages and configured the services. After the installation has finished, it prints the URL and password to log in with your admin user. Before adding a new user we h ave to set up a few things.

Update bind to allow dns zone transfer

The installation sets up a primary dns server. But you need to have at least one secondary server that is allowed to transfer the zone. I use dnsmadeeasy as secondary dns server. To allow a zonetransfer, we have to add a few entries to the bind config. This can be done in vesta.

Navigate to Server and then hit Configure on the line of bind9. The you can add the following two lines to the file named.conf.options. This allows the transfer from the given ip addresses and sends notifications to these servers if the zone chnages.

allow-transfer {A.B.C.D; E.F.G.H;};
also-notify {A.B.C.D; E.F.G.H;};

Make sure the restart checkbox is checked and hit save to apply the changes.

Create apache2 template with additional headers

In addition we create some other apache templates. You should add some headers to help the browsers to protect your site. The following example is quite strict and may not be right for all of your pages. Adjust them to your needs.

cd /usr/local/vesta/data/templates/web/apache2
cp default.tpl defaultheaders.tpl
nano defaultheaders.tpl

Just add the header lines below above the IncludeOptional statement.

    <IfModule headers_module>
        Header always set Referrer-Policy "same-origin"
        Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline';"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>

    IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf*

Do the same for the ssl template.

cp default.stpl defaultheaders.stpl
nano defaultheaders.stpl

Add the headers here as well. You may add additional headers as well.

    <IfModule headers_module>
        Header always set strict-transport-security "max-age=31536000; includeSubDomains"
        Header always set Referrer-Policy "same-origin"
        Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline';"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>

    IncludeOptional %home%/%user%/conf/web/%web_system%.%domain%.conf*

This template is visible as defaultheaders within the hosting packages. You may add as many templates as you like. Just copy one of the existing templates and modify it to your needs.

Update hosting packages

Here I recommend to remove all packages except default to begin with. Configure the default package and set the values you like for your system.

Adminpanel with SSL

Under Server->Configure you may select the vestacp ssl entry. There you are able to paste the certificate and the private key to upload them to the vesta cp. This should be ok, as you already use a self signed certificate that protects the key during transfer. Yea yea, not 100% but should be fine :-)

I would like to enable let’s encrypt for the admin panel as well but I did not find such an option.

Add a user

Now it is time to add a user to your system. Just create a user and assign a package. Define what services should be available. Now you may impersonate to the new user context and make all adjustments for the given user. The cool part is, that a logout brings you back to your admin and this makes it really easy to configure a user.

On the Web menu of the user you want to edit the domain and enable SSL and Let's encrypt support to have updated and valid ssl certs. This works really well out of the box.

Conclusion

VestaCP provides a really nice panel to manage a small ISP style server.

Here is what I really like:

  • Simple and understandable UI
  • Easy setup with customization options
  • Statistics integration out of the box
  • Let’s encrypt support for user domains
  • All the nice tools like roundcube and phpmyadmin included

What I do not like so far

  • FTP has no TLS enabled by default
  • Adminpanel has no Let’s encrypt support. Sure I can write some scripts and do this manually but that would question my idea of a panel, wouldn’t it?
  • No IPv6 support (As far as I know this is part of the next release)

I can go with this solution but I like to look at another panel and check if this fits better for my personal needs.

I’ll be brave and try a linux distro I never used before to boldly go where no… oh, different movie, my bad :-D

Read on how it went with CentOS Web Panel