Virtualmin virtual-server module version 6.04 released

22 posts / 0 new
Last post
#1 Sun, 10/07/2018 - 23:36
Joe
Joe's picture

Virtualmin virtual-server module version 6.04 released

Howdy all,

I've rolled out version Virtualmin virtual-server module 6.04 to all repos.

Changes since 6.03-2:

  • Before a DNS zone is updated, BIND will be told to freeze it and thaw afterwards. This ensures that dynamic updates are preserved.
  • Dovecot and Postfix per-IP SSL certificate setup can now be configured on a per-template basis.
  • Redirects for / created using the UI are automatically adjusted to exclude Let's Encrypt validation paths.
  • Various bugfixes, script updates, typos, and minor UI improvements.

As always, let us know if you run into any problems.

Cheers,

Joe

Tue, 10/09/2018 - 23:07
Joe
Joe's picture

Oh, one more thing that I failed to mention specifically in the initial changes list. It's a "bug fix", but probably has surprising consequences for some users, and might still be quirky since it's complicated logic):

When creating a new VirtualHost entry (when creating a new domain website), the logic to decide whether to use an IP or an * for the host portion of the definition has been inverted to prefer an IP over an *.

For example, in versions prior to 6.04, if Virtualmin found any VirtualHost sections with a host:port of *:80 or *:443 (or whatever *:port), it would use * for all subsequent domains created. Because of the way Apache determines which site to serve, this led to confusing results for a lot of people. Generally, mixing * and IP-based virtual hosts is a bad idea, but there are circumstances where it is warranted...but, because it is confusing and difficult to get right, having Virtualmin prefer * over IPs led to it being a common source of confusion.

So, that logic has been inverted. Now, if you have any IP-based VirtualHost sections, Virtualmin will use IP addresses. If you have all *-based VirtualHost sections, it will use *. If you have none, it will use IP addresses. This is, we believe, more what people expect and will result in less confusion...except for anyone relying on the old behavior (this can't be a large number, since it's such an odd configuration, but if you're one of them and have problems, let me know and we'll try to sort out a way to make it work).

In short: This probably won't affect you, and if it does, it probably is just more intuitive and less prone to confusing errors. If it does affect you negatively, let me know.

This, we hope, will eliminate the longstanding "the wrong site shows up" issue that people occasionally have with Virtualmin; usually after an OS upgrade or after installing a new Apache package that re-adds some default VirtualHost configuration (but, also, sometimes people would follow tutorials on the web and add an *-based "default" website, without understanding what that can do to other domains).

--

Check out the forum guidelines!

Wed, 01/16/2019 - 23:29 (Reply to #2)
aaronroydhouse

It is fine to change this, but it should be a setting that defaults to the old behavior on existing systems, and the new behavior on new installs.

We just experienced this since upgrading to 6.05. When a new virtual server, and it took down all websites on a server because they all went to the one site with the IP address instead of the websites with '*'/Any. I could no way in virtualmin to fix it, but I manually edited the apache config back to a '*' instead of the IP address, and that fixed it. I can't see any system setting to revert this behavior on existing servers, so this is a basically a breaking change that totally trashed our servers until fixed by manual hacks to the config files :-(

Tossing in a breaking change that totally trashes a server is not a good decision IMHO :-(

Wed, 01/16/2019 - 23:38 (Reply to #3)
aaronroydhouse

This "Decide automatically" option "Address format for Apache virtual hosts" is broken. Previous Virtualmin behavior was port 80 sites got '*:80' and SSL sites got 'ip-address:443'. So we only have '*:80' for port 80 sites, yet 'Decide automatically' opted to 'decide' to start using 'ip-address:80' which buggered the whole server.

It doesn't seem like we can opt for 'Always use *' or 'Always use IP' because previous Virtualmin behavior used both. So it seems 6.05 is basically incompatible/unsafe with all our servers? :-(

I see how this change aims to be an improvement, but the lack of upgrade testing seems to have made it a menace wherever it gets installed.

Thu, 02/21/2019 - 00:33 (Reply to #4)
silversword411

aaronroydhouse explained the problem perfectly. If you're just using 80 the old defaults where '*:80'. If you did anything with SSL the defaults were 'IP:443'. Virtualmin has been creating the situation that you are now saying shouldn't happen.

Virtualmin changed the rules of the road, and now just creating a new Virtual Server breaks all other Virtual server apache results. The upgrade script should have auto-fixed the inconsistency since it was going to create a server-breakage after the fact. I'm sure hundreds if not thousands are affected, they just won't find out about it till they try to create a new virtual server...and finding this explanation of why it's happening took me 15mins down 4 other rabbit holes to find.

Call me obtuse, but for the life of me I can't find where using the virtualmin http admin where I can globally change all the settings for all the sites (80 and 443) to either * or ip as you suggest.

Logging into the server (debian) and running grep -i '<virtualhost' /etc/apache2/sites-enabled/*.conf Shows me I have the mismatch.

Virtualmin | select virtual server | Server Configuration | Change IP address makes no changes

Virtualmin | select virtual server | Address and Networking | Change IP address makes no changes to any sites

Can someone write how you're supposed to change all sites to either one or the other using the Virtualmin/Webmin http interface?

PS: you're inconsistent under System Information | IP Address Allocation it says all virtual server have 'ip' when in fact they don't and are mixed * and ip. I'm sure there's other places that are also inconsistent in regards to this. :(

Thu, 10/18/2018 - 04:32
monsieurQ

I completely understand the reasoning here but for what it's worth this update caused havoc for us as outlined here: https://www.virtualmin.com/node/59148

Thu, 10/18/2018 - 08:36
dimitrist

this update, messed up apache, ssl and ips. some virtual hosts lost ssl configuration completely and ipv6 address is missing in most hosts also. (all these were working fine this morning). apache confs are also a mess, need to manually update each one seperately.. :(

Thu, 10/18/2018 - 14:11 (Reply to #7)
Joe
Joe's picture

That's a new one. I'm guessing related to the change in how * VirtualHosts are handled. Can you file a ticket about what happened, with an example of one of the affected VirtualHost sections from your apache config? (What it looked like before and what it looked like after would be super helpful.)

--

Check out the forum guidelines!

Thu, 10/18/2018 - 10:53
regodon

Could you please elaborate on "Dovecot and Postfix per-IP SSL certificate setup can now be configured on a per-template basis." ? I installed Virtualmin on Ubuntu 18.04 and created a virtual server with dedicated IP address, and the master.cf file is missing the "{IP}:smtp" and "{IP}:submission" lines for the dedicated IP address. So Postfix isn't listening on that IP address.

Also, in Virtualmin Configuration -> SSL Settings there aren't present the options "Copy per-IP SSL certificates to Postfix" and Dovecot. Anyway, Dovecot is configured right. The problem happens with Postfix only.

Thu, 10/18/2018 - 14:10 (Reply to #9)
Joe
Joe's picture

"Could you please elaborate on "Dovecot and Postfix per-IP SSL certificate setup can now be configured on a per-template basis." ? I installed Virtualmin on Ubuntu 18.04 and created a virtual server with dedicated IP address, and the master.cf file is missing the "{IP}:smtp" and "{IP}:submission" lines for the dedicated IP address. So Postfix isn't listening on that IP address."

That's unrelated to this change, and won't affect you if you aren't using separate IP addresses for each domain.

That's an installer issue, I suspect, but there shouldn't be a specific IP in the default master configuration..it should just be "smtp" and "submission". I'm not sure why they wouldn't have been generated, though...it's a new issue I haven't seen reported before (so maybe it is somehow related, but it seems like a stretch, since it's not using Virtualmin code to create that configuration...the installer uses the Postfix module directly for that configuration.

That said, Ubuntu 18.04 is still pretty beta (since we've been waiting on the netplan support in Webmin to get more fully fleshed out). It works mostly, but there are still issues I haven't found or fixed. I'll add this one to my list of things to look for when doing test installs, to see if I can reproduce it.

--

Check out the forum guidelines!

Thu, 10/18/2018 - 14:49 (Reply to #10)
regodon

I am using separate IP addresses for each domain. master.cf does contain entries for the default IP address, that's not an issue. When I create a new virtual server with dedicated IP address, usually 3 lines should be added to the master file: smtp-xxxxxx (server dependent transport mapping), {IP}:smtp and {IP}:submission. Only the first line is being created. The other two lines aren't there.

I disabled netplan and installed ifupdown before installing virtualmin, I don't know if it matters.

Where in the source code should I search in order to do some debug? I tried but I found it too complex...

Sun, 10/21/2018 - 14:23
fuerst

May be it is a good idea to change all *:80 to IP:80. I had some redirects in existing VirtualHost's (using *:80) redirecting to a newly created Virtual Server (using IP:80now) instead of their configured destination.

Fri, 11/09/2018 - 03:02
christophe117

it's a big problem for me all my Virtualhost are setup for with *: 80 how can I do? without cutting all my existing sites !!

Mon, 11/12/2018 - 03:21 (Reply to #13)
Joe
Joe's picture

I don't know what you're asking. How is that a problem? If you only use *:80, nothing changes. Virtualmin will continue to use *:80.

If you have them mixed, then you may need to change a configuration option (but we don't recommend using a mix of IP and *, because the way Apache figures out what to display when they are mixed is very confusing and can lead to surprising results when new virtual hosts are added to the configuration).

If you want to force Virtualmin to use a format other than the one it auto-detects (which is explained above), then you can configure it in Virtualmin Configuration->Defaults for New Domains->Address format for Apache virtual hosts.

You can change your Apache configuration at any time to use *:80 or IP:80; Virtualmin will not complain about the change...it'll recognize it and continue to work with the domains. Just make sure you get them all (meaning you have to change *:443 and any other port combos, as well...a VirtualHost is a VirtualHost is a VirtualHost...if you have any mixing and matching you'll likely have surprising behavior somewhere), if you're switching from one to the other, otherwise things will behave confusingly. But, again: If you currently only have *, you don't need to change. Virtualmin will keep using *. Only people who already have a mixed configuration will see any difference at all in how Virtualmin behaves (and may need to adjust something).

--

Check out the forum guidelines!

Wed, 01/16/2019 - 23:49 (Reply to #14)
aaronroydhouse

Previously Virtualmin used to do this when you created a website and SSL website. It mixed both approaches, but not on the same port. This new more consistent approach is fine, but none of the options 'Always using *', 'Always use IP', or 'Decide automatically' is compatible with the old behavior.

<VirtualHost *:80>
</VirtualHost>
<VirtualHost 172.31.0.123:443>
</VirtualHost>
Tue, 11/27/2018 - 06:07
sandstonealan

Exactly the same for us. We have always just accepted VirtualMin's defaults in creating new sites. This led to all http sites being * and all https sites being the IP address. Created a new site after the update and suddenly all visits to http sites get a 403 thrown at them except the new site, which was then receiving all http traffic on our server ip address. It had the IP for both http and ssl, though the original sites didn't change of course. Added another new site before fixing it and that just made it worse having 2 http sites with the ip address there. Changed both http back to * and all is good with the world again. At the very least, it would be helpful to have the option within VirtualMin of choosing * or IP address for any given site / protocol combination. Having to track down the files from the com,mand line and edit them there just takes longer than is ideal.

Wed, 01/16/2019 - 23:42 (Reply to #16)
aaronroydhouse

This is the same disaster we experienced.

Sat, 03/02/2019 - 00:44
silversword411

Can someone walk thru how to fix this issue with the Virtualmin http login?

None of the Change IP address functions in Virtualmin changes anything/fixes this problem.

Sat, 03/02/2019 - 01:36 (Reply to #18)
silversword411

Tried all sites as *:80 using apache global config editor. #FAIL

Tried all sites as IP:80 using apache global config editor. #FAIL

Having some websites with SSL, SSL cert loads cert for another URL causing error #FAIL

I think this is interacting with Virtualmin | System Settings | Virtualmin Configuration | SSL | require SSL.

I've deleted all ssl enabled websites because it kept loading the wrong SSL cert for the website. #FAIL

Now going to the http url redirects to the https url, but gives a ERR_SSL_PROTOCOL_ERROR #FAIL

Can we say global f-up.

No combination of settings will enable websites in apache to load using Virtualmin configuration. #Frustrating

Sat, 03/02/2019 - 01:41
Sun, 10/13/2019 - 10:32
DanielStonek

I moved some virtual servers from Centos 6 / Apache 2.2 to another server Centos 7 / Apache 2.4 All last version of Virtualmin Some of them have SSL enabled, some do not. In Apache 2.2 all VH were IP:80 and IP:443 and that never has been an issue. In new server first installed VHs have SSL enabled: no issues. Problems came when created the first Virtual Host without SSL. Some time has happened, I don't recall exactly but it was something like redirections to the 'first' VS, wrong certifcates. The only solution I found was to switch all from IP to *. I have to do it manually each time I create a new VH, I didn't find how to set default *:port# at templates Is that possible?