VestaCP Multi Cluster Setup

Posted: Tue Dec 17, 2019 4:15 pm
by mehrzadb
Dear people

I have been running a VestaCP on a droplet within Digital Ocean, and I am quite satisfied with VestaCP. However, I am looking into creating a multiserver setup for VestaCP to be able to manage multiple servers and have a dedicated mail server for my clients. Looking into the Parent + Slave/Child scenarios it seems intuitive. However, before I attempt such practices I want to discuss the steps with the community, to ensure that my VestaCP setup does not have long-term issues. And possibly I would like to discuss firewall practices and properly securing my servers.

At the moment by what I understand, I can have multiple instances of VestaCP and control them through one. I have the current idea:

[VESTACP MAIN] ---> [VESTACP MAIL-SERVER]
               ---> [VESTACP SITES-SERVER]
               ---> [VESTACP FUTURE-SITE-SERVER]
               ---> [Separate SQL server]

I was wondering do I need all the components because what I need for this server is to just serve my VestaCP application along with VWI. So my setup would include:

[For the VESTACP MAIN]:
Web: Apache | FTP: vsftpd | Email: none | DNS: named | Firewall: iptables + fail2ban | SOFTACULOUS: yes | Additional Repo: remi | File System Quota: Yes | Database: none

[For VESTACP MAIL-SERVER]:
Web: Apache | FTP: none | Email: exim + dovecot + spamassassin + clamav | DNS: no | Firewall: iptables + fail2ban | SOFTACULOUS: no | Additional Repo: none | File System Quota: Yes | Database: none

[For VESTACP SITE-SERVERs]:
Web: Nginx + Apache | FTP: none | Email: exim + dovecot + spamassassin + clamav | DNS: no | Firewall: iptables + fail2ban | SOFTACULOUS: no | Additional Repo: none | File System Quota: Yes | Database: none

Would it be possible for someone to give me more details in terms of what is possibly the best approach and what should be done in this specific scenario?

In addition, I would like to add additional BruteForce and DDoS attacking using cloudflare.com service. However, I am not sure in terms of how to properly do DNS while I have my own ns1.domain.name, ns2.domain.name.

Finally, what are some of the best-practices to prevent users from accessing their FTP accounts through other URLs, example that I can provide is samplewebsite.com can be used instead of panel.domain.name to access FTP accounts and I would like to create a specific FTP port through URL ftp.domain.name and prevent other domains registered to be able to use FTP protocol over those URLs.

If my questions seem a bit simple, please bear with me, as I am still learning everything that I can in terms of server administration skills. :-D

Many thanks in advance

Re: VestaCP Multi Cluster Setup

Posted: Tue Dec 17, 2019 7:37 pm
by skamasle
Hi

I read a little of your post and don't understand some things.

But I can say about FTP: you can't just access FTP from domain1.com and not from domain2.com if both domains resolve to the same IP,

because FTP just listens on the IP.

You may be able to do it if you have two IPs on the server and configure your FTP server to listen on just one of those IPs, so people can access FTP from domains that point to that IP.

If not, it isn't possible to do it.

Re: VestaCP Multi Cluster Setup

Posted: Sat Dec 21, 2019 5:18 pm
by mehrzadb
So what I want to accomplish is technically dumbed down to this:

[Server 1 firewalls with VestaCP]
| -----> [Server 2 serves files and php]
| -----> [Server 3 serves MariaDB]
| -----> [Server 4 serves Mailserver (RoundCube)]

Meaning that VestaCP handles my user inputs and is responsible to deploy sites on different servers containing DB or files where they communicate internally. And a server that communicates with the VestaCP server for mail delivery. Since VestaCP has its own DNS manager it should be an easy task to do, in theory. But want to know if someone has managed to do this before. I currently looked at DNS clustering (which was not exactly what I was hoping to accomplish). But VestaCP already has methods to provide external MySQL communication from another server. Meaning that I can set up [MariaDB] on a different computer/droplet and connect it internally to Vesta without exposing it via public IP to outside.

I would like to achieve the same thing with other servers.

Re: VestaCP Multi Cluster Setup

Posted: Sun Sep 20, 2020 3:05 am
by nadirnasir
Hi, I am new to server administration and came across your post after months and months of searching how to do almost exactly what you say you want to do. I was wondering if you were able to accomplish your scenario. Right now, I am such a noob that when you say the following.... I can't even figure out how that is possible.
At the moment by what I understand, I can have multiple instances of VestaCP and control them through one. I have the current idea:

[VESTACP MAIN] ---> [VESTACP MAIL-SERVER]
               ---> [VESTACP SITES-SERVER]
               ---> [VESTACP FUTURE-SITE-SERVER]
               ---> [Separate SQL server]
Right now I just have 1 VPS on which I host multiple (very small) websites that I develop myself for my clients. I manage their accounts myself so backups and other stuff is not a problem. I have around 10 users (sites) hosted. The one VPS I have serves and hosts everything for those ten websites-- email, db, website and dns. I've had a couple of scenarios where 'named' dns went down for a couple of hours and all sites went down with it (I also have my own nameservers). I see how I can do DNS clustering with vesta cp, since I have another VPS which can be used for DNS clustering. Then I looked into ways I could do mirroring for the server, so mysql is also probably easily configurable out of the box with vesta cp. BUT what I can't figure out is how I can have one main Vesta CP to control all others. So if I create a user for my client on the main Vesta CP, how can it be done on the other servers as well?

I would appreciate if you can guide me.

Re: VestaCP Multi Cluster Setup

Posted: Sun Jul 18, 2021 3:48 pm
by liamgibbins
Sorry to drag up an old thread but I see people asking about this on Proxmox etc.

The OP wants a server that is the users' endpoint but Vesta to hold webspace etc on server 2 and 3.

This would basically be a rewrite of the panel.

There is an alternative mind you that I have been thinking about running 2 instances of Vesta/hestiacp, people say it can not be done but it can off the same IP.

You need a third vm running a reverse proxy.

In this example I will say vm1 is reverse proxy, vm2 is panel1 and vm3 is panel2.

For locally created VMs (Proxmox-based)
Vm2 is a standard install
Vm3 is a standard install but with nonstandard ports set for 80, 443 etc

Vm1 would get a request for blaah.com and forward the request to the IP of the VM that blaah.com is hosted on.
Now a request comes in for meh.com and vm1 forwards that request to whatever VM that is being hosted on.

Thus 2 instances can run off the same public IP address, for SSH it's best to use dynamic ports and that requires a separate VM that you can SSH/sftp to different domains on different local IP addresses.

I say local VM because I do this in my home lab but you could send requests to any VM hosted wherever on the default ports through a reverse proxy.

To automatically update the reverse proxy you have to code some changes and create a file and SSH into the proxy and copy it to it and restart the proxy service so you don't have to manually update every time a new domain is created.

Oh and you can SSH dynamic port/tunnel (can be setup) on the reverse proxy machine.
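
The hostname-based forwarding and the automatic proxy update described in the last post, as an added example that is not part of the thread and not VestaCP or HestiaCP code: it renders the file that would be copied to vm1, and validates every domain first, because names created by panel users would otherwise be pasted straight into the proxy's configuration. The use of nginx as the reverse proxy, the backend addresses, the function names and the port-80-only blocks are assumptions.

```python
import ipaddress
import re

# Constructed sample data: the post's two domains mapped to assumed private
# addresses (vm2 on standard ports, vm3 on non-standard ports).
SAMPLE_BACKENDS = {"blaah.com": "10.0.0.2:80", "meh.com": "10.0.0.3:8080"}

# Hostname labels only: letters, digits, hyphens. Spaces, ';', braces and
# newlines never match, so a name cannot break out of its server block.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z"
)

def check_domain(name):
    name = name.strip().lower()
    if not DOMAIN_RE.match(name):
        raise ValueError(f"refusing unsafe domain name: {name!r}")
    return name

def check_backend(addr):
    host, _, port = addr.rpartition(":")
    ipaddress.IPv4Address(host)  # ValueError unless a literal IPv4 address
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"bad backend port in {addr!r}")
    return f"{host}:{port}"

def render_proxy_conf(backends):
    """Return nginx server blocks routing each domain to its panel VM."""
    blocks = [
        "# Requests for unknown hostnames are closed, not sent to a panel.\n"
        "server {\n    listen 80 default_server;\n    return 444;\n}\n"
    ]
    for domain, addr in sorted(backends.items()):
        name, backend = check_domain(domain), check_backend(addr)
        blocks.append(
            f"server {{\n    listen 80;\n    server_name {name};\n"
            f"    location / {{\n        proxy_pass http://{backend};\n"
            f"        proxy_set_header Host $host;\n    }}\n}}\n"
        )
    return "\n".join(blocks)

if __name__ == "__main__":
    print(render_proxy_conf(SAMPLE_BACKENDS))
```

After copying the rendered file to the proxy, run `nginx -t` before restarting the service so a bad render never replaces a working configuration.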