Install Froxlor on Debian Jessie

I’ve been dealing with this because I wanted to test out Froxlor as a control panel after going through VestaCP and Sentora, so I wanted to share my experience and help out with additional indications, given that the official documentation is outdated and partially incorrect.

So first things first. Install Debian Jessie using the minimal or netinstall version and only enable the SSH server on it. Once you’re in (su to root if not root already), start by adding the Froxlor repo to apt with these commands:

#1 create the froxlor.list file:

touch /etc/apt/sources.list.d/froxlor.list

#2 add the repo to the file:

echo 'deb http://debian.froxlor.org jessie main' > /etc/apt/sources.list.d/froxlor.list

#3 pull and approve the key:

apt-key adv --keyserver pool.sks-keyservers.net --recv-key FD88018B6F2D5390D051343FF6B4A8704F9E9BBC

Now that this is done, before we proceed with installing Froxlor let’s update and upgrade the Debian installation using apt:

apt-get update && apt-get upgrade

Once everything is up to date we can go ahead and install Froxlor using apt:

apt-get install froxlor

Don’t worry about Apache, MySQL and other services, as Froxlor will install all it needs to work. During the installation you will be prompted to set up the root password for MySQL. Always use a strong, randomly generated password and store it somewhere safe, as you will need it later. You will also be prompted about ProFTPD, as the installer needs to know whether it should run standalone or from Inetd. Choose “standalone” there and wait for the installer to finish.

This is as far as the official release notes go with installing Froxlor before indicating that we should continue with the web installer. On Debian Jessie with Apache 2.4, however, this is incorrect, because the Froxlor installer places the /froxlor/ directory in /var/www while the default document root for Apache 2.4 on Debian is /var/www/html. So visiting the URL indicated by the Froxlor docs will result in a 404 error in this case.

There are two ways to resolve this issue. One assumes altering the document root in the Apache config and the other assumes simply moving the directory into the correct location. Since we’re kinda lazy on a Saturday morning we’re going to go the easy way so after Froxlor is installed just run the following command:

mv /var/www/froxlor /var/www/html/

Now that this is settled, there’s one more issue which once more isn’t covered in the official docs: upon installation all files are owned by root, and in the event of an exploitation, whoever gets write permissions to the /froxlor/ directory will get root level access, and that’s bad, really bad. Therefore, security-wise, we will make sure that everything under /var/www/ is owned by www-data, which is Apache’s user and enough to do reads/writes with unprivileged access, so we will also run the following command:

chown -R www-data:www-data /var/www/
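
One way to confirm the result of the ownership change before opening the web installer. This is an added example, not part of the original post; the function names not_owned_by, world_writable and audit_web_tree are hypothetical helpers, and the check for world-writable entries goes slightly beyond the ownership point made above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web tree after the
# chown step. All function names here are hypothetical helpers.

# Print every entry under DIR ($1) whose owner is not OWNER ($2).
# OWNER may be a user name (www-data) or a numeric uid.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Print every non-symlink entry under DIR ($1) that any local user can write.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Summarise both checks for DIR ($1) and OWNER ($2).
# Prints "wrong_owner=N world_writable=M"; returns 0 only when both are 0,
# 2 when DIR does not exist. Names containing newlines would be over-counted.
audit_web_tree() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    n_owner=$(not_owned_by "$dir" "$owner" | wc -l | tr -d ' ')
    n_ww=$(world_writable "$dir" | wc -l | tr -d ' ')
    echo "wrong_owner=$n_owner world_writable=$n_ww"
    [ "$n_owner" -eq 0 ] && [ "$n_ww" -eq 0 ]
}

# Usage on the server from this guide, run as root:
#   audit_web_tree /var/www www-data
# To list the offending paths instead of counting them:
#   not_owned_by /var/www www-data
```

A result other than wrong_owner=0 means some files were created or moved after the chown and still belong to another user.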

Once this is done we’re ready to install Froxlor further using the web installer so past this point you can go ahead and access your hostname/IP in the browser followed by the /froxlor/ directory path as in the following sample:

http://blackhat.pm/froxlor/

(just don’t go to the link above because it’s dead)

If everything was done right you will be prompted with the following screen:

[Screenshot: web installer start screen]

Click on the “Start Install” link and you will be prompted by a screen that evaluates the pre-requisites needed for the installation:

[Screenshot: pre-requisites check]

NOTE: Your PHP version may differ depending on the time of the install. I replaced PHP5 with PHP7 manually so that’s why I have PHP7 displaying.

If every requirement is satisfied then you can continue to the next screen where you will have to fill in the setup credentials:

[Screenshot: setup credentials form]

Choose your language and leave the MySQL hostname unchanged unless you are using an external database server which accepts connections. Change the database name and username for the unprivileged MySQL account to something else and generate a strong password for it. Under the password for the MySQL root account, fill in the password you set when you installed/configured MySQL. For the administrator account, change the username to something other than admin and generate a strong password for it.

The server name and IP will have multiple values if you have assigned multiple IPs and/or hostnames, otherwise they will remain unchanged. Next choose the webserver of your choice. I’m going for Apache 2.4.

Once the setup is done and if all values that you filled in or selected were correct you will be prompted with the following screen that confirms successful installation.

[Screenshot: installation successful]

After login you can go ahead and enjoy the pretty powerful backend interface of Froxlor:

[Screenshot: Froxlor backend interface]

On the next episode I’ll be teaching you how to set up PHP-FPM on Froxlor and I’ll do my best to compile a guide on securing it as well.