Open Source Projects

⚠️ CRITICAL — please read, and enable automatic backups

This release fixes a system-wide bug that can silently break account creation, domain setup, and SSL on servers that were previously working perfectly. If you run iNetPanel, update and read this.

► Enable automatic backups now
Settings → Backups → enable daily automatic backups, and take a manual backup before updating. The failures in this bug are silent — operations report success while doing nothing — so a known-good backup is your safety net.

The bug — full details
- What: php-fpm's systemd unit ships with , which mounts read-only for every process php-fpm spawns. The panel makes privileged system changes — , Apache vhosts, PHP-FPM pools, entries, Let's Encrypt certs — via root helpers launched by php-fpm, and does not escape php-fpm's mount namespace, so all of those writes fail.
- Symptoms: creating an account fails with or ; adding domains / issuing SSL can fail the same way. Until this release the scripts reported success anyway, leaving "phantom" accounts (a row with no Linux user) that then block re-creating that username.
- Why it appeared out of nowhere: is part of the stock php-fpm unit; a routine PHP package update in the past few months enabled it on servers that were fine before. No panel change was involved — a working system simply stops being able to create accounts. It looks like a storage/permission problem but isn't — it happens identically on ext4 and ZFS.

The fix
A php-fpm drop-in sets (keeps and read-only, allows ). New installs get it from the installer before php-fpm first starts; existing installs get it on update.

⚠️ Applying it on an already-affected server
Most servers need no action — the nightly auto-update (runs as root via cron, outside the sandbox) applies this fix automatically. Just make sure auto-update is enabled under Settings → Updates.

To apply it immediately, or if auto-update is off, run once from a root shell:

The web "Update Now" button cannot apply this particular fix — it runs inside php-fpm's read-only sandbox. After the fix applies, php-fpm stops sandboxing and everything (including "Update Now") works normally again. If a username is stuck as a phantom account, delete its row and re-create it.

---

Also in v1.24.4
- now fails loudly when fails (no more phantom accounts) — this is what finally surfaced the bug above.

Full changelog: https://github.com/tuxxin/iNetPanel/compare/v1.24.3...v1.24.4

iNetPanel v1.24.3

Bug-fix release hardening multi-tenant isolation and fixing per-domain PHP switching.

Fixed
- Cross-vhost content contamination. The Cloudflare→Apache origin hop is now pinned to HTTP/1.1 via a managed (), applied idempotently on update (configtest + safe reload, auto-revert on failure) and by the installer for new installs. This prevents HTTP/2 connection coalescing from ever serving one domain's content (e.g. ) under another. Visitors keep HTTP/2/3 from Cloudflare's edge — only the origin hop changes.
- Port-collision isolation. now allocates each vhost port atomically (flock) and scans real usage (ports file + live vhosts), refusing to co-locate two domains on one port. Backup restore re-derives unique, free ports server-side instead of trusting client-submitted values.
- Per-domain PHP version switch. Switching a domain's PHP version now runs through a root action using the correct pool naming, and validates the domain first.

Upgrade
- Existing installs apply the hardening and fixes automatically on update; new installs include them in the installer.

Full changelog: https://github.com/tuxxin/iNetPanel/compare/v1.24.2...v1.24.3

Bug Fixes
- Installer fails on fresh Debian 12 (closes #15). The installer's helper ran commands in a backgrounded subshell that didn't have in PATH, so failed. Added a global PATH export near the top of and switched /// to absolute paths.
- Unusable MariaDB / phpMyAdmin on fresh install (closes #14). Same root cause as #15: when exited early, the installer skipped the sudoers file, phpMyAdmin storage DB, and panel deploy. Without the sudoers rule couldn't read the MariaDB root password — producing "Access denied for user 'root'@'localhost' (using password: NO)". Fix #15 resolves the cascade.
- Same disk usage shown on every domain for multi-domain users. was summing (the whole home dir) and the user's DB total on every row. Now a new SQLite table tracks per-domain file usage, tracks the per-user DB total, and the Accounts page shows each domain's actual files size plus a single Total: badge per user (files across all their domains + MariaDB total).

Performance
- /admin/accounts load time. With 30+ domains and 100 GB+ data the page hung for seconds while ran live for every user. New populates the SQLite cache every 10 minutes via cron, and fires immediately after add/remove/create/delete via background calls. The API now reads cached rows — O(ms) regardless of dataset size.

Docs / Packaging
- README install command now pre-installs for fresh Debian 12 installs ().
- now also generates alongside — same installer, just with the download URL swapped to the main-branch zipball so beta testers pull the latest code instead of the tagged release zip.