Releases: tuxxin/iNetPanel

v1.21 — Public Release

19 Mar 04:15

Public Release

iNetPanel is now open source. This release removes all private repository requirements and prepares the codebase for public access.

Changes

Repository Access

  • Removed GitHub Personal Access Token (PAT) from admin settings, update system, and installer
  • install_LAMP.sh no longer prompts for authentication — clones directly from the public repo
  • Update system (panel_update.php) works without authentication tokens

Bug Fix: Private IP + Cloudflare DNS

  • Creating a server hostname DNS record with a private IP (192.168.x, 10.x, 172.16-31.x) now sets proxied: false — Cloudflare cannot proxy traffic to private addresses
  • Applies to both the installer (Step 5) and admin Settings > General
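
The private-address rule above as an added shell example, not iNetPanel's own code: it classifies an IPv4 string against the three ranges the note lists and forces proxied to false for a private one. The function names and the sample hostname are assumptions; the JSON fields are those of a Cloudflare DNS record.

```shell
# Added example, not iNetPanel code. Function names are hypothetical.

# Print "private", "other" or "invalid" for the IPv4 string in $1.
# Only the ranges named in the release note are treated as private.
# Runs in a subshell so the IFS change does not leak to the caller.
classify_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; exit 0 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || { echo invalid; exit 0; }
    for o in "$@"; do
        # Reject leading zeros (octal ambiguity) and more than 3 digits.
        case $o in 0?*|????*) echo invalid; exit 0 ;; esac
        [ "$o" -le 255 ] || { echo invalid; exit 0; }
    done
    if [ "$1" -eq 10 ] ||
       { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } ||
       { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo private
    else
        echo other
    fi
)

# Build the JSON body for an A record: $1 = hostname, $2 = IPv4,
# $3 = requested proxied value (default true). A private address always
# yields "proxied":false; an invalid address is refused.
# $1 is assumed to be a plain hostname (no JSON escaping is done).
dns_record_json() {
    kind=$(classify_ipv4 "$2")
    case $kind in
        invalid) echo "not an IPv4 address: $2" >&2; return 1 ;;
        private) proxied=false ;;
        *)       proxied=${3:-true} ;;
    esac
    printf '{"type":"A","name":"%s","content":"%s","proxied":%s}\n' \
        "$1" "$2" "$proxied"
}

# Constructed sample inputs.
dns_record_json panel.example.test 192.168.1.50 true
dns_record_json panel.example.test 203.0.113.10 true
```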

Upgrade Notes

  • Existing installations with a github_token setting: the token is harmlessly ignored and can be removed from the database
  • No breaking changes — all existing functionality works as before

Installation

bash <(curl -s https://inetpanel.tuxxin.com/latest)

v1.20.4 — Critical: FPM Pool Recovery

19 Mar 02:48

Critical Fix

Auto-regenerate missing PHP-FPM pools on update

After an update, panel_update.php now checks all domains in the database and regenerates any missing FPM pool configs in /etc/php/{ver}/fpm/pool.d/. This prevents 503 Service Unavailable errors when PHP-FPM reloads and finds an empty pool directory.

If you're seeing 503 errors on all Apache-hosted sites, run the panel update from Settings > Updates — it will automatically detect and recreate missing pool configs, then reload FPM and Apache.

Firewall port range display

Fixed the firewall UI not showing port ranges like 40000-50000/tcp (used by FTP passive mode).

Files Changed

  • scripts/panel_update.php — FPM pool safety check + regeneration after every update
  • api/firewall.php — Port range regex fix
  • TiCore/Version.php — Version bump

v1.20.3 — Hardened update script

19 Mar 02:12

Fix

  • Hardened rsync ownership handling — Added --chown=www-data:www-data directly to the rsync command so files are synced with correct ownership in a single operation. The post-rsync chown is kept as a safety net. This eliminates the 403 error that occurred in v1.20.1 where the executing (old) update script lacked the ownership fix.

No action needed if you're already running v1.20.2. Update normally from Settings > Updates.

v1.20.2 — Critical: Fix 403 after update

19 Mar 02:06

Critical Fix

  • 403 Forbidden after panel update — The rsync in panel_update.php runs as root and overwrites file ownership to root:root. Lighttpd/PHP-FPM runs as www-data and cannot read the files, causing a 403 error on all pages. Fixed by restoring www-data:www-data ownership immediately after rsync.

If you are locked out after updating to v1.20.1, SSH into your server and run:

chown -R www-data:www-data /var/www/inetpanel/

Then update again from the admin panel to get this permanent fix.

v1.20.1 — Patch: Migration Fix & Live Clock

19 Mar 02:02

Fixes

  • Database migrations not running on update — rsync excluded the entire db/ directory including db/migrations/. Now only excludes db/inetpanel.db, db/.installed, and db/.admin_pass. Users updating from v1.20 will now get the stats_history table created automatically, enabling the dashboard resource graph.
  • PMA config patching regex warnings — "Unknown modifier" and "Undefined variable $i" warnings during panel update. Switched regex delimiter from / to #.
  • Admin header live clock — Clock now ticks live every second, matching the client portal.

If you updated to v1.20 and your dashboard graph shows no data, update again from Settings > Updates to apply this fix.

v1.20 — CLI Tools, Portal Redesign & Installer Hardening

19 Mar 01:39

New Features

11 New CLI Commands

  • inetp status — Server health summary (uptime, load, disk, RAM, services, SSL, backups)
  • inetp benchmark — Quick disk I/O, network speed, PHP opcache, MySQL query benchmarks
  • inetp reset_password --username USER — Reset FTP/SSH/MySQL password
  • inetp disk_report — Disk usage breakdown per user with top files/directories
  • inetp audit — Security audit (permissions, PHP versions, open ports, weak passwords, fail2ban)
  • inetp malware_scan --username USER — Scan for PHP backdoors/webshells
  • inetp cleanup — Clear temp files, old logs, orphaned FPM pools, stale sessions
  • inetp rotate_logs — Force logrotate on all user/system logs
  • inetp db_repair — Check and repair all MariaDB tables
  • inetp dns_check --domain DOMAIN — DNS propagation, SSL chain, HTTP response, CF tunnel check
  • inetp speedtest — Server bandwidth test (curl-based, no dependencies)

Dashboard Resource Graph

  • Historical CPU, memory, and network usage with 1h/24h/7d views
  • Background stats collector cron (every minute) populates stats_history table
  • Smooth Chart.js graphs with time-based x-axis labels

Client Portal Redesign

  • Overview: All domains listed in compact table with PHP version, web root, port, disk, status
  • Database: List existing databases, create new with username_ prefix, delete modal with PMA link
  • Multi-PHP: Change PHP version per domain with dropdown
  • Optimize: Image optimization with directory selection and dry-run preview
  • Backups: View and download account backups
  • File Manager: .htaccess editor with directory tree + password protection
  • FTP/SSH and SSH Keys moved to bottom of Overview tab
  • Domain dropdown only in File Manager and Optimize tabs
  • Live clock in header, user icon

Settings Hostname Verification

  • Verify button checks Cloudflare DNS for hostname existence
  • Auto-create A record if hostname is available
  • Server IP detection with private/public IP notice

VSFTPD Passive Mode Fix

  • Configured passive port range (40000–50000) in vsftpd.conf
  • Opened passive ports in firewalld
  • Fixes FTP upload failures on large batch transfers (GitHub issue #8)

Installer Distribution

  • latest file included in repo for web hosting at inetpanel.tuxxin.com/latest

Buy Me a Coffee

  • Support widget in sidebar footer (admin) and portal footer

Bug Fixes

WireGuard

  • Firewall rule ordering — WG rules now added before restrictive DROP rules
  • Peer IP allocation — sequential /32 addresses from WG subnet
  • Config validation — prevents duplicate peers and invalid IPs
  • Peer cleanup on user deletion
  • Uninstall script fixes ListenAddress and port fallback

Installer Hardening

  • Lock file now blocks ALL requests (GET and POST) after installation
  • stats_history table added to install schema (schema_version bumped to 2)
  • MariaDB timezone tables loaded (mysql_tzinfo_to_sql) before setting timezone
  • Timezone config only persisted if runtime SET succeeds
  • event.target → button parameter fix for Cloudflare test button
  • Server IP fallback for DNS record creation
  • Null coalescing for POST values

Other Fixes

  • Settings hostname verify uses public CloudflareAPI methods (was calling private request())
  • Multi-PHP version change uses fastcgi_finish_request() before FPM reload (prevents 500 error)
  • Database listing uses sudo /bin/cat for MySQL root password (www-data can't read directly)
  • Admin PMA sidebar link routes through auto-login

Files Changed (37 files, +4334 / −290)

v1.19 — Client Portal Overhaul & phpMyAdmin Auto-Login

18 Mar 04:49

New Features

Client Portal Overhaul

  • Complete redesign with tabbed dashboard: Overview, Database, FTP / SSH, File Manager, Backups, DNS, and Email
  • SSH Key Management — generate, import, and delete SSH keys directly from the portal
  • .htaccess File Manager — browse directories, edit .htaccess files, and password-protect directories with .htpasswd (supports multiple users)
  • Backups tab — view and download your account backups
  • Database info — explains username_* prefix convention for creating additional databases

phpMyAdmin Auto-Login

  • Token-based signon authentication — one-click login from both admin panel (as root) and client portal (as hosting user)
  • Deploys signon.php and patches PMA config automatically on panel update
  • Fallback login form prevents redirect loops when accessing PMA directly

Cloudflare DDoS & Development Mode

  • Toggle Under Attack Mode and Development Mode per zone from admin DNS page and client portal DNS tab
  • Immediate Cloudflare API calls with status feedback

System Config Backups

  • Automated backups now include system configuration files: Apache, PHP, MariaDB, lighttpd, fail2ban, WireGuard, SSH, cron, vsftpd, and the panel SQLite database
  • Same retention policy as user backups

MySQL Timezone Sync

  • Changing timezone in Settings or during installation now updates MariaDB global timezone and persists to /etc/mysql/mariadb.conf.d/99-timezone.cnf

Settings Deep Links

  • URL hash navigation: /admin/settings#general, #cloudflare, #updates, etc.
  • Hash updates in address bar on tab switch for bookmarking/sharing

Reserved Usernames

  • Banned username list (50+ system names) prevents creating hosting accounts with names like root, admin, www-data, mysql, etc.
  • Auto-generated usernames from domains are prefixed if they collide with reserved names

Bug Fixes

  • Admin PMA sidebar link now routes through /admin/phpmyadmin for auto-login instead of linking directly to port 8443
  • Portal PMA no longer falls back to root for regular user sessions
  • conf.d/pma_secure.php override patched during panel update

Files Changed (16 files, +1520 / -293)

README.md, TiCore/AccountAuth.php, TiCore/CloudflareAPI.php, TiCore/Version.php, api/account.php, api/accounts.php, api/dns.php, api/settings.php, public/index.php, public/install.php, scripts/panel_update.php, scripts/system/backup_accounts.sh, src/account/portal.php, src/dns.php, src/settings.php, themes/default/sidebar.php

v1.18 — SSH Key Fix, UI Improvements

18 Mar 01:46

Bug Fixes

SSH Keys — chown invalid group (Fixes #3)

Hosting users are created with www-data as their primary group, but manage_ssh_keys.sh and fix_permissions.sh used chown user:user which fails because no personal group exists. Changed to chown user:www-data.

SSH Key Delete Button

The delete button in the SSH Keys modal did nothing when clicked. The onclick attribute used double quotes inside a double-quoted HTML attribute, silently breaking the click handler.

Form Autofill on Add Account

Chrome aggressively autofilled the username, domain, and password fields on /admin/add-account with saved login credentials. Fixed with readonly-on-focus trick for text fields and autocomplete="new-password" for password fields.

Files Changed

  • scripts/system/manage_ssh_keys.sh — chown fix
  • scripts/system/fix_permissions.sh — chown fix + corrected comment
  • src/accounts.php — SSH key delete button quote fix
  • src/add_account.php — anti-autofill attributes
  • TiCore/Version.php — version bump to 1.18

v1.17 — Hook Scripts Fixes

15 Mar 00:33

Bug Fixes

Hook Scripts — 3 bugs fixed

  1. PHP comment broke entire page JS — A // comment containing ?> prematurely closed the PHP block (a known PHP gotcha where ?> exits PHP mode even inside single-line comments). The nowdoc template assignment never executed, causing a fatal Undefined constant "SITE_TITLE" error that silently killed the <script> block. No buttons, toggles, or API calls worked.

  2. Windows CRLF line endings broke bash validation — Windows browsers send \r\n in form data. Bash heredoc closing markers like HOMEEOF\r weren't recognized, causing "unexpected end of file" errors on Save/Validate. Fixed by stripping \r in the save, validate, and hook execution paths.

  3. Hook scripts failed silently due to sudo permission: www-data didn't have passwordless sudo for /bin/bash, so hooks logged "a terminal is required to read the password" and failed without any user-visible error. Added a scoped sudoers rule restricted to /bin/bash /tmp/inetp_hook_*.
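
Item 2 above, reproduced as an added example that is not iNetPanel's code: a hook body with CRLF line endings fails a bash -n parse check and passes once \r is stripped. normalize_hook and validate_hook are hypothetical names, and the hook text is a constructed sample.

```shell
# Added example, not iNetPanel code. Function names are hypothetical.

# Strip carriage returns so CRLF form data becomes LF-only shell source.
normalize_hook() {
    printf '%s' "$1" | tr -d '\r'
}

# Parse-check a hook body with `bash -n`; nothing in the hook is executed.
# Returns bash's exit status (0 = parses, non-zero = syntax error).
validate_hook() {
    hook_tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$hook_tmp"
    bash -n "$hook_tmp" 2>/dev/null && hook_rc=0 || hook_rc=$?
    rm -f "$hook_tmp"
    return "$hook_rc"
}

# Constructed sample: a hook as a Windows browser would submit it.
# With CRLF, bash reads "then\r", "HOMEEOF\r" and "fi\r" as ordinary words,
# so the heredoc and the if block never close.
crlf_hook=$(printf 'if true; then\r\n  cat <<HOMEEOF >/dev/null\r\nhello\r\nHOMEEOF\r\nfi\r\n')

if validate_hook "$crlf_hook"; then
    echo "raw CRLF hook: ok"
else
    echo "raw CRLF hook: syntax error"
fi

if validate_hook "$(normalize_hook "$crlf_hook")"; then
    echo "normalized hook: ok"
else
    echo "normalized hook: syntax error"
fi
```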

Files Changed

  • src/hook_scripts.php — Fixed PHP comment
  • api/hook_scripts.php — Strip \r in save and validate actions
  • api/accounts.php — Strip \r in executeHook()
  • scripts/panel_update.php — Added sudoers rule for hook execution
  • TiCore/Version.php — Version bump to 1.17

v1.16 — Update Notifications & Hook Scripts Fix

14 Mar 23:04

Changes

Update Notification Improvements

  • Removed duplicate "Update available" banner from sidebar footer — notification now only shows in the header bar
  • Added automatic version check on login so the header notification is immediately current
  • Header notification auto-clears after a manual panel update (no stale cache)

Bug Fix

  • Fixed Hook Scripts page: All buttons (Save, Validate, TiCore Template) and toggle switches were non-functional. The TiCore template contained <?= ?> PHP tags inside a JavaScript template literal — PHP processed them as code, causing a fatal error that silently broke the entire <script> block. Fixed by using a PHP nowdoc + json_encode to safely embed the template.