How To Install And Secure Webmin On Ubuntu 18.04 LTS With SSL

By bhagwatchouhan
How To Install And Secure Webmin On Ubuntu 18.04 LTS With SSL

Webmin is one of the popular web-based system administration interfaces for Unix. We can manage the system services using the appropriate Webmin modules. The popular and official modules available for Webmin includes cron, bind8, apache, mysql, dovecot, postfix, postgrey, fail2ban, and syslog. We can install these modules based on the actual needs and manage the associated services from the Webmin itself without using the shell. Webmin makes it easy to administer the system using the graphical interface. The most recent version of Webmin while writing this tutorial is 1.930. We will install the same as part of this tutorial.

This tutorial provides the steps required to install Webmin on the popular Linux distribution Ubuntu. It provides all the steps required to install and use Webmin on Ubuntu 18.04 LTS. The steps should be similar for other Linux systems and Ubuntu versions.

Updates: The newer version of this tutorial is available at How To Install And Secure Webmin On Ubuntu 20.04 LTS With SSL.

 

Prerequisites

Ubuntu Server - You have root access or permissions to use sudo on the Ubuntu Server to continue with this tutorial.

Firewall - Make sure that the port 10000 is open. Webmin runs on port 10000 by default.

 

Download & Install - Debian

We can download the Debian package distributed by Webmin as shown below.

# Download Webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.930_all.deb

Install the packages required by Webmin as shown below.

# Install dependent packages
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

Now install Webmin using the Debian package downloaded by us in the previous step as shown below.

# Install Webmin
sudo dpkg --install webmin_1.930_all.deb
# Output
----
---- Setting up webmin (1.930) ... Webmin install complete. You can now login to https://hostname:10000/ as root with your root password, or as any user who can use sudo to run commands as root.
Processing triggers for mime-support (3.60ubuntu1) ... Processing triggers for man-db (2.8.3-2ubuntu0.1) ... Processing triggers for systemd (237-3ubuntu10.29) ... Processing triggers for ureadahead (0.100.0-21) ...

It shows the URL to access Webmin - https://hostname:10000. We can also access the Webmin using the IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with 127.0.0.1 on localhost and your actual IP on the remote server. It will show the security risk warning as shown in Fig 1.

Webmin Security Warning

Fig 1

Accept the risk and continue to access Webmin. It will show the login screen as shown in Fig 2.

Webmin Login

Fig 2

 

Install - Repository

We can also install Webmin using the official repository on both Debian and non-Debian based systems. We can install Webmin using the Webmin APT repository on Ubuntu as shown below. I have used the nano editor for demonstration purposes. You can use any editor of your choice.

# Add repository
sudo nano /etc/apt/sources.list
# Add these lines at last deb http://download.webmin.com/download/repository sarge contrib deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
# Save and exit the editor

Save the file using the Nano text editor by pressing CTRL + O, then press Enter to write the file. Press CTRL + X to close the editor.

Install the GPG key as shown below. We need the GPG key to trust the repository.

# Navigate to your preferred directory
cd ~
# Download the GPG Key wget http://www.webmin.com/jcameron-key.asc
# Add the Key apt-key add jcameron-key.asc
# Output OK

Now we can install the most recent version of Webmin as shown below.

# Refresh the packages index
sudo apt-get update
# Install Webmin >sudo apt-get install webmin -y

Similar to the previous section, we can access the webmin using the hostname - https://hostname:10000 OR IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with your actual IP. It will show the security risk warning as shown in Fig 1. Accept the risk and continue to access Webmin as shown in Fig 2. It will show the login screen as shown in Fig 3.

 

Secure Webmin

Now login to Webmin using your root or sudo user credentials. You can also change the root credentials for Webmin using the command as shown below.

# Change Webmin password
sudo /usr/share/webmin/changepass.pl /etc/webmin <username> <password>
# Example sudo /usr/share/webmin/changepass.pl /etc/webmin root pass123

The above command will change the root user password for Webmin. Now login to your Webmin. It will show the dashboard as shown in Fig 3.

Webmin Dashboard

Fig 3

Now click on Webmin -> Webmin Configuration -> SSL Encryption and force SSL redirect as shown in Fig 4.

Webmin Force SSL

Fig 4

 

Install Self-Signed SSL Certificate

In this section, we will install a self-signed certificate and configure Webmin to use the same. It can be done as shown below.

# Navigate to your preferred directory
cd ~
# Create directory to store certs sudo mkdir -p /mydata/secure/certs
# Install self-signed SSL certificate sudo openssl req -newkey rsa:4096 -days 1826 -nodes -x509 -keyout server.key -out server.crt
# Additional Details - It will ask Generating a RSA private key ..................++++ ........................................................................................................................++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----
Country Name (2 letter code) [AU]:<Country Code> State or Province Name (full name) [Some-State]:<State> Locality Name (eg, city) []:<City> Organization Name (eg, company) [Internet Widgits Pty Ltd]:<Org Name> Organizational Unit Name (eg, section) []:<Org Unit Name> Common Name (e.g. server FQDN or YOUR name) []:<FQDN> Email Address []:<Email>

This installs the self-signed SSL certificate at the current directory. Now we also need to generate the PEM file for Webmin and secure this certificate as shown below.

# Generate PEM
sudo bash -c 'cat server.crt server.key | tee server.pem'
sudo chmod 600 server.pem server.key server.crt
sudo chown root:bin server.pem server.key server.crt
ls -l server.*
# File permissions -rw------- 1 root bin 2147 Oct 4 10:43 server.crt -rw------- 1 root bin 3272 Oct 4 10:43 server.key -rw------- 1 root bin 5419 Oct 4 10:48 server.pem

Now configure the Webmin to use our self-signed SSL certificate and restart it as shown below.

# Configure Webmin
sudo nano /etc/webmin/miniserv.conf
# Default keyfile value keyfile=/etc/webmin/miniserv.pem
# Update the value of keyfile configuration keyfile = /mydata/secure/certs/server.pem
# Save and exit the editor
# Restart Webmin sudo systemctl restart webmin
# Check Status sudo systemctl status webmin

If you access Webmin from the Browser, it will use your self-signed certificate. It will show the same warning as we saw in Fig 1 for first-time access.

 

Configure Let's Encrypt

In this section, we will configure the pre-installed SSL certificate to avoid the browser warning as we saw in the first section of this tutorial. The same browser warning will be displayed for both default and self-signed SSL certificates and we have to add the browser exception to access Webmin. We can use the well-known SSL certificate provider to avoid this issue. The SSL certificates issued by Let's Encrypt are free and recognized by almost all the browsers.

This section assumes that you have already installed the SSL certificate from Let's Encrypt either for Apache or Nginx and able to access your website securely. You can also follow How To Install Let's Encrypt For Apache On Ubuntu to install the SSL certificate provided by Let's Encrypt.

Below listed is a sample script to deploy the Let's Encrypt SSL certificate of Apache virtual host to Webmin. The steps should be the same for Nginx. I have used the path /data for the demonstration. Make sure to change it based on your preferences.

# Copy the certificate
sudo cp /etc/letsencrypt/live/example.com/cert.pem /mydata/secure/certs/lecert.pem
# Copy private key sudo cp /etc/letsencrypt/live/example.com/privkey.pem /mydata/secure/certs/lekey.pem
# Navigate to certs directory cd /mydata/secure/certs/
# Generate PEM sudo bash -c 'cat lecert.pem lekey.pem | tee leserver.pem' sudo chmod 600 lecert.pem lekey.pem leserver.pem sudo chown root:bin lecert.pem lekey.pem leserver.pem
# Check file permissions ls -l leserver.pem
# File permissions -rw------- 1 root bin 2147 Oct 4 10:43 leserver.crt -rw------- 1 root bin 3272 Oct 4 10:43 leserver.key -rw------- 1 root bin 5419 Oct 4 10:48 leserver.pem
// Restart Webmin sudo service webmin restart
// Clean certificate and key
sudo rm /mydata/secure/certs/lecert.pem
sudo rm /mydata/secure/certs/lekey.pem

You can either run the above commands manually or make a bash script. Also, the script can be added to the renew hook of the SSL certificate.

// Configure Webmin
sudo nano /etc/webmin/miniserv.conf
# Update the value of keyfile configuration keyfile = /mydata/secure/certs/leserver.pem
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
# Check Status
sudo systemctl status webmin

This is how we can use the existing SSL certificate generated by Let's Encrypt for the existing website.

 

Webmin - Apache - Reverse Proxy

We can optionally access the Webmin by configuring reverse proxy on port 80/443 as a regular web app by configuring the webserver. This will avoid opening an additional port for Webmin i.e. 10000 and maintaining SSL certificate for Webmin. It can be done for the Apache Web Server as shown below. You can also refer to How To Install Apache 2 On Ubuntu 18.04 LTS and Configure Virtual Host On Apache.

# Primary domain
<VirtualHost *:80>
	ServerName example.com
	ServerAlias www.example.com
	ServerAdmin admin@example.com
	ProxyPass / http://localhost:10000/
	ProxyPassReverse / http://localhost:10000/
</VirtualHost>
# OR - Subdomain <VirtualHost *:80> ServerName example.com ServerAlias webmin.example.com ServerAdmin admin@example.com ProxyPass / http://localhost:10000/ ProxyPassReverse / http://localhost:10000/ </VirtualHost>
# OR - Subdirectory
<VirtualHost *:80> ... ServerName example.com ServerAlias www.example.com ServerAdmin admin@example.com ... ProxyPass /webmin http://localhost:10000/ ProxyPassReverse /webmin http://localhost:10000/ # Optional ProxyPassReverseCookieDomain /webmin/ http://localhost:10000/ ProxyPassReverseCookiePath /webmin/ http://localhost:10000/ ... ... </VirtualHost>

You must enable the proxy_http module of the Apache Web Server as shown below.

# Enable Proxy
sudo a2enmod proxy_http
# Test configuration sudo apache2ctl configtest
# Reload Apache sudo systemctl reload apache2

Also, update your virtual host file for port 443 to securely access Webmin. Now reload Apache to apply the changes. You can follow How To Install Let's Encrypt For Apache On Ubuntu.

 

Webmin Nginx - Reverse Proxy

We can also configure reverse proxy using the Nginx server block to access Webmin on port 80/443 as shown below. You can also refer to How To Install And Configure Nginx on Ubuntu 18.04 LTS.

# Subdirectory
location /webmin/ {
	# proxy_buffering off;
	proxy_pass http://127.0.0.1:10000/;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $http_x_forwarded_for;
	proxy_redirect http://$host:10000/ http://$host/webmin/;
}
# OR Subdirectory location /webmin/ { # proxy_buffering off; proxy_pass http://localhost:10000/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }
# OR - Primary domain or subdomain
location / {
# proxy_buffering off;
proxy_pass http://127.0.0.1:10000/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ http://$host/; }

 

Webmin - Reverse Proxy

Update the Webmin configuration to disable ssl and allow referers. Also, make sure to use the FQDN or the domain name used to access the website. We can configure Webmin for the primary domain and subdomain as shown below.

# Update config
sudo nano /etc/webmin/config
# Add at last ..... ..... referers=example.com
# Save and exit the editor
Update miniserv
sudo nano /etc/webmin/miniserv.conf
# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin

We can also configure Webmin for subdirectory as shown below.

# Update config
sudo nano /etc/webmin/config
# Subdirectory configuration - add at last
.....
..... relative_redir=0 referers=example.com webprefix=/webmin webprefixnoredir=1
# Save and exit the editor
Update miniserv
sudo nano /etc/webmin/miniserv.conf
# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Optional cookiepath=/webmin
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin

 

Summary

In this tutorial, we have installed Webmin using the Debian package and also installed it using the official Webmin repository. We have also secured the Webmin by enabling strict SSL and installing a self-signed certificate. I have also explained how to use an existing SSL certificate and configure it for Webmin. The last two sections explained how to access Webmin from port 80/443 as a regular site using the reverse proxy by updating the virtual host of Apache or server block on Nginx.

Share this blog:

Profile picture for user bhagwatchouhan
bhagwatchouhan