Webmin is one of the popular web-based system administration interfaces for Unix. We can manage the system services using the appropriate Webmin modules. The popular and official modules available for Webmin include cron, bind8, apache, mysql, dovecot, postfix, postgrey, fail2ban, and syslog. We can install these modules based on the actual needs and manage the associated services from Webmin itself without using the shell. Webmin makes it easy to administer the system using the graphical interface. The most recent version of Webmin while writing this tutorial is 1.941. We will install the same as part of this tutorial.
This tutorial provides the steps required to install Webmin on the popular Linux distribution Ubuntu. It provides all the steps required to install and use Webmin on Ubuntu 20.04 LTS. The steps should be similar for other Linux systems and Ubuntu versions.
Prerequisites
Ubuntu Server - This tutorial assumes that you have already installed Ubuntu 20.04 LTS desktop or server version either for local or production usage. You can follow Install Ubuntu 20.04 LTS Desktop, Install Ubuntu 20.04 LTS On Windows Using VMware, and Spin Up Ubuntu 20.04 LTS Server On Amazon EC2 to install Ubuntu 20.04 LTS. It also assumes that you have either root privileges or a regular user with sudo privileges.
Firewall - Make sure that the port 10000 is open. Webmin runs on port 10000 by default. You may use a different port to further tighten the Webmin security.
Download & Install Webmin - Debian Package
This section provides the steps to download the Debian package of Webmin and install it on Ubuntu 20.04 LTS. In this way, we can install Webmin without using the PPA repository. We can download the Debian package distributed by Webmin as shown below.
# Download Webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.941_all.deb
Install the packages required by Webmin as shown below.
# Install dependent packages
sudo apt-get install libauthen-pam-perl libio-pty-perl apt-show-versions python libapt-pkg-perl python2 python2-minimal python2.7 libpython2-stdlib python2.7-minimal libpython2.7-stdlib libpython2.7-minimal
Now install Webmin using the Debian package downloaded by us in the previous step as shown below.
# Install Webmin
sudo dpkg --install webmin_1.941_all.deb
# Output
----
----
Preparing to unpack webmin_1.941_all.deb ...
Unpacking webmin (1.941) over (1.941) ...
Setting up webmin (1.941) ...
Webmin install complete. You can now login to https://hostname:10000/ as root with your root password, or as any user who can use sudo to run commands as root.
Processing triggers for mime-support (3.64ubuntu1) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for desktop-file-utils (0.24-1ubuntu2) ...
Processing triggers for systemd (245.4-4ubuntu3) ...
It shows the URL to access Webmin - https://hostname:10000. We can also access the Webmin using the IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with 127.0.0.1 on localhost and your actual IP on the remote server. It will show the security risk warning as shown in Fig 1.
Accept the risk and continue to access Webmin as shown in Fig 2.
It will show the login screen as shown in Fig 3.
Install Webmin - Official Repository
We can also install Webmin using the official repository on both Debian and non-Debian based systems. We can install Webmin using the Webmin APT repository on Ubuntu as shown below. I have used the nano editor for demonstration purposes. You can use any editor of your choice.
# Add repository
sudo nano /etc/apt/sources.list
# Add these lines at last
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
# Save and exit the editor
Save the file using the Nano text editor by pressing CTRL + o, then press Enter to write the file. Press CTRL + x to close the editor.
Now install the GPG key as shown below. We need the GPG key to trust the repository.
# Navigate to your preferred directory
cd ~
# Download the GPG Key
sudo wget http://www.webmin.com/jcameron-key.asc
# Output
----
----
jcameron-key.asc 100%[========================================================>] 1.29K --.-KB/s in 0s
2020-06-09 11:17:51 (199 MB/s) - ‘jcameron-key.asc’ saved [1320/1320]
# Add the Key
sudo apt-key add jcameron-key.asc
# Output
OK
Now we can install the most recent version of Webmin as shown below.
# Refresh the packages index
sudo apt-get update
# Install Webmin
sudo apt-get install webmin -y
# Output
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl libpython2-stdlib libpython2.7-minimal libpython2.7-stdlib perl-openssl-defaults python-is-python2 python2 python2-minimal python2.7 python2.7-minimal unzip
Suggested packages:
  python2-doc python-tk python2.7-doc binutils binfmt-support zip
The following NEW packages will be installed:
  apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl libpython2-stdlib libpython2.7-minimal libpython2.7-stdlib perl-openssl-defaults python-is-python2 python2 python2-minimal python2.7 python2.7-minimal unzip webmin
---
---
Setting up webmin (1.941) ...
Webmin install complete. You can now login to https://hostname:10000/ as root with your root password, or as any user who can use sudo to run commands as root.
Processing triggers for systemd (245.4-4ubuntu3.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for mime-support (3.64ubuntu1) ...
Similar to the previous section, we can access Webmin using the hostname - https://hostname:10000 or the IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with your actual IP. It will show the security risk warning as shown in Fig 1. Accept the risk and continue to access Webmin as shown in Fig 2. It will show the login screen as shown in Fig 3.
Secure Webmin
Now log in to Webmin using your root or sudo user credentials. You can also change the root credentials for Webmin using the command as shown below.
# Change Webmin password
sudo /usr/share/webmin/changepass.pl /etc/webmin <username> <password>
# Example
sudo /usr/share/webmin/changepass.pl /etc/webmin root strongpassword
# Restart Webmin
sudo service webmin restart
# OR
sudo systemctl restart webmin
The above-mentioned commands will change the root user password for Webmin. Now log in to your Webmin. It will show the dashboard as shown in Fig 4.
Now click on Webmin -> Webmin Configuration -> SSL Encryption and force SSL redirect as shown in Fig 5.
Install Self-Signed SSL Certificate
In this section, we will install a self-signed certificate and configure Webmin to use the same. It can be done as shown below.
# Navigate to your preferred directory
cd ~
# Create directory to store certs
sudo mkdir -p /etc/secure/certs
# Work inside the certs directory, since keyfile will later point to /etc/secure/certs/server.pem
cd /etc/secure/certs
# Install self-signed SSL certificate
sudo openssl req -newkey rsa:4096 -days 1826 -nodes -x509 -keyout server.key -out server.crt
# Additional Details - It will ask
Generating a RSA private key
........................++++
..................................................++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<Country Code>
State or Province Name (full name) [Some-State]:<State>
Locality Name (eg, city) []:<City>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<Org Name>
Organizational Unit Name (eg, section) []:<Org Unit Name>
Common Name (e.g. server FQDN or YOUR name) []:<FQDN>
Email Address []:<Email>
This installs the self-signed SSL certificate at the current directory. Now we also need to generate the PEM file for Webmin and secure this certificate as shown below.
# Generate PEM (written with a redirect so the private key is not echoed to the terminal)
sudo bash -c 'cat server.crt server.key > server.pem'
sudo chmod 600 server.pem server.key server.crt
sudo chown root:bin server.pem server.key server.crt
ls -l server.*
# File permissions
-rw------- 1 root bin 2155 Jun 9 13:19 server.crt
-rw------- 1 root bin 3276 Jun 9 13:18 server.key
-rw------- 1 root bin 5431 Jun 9 13:20 server.pem
Now configure the Webmin to use our self-signed SSL certificate and restart it as shown below.
# Configure Webmin
sudo nano /etc/webmin/miniserv.conf
# Default keyfile value
keyfile=/etc/webmin/miniserv.pem
# Update the value of keyfile configuration
keyfile=/etc/secure/certs/server.pem
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
# Check Status
sudo systemctl status webmin
# Output
● webmin.service - LSB: web-based administration interface for Unix systems
   Loaded: loaded (/etc/init.d/webmin; generated)
   Active: active (running) since Tue 2020-06-09 13:22:05 UTC; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 21128 ExecStart=/etc/init.d/webmin start (code=exited, status=0/SUCCESS)
    Tasks: 3 (limit: 4622)
   Memory: 27.9M
   CGroup: /system.slice/webmin.service
           ├─17171 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
           └─21130 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
----
----
If you access Webmin from the Browser, it will use your self-signed certificate. Since we are using a self-signed SSL certificate, it will show the same warning as we saw in Fig 1 on the first-time access.
Configure Let's Encrypt
In this section, we will configure the pre-installed SSL certificate to avoid the browser warning as we saw in the first section of this tutorial. The same browser warning will be displayed for both default and self-signed SSL certificates and we have to add the browser exception to access Webmin. We can use a well-known SSL certificate provider to avoid this issue. The SSL certificates issued by Let's Encrypt are free and recognized by almost all browsers.
This section assumes that you have already installed the SSL certificate from Let's Encrypt either for Apache or Nginx and are able to access your website securely. You can also follow How To Install Let's Encrypt For Apache On Ubuntu to install the SSL certificate provided by Let's Encrypt.
Listed below is a sample script to deploy the Let's Encrypt SSL certificate of an Apache virtual host to Webmin. The steps should be the same for Nginx. I have used the path /etc/secure/certs for demonstration purposes. Make sure to change it based on your preferences.
# Copy the certificate
sudo cp /etc/letsencrypt/live/hostname.com/cert.pem /etc/secure/certs/lecert.pem
# Copy private key
sudo cp /etc/letsencrypt/live/hostname.com/privkey.pem /etc/secure/certs/lekey.pem
# Navigate to certs directory
cd /etc/secure/certs/
# Generate PEM (written with a redirect so the private key is not echoed to the terminal)
sudo bash -c 'cat lecert.pem lekey.pem > leserver.pem'
sudo chmod 600 lecert.pem lekey.pem leserver.pem
sudo chown root:bin lecert.pem lekey.pem leserver.pem
# Check file permissions
ls -l leserver.pem
# File permissions
-rw------- 1 root bin 2147 Oct 4 10:43 leserver.crt
-rw------- 1 root bin 3272 Oct 4 10:43 leserver.key
-rw------- 1 root bin 5419 Oct 4 10:48 leserver.pem
# Clean certificate and key (the copies made above in /etc/secure/certs)
sudo rm /etc/secure/certs/lecert.pem
sudo rm /etc/secure/certs/lekey.pem
You can either run the above commands manually or make a bash script. Also, the script can be added to the renew hook of the SSL certificate.
# Configure Webmin
sudo nano /etc/webmin/miniserv.conf
# Update the value of keyfile configuration
keyfile=/etc/secure/certs/leserver.pem
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
# Check Status
sudo systemctl status webmin
This is how we can use the existing SSL certificate generated by Let's Encrypt for the existing website.
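The renew hook mentioned above could look like the following certbot deploy hook (an added example, not part of the original tutorial). It assumes the hook is saved under /etc/letsencrypt/renewal-hooks/deploy/ and that hostname.com is the placeholder lineage used above; the function names are illustrative.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Webmin's combined PEM.
# certbot sets RENEWED_LINEAGE for deploy hooks; paths below follow this tutorial.
WEBMIN_LINEAGE=/etc/letsencrypt/live/hostname.com   # placeholder host from the tutorial
DEST_PEM=/etc/secure/certs/leserver.pem             # keyfile value in miniserv.conf

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Concatenate cert ($1) and key ($2) into a 0600 temp file next to $3, then
# rename it into place so Webmin never reads a half-written or readable key.
install_pem() {
    tmp=$(umask 077; mktemp "$3.XXXXXX") || return 1
    if cat "$1" "$2" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$3"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Run only for the lineage Webmin uses; other certificates renew untouched.
if [ "${RENEWED_LINEAGE:-}" = "$WEBMIN_LINEAGE" ]; then
    cert="$RENEWED_LINEAGE/cert.pem"
    key="$RENEWED_LINEAGE/privkey.pem"
    if ! key_matches_cert "$cert" "$key"; then
        echo "webmin hook: privkey.pem does not match cert.pem, keeping old PEM" >&2
        exit 1
    fi
    install_pem "$cert" "$key" "$DEST_PEM" || exit 1
    chown root:bin "$DEST_PEM"
    systemctl restart webmin
fi
```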
Webmin - Apache - Reverse Proxy
We can optionally access Webmin on port 80/443 like a regular web app by configuring the web server as a reverse proxy. This avoids opening an additional port for Webmin, i.e. 10000, and maintaining a separate SSL certificate for Webmin. It can be done for the Apache Web Server as shown below. You can also refer to How To Install Apache 2 On Ubuntu 20.04 LTS and Configure Virtual Host On Apache.
# Primary domain
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    ProxyPass / http://localhost:10000/
    ProxyPassReverse / http://localhost:10000/
</VirtualHost>
# OR - Subdomain
<VirtualHost *:80>
    ServerName example.com
    ServerAlias webmin.example.com
    ServerAdmin admin@example.com
    ProxyPass / http://localhost:10000/
    ProxyPassReverse / http://localhost:10000/
</VirtualHost>
# OR - Subdirectory
<VirtualHost *:80>
    ...
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    ...
    ProxyPass /webmin http://localhost:10000/
    ProxyPassReverse /webmin http://localhost:10000/
    # Optional - rewrite cookies set by Webmin (internal value first, public value second)
    ProxyPassReverseCookieDomain localhost example.com
    ProxyPassReverseCookiePath / /webmin/
    ...
    ...
</VirtualHost>
You must enable the proxy_http module of the Apache Web Server as shown below.
# Enable Proxy
sudo a2enmod proxy_http
# Test configuration
sudo apache2ctl configtest
# Reload Apache
sudo systemctl reload apache2
Also, update your virtual host file for port 443 to securely access Webmin. Now reload Apache to apply the changes. You can follow How To Install Let's Encrypt For Apache On Ubuntu.
Webmin Nginx - Reverse Proxy
We can also configure reverse proxy using the Nginx server block to access Webmin on port 80/443 as shown below. You can also refer to How To Install And Configure Nginx on Ubuntu 20.04 LTS.
# Subdirectory
location /webmin/ {
    # proxy_buffering off;
    proxy_pass http://127.0.0.1:10000/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    proxy_redirect http://$host:10000/ http://$host/webmin/;
}
# OR Subdirectory
location /webmin/ {
    # proxy_buffering off;
    proxy_pass http://localhost:10000/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# OR - Primary domain or subdomain
location / {
    # proxy_buffering off;
    proxy_pass http://127.0.0.1:10000/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    proxy_redirect http://$host:10000/ http://$host/;
}
Webmin - Reverse Proxy
Update the Webmin configuration to disable ssl and allow referers. Also, make sure to use the FQDN or the domain name used to access the website. We can configure Webmin for the primary domain and sub-domain as shown below.
# Update config
sudo nano /etc/webmin/config
# Add at last
.....
.....
referers=example.com
# Save and exit the editor
# Update miniserv
sudo nano /etc/webmin/miniserv.conf
# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
We can also configure Webmin for sub-directory as shown below.
# Update config
sudo nano /etc/webmin/config
# Subdirectory configuration - add at last
.....
.....
relative_redir=0
referers=example.com
webprefix=/webmin
webprefixnoredir=1
# Save and exit the editor
# Update miniserv
sudo nano /etc/webmin/miniserv.conf
# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Optional
cookiepath=/webmin
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
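With ssl=0, Webmin itself serves plain HTTP, so the following check (an added example, not Webmin code) flags a miniserv.conf that still listens beyond the loopback interface or whose keyfile is readable by group or others. It relies on miniserv.conf's bind setting, which this tutorial does not otherwise configure, and assumes an unset bind means all addresses; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit miniserv.conf for the two setups described in this tutorial.

# Print the value of setting $2 in file $1 (last occurrence wins),
# tolerating spaces around "=" as in "keyfile = /path".
conf_get() {
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# Print one finding per line; return 0 only when there are none.
audit_miniserv() {
    conf=$1
    rc=0
    ssl=$(conf_get "$conf" ssl)
    bind=$(conf_get "$conf" bind)
    keyfile=$(conf_get "$conf" keyfile)
    if [ "$ssl" = "0" ]; then
        # Reverse-proxy mode: only the local proxy should reach the plain HTTP port.
        case "$bind" in
            127.0.0.1|::1) ;;
            *) echo "ssl=0 but bind='$bind': plaintext Webmin reachable from other hosts"
               rc=1 ;;
        esac
    elif [ -n "$keyfile" ]; then
        if [ ! -f "$keyfile" ]; then
            echo "keyfile $keyfile is missing"
            rc=1
        else
            # Characters 5-10 of the mode string are the group and other bits.
            mode=$(ls -ldL "$keyfile" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "keyfile $keyfile is accessible to group or others"
                rc=1
            fi
        fi
    fi
    return $rc
}

# Stand-alone use: sh audit.sh --audit [/etc/webmin/miniserv.conf]
if [ "${1:-}" = "--audit" ]; then
    audit_miniserv "${2:-/etc/webmin/miniserv.conf}"
fi
```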
Summary
This tutorial provided the steps to install Webmin using the Debian package and also install it using the official Webmin repository. We have also secured the Webmin by enabling strict SSL and installing a self-signed certificate. It also explained how to use an existing SSL certificate and configure it for Webmin. The last two sections explained how to access Webmin from port 80/443 as a regular site using the reverse proxy by updating the virtual host of Apache or server block on Nginx.