How To Install And Secure Webmin On Ubuntu 18.04 LTS With SSL
It provides all the steps required to install and secure Webmin on Ubuntu 18.04 LTS with an SSL certificate.
Webmin is one of the popular web-based system administration interfaces for Unix. We can manage the system services using the appropriate Webmin modules. The popular and official modules available for Webmin includes
This tutorial provides the steps required to install Webmin on the popular Linux distribution Ubuntu. It provides all the steps required to install and use Webmin on Ubuntu 18.04 LTS. The steps should be similar for other Linux systems and Ubuntu versions.
Updates: The newer version of this tutorial is available at How To Install And Secure Webmin On Ubuntu 20.04 LTS With SSL.
Prerequisites
Ubuntu Server - You have root access or permissions to use
Firewall - Make sure that the port 10000 is open. Webmin runs on port 10000 by default.
Download & Install - Debian
We can download the Debian package distributed by Webmin as shown below.
# Download Webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.930_all.deb
Install the packages required by Webmin as shown below.
# Install dependent packages
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
Now install Webmin using the Debian package downloaded by us in the previous step as shown below.
# Install Webmin
sudo dpkg --install webmin_1.930_all.deb
# Output
----
----
Setting up webmin (1.930) ...
Webmin install complete. You can now login to https://hostname:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for ureadahead (0.100.0-21) ...
It shows the URL to access Webmin - https://hostname:10000. We can also access the Webmin using the IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with 127.0.0.1 on localhost and your actual IP on the remote server. It will show the security risk warning as shown in Fig 1.
Fig 1
Accept the risk and continue to access Webmin. It will show the login screen as shown in Fig 2.
Fig 2
Install - Repository
We can also install Webmin using the official repository on both Debian and non-Debian based systems. We can install Webmin using the Webmin APT repository on Ubuntu as shown below. I have used the nano editor for demonstration purposes. You can use any editor of your choice.
# Add repository
sudo nano /etc/apt/sources.list
# Add these lines at last
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
# Save and exit the editor
Save the file using the Nano text editor by pressing CTRL + O, then press Enter to write the file. Press CTRL + X to close the editor.
Install the GPG key as shown below. We need the GPG key to trust the repository.
# Navigate to your preferred directory
cd ~
# Download the GPG Key
wget http://www.webmin.com/jcameron-key.asc
# Add the Key
apt-key add jcameron-key.asc
# Output
OK
Now we can install the most recent version of Webmin as shown below.
# Refresh the packages index
sudo apt-get update
# Install Webmin
>sudo apt-get install webmin -y
Similar to the previous section, we can access the
Secure Webmin
Now login to Webmin using your root or
# Change Webmin password
sudo /usr/share/webmin/changepass.pl /etc/webmin <username> <password>
# Example
sudo /usr/share/webmin/changepass.pl /etc/webmin root pass123
The above command will change the root user password for Webmin. Now login to your Webmin. It will show the dashboard as shown in Fig 3.
Fig 3
Now click on Webmin -> Webmin Configuration -> SSL Encryption and force SSL redirect as shown in Fig 4.
Fig 4
Install Self-Signed SSL Certificate
In this section, we will install a self-signed certificate and configure Webmin to use the same. It can be done as shown below.
# Navigate to your preferred directory
cd ~
# Create directory to store certs
sudo mkdir -p /mydata/secure/certs
# Install self-signed SSL certificate
sudo openssl req -newkey rsa:4096 -days 1826 -nodes -x509 -keyout server.key -out server.crt
# Additional Details - It will ask
Generating a RSA private key
..................++++
........................................................................................................................++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<Country Code>
State or Province Name (full name) [Some-State]:<State>
Locality Name (eg, city) []:<City>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<Org Name>
Organizational Unit Name (eg, section) []:<Org Unit Name>
Common Name (e.g. server FQDN or YOUR name) []:<FQDN>
Email Address []:<Email>
This installs the self-signed SSL certificate at the current directory. Now we also need to generate the PEM file for Webmin and secure this certificate as shown below.
# Generate PEM
sudo bash -c 'cat server.crt server.key | tee server.pem'
sudo chmod 600 server.pem server.key server.crt
sudo chown root:bin server.pem server.key server.crt
ls -l server.*
# File permissions
-rw------- 1 root bin 2147 Oct 4 10:43 server.crt
-rw------- 1 root bin 3272 Oct 4 10:43 server.key
-rw------- 1 root bin 5419 Oct 4 10:48 server.pem
Now configure the Webmin to use our self-signed SSL certificate and restart it as shown below.
# Configure Webmin
sudo nano /etc/webmin/miniserv.conf
# Default keyfile value
keyfile=/etc/webmin/miniserv.pem
# Update the value of keyfile configuration
keyfile = /mydata/secure/certs/server.pem
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
# Check Status
sudo systemctl status webmin
If you access Webmin from the Browser, it will use your self-signed certificate. It will show the same warning as we saw in Fig 1 for first-time access.
Configure Let's Encrypt
In this section, we will configure the pre-installed SSL certificate to avoid the browser warning as we saw in the first section of this tutorial. The same browser warning will be displayed for both default and self-signed SSL certificates and we have to add the browser exception to access Webmin. We can use the well-known SSL certificate provider to avoid this issue. The SSL certificates issued by Let's Encrypt are free and recognized by almost all the browsers.
This section assumes that you have already installed the SSL certificate from Let's Encrypt either for Apache or Nginx and able to access your website securely. You can also follow How To Install Let's Encrypt For Apache On Ubuntu to install the SSL certificate provided by Let's Encrypt.
Below listed is a sample script to deploy the Let's Encrypt SSL certificate of Apache virtual host to Webmin. The steps should be the same for Nginx. I have used the path /data for the demonstration. Make sure to change it based on your preferences.
# Copy the certificate
sudo cp /etc/letsencrypt/live/example.com/cert.pem /mydata/secure/certs/lecert.pem
# Copy private key
sudo cp /etc/letsencrypt/live/example.com/privkey.pem /mydata/secure/certs/lekey.pem
# Navigate to certs directory
cd /mydata/secure/certs/
# Generate PEM
sudo bash -c 'cat lecert.pem lekey.pem | tee leserver.pem'
sudo chmod 600 lecert.pem lekey.pem leserver.pem
sudo chown root:bin lecert.pem lekey.pem leserver.pem
# Check file permissions
ls -l leserver.pem
# File permissions
-rw------- 1 root bin 2147 Oct 4 10:43 leserver.crt
-rw------- 1 root bin 3272 Oct 4 10:43 leserver.key
-rw------- 1 root bin 5419 Oct 4 10:48 leserver.pem
// Restart Webmin
sudo service webmin restart
// Clean certificate and key
sudo rm /mydata/secure/certs/lecert.pem
sudo rm /mydata/secure/certs/lekey.pem
You can either run the above commands manually or make a bash script. Also, the script can be added to the renew hook of the SSL certificate.
// Configure Webmin
sudo nano /etc/webmin/miniserv.conf
# Update the value of keyfile configuration
keyfile = /mydata/secure/certs/leserver.pem
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
# Check Status
sudo systemctl status webmin
This is how we can use the existing SSL certificate generated by Let's Encrypt for the existing website.
Webmin - Apache - Reverse Proxy
We can optionally access the Webmin by configuring reverse proxy on port 80/443 as a regular web app by configuring the webserver. This will avoid opening an additional port for Webmin i.e. 10000 and maintaining SSL certificate for Webmin. It can be done for the Apache Web Server as shown below. You can also refer to How To Install Apache 2 On Ubuntu 18.04 LTS and Configure Virtual Host On Apache.
# Primary domain
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
</VirtualHost>
# OR - Subdomain
<VirtualHost *:80>
ServerName example.com
ServerAlias webmin.example.com
ServerAdmin admin@example.com
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
</VirtualHost>
# OR - Subdirectory
<VirtualHost *:80>
...
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
...
ProxyPass /webmin http://localhost:10000/
ProxyPassReverse /webmin http://localhost:10000/
# Optional
ProxyPassReverseCookieDomain /webmin/ http://localhost:10000/
ProxyPassReverseCookiePath /webmin/ http://localhost:10000/
...
...
</VirtualHost>
You must enable the proxy_http module of the Apache Web Server as shown below.
# Enable Proxy
sudo a2enmod proxy_http
# Test configuration
sudo apache2ctl configtest
# Reload Apache
sudo systemctl reload apache2
Also, update your virtual host file for port 443 to securely access Webmin. Now reload Apache to apply the changes. You can follow How To Install Let's Encrypt For Apache On Ubuntu.
Webmin Nginx - Reverse Proxy
We can also configure reverse proxy using the Nginx server block to access Webmin on port 80/443 as shown below. You can also refer to How To Install And Configure Nginx on Ubuntu 18.04 LTS.
# Subdirectory
location /webmin/ {
# proxy_buffering off;
proxy_pass http://127.0.0.1:10000/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ http://$host/webmin/;
}
# OR Subdirectory
location /webmin/ {
# proxy_buffering off;
proxy_pass http://localhost:10000/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# OR - Primary domain or subdomain
location / {
# proxy_buffering off;
proxy_pass http://127.0.0.1:10000/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ http://$host/;
}
Webmin - Reverse Proxy
Update the Webmin configuration to disable
# Update config
sudo nano /etc/webmin/config
# Add at last
.....
.....
referers=example.com
# Save and exit the editor
Update miniserv
sudo nano /etc/webmin/miniserv.conf
# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
We can also configure Webmin for subdirectory as shown below.
# Update config
sudo nano /etc/webmin/config
# Subdirectory configuration - add at last
.....
.....
relative_redir=0
referers=example.com
webprefix=/webmin
webprefixnoredir=1
# Save and exit the editor
Update miniserv
sudo nano /etc/webmin/miniserv.conf
# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Optional
cookiepath=/webmin
# Save and exit the editor
# Restart Webmin
sudo systemctl restart webmin
Summary
In this tutorial, we have installed Webmin using the Debian package and also installed it using the official Webmin repository. We have also secured the Webmin by enabling strict SSL and installing a self-signed certificate. I have also explained how to use an existing SSL certificate and configure it for Webmin. The last two sections explained how to access Webmin from port 80/443 as a regular site using the reverse proxy by updating the virtual host of Apache or server block on Nginx.
