It provides all the steps required to install and secure Webmin on Ubuntu 18.04 LTS with an SSL certificate.

How To Install And Secure Webmin On Ubuntu 18.04 LTS With SSL
How To Install And Secure Webmin On Ubuntu 18.04 LTS With SSL
October 04, 2019

Webmin is one of the popular web-based interfaces for system administration for Unix. We can manage the system services using the appropriate Webmin modules. The popular and official modules available for Webmin includes cron, bind8, apache, mysql, dovecot, postfix, postgrey, fail2ban, and syslog. We can install these modules based on the actual needs and manage the associated services from the Webmin itself without using the shell. Webmin makes it easy to administer the system using the graphical interface. The most recent version of Webmin while writing this tutorial is 1.930. We will install the same as part of this tutorial.

This tutorial provides the steps required to install Webmin on the popular Linux distribution Ubuntu. It provides all the steps required to install and use Webmin on Ubuntu 18.04 LTS. The steps should be similar for other Linux systems and Ubuntu versions.

Prerequisites

Ubuntu Server - You have root access or permissions to use sudo on the Ubuntu Server to continue with this tutorial.

Firewall - Make sure that the port 10000 is open. Webmin runs on port 10000 by default.

Download & Install - Debian

We can download the Debian package distributed by Webmin as shown below.

# Download Webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.930_all.deb

Now install Webmin using the Debian package downloaded by us in the previous step as shown below.

# Install Webmin
sudo dpkg --install webmin_1.930_all.deb

# Dependency issues on first install
Selecting previously unselected package webmin.
(Reading database ... 86032 files and directories currently installed.)
Preparing to unpack webmin_1.930_all.deb ...
Unpacking webmin (1.930) ...
dpkg: dependency problems prevent configuration of webmin:
webmin depends on libnet-ssleay-perl; however:
Package libnet-ssleay-perl is not installed.
webmin depends on libauthen-pam-perl; however:
Package libauthen-pam-perl is not installed.
webmin depends on libio-pty-perl; however:
Package libio-pty-perl is not installed.
webmin depends on apt-show-versions; however:
Package apt-show-versions is not installed.
webmin depends on unzip; however:
Package unzip is not installed.
webmin depends on python; however:
Package python is not installed.

dpkg: error processing package webmin (--install):
dependency problems - leaving unconfigured
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for ureadahead (0.100.0-21) ...
Errors were encountered while processing:
webmin

If you see the dependency issue, then install the dependencies and re-run the installation command as shown below.

# Install Dependencies
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

# Fix broken
sudo apt-get --fix-broken install

# Installation messages
Setting up webmin (1.930) ...
Webmin install complete. You can now login to https://ip-xx-xx-xx-xx:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for ureadahead (0.100.0-21) ...

It shows the URL to access Webmin - https://ip-xx-xx-xx-xx:10000. We have to remove the prefix ip-, replace the hyphen with the dot and access the Webmin using the URL - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with your actual IP. It will show the security risk warning as shown in Fig 1.

Webmin Security Warning

Fig 1

Accept the risk and continue to access Webmin. It will show the login screen as shown in Fig 2.

Webmin Login

Fig 2

Install - Repository

We can also install Webmin using the official repository on both Debian and non-Debian based systems. We can install Webmin using the Webmin APT repository on Ubuntu as shown below. I have used the nano editor for demonstration purposes. You can use any editor of your choice.

# Add repository
sudo nano /etc/apt/sources.list

# Add these lines at last
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

# Save and exit the edito

Save the file using the Nano text editor by pressing CTRL + O, then press Enter to write the file. Press CTRL + X to close the editor.

Install the GPG key as shown below. We need the GPG key to trust the repository.

# Navigate to your preferred directory
cd ~

# Download the GPG Key
wget http://www.webmin.com/jcameron-key.asc

# Add the Key
apt-key add jcameron-key.asc

# Output
OK

Now we can install the most recent version of Webmin as shown below.

# Refresh the packages index
sudo apt-get update

# Install Webmin
>sudo apt-get install webmin -y

You won't face any dependencies issues in this way as we faced in the previous section. Now access the webmin using the URL - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with your actual IP. It will show the security risk warning as shown in Fig 1. Accept the risk and continue to access Webmin. It will show the login screen as shown in Fig 2.

Secure Webmin

Now login to Webmin using your root or sudo user credentials. You can also change the root credentials for Webmin using the command as shown below.

# Change Webmin password
sudo /usr/share/webmin/changepass.pl /etc/webmin <username> <password>

# Example
sudo /usr/share/webmin/changepass.pl /etc/webmin root pass123

The above command will change the root user password for Webmin. Now login to your Webmin. It will show the dashboard as shown in Fig 3.

Webmin Dashboard

Fig 3

Now click on Webmin -> Webmin Configuration -> SSL Encryption and force SSL redirect as shown in Fig 4.

Webmin Force SSL

Fig 4

Install Self-Signed SSL Certificate

In this section, we will install a self-signed certificate and configure Webmin to use the same. It can be done as shown below.

# Navigate to your preferred directory
cd ~

# Create directory to store certs
sudo mkdir -p /mydata/secure/certs

# Install self-signed SSL certificate
sudo openssl req -newkey rsa:4096 -days 1826 -nodes -x509 -keyout server.key -out server.crt

# Additional Details - It will ask
Can't load /home/ubuntu/.rnd into RNG
139622783795648:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/ubuntu/.rnd
Generating a RSA private key
..................++++
........................................................................................................................++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<Country Code>
State or Province Name (full name) [Some-State]:<State>
Locality Name (eg, city) []:<City>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<Org Name>
Organizational Unit Name (eg, section) []:<Org Unit Name>
Common Name (e.g. server FQDN or YOUR name) []:<FQDN>
Email Address []:<Email>

This installs the self-signed SSL certificate at the current directory. Now we also need to generate the PEM file for Webmin and secure this certificate as shown below.

# Generate PEM
sudo bash -c 'cat server.crt server.key | tee server.pem'
sudo chmod 600 server.pem server.key server.crt
sudo chown root:bin server.pem server.key server.crt
ls -l server.*

# File permissions
-rw------- 1 root bin 2147 Oct 4 10:43 server.crt
-rw------- 1 root bin 3272 Oct 4 10:43 server.key
-rw------- 1 root bin 5419 Oct 4 10:48 server.pem

Now configure the Webmin to use our self-signed SSL certificate and restart it as shown below.

# Configure Webmin
sudo nano sudo nano /etc/webmin/miniserv.conf

# Default keyfile value
keyfile=/etc/webmin/miniserv.pem

# Update the value of keyfile configuration
keyfile = /mydata/secure/certs/server.pem

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

# Check Status
sudo systemctl status webmin

If you access Webmin from the Browser, it will use your self-signed certificate. It will show the same warning as we saw in Fig 1 for first-time access.

Configure Let's Encrypt

In this section, we will configure the pre-installed SSL certificate to avoid the browser warning as we saw in the first section of this tutorial. The same browser warning will be displayed for both default and self-signed SSL certificates and we have to add the browser exception to access Webmin. We can use the well-known SSL certificate provider to avoid this issue. The SSL certificates issued by Let's Encrypt are free and recognized by almost all the browsers.

This section assumes that you have already installed the SSL certificate from Let's Encrypt either for Apache or Nginx and able to access your website securely. You can also follow How To Install Let's Encrypt For Apache On Ubuntu to install the SSL certificate provided by Let's Encrypt.

Below listed is a sample script to deploy the Let's Encrypt SSL certificate of Apache virtual host to Webmin. The steps should be the same for Nginx. I have used the path /data for the demonstration. Make sure to change it based on your preferences.

# Copy the certificate
sudo cp /etc/letsencrypt/live/example.com/cert.pem /mydata/secure/certs/lecert.pem
# Copy private key
sudo cp /etc/letsencrypt/live/example.com/privkey.pem /mydata/secure/certs/lekey.pem

# Navigate to certs directory
cd /mydata/secure/certs/

# Generate PEM
sudo bash -c 'cat lecert.pem lekey.pem | tee leserver.pem'
sudo chmod 600 lecert.pem lekey.pem leserver.pem
sudo chown root:bin lecert.pem lekey.pem leserver.pem

# Check file permissions
ls -l leserver.pem

# File permissions
-rw------- 1 root bin 2147 Oct 4 10:43 leserver.crt
-rw------- 1 root bin 3272 Oct 4 10:43 leserver.key
-rw------- 1 root bin 5419 Oct 4 10:48 leserver.pem

// Restart Webmin
sudo service webmin restart

// Clean certificate and key
sudo rm /mydata/secure/certs/lecert.pem
sudo rm /mydata/secure/certs/lekey.pem

You can either run the above commands manually or make a bash script. Also, the script can be added to the renew hook of the SSL certificate.

// Configure Webmin
sudo nano /etc/webmin/miniserv.conf

# Update the value of keyfile configuration
keyfile = /mydata/secure/certs/leserver.pem

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

# Check Status
sudo systemctl status webmin

This is how we can use the existing SSL certificate generated by Let's Encrypt for the existing website.

Webmin - Apache - Reverse Proxy

We can optionally access the Webmin by configuring reverse proxy on port 80/443 as a regular web app by configuring the webserver. This will avoid opening an additional port for Webmin i.e. 10000 and maintaining SSL certificate for Webmin. It can be done for the Apache Web Server as shown below. You can also refer to How To Install Apache 2 On Ubuntu 18.04 LTS and Configure Virtual Host On Apache.

# Primary domain
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
</VirtualHost>

# OR - Subdomain
<VirtualHost *:80>
ServerName example.com
ServerAlias webmin.example.com
ServerAdmin admin@example.com
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
</VirtualHost>

# OR - Subdirectory
<VirtualHost *:80>
...
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
...
ProxyPass /webmin http://localhost:10000/
ProxyPassReverse /webmin http://localhost:10000/
# Optional
ProxyPassReverseCookieDomain /webmin/ http://localhost:10000/
ProxyPassReverseCookiePath /webmin/ http://localhost:10000/
...
...
</VirtualHost>

You must enable the proxy_http module of the Apache Web Server as shown below.

# Enable Proxy
sudo a2enmod proxy_http

# Test configuration
sudo apache2ctl configtest

# Reload Apache
sudo systemctl reload apache2

Also, update your virtual host file for port 443 to securely access Webmin. Now reload Apache to apply the changes. You can follow How To Install Let's Encrypt For Apache On Ubuntu.

Webmin Nginx - Reverse Proxy

We can also configure reverse proxy using the Nginx server block to access Webmin on port 80/443 as shown below. You can also refer to How To Install And Configure Nginx on Ubuntu 18.04 LTS.

# Subdirectory
location /webmin/ {
# proxy_buffering off;
proxy_pass http://127.0.0.1:10000/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ http://$host/webmin/;
}

# OR Subdirectory
location /webmin/ {
# proxy_buffering off;
proxy_pass http://localhost:10000/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# OR - Primary domain or subdomain
location / {
# proxy_buffering off;
proxy_pass http://127.0.0.1:10000/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ http://$host/;
}

Webmin - Reverse Proxy

Update the Webmin configuration to disable ssl and allow referers. Also, make sure to use the FQDN or the domain name used to access the website. We can configure Webmin for the primary domain and subdomain as shown below.

# Update config
sudo nano /etc/webmin/config

# Add at last
.....
.....
referers=example.com

# Save and exit the editor

Update miniserv
sudo nano /etc/webmin/miniserv.conf

# Configure SSL
...
ssl=0
...
...
ssl_redirect=0

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

We can also configure Webmin for subdirectory as shown below.

# Update config
sudo nano /etc/webmin/config

# Subdirectory configuration - add at last
.....
.....
relative_redir=0
referers=example.com
webprefix=/webmin
webprefixnoredir=1

# Save and exit the editor

Update miniserv
sudo nano /etc/webmin/miniserv.conf

# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Optional
cookiepath=/webmin

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

Summary

In this tutorial, we have installed Webmin using the Debian package and also installed it using the official Webmin repository. We have also secured the Webmin by enabling strict SSL and installing a self-signed certificate. I have also explained how to use an existing SSL certificate and configure it for Webmin. The last two sections explained how to access Webmin from port 80/443 as a regular site using the reverse proxy by updating the virtual host of Apache or server block on Nginx.

Write a Comment

Click on the captcha image to get new code.
Discussion Forum by DISQUS