How To Install And Secure Webmin On Ubuntu 20.04 LTS With SSL

Webmin is one of the popular web-based system administration interfaces for Unix. We can manage the system services using the appropriate Webmin modules. The popular and official modules available for Webmin includes cron, bind8, apache, mysql, dovecot, postfix, postgrey, fail2ban, and syslog. We can install these modules based on the actual needs and manage the associated services from the Webmin itself without using the shell. Webmin makes it easy to administer the system using the graphical interface. The most recent version of Webmin while writing this tutorial is 1.941. We will install the same as part of this tutorial.

This tutorial provides the steps required to install Webmin on the popular Linux distribution Ubuntu. It provides all the steps required to install and use Webmin on Ubuntu 20.04 LTS. The steps should be similar for other Linux systems and Ubuntu versions.

Prerequisites

Ubuntu Server - This tutorial assumes that you have already installed Ubuntu 20.04 LTS desktop or server version either for local or production usage. You can follow Install Ubuntu 20.04 LTS Desktop, Install Ubuntu 20.04 LTS On Windows Using VMware, and Spin Up Ubuntu 20.04 LTS Server On Amazon EC2 to install Ubuntu 20.04 LTS. It also assumes that you have either root privileges or a regular user with sudo privileges.

Firewall - Make sure that the port 10000 is open. Webmin runs on port 10000 by default. You may use a different port to further tighten the Webmin security.

Download & Install Webmin - Debian Package

This section provides the steps to download the Debian package of Webmin and install it on Ubuntu 20.04 LTS. In this way, we can install Webmin without using the PPA repository. We can download the Debian package distributed by Webmin as shown below.

# Download Webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.941_all.deb

Install the packages required by Webmin as shown below.

# Install dependent packages
sudo apt-get install libauthen-pam-perl libio-pty-perl apt-show-versions python libapt-pkg-perl python2 python2-minimal python2.7 libpython2-stdlib python2.7-minimal libpython2.7-stdlib libpython2.7-minimal

Now install Webmin using the Debian package downloaded by us in the previous step as shown below.

# Install Webmin
sudo dpkg --install webmin_1.941_all.deb

# Output
----
----
Preparing to unpack webmin_1.941_all.deb ...
Unpacking webmin (1.941) over (1.941) ...
Setting up webmin (1.941) ...
Webmin install complete. You can now login to https://hostname:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.
Processing triggers for mime-support (3.64ubuntu1) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for desktop-file-utils (0.24-1ubuntu2) ...
Processing triggers for systemd (245.4-4ubuntu3) ...

It shows the URL to access Webmin - https://hostname:10000. We can also access the Webmin using the IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with 127.0.0.1 on localhost and your actual IP on the remote server. It will show the security risk warning as shown in Fig 1.

Accept the risk and continue to access Webmin as shown in Fig 2.

It will show the login screen as shown in Fig 3.

Install Webmin - Official Repository

We can also install Webmin using the official repository on both Debian and non-Debian based systems. We can install Webmin using the Webmin APT repository on Ubuntu as shown below. I have used the nano editor for demonstration purposes. You can use any editor of your choice.

# Add repository
sudo nano /etc/apt/sources.list

# Add these lines at last
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

# Save and exit the editor

Save the file using the Nano text editor by pressing CTRL + o, then press Enter to write the file. Press CTRL + x to close the editor.

Now install the GPG key as shown below. We need the GPG key to trust the repository.

# Navigate to your preferred directory
cd ~

# Download the GPG Key
sudo wget http://www.webmin.com/jcameron-key.asc

# Output
----
----
jcameron-key.asc                 100%[========================================================>]   1.29K  --.-KB/s    in 0s      

2020-06-09 11:17:51 (199 MB/s) - ‘jcameron-key.asc’ saved [1320/1320]

# Add the Key
sudo apt-key add jcameron-key.asc

# Output
OK

Now we can install the most recent version of Webmin as shown below.

# Refresh the packages index
sudo apt-get update

# Install Webmin
sudo apt-get install webmin -y

# Output
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl libpython2-stdlib libpython2.7-minimal
  libpython2.7-stdlib perl-openssl-defaults python-is-python2 python2 python2-minimal python2.7 python2.7-minimal unzip
Suggested packages:
  python2-doc python-tk python2.7-doc binutils binfmt-support zip
The following NEW packages will be installed:
  apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl libpython2-stdlib libpython2.7-minimal
  libpython2.7-stdlib perl-openssl-defaults python-is-python2 python2 python2-minimal python2.7 python2.7-minimal unzip webmin
---
---
Setting up webmin (1.941) ...
Webmin install complete. You can now login to https://hostname:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.
Processing triggers for systemd (245.4-4ubuntu3.1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for mime-support (3.64ubuntu1) ...

Similar to the previous section, we can access the webmin using the hostname - https://hostname:10000 OR IP address - https://xx.xx.xx.xx:10000. Make sure to replace the xx.xx.xx.xx with your actual IP. It will show the security risk warning as shown in Fig 1. Accept the risk and continue to access Webmin as shown in Fig 2. It will show the login screen as shown in Fig 3.

Secure Webmin

Now login to Webmin using your root or sudo user credentials. You can also change the root credentials for Webmin using the command as shown below.

# Change Webmin password
sudo /usr/share/webmin/changepass.pl /etc/webmin <username> <password>

# Example
sudo /usr/share/webmin/changepass.pl /etc/webmin root strongpassword

# Restart Webmin
sudo service webmin restart
# OR
sudo systemctl restart webmin

The above-mentioned commands will change the root user password for Webmin. Now login to your Webmin. It will show the dashboard as shown in Fig 4.

Now click on Webmin -> Webmin Configuration -> SSL Encryption and force SSL redirect as shown in Fig 5.

Install Self-Signed SSL Certificate

In this section, we will install a self-signed certificate and configure Webmin to use the same. It can be done as shown below.

# Navigate to your preferred directory
cd ~

# Create directory to store certs
sudo mkdir -p /etc/secure/certs

# Install self-signed SSL certificate
sudo openssl req -newkey rsa:4096 -days 1826 -nodes -x509 -keyout server.key -out server.crt

# Additional Details - It will ask
Generating a RSA private key
........................++++
..................................................++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]::<Country Code>
State or Province Name (full name) [Some-State]:<State>
Locality Name (eg, city) []:<City>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<Org Name>
Organizational Unit Name (eg, section) []:<Org Unit Name>
Common Name (e.g. server FQDN or YOUR name) []:<FQDN>
Email Address []:<Email>

This installs the self-signed SSL certificate at the current directory. Now we also need to generate the PEM file for Webmin and secure this certificate as shown below.

# Generate PEM
sudo bash -c 'cat server.crt server.key | tee server.pem'
sudo chmod 600 server.pem server.key server.crt
sudo chown root:bin server.pem server.key server.crt
ls -l server.*

# File permissions
-rw------- 1 root bin 2155 Jun  9 13:19 server.crt
-rw------- 1 root bin 3276 Jun  9 13:18 server.key
-rw------- 1 root bin 5431 Jun  9 13:20 server.pem

Now configure the Webmin to use our self-signed SSL certificate and restart it as shown below.

# Configure Webmin
sudo nano /etc/webmin/miniserv.conf

# Default keyfile value
keyfile=/etc/webmin/miniserv.pem

# Update the value of keyfile configuration
keyfile = /etc/secure/certs/server.pem

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

# Check Status
sudo systemctl status webmin

# Output
● webmin.service - LSB: web-based administration interface for Unix systems
     Loaded: loaded (/etc/init.d/webmin; generated)
     Active: active (running) since Tue 2020-06-09 13:22:05 UTC; 4s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 21128 ExecStart=/etc/init.d/webmin start (code=exited, status=0/SUCCESS)
      Tasks: 3 (limit: 4622)
     Memory: 27.9M
     CGroup: /system.slice/webmin.service
             ├─17171 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
             └─21130 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
----
----

If you access Webmin from the Browser, it will use your self-signed certificate. Since we are using a self-signed SSL certificate, it will show the same warning as we saw in Fig 1 on the first-time access.

Configure Let's Encrypt

In this section, we will configure the pre-installed SSL certificate to avoid the browser warning as we saw in the first section of this tutorial. The same browser warning will be displayed for both default and self-signed SSL certificates and we have to add the browser exception to access Webmin. We can use the well-known SSL certificate provider to avoid this issue. The SSL certificates issued by Let's Encrypt are free and recognized by almost all the browsers.

This section assumes that you have already installed the SSL certificate from Let's Encrypt either for Apache or Nginx and able to access your website securely. You can also follow How To Install Let's Encrypt For Apache On Ubuntu to install the SSL certificate provided by Let's Encrypt.

Below listed is a sample script to deploy the Let's Encrypt SSL certificate of Apache virtual host to Webmin. The steps should be the same for Nginx. I have used the path /etc/secure/certs for demonstration purposes. Make sure to change it based on your preferences.

# Copy the certificate
sudo cp /etc/letsencrypt/live/hostname.com/cert.pem /etc/secure/certs/lecert.pem
# Copy private key
sudo cp /etc/letsencrypt/live/hostname.com/privkey.pem /etc/secure/certs/lekey.pem

# Navigate to certs directory
cd /etc/secure/certs/

# Generate PEM
sudo bash -c 'cat lecert.pem lekey.pem | tee leserver.pem'
sudo chmod 600 lecert.pem lekey.pem leserver.pem
sudo chown root:bin lecert.pem lekey.pem leserver.pem

# Check file permissions
ls -l leserver.pem

# File permissions
-rw------- 1 root bin 2147 Oct  4 10:43 leserver.crt
-rw------- 1 root bin 3272 Oct  4 10:43 leserver.key
-rw------- 1 root bin 5419 Oct  4 10:48 leserver.pem

// Clean certificate and key
sudo rm /mydata/secure/certs/lecert.pem
sudo rm /mydata/secure/certs/lekey.pem

You can either run the above commands manually or make a bash script. Also, the script can be added to the renew hook of the SSL certificate.

// Configure Webmin
sudo nano /etc/webmin/miniserv.conf

# Update the value of keyfile configuration
keyfile = /etc/secure/certs/leserver.pem

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

# Check Status
sudo systemctl status webmin

This is how we can use the existing SSL certificate generated by Let's Encrypt for the existing website.

Webmin - Apache - Reverse Proxy

We can optionally access the Webmin by configuring reverse proxy on port 80/443 as a regular web app by configuring the webserver. This will avoid opening an additional port for Webmin i.e. 10000 and maintaining SSL certificate for Webmin. It can be done for the Apache Web Server as shown below. You can also refer to How To Install Apache 2 On Ubuntu 20.04 LTS and Configure Virtual Host On Apache.

# Primary domain
<VirtualHost *:80>
	ServerName example.com
	ServerAlias www.example.com
	ServerAdmin admin@example.com
	ProxyPass / http://localhost:10000/
	ProxyPassReverse / http://localhost:10000/
</VirtualHost>

# OR - Subdomain
<VirtualHost *:80>
	ServerName example.com
	ServerAlias webmin.example.com
	ServerAdmin admin@example.com
	ProxyPass / http://localhost:10000/
	ProxyPassReverse / http://localhost:10000/
</VirtualHost>

# OR - Subdirectory
<VirtualHost *:80>
	...
	ServerName example.com
	ServerAlias www.example.com
	ServerAdmin admin@example.com
	...
	ProxyPass /webmin http://localhost:10000/
	ProxyPassReverse /webmin http://localhost:10000/
	# Optional
	ProxyPassReverseCookieDomain /webmin/ http://localhost:10000/
	ProxyPassReverseCookiePath /webmin/ http://localhost:10000/
	...
	...
</VirtualHost>

You must enable the proxy_http module of the Apache Web Server as shown below.

# Enable Proxy
sudo a2enmod proxy_http

# Test configuration
sudo apache2ctl configtest

# Reload Apache
sudo systemctl reload apache2

Also, update your virtual host file for port 443 to securely access Webmin. Now reload Apache to apply the changes. You can follow How To Install Let's Encrypt For Apache On Ubuntu.

Webmin Nginx - Reverse Proxy

We can also configure reverse proxy using the Nginx server block to access Webmin on port 80/443 as shown below. You can also refer to How To Install And Configure Nginx on Ubuntu 20.04 LTS.

# Subdirectory
location /webmin/ {
	# proxy_buffering off;
	proxy_pass http://127.0.0.1:10000/;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $http_x_forwarded_for;
	proxy_redirect http://$host:10000/ http://$host/webmin/;
}

# OR Subdirectory
location /webmin/ {
	# proxy_buffering off;
	proxy_pass http://localhost:10000/;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# OR - Primary domain or subdomain
location / {
	# proxy_buffering off;
	proxy_pass http://127.0.0.1:10000/;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $http_x_forwarded_for;
	proxy_redirect http://$host:10000/ http://$host/;
}

Webmin - Reverse Proxy

Update the Webmin configuration to disable ssl and allow referers. Also, make sure to use the FQDN or the domain name used to access the website. We can configure Webmin for the primary domain and sub-domain as shown below.

# Update config
sudo nano /etc/webmin/config

# Add at last
.....
.....
referers=example.com

# Save and exit the editor

Update miniserv
sudo nano /etc/webmin/miniserv.conf

# Configure SSL
...
ssl=0
...
...
ssl_redirect=0

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

We can also configure Webmin for sub-directory as shown below.

# Update config
sudo nano /etc/webmin/config

# Subdirectory configuration - add at last
.....
.....
relative_redir=0
referers=example.com
webprefix=/webmin
webprefixnoredir=1

# Save and exit the editor

Update miniserv
sudo nano /etc/webmin/miniserv.conf

# Configure SSL
...
ssl=0
...
...
ssl_redirect=0
# Optional
cookiepath=/webmin

# Save and exit the editor

# Restart Webmin
sudo systemctl restart webmin

Summary

This tutorial provided the steps to install Webmin using the Debian package and also install it using the official Webmin repository. We have also secured the Webmin by enabling strict SSL and installing a self-signed certificate. It also explained how to use an existing SSL certificate and configure it for Webmin. The last two sections explained how to access Webmin from port 80/443 as a regular site using the reverse proxy by updating the virtual host of Apache or server block on Nginx.