Webmin dashboard

Odd problem to have, but it is a problem I’ve got. I have 4 Raspberry Pis and 1 mini PC. All run some version of Linux, and all are headless. From a space perspective, this is nice; all the Pis are in a nice little rackmount strip, and the mini PC sits on a shelf in the cabinet. From a management perspective, it’s less nice. Sure, I can access all of these through a viewer (e.g. VNC Viewer), but managing all those Pis through VNC is a little cumbersome. Enter Webmin.

What’s Webmin and why do I need it?

Webmin is a browser-based interface that allows you to perform maintenance on headless machines without needing to use SSH programs like PuTTY or WinSCP. It’s surprisingly robust given that it’s freeware, and it makes remote management a breeze.

I’m not fond of open network ports, so managing all those Pis via Webmin allows me to close off pretty much all ports but the few that have to be open. After installing Webmin on each machine you can set up a cluster so that you can manage all machines at once. Likewise, you’ll be able to access each machine directly through the master server. Even if you only have one machine to manage, as a Windows-trained user I find Webmin easier to set up and work with than VNC or SSH.

Installation

Installation is straightforward. Here’s what you’ll need:

  • A Linux-based machine and a user with root or sudo access
  • Access to the terminal window (either directly or through SSH or a remote viewer)
  • A working network connection

Step 1: Update and install dependencies

First up, make sure your system is up to date. Run two commands:

sudo apt update
sudo apt upgrade -y

Adding -y skips the prompt that asks you to confirm package installation.

Pull in package dependencies:

sudo apt install wget apt-transport-https software-properties-common

Press Y and Enter if prompted to install.

Step 2: Grab and enable the Webmin repository

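You can install Webmin from the Raspberry Pi apt repositories (if using a Pi), but we want to grab the most recent package. To do that, first add the Webmin signing key. Fetch it over HTTPS, since this key is what apt will trust for every Webmin package afterwards:

wget -q https://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -

apt-key is deprecated on newer Debian and Ubuntu releases, where a keyring file referenced with signed-by in the sources entry replaces it.

Next add the repository for your OS. For Debian/Ubuntu:

sudo sh -c 'echo "deb https://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list'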

Step 3: Install Webmin

Finally, install Webmin. First, update the package lists.

sudo apt update

Next, install Webmin.

sudo apt install webmin

Follow any prompts, and once complete Webmin will start automatically. To confirm:

sudo systemctl status webmin

Step 4: Configure the firewall (if enabled)

If you have enabled the firewall (and you should), you’ll need to configure it to allow access. If you’re not sure if UFW is enabled:

sudo ufw status

If enabled, add a rule to open up port 10000. This form allows connections from any source address:

sudo ufw allow 10000

We’ll hit on security in a minute, but if you want to only allow access from a specific IP:

sudo ufw allow from your.ip.address to any port 10000

Step 5: Access Webmin

At this point you should be able to access Webmin by going to https://localhost:10000 on the local machine browser, or by going to https://host.ip.address:10000 on another machine on the network.

You’ll get a security warning at first, since Webmin by default has SSL enabled with its own self-signed cert, which the browser doesn’t trust. Move on through it to get to the dashboard.

Setup and Configuration

Since you now have a browser-accessible server that can make changes to your Linux machine, you’ll need to set up a few basic items. You will first secure the server. You’ll also probably want to make it easier to access in your own network.

Securing your server

Big deal: secure your Webmin instance. Why? Because anyone with access to your server can make changes to your machine. Here are a couple of things to consider doing to make that a little easier.

  • Don’t make Webmin accessible outside of the network. To access my server, I’ve got to either be on my home network or connected to my VPN.
  • Set up SSL
  • Limit the IP addresses that have access to your server. You can do this either through the Webmin configuration tool, or the UFW firewall. I have my server behind a reverse proxy; all requests for webmin.themays.me are handled, locally, by my DNS server rewrite rules. Since all requests go to the reverse proxy, the firewall on my server machine only allows requests to port 10000 from the IP address of the reverse proxy server. Anything else gets dropped.
  • Configure users with strong passwords and 2FA. More on configuration in a moment.
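
One way to check the SSL and IP-limit items above on a host, as an added example (not part of the original post or of Webmin itself). It assumes Webmin's settings live in /etc/webmin/miniserv.conf with ssl= and allow= keys and that the firewall is UFW; the function names and the sample data are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit how widely a Webmin listener is exposed.

# Print the last value assigned to KEY in a miniserv.conf-style file.
conf_get() {  # usage: conf_get KEY FILE
  awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$2"
}

# Report weak settings in Webmin's miniserv.conf (ssl= and allow=).
audit_miniserv() {  # usage: audit_miniserv FILE
  local f="$1" ssl allow
  [ -r "$f" ] || { echo "ERROR cannot read $f"; return 2; }
  ssl=$(conf_get ssl "$f")
  allow=$(conf_get allow "$f")
  [ "$ssl" = "1" ] || echo "WARN ssl is off: logins cross the network unencrypted"
  if [ -z "$allow" ]; then
    echo "WARN no allow= list: any host that reaches the port can try to log in"
  else
    echo "OK allow=$allow"
  fi
}

# Flag ufw rules that open PORT to every source. Reads `ufw status` on stdin.
audit_ufw() {  # usage: sudo ufw status | audit_ufw PORT
  awk -v p="$1" '
    $1 ~ ("^" p "(/tcp)?$") && /ALLOW/ {
      src = $0; sub(/^.*ALLOW( IN)?[ \t]+/, "", src)
      if (src ~ /^Anywhere/) print "WARN port " p " open to " src
      else                   print "OK port " p " limited to " src
    }'
}

# Constructed sample data (not taken from a real host).
sample_conf() { printf '%s\n' 'port=10000' 'ssl=0'; }
sample_ufw() {
  printf '%s\n' 'Status: active' '' \
    'To                         Action      From' \
    '--                         ------      ----' \
    '10000                      ALLOW       Anywhere' \
    '22/tcp                     ALLOW       192.168.1.20'
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_miniserv "$tmp"          # on a real host: /etc/webmin/miniserv.conf
sample_ufw | audit_ufw 10000   # on a real host: sudo ufw status | audit_ufw 10000
rm -f "$tmp"
```

A host that is firewalled to a single source, as described for the reverse proxy setup, should show only "OK port 10000 limited to ..." lines from audit_ufw.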

Configure your SSL Cert

Webmin by default uses its own cert, but you’ll need to rewrite your URL to something that isn’t an IP address. Since you’ve already got a Pi…consider adding Pi-hole or AdGuard for DNS rewrites. If not, you’ll need to modify the hosts file on any machine you plan on using to access Webmin.

Once you’ve got the DNS rewrite in place, you should be able to access your instance with https://customaddress:10000. Most likely, though, the browser still won’t accept the cert. If you’re fine with that and you only plan on accessing it locally, you’re good to go. Me, I’d rather get it right all the way. You’ve got a few options.

  • Use a registered domain name to obtain an SSL certificate from Let’s Encrypt. You’ll need a domain name with a registrar (GoDaddy, Cloudflare, etc.) and DNS records that point to your registered domain.
  • Grab a free cert from SSLforfree. Once you have downloaded and extracted the cert files you’ll upload them to the Webmin server.

In either scenario, obtaining a cert from a recognized authority will resolve browser warnings. Since I have a registered domain name already and a running Apache web server, I can use Let’s Encrypt to secure my Webmin server. In this case, simply go to the Webmin configuration menu. In the config menu, select SSL encryption, then the Let’s Encrypt tab. Since Webmin detects and manages the Apache server, the correct paths should be filled out already. Hit request certificate and that should do it.

2FA setup

There are two options for 2FA: Authy or Google Authenticator. To use Authy you’ll need an API key; for ease of use, and since most people likely already have Google Authenticator, I went with Google. Again, head to the Webmin configuration, then select 2 Factor Authentication. You may have to install a few modules to get going, but once successful, head to the Webmin User menu.

Select the user you want to enable 2FA for, and expand the Security and limits options. Hit the Enable 2FA link and follow the prompts.

Special circumstances behind a reverse proxy

So my home network is a little more complicated. Didn’t intend for it to be this way, but it is. That being said, because of how I have my network segmented, my Webmin server is behind a reverse proxy. Found out that this can make life a little more complicated, but not too much more. If you’re running Webmin behind a reverse proxy, after login your page may not redirect to the dashboard. It will capture the login, but you’ll have to manually refresh the page to get to your dashboard. Took a little research, but from what I can tell it’s on the reverse proxy side, and it’s an easy fix.

Log in to the reverse proxy and head to the virtual host config file for Webmin. If you’ve got HTTPS redirects on, you’ll just need to modify the file for port 443. Change your ProxyPreserveHost setting to “Off”. Done. Now the login redirect works. Note that the SSLProxyVerify and SSLProxyCheckPeer* lines in this file turn off Apache’s checks of the Webmin server’s certificate, so the proxy encrypts the hop to Webmin but does not authenticate it. My virtual host file looks as follows:

<IfModule mod_ssl.c>

    <VirtualHost *:443>

        ServerName webmin.themays.me
        ServerAlias www.webmin.themays.me

        SSLEngine on
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        ProxyPreserveHost Off
        ProxyRequests Off
        ProxyPass / https://myip:10000/
        ProxyPassReverse / https://myip:10000/
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLCertificateFile /etc/letsencrypt/live/***/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/***/privkey.pem
       
    </VirtualHost>

</IfModule>

Managing all those Pis…cluster setup

Server Index Setup

Now to the point of all of this: getting all my server management under one “roof”. Once you have Webmin up and running on all your machines, head over to your “master” server. Open up the Webmin menu and go to the Webmin Servers Index. If you’ve got all your servers on the same subnet, and the firewall allows communication on ports 10000 and 10001, you can broadcast scan and add servers.

Alternatively, you can manually register a new server with the IP address. Make sure to select the correct OS from the server type dropdown, and under Link type you want to log in via Webmin with the username and password. Of note, if you did not define unique hostnames for each server already, you can override the hostname with a description here; this makes identifying which server you’re managing easier.

Once complete, all servers should be in the server index.

Importantly, from here you can directly access each server with one click. Another bonus is that since you are accessing the remote server from the master server, any SSL certs are checked at the master server, not the remote server (all my remote servers have SSL disabled).

Cluster Configuration

Next, open the Cluster menu and head to the Cluster Webmin Servers link. Here, if you added each server correctly to the index, you’ll be able to add each server to manage them as a group. Importantly, you can complete bulk Webmin upgrades, module updates, and user updates from here. I hadn’t thought ahead, but all of my servers had different usernames and passwords; with Webmin those users can be synced across devices.

Updated 1.20.23

Author: Zack
