Webmin dashboard

Odd problem to have, but it is a problem I’ve got. I have 4 Raspberry Pis and 1 mini PC. All run some version of Linux, and all are headless. From a space perspective, this is nice; all the Pis are in a nice little rackmount strip, and the mini PC sits on a shelf in the cabinet. From a management perspective, its less nice. Sure, I can access all of these through a viewer (i.e. VNC Viewer), but managing all those pis through VNC is a little cumbersome. Enter Webmin.

Webmin logo

What’s Webmin and why do I need it?

Webmin is a browser-based interface that allows you to perform maintenance on headless machines without needing to use SSH programs like PuTTY or winSCP. Its surprisingly robust given that its freeware, but it makes remote management a breeze.

I’m not fond of open network ports, so managing all those pis via webmin allows me to close off pretty much all ports but the few that have to be open. After installing Webmin on each machine you can set up a cluster so that you can manage all machines at once. Likewise, you’ll be able to access each machine directly through the master server. Even if you only have one machine to manage, as a Windows-trained user I find Webmin easier to set up and work with than VNC or SSH.

Installation

Installation is straightforward. Here’s what you’ll need:

  • A Linux-based machine and a user with root or sudo access
  • Access to the terminal window (either directly or through SSH or a remote viewer)
  • A working network connection

Step 1: Update and install dependencies

First up make sure your system is up to date. Run two commands:

sudo apt update
sudo apt upgrade -y

Adding the -y in just skips the extra input required from the user to confirm package installation.

Pull in package dependencies:

sudo apt install wget apt-transport-https software-properties-common

Press Y and Enter if prompted to install.

Step 2: Grab and enable the Webmin repository

You can install Webmin from the Raspberry apt process (if using a Pi), but we want to grab the most recent package. To do that:

sudo wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -

Next add the repository for your OS. For Debian/Ubuntu:

sudo wget http://www.webmin.com/download/deb/webmin-current.deb

Step 3: Install Webmin

Finally, install Webmin.

sudo dpkg --install webmin-current.deb

Follow any prompts, and once complete Webmin will start automatically. To confirm:

sudo systemctl status webmin

Step 4: Configure the firewall (if enabled)

If you have enabled the firewall (and you should), you’ll need to configure it to allow access. If you’re not sure if UFW is enabled:

sudo ufw status

If enabled, you will add a rule to open up port 10000.

sudo ufw allow 10000

We’ll hit on security in a minute, but if you want to only allow access from a specific IP:

sudo ufw allow from your.ip.address to any port 10000

Step 5: Access Webmin

At this point you should be able to access Webmin by going to https://localhost:10000 on the local machine browser, or by going to https://host.ip.address:10000 on another machine on the network.

You’ll get a security warning at first, since Webmin by default has SSL enabled. Move on through it to get to the dashboard.

Setup and Configuration

Since you now have a browser-accessible server that can make changes to your Linux machine, you’ll need to set up a few basic items. You will first secure the server. You’ll also probably want to make it easier to access in your own network.

Securing your server

Big deal: secure your Webmin instance. Why? Because anyone with access to your server can make changes to your machine. Couple of things to consider doing in order to make it a little easier.

  • Don’t make Webmin accessible outside of the network. To access my server, I’ve got to either be on my home network or connected to my VPN.
  • Set up SSL
  • Limit the IP addresses that have access to your server. You can do this either through the Webmin configuration tool, or the UFW firewall. I have my server behind a reverse proxy; all requests for webmin.themays.me are handled, locally, by my DNS server rewrite rules. Since all requests go to the reverse proxy, the firewall on my server machine only allows requests to port 10000 from the IP address of the reverse proxy server. Anything else gets dropped.
  • Configure users with strong passwords and 2FA. More on configuration in a moment.

Configure your SSL Cert

Webmin by default uses its own cert, but you’ll need to rewrite your URL to something that isn’t an IP address. Since you’ve already got a Pi…consider adding Pi Hole or Adguard for DNS rewrites. If not, you’ll need to modify the hosts file on any machine you plan on using to access Webmin.

Once you’ve got the DNS rewrite in place, you should be able to access your instance with https://customaddress:10000. Most likely, though, the browser won’t accept the cert still. If you’re fine with that and you only plan on accessing it locally, you’re good to go. Me, I’d rather get it right all the way. You’ve got a few options.

  • Use a registered domain name to obtain a SSL certificate from LetsEncrypt. You’ll need a domain name with a registrar (GoDaddy, Cloudflare, etc.) and DNS records that point to your registered domain.
  • Grab a free cert from SSLforfree. Once you have downloaded and extracted the cert files you’ll upload them to the Webmin server.

In either scenario, obtaining a cert from a recognized authority will resolve browser warnings. Since I have a registered domain name already and a running Apache web server, I can use LetsEncrypt to secure my Webmin server. In this case, simply go to the Webmin configuration menu. In the config menu, select SSL encryption, then the LetsEncrypt tab. Since Webmin detects and manages the Apache server, the correct paths should be filled out already. Hit request certificate and that should do it.

2FA setup

There are two options for 2FA: Authy or Google Authenticator. To use Authy you’ll need an API key; for ease of use, and since most people likely already have Google Authenticator, I went with Google. Again, head to the Webmin configuration, then select 2 Factor Authentication. You may have to install a few modules to get going, but once successful, head to the Webmin User menu.

Select the user you want to enable 2FA for, and expand the Security and limits options. Hit the Enable 2FA link and follow the prompts.

Special circumstances behind a reverse proxy

So my home network is a little more complicated. Didn’t intend for it be this way, but it is. That being said, because of how I have my network segmented my Webmin server is behind a reverse proxy. Found out that this can make life a little more complicated, but not too much more. If you’re running Webmin behind a reverse proxy, after login your page may not redirect to the dashboard. It will capture the login, but you’ll have to manually refresh the page to get to your dashboard. Took a little research, but from what I can tell it’s on the reverse proxy side, and it’s an easy fix.

Log in to the reverse proxy and head to the virtual host config file for Webmin. If you’ve got HTTPS redirects on, you’ll just need to modify the file for port 443. Change your ProxyPreserveHost setting to “Off”. Done. Now the login redirect works. My host file looks as follows:

<IfModule mod_ssl.c>

    <VirtualHost *:443>

        ServerName webmin.themays.me
        ServerAlias www.webmin.themays.me

        SSLEngine on
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        ProxyPreserveHost Off
        ProxyRequests Off
        ProxyPass / https://myip:10000/
        ProxyPassReverse / https://myip:10000/
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLCertificateFile /etc/letsencrypt/live/***/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/***/privkey.pem
       
    </VirtualHost>

</IfModule>

Managing all those Pis…cluster setup

Server Index Setup

Now to the point of all of this. Getting all my server management under one “roof”. Once you have webmin up and running on all your machines, head over to your “master” server. Open up the Webmin menu and go to the Webmin Servers Index. If you’ve got all your servers on the same subnet, and the firewall allows communication on ports 10000 and 10001, you can broadcast scan and add servers.

Alternatively, you can manually register a new server with the IP address. Make sure to select the correct OS from the server type dropdown, and under Link type you want to login via Webmin with the username and password. Of note, if you did not define unique hostnames for each server already, you can override the hostname with a description here; this makes identifying which server you’re managing easier.

Once complete, all servers should be in the server index

Importantly, from here you can directly access each server with one click. Another bonus is that since you are accessing the remote server from the master server, any SSL certs are checked at the master server, not the remote server (all my remote servers have SSL disabled).

Cluster Configuration

Next, open the Cluster menu and head to the Cluster Webmin Servers link. Here, if you added each server correctly to the index, you’ll be able to add each server to manage them as a group. Importantly, you can complete bulk Webmin upgrades, module updates, and user updates from here. I hadn’t thought ahead, but all of my servers had different usernames and passwords; with Webmin those users can be synced across devices.

Zack
Author: Zack

Pharmacist, tech guy, pianist, lover of beer, gamer, beach bum. Probably missed something. Just assume I'm into a little bit of everything.

No responses yet

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
page
post
Filter by Categories
Alcoholic Drinks (Cocktails)
Breakfast
Cool Stuff
Desserts
Dinner
Fish and Seafood
Fitness
Gaming
Home and Family
Home Automation
Home Security
Networking
Nutrition
Pasta
Pharmacy
Recipe of the Week
Recipes
Rubs
Salads
Sides
Snacks
Soups
Travel
Uncategorized
Web Hosting