Using Webmin and Usermin with nginx

Ronald MacDonald <ronald@rmacd.com> v1.0, Sat Feb 11 17:17:35 EST 2012

A few of my users have expressed annoyance at not being able to change passwords very easily. I experimented with using LDAP for user administration last year, but half the issue with that was getting it to work along my lookups for various users' chroots. Some users are www-only users, so are more restricted than those using shell-enabled chroots.

Short of allowing shell access (which itself requires users to be basically competent and confident with non pointy-clicky interfaces), I decided I’d give Usermin a whirl. Years ago, when I first started using Linux, Webmin and Usermin eased me into administration. Now, of course, I haven’t used either for a long time — but there’s a good bit of mileage to be had with allowing secure access to both, for end-users who need some degree of control.

Note

Webmin and Usermin are both available on http://www.webmin.com. For Debian users, I suggest following the recommendations on the Webmin site, and downloading the dpkg from there, rather than from Debian’s main archives. A quick and dirty heads-up for Debian users; all you need is available on http://www.webmin.com/deb.html

Before we begin

The following configuration will set up your Webmin and Usermin installations as follows:

Post-installation configuration

On Debian, all the configuration files are in /etc/webmin and /etc/usermin.

We will need to edit the miniserv.conf and the main config files for both applications.

Webmin configuration

Though not strictly necessary, installing Webmin makes administration of Usermin much easier.

In /etc/webmin/miniserv.conf

We’ll be using nginx to establish and maintain the SSL connection, so we’ll be switching the SSL options off in Webmin and Usermin.

Find each of the following parameters and change them as follows:

ssl=0
syslog=1
ssl_redirect=0

In /etc/webmin/config

webprefix=/webadmin (1)
webprefixnoredir=1
referers=www.example.com (2)
referers_none=0

(1) Change this option if you would prefer to have the installation on a different /path
(2) Replace this with your own domain, obviously.

Usermin configuration

In /etc/usermin/miniserv.conf

ssl=0
ssl_redirect=0
blockuser_time=
passwd_blank=
blockuser_failures=
logouttime=60

In /etc/usermin/config

webprefix=/useradmin (1)
webprefixnoredir=1

(1) Like in the Webmin config, if you’re wanting this on a different /path, then change this.
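
The settings above can be verified after editing rather than eyeballed. The following audit script is an added example, not part of the original post: `conf_get` and `audit_conf` are hypothetical helper names, the sample file is constructed, and the `bind=127.0.0.1` expectation is an assumption not taken from the page (miniserv.conf's `bind` key limits the listener to one address, which matters once `ssl=0` leaves the Webmin or Usermin port speaking plain HTTP).

```shell
# Added example: audit a Webmin/Usermin key=value file against expected settings.

# Print the value of KEY in FILE (last assignment wins); status 1 if KEY is absent.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2); found = 1 }
                       END { if (!found) exit 1; print v }' "$1"
}

# Compare FILE against KEY=VALUE pairs; print each mismatch, return their count.
# An empty expected value (e.g. blockuser_time=) must be present and empty.
audit_conf() {
    local file=$1 bad=0 pair key want got
    shift
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        if ! got=$(conf_get "$file" "$key"); then
            echo "$file: $key is missing (want '$want')"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "$file: $key='$got' (want '$want')"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: ssl_redirect was missed and there is no bind line.
sample=$(mktemp)
printf '%s\n' 'port=10000' 'ssl=0' 'syslog=1' 'ssl_redirect=1' > "$sample"
# bind=127.0.0.1 is an assumed hardening expectation, not a setting from the page.
audit_conf "$sample" ssl=0 syslog=1 ssl_redirect=0 bind=127.0.0.1
echo "mismatches: $?"
rm -f "$sample"
```

Against a live system, point `audit_conf` at /etc/webmin/miniserv.conf, /etc/webmin/config and the two Usermin files with the key=value pairs listed in each section.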

nginx Configuration

Nginx needs to know two things:

  1. Where do Webmin and Usermin ‘live’
  2. What alterations (if any) should nginx make to returning proxied requests?

Let’s go ahead and set up the nginx config as follows — under your SSL-enabled host configuration:

server {
        listen xxx.xxx.xxx.xxx:443 ssl; # (1)
        server_name www.example.com; # (1)

        ssl_certificate /etc/ssl/certs/your_ssl_cert.pem; # (2)
        ssl_certificate_key /etc/ssl/private/your_ssl_private_key.pem; # (2)

        ...

        # (3) Proxy /webadmin/ to Webmin and rewrite its redirects to the public URL
        location /webadmin/ {
            proxy_redirect http://www.example.com:10000/ https://www.example.com/webadmin/;
            proxy_pass http://localhost:10000/;
            proxy_set_header Host $host;
        }

        # (3) Proxy /useradmin/ to Usermin and rewrite its redirects to the public URL
        location /useradmin/ {
            proxy_redirect http://www.example.com:20000/ https://www.example.com/useradmin/;
            proxy_pass http://localhost:20000/;
            proxy_set_header Host $host;
        }

        ...

}

(1) These are likely already set up — if you haven’t done so already, make sure these are set correctly
(2) Usual SSL setup, you’ll need to change this unless you’ve already set up SSL on your host
(3) Make sure each of the redirects and ‘location’ settings are set correctly.

If you’re having problems, it’s worth doing an strace -s 2048 -p <pid> on the nginx worker process and seeing what comes up after “Location:”. Half the problem is getting Webmin/Usermin to send the redirect correctly, the other part of the puzzle is, of course, making sure nginx is rewriting the Location: redirects before they reach the client.
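
The two failure modes described above can be told apart from the Location header the client finally receives. This classifier is an added example, not part of the original post: the function names and result labels are hypothetical, and the header dump is constructed (in practice it would be saved output from something like `curl -sI https://www.example.com/webadmin/`).

```shell
# Added example: classify the Location header a client receives through nginx.

# Pull the Location value out of a raw header dump (CRLF line endings tolerated).
location_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }'
}

# Classify LOCATION given the public URL prefix and the backend port.
#   ok             redirect stays under the public prefix
#   backend-leak   backend URL reached the client: proxy_redirect did not match
#   prefix-missing redirect lacks the webprefix path: check webprefix in config
#   no-redirect    the response carried no Location header
classify_location() {
    local loc=$1 public=$2 port=$3 path
    case $loc in
        '')          echo "no-redirect" ;;
        "$public"*)  echo "ok" ;;
        *":$port/"*) echo "backend-leak" ;;
        /*)          # Relative redirect: compare against the path part of the prefix.
                     path=/${public#*://*/}
                     case $loc in
                         "$path"*) echo "ok" ;;
                         *)        echo "prefix-missing" ;;
                     esac ;;
        *)           echo "prefix-missing" ;;
    esac
}

# Constructed response: the backend redirect arrived at the client unrewritten.
hdr=$(printf 'HTTP/1.1 302 Found\r\nLocation: http://www.example.com:10000/\r\n')
classify_location "$(location_of "$hdr")" https://www.example.com/webadmin/ 10000
```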

Both applications should now be available on your SSL-enabled host. If not, back up and go through the options one more time, before emailing me at ronald@rmacd.com. It may be that your set-up’s just a little different from mine.

Note

Please email me if you got this working (or didn’t!), or just to say hello.

Other configuration options and considerations

  • It’s worth setting up a redirect from your non-SSL host to your SSL one.
  • Webmin and Usermin, because they use their own Perl server to carry out functions — reading the file system, etc. — need to be locked down from default configuration. You’ll find that even if your users' shells are chrooted, Webmin and Usermin will ignore this.
    • Remove the option for users to set their own shells (at Webmin → Usermin Configuration → Usermin Module Configuration → Change User Details)
    • Disallow users from running arbitrary commands. Bear in mind that both the “Scheduled processes” and “Running processes” modules allow for arbitrary command execution — and Webmin will simply ignore any chroots.
    • Disallow users from traversing the filesystem outside their own directory (at Webmin → Usermin Configuration → Usermin Module Configuration → File Manager: ‘Allow access to home and directories below’ and set ‘Always follow symlinks’ to ‘No’)
    • Disallow access to unused modules; they confuse users and can cause problems (at Webmin → Usermin Configuration → Module Restrictions). In particular, remove access to ‘Upload and Download’, ‘Mount Filesystems’ and ‘Command Shell’. Others may be kept enabled at your discretion.