Using Webmin and Usermin with nginx
A few of my users have expressed annoyance at not being able to change passwords very easily. I experimented with using LDAP for user administration last year, but half the issue with that was getting it to work alongside my lookups for various users’ chroots. Some users are www-only users, so are more restricted than those using shell-enabled chroots.
Short of allowing shell access (which itself requires users to be basically competent and confident with non pointy-clicky interfaces), I decided I’d give Usermin a whirl.
NOTE: Webmin and Usermin are both available on http://www.webmin.com. For Debian users, I suggest following the recommendations on the Webmin site, and downloading the dpkg from there, rather than from Debian’s main archives. A quick and dirty heads-up for Debian users: all you need is available on http://www.webmin.com/deb.html
Before we begin
The following configuration will set up your Webmin and Usermin installations as follows:
Webmin: https://www.example.com/webadmin
Usermin: https://www.example.com/useradmin
Post-installation configuration
On Debian, all the configuration files are in /etc/webmin and /etc/usermin.
We will need to edit the miniserv.conf and the main config files for both applications.
Webmin configuration
Though not strictly necessary, installing Webmin makes administration of Usermin much easier.
In /etc/webmin/miniserv.conf
We’ll be using nginx to establish and maintain the SSL connection, so we’ll be switching the SSL options off in Webmin and Usermin.
Find each of the following parameters and change them as follows:
ssl=0
syslog=1
ssl_redirect=0
In /etc/webmin/config
webprefix=/webadmin
webprefixnoredir=1
referers=www.example.com
referers_none=0
Change webprefix if you would prefer to have the installation on a different path.
Update referers to include your own domain.
Usermin configuration
In /etc/usermin/miniserv.conf
ssl=0
ssl_redirect=0
blockuser_time=
passwd_blank=
blockuser_failures=
logouttime=60
In /etc/usermin/config
webprefix=/useradmin
webprefixnoredir=1
As with the Webmin config, change webprefix if you would prefer to have the installation on a different path.
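To confirm the edits above actually landed, here is a small checker, added as an example and not part of Webmin or of the original post. It assumes the /webadmin and /useradmin prefixes and the www.example.com domain used on this page, and it adds one check the page does not list: that miniserv's bind option points at loopback, since with ssl=0 the listener speaks plain HTTP and should only be reachable by nginx.

```python
# Added example: audit Webmin/Usermin settings against the values this page uses.
EXPECTED = {
    "webmin": {
        "miniserv": {"ssl": "0", "ssl_redirect": "0"},
        "config": {"webprefix": "/webadmin", "webprefixnoredir": "1", "referers_none": "0"},
    },
    "usermin": {
        "miniserv": {"ssl": "0", "ssl_redirect": "0"},
        "config": {"webprefix": "/useradmin", "webprefixnoredir": "1"},
    },
}

def parse_kv(text):
    """Parse key=value lines; skip blanks and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(app, miniserv_text, config_text, domain="www.example.com"):
    """Return a list of findings; an empty list means the files match the page."""
    files = {"miniserv": parse_kv(miniserv_text), "config": parse_kv(config_text)}
    findings = []
    for name, wanted in EXPECTED[app].items():
        for key, value in wanted.items():
            got = files[name].get(key)
            if got != value:
                findings.append(f"{app} {name}: {key}={got!r}, expected {value!r}")
    if app == "webmin" and domain not in files["config"].get("referers", "").split():
        findings.append(f"webmin config: referers does not list {domain}")
    # Assumption beyond the page: with ssl=0 the listener is plaintext, so it
    # should only be reachable by nginx. 'bind' is miniserv's listen-address option.
    if files["miniserv"].get("bind") not in ("127.0.0.1", "::1"):
        findings.append(f"{app} miniserv: bind is not loopback; listener may be reachable without TLS")
    return findings

# Constructed sample inputs (not taken from a real host).
GOOD_MINISERV = "port=10000\nbind=127.0.0.1\nssl=0\nsyslog=1\nssl_redirect=0\n"
GOOD_CONFIG = "webprefix=/webadmin\nwebprefixnoredir=1\nreferers=www.example.com\nreferers_none=0\n"
BAD_MINISERV = "port=10000\nssl=1\nssl_redirect=0\n"

if __name__ == "__main__":
    for finding in audit("webmin", BAD_MINISERV, GOOD_CONFIG):
        print(finding)
```

On a real host, pass in the contents of /etc/webmin/miniserv.conf and /etc/webmin/config (or the /etc/usermin equivalents) instead of the sample strings.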
nginx Configuration
Nginx needs to know two things:
- Where do Webmin and Usermin ‘live’
- What alterations (if any) should nginx make to returning proxied requests?
Let’s go ahead and set up the nginx config as follows — under your SSL-enabled host configuration:
server {
    # nginx comments start with '#'; '//' is a syntax error.
    # The 'ssl' parameter on listen replaces the obsolete 'ssl on;' directive.
    listen xxx.xxx.xxx.xxx:443 ssl;    # update this
    server_name www.example.com;       # update this
    ssl_certificate /etc/ssl/certs/your_ssl_cert.pem;                # update this
    ssl_certificate_key /etc/ssl/private/your_ssl_private_key.pem;   # update this
    # ...
    location /webadmin/ {
        # Rewrite Location headers coming back from Webmin
        proxy_redirect http://www.example.com:10000/ https://www.example.com/webadmin/;   # update this
        proxy_pass http://localhost:10000/;
        proxy_set_header Host $host;
    }
    location /useradmin/ {
        # Rewrite Location headers coming back from Usermin
        proxy_redirect http://www.example.com:20000/ https://www.example.com/useradmin/;  # update this
        proxy_pass http://localhost:20000/;
        proxy_set_header Host $host;
    }
    # ...
}
If you’re having problems, it’s worth doing an strace -s 2048 -p <pid> on the nginx worker process and seeing what comes up after the Location header is sent. Half the problem is getting Webmin/Usermin to send the redirect correctly; the other part of the puzzle is, of course, making sure nginx is rewriting the Location redirects before they reach the client.
Other configuration options and considerations
- It’s worth setting up a redirect from your non-SSL host to your SSL one.
- Webmin and Usermin, because they use their own Perl server to carry out functions — reading the file system, etc. — need to be locked down from default configuration. You’ll find that even if your users’ shells are chrooted, Webmin and Usermin will ignore this.
- Remove the option for users to set their own shells (at Webmin → Usermin Configuration → Usermin Module Configuration → Change User Details)
- Disallow users from running arbitrary commands. Bear in mind that both the “Scheduled processes” and “Running processes” modules allow for arbitrary command execution — and Webmin will simply ignore any chroots.
- Disallow users from traversing the filesystem outside their own directory (at Webmin → Usermin Configuration → Usermin Module Configuration → File Manager: ‘Allow access to home and directories below’ and set ‘Always follow symlinks’ to ‘No’)
- Disallow access to unused modules; they confuse users and can cause problems (at Webmin → Usermin Configuration → Module Restrictions). In particular, remove access to ‘Upload and Download’, ‘Mount Filesystems’ and ‘Command Shell’. Others may be kept enabled at your discretion.