Using Webmin and Usermin with nginx

Dev

A few of my users have expressed annoyance at not being able to change passwords very easily. I experimented with using LDAP for user administration last year, but half the issue with that was getting it to work along my lookups for various users’ chroots. Some users are www-only users, so are more restricted than those using shell-enabled chroots.

Short of allowing shell access (which itself requires users to be basically competent and confident with non pointy-clicky interfaces), I decided I’d give Usermin a whirl.

NOTE Webmin and Usermin are both available on http://www.webmin.com. For Debian users, I suggest following the recommendations on the Webmin site, and downloading the dpkg from there, rather than from Debian’s main archives. A quick and dirty heads-up for Debian users; all you need is available on http://www.webmin.com/deb.html

Before we begin

The following configuration will set up your Webmin and Usermin installations as follows:

Webmin: https://www.example.com/webadmin Usermin: https://www.example.com/useradmin

Post-installation configuration

On Debain, all the configuration files are in /etc/webmin and /etc/usermin.

We will need to edit the miniserv.conf and the main config files for both applications.

Webmin configuration

Though not strictly necessary, installing Webmin makes administration of Usermin much easier.

In /etc/webmin/miniserv.conf

We’ll be using nginx to establish and maintain the SSL connection, so we’ll be switching the SSL options off in Webmin and Usermin.

Find each of the following parameters and change them as follows:

ssl=0
syslog=1
ssl_redirect=0

In /etc/webmin/config

webprefix=/webadmin
webprefixnoredir=1
referers=www.example.com
referers_none=0

Change webprefix if you would prefer to have the installation on a different path

Update referers to include your own domain

Usermin configuration

In /etc/usermin/miniserv.conf

ssl=0
ssl_redirect=0
blockuser_time=
passwd_blank=
blockuser_failures=
logouttime=60

In /etc/usermin/config

webprefix=/useradmin
webprefixnoredir=1

Like with the Webmin config, change webprefix if you would prefer to have the installation on a different path

nginx Configuration

Nginx needs to know two things:

  1. Where do Webmin and Usermin ‘live’
  2. What alterations (if any) should nginx make to returning proxied requests?

Let’s go ahead and set up the nginx config as follows — under your SSL-enabled host configuration:

server {
        listen xxx.xxx.xxx.xxx:443;     // update this
        server_name www.example.com;    // update this
        ssl on;

        ssl_certificate /etc/ssl/certs/your_ssl_cert.pem;               // update this
        ssl_certificate_key /etc/ssl/private/your_ssl_private_key.pem;  // update this

        ...

        location /webadmin/ {
            proxy_redirect http://www.example.com:10000/ https://www.example.com/webadmin/;  // update this
            proxy_pass http://localhost:10000/;
            proxy_set_header Host $host;
        }

        location /useradmin/ {
            proxy_redirect http://www.example.com:20000/ https://www.example.com/useradmin/; // update this
            proxy_pass http://localhost:20000/;
            proxy_set_header Host $host;
        }

        ...

}

If you’re having problems, it’s worth doing an strace -s 2048 -p <pid> on the nginx worker process and seeing what comes up after the Location header is sent. Half the problem is getting Webmin/Usermin to send the redirect correctly, the other part of the puzzle is, of course, making sure nginx is rewriting the Location redirects before they reach the client.

Other configuration options and considerations

  • It’s worth setting up a redirect from your non-SSL host to your SSL one.
  • Webmin and Usermin, because they use their own Perl server to carry out functions — reading the file system, etc. — need to be locked down from default configuration. You’ll find that even if your users’ shells are chrooted, Webmin and Usermin will ignore this.
    • Remove the option for users to set their own shells (at Webmin → Usermin Configuration → Usermin Module Configuration → Change User Details)
    • Disallow users from running arbitrary commands Bear in mind that both the “Scheduled processes” and “Running processes” modules allow for arbitrary command execution — and Webmin will simply ignore any chroots.
    • Disallow users from traversing across filesystem, out with own directory (at Webmin → Usermin Configuration → Usermin Module Configuration → File Manager: ‘Allow access to home and directories below’ and set ‘Always follow symlinks’ to ‘No’)
    • Disallow access to unused modules; they confuse users and can cause problems (at Webmin → Usermin Configuration → Module Restrictions). In particular, remove access to ‘Upload and Download’, ‘Mount Filesystems’ and ‘Command Shell’. Others may be kept enabled at your discretion.