Scorance's picture

However, when I go to https://192.168.1.200:12321/webmin/edit_ssl.cgi

both "Enable SSL" and "Redirect to SSL" are set to no.

 

So why does it keep forcing SSL?

Forum: 
Jeremy Davis's picture

Since v14.0 Webmin is hidden behind Stunnel.

If you really wanted to host it via plain HTTP then you could remove it from Stunnel config (and restart the 'stunnel4' service) and remove the binding to localhost (and restart the 'webmin' service). However that is a really BAD idea. If you were to login via plain HTTP, your root user account credentials would be transmitted via plain text across the internet for anyone to intercept! If someone with malicious intent collects those credentials, then they own your server!

So I'd rather not publicly detail the exact steps required as it's important that the config change you are requesting is not easily done by anyone who doesn't understand the implications. However, if you still want to do it, with the info I've provided and a bit of googling and/or some trial and error, it should be relatively easy to work out what needs to be done.

Jeremy Davis's picture

Apologies if that was all just gobbledygook to you...

FWIW, the majority of TurnKey users use TurnKey online, so not being able to easily disable SSL without understanding the implications is a good thing IMO!

Regarding "if it doesn't work, why is it there?", a totally legitimate question. But there is a context and rationale. We don't write or maintain Webmin. We just package it and include it in our appliances for user convenience. Any TurnKey specific changes that we were to make to Webmin means a higher maintenance overhead for us (with arguably limited value).

When we put Webmin behind stunnel, that was done to harden security. Whilst it's not ideal, we decided that having a few irrelevant options within Webmin was a fair price to pay. At least the connection will always be secure, even if some SSL exploit appears (FWIW stunnel gets automated security updates directly from Debian - whereas Webmin security updates rely on us manually updating it).

Unfortunately we always need to make compromises and tough decisions on which way to go and where to target our limited resources. The incredibly broad range of users we have adds complexity to that decision making process. We have users who have never used Linux before (and like the added "usability" features such as Webmin), to high level Linux experts who never even use Webmin, just commandline (and love TurnKey because it "just works" OOTB and reduces their workload and time to production).

Thanks again for your feedback though. We'll consider whether we should write up a doc page (with a big warning at the top) on how to do that.

Jeremy Davis's picture

IMPORTANT SECURITY NOTE

Making this change will mean that your server's root user password will be transmitted in plain text between your browser and your server. This is extremely insecure and should never be done on a server available on the internet! Anyone on the same network (i.e. if available via the internet: anyone, anywhere) could easily capture your password with freely and easily available tools. They would then have complete control of your server and could do anything from destroying it, to stealing data, to spying on you, to installing malicious software that may even infect other computers on the network, etc.

Unless this server is disposable (e.g. just for testing) or completely isolated from everyone other than yourself and users who you trust absolutely, disabling Webmin via HTTPS is a really bad idea!

If this server is not completely isolated (and ideally on it own hardware firewalled subnet or similar) you should consider it unsafe and treat it as if it has already been compromised.

If this server provides any important functionality and/or contains any important and/or sensitive data, then please reconsider your approach. There are almost certainly alternate pathways to resolve the specific issue you are having with use of Webmin via HTTPS.

If you are determined to go ahead with this despite the warning, then I would at least recommend disabling root access to Webmin and create a specific locked down sudo user who only has the specific minimal permissions required for whatever task that they'll need to do.

You've been warned...!


With that important disclaimer out of the way, it's also worth noting that I can't actually test this right now as the only TurnKey server I have handy has already been modified. So please also be warned, that this may not be 100% right and/or complete...

Please also note that this procedure will only apply to v15.x and earlier. Stunnel will be set up somewhat differently in the upcoming v16.0 release.

To remove Webmin from behind Stunnel, edit /etc/stunnel/stunnel.conf and remove the lines:

[webmin]
accept  = 12321
connect = 127.0.0.1:10000
TIMEOUTclose = 0

Then restart Stunnel:

systemctl restart stunnel4

Then edit /etc/webmin/miniserv.conf and find, then change the following config lines (they won't be all together and may not even be in this order) from:

0000
port=10000
listen=10000
inetd_ssl=1
bind=127.0.0.1

to:

port=12321
listen=12321
inetd_ssl=
bind=0.0.0.0

If you're ok with using port 10000 instead of 12321, then you could leave the 'port' and 'listen' values as per default. Alternatively, you could select a completely different port to use (but please don't consider that a "security measure", it's not!).

Then finally restart Webmin:

systemctl restart webmin

Add new comment