
Why doesn't webmin work without SSL?

Scorance:

However, when I go to https://192.168.1.200:12321/webmin/edit_ssl.cgi

both "Enable SSL" and "Redirect to SSL" are set to no.


So why does it keep forcing SSL?

Jeremy Davis:

Since v14.0, Webmin has been hidden behind Stunnel.

If you really wanted to host it via plain HTTP, then you could remove it from the Stunnel config (and restart the 'stunnel4' service) and remove the binding to localhost (and restart the 'webmin' service). However, that is a really BAD idea. If you were to log in via plain HTTP, your root user account credentials would be transmitted in plain text across the internet for anyone to intercept! If someone with malicious intent collects those credentials, then they own your server!

So I'd rather not publicly detail the exact steps required as it's important that the config change you are requesting is not easily done by anyone who doesn't understand the implications. However, if you still want to do it, with the info I've provided and a bit of googling and/or some trial and error, it should be relatively easy to work out what needs to be done.
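The reply above deliberately leaves out the steps for exposing Webmin over plain HTTP, so what follows is the opposite: a check that the layout it describes (stunnel terminating TLS on the public port, Webmin itself bound to loopback only) is actually in place on a host. This is an added example, not code from the thread or from TurnKey. It reads `ss -ltnp` style output and flags any deviation. Assumptions not stated in the thread: the public TLS port is 12321 (taken from the URL in the question), Webmin's own listener is on port 10000, and the sample `ss` lines below are constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Added example (not from the TurnKey thread): verify that Webmin is only
# reachable through stunnel.  Reads `ss -ltnp` output on stdin.
#
# Assumptions (not stated in the thread):
#   - the public TLS port is 12321 (from the URL in the question)
#   - Webmin's own (plain HTTP) listener is on port 10000
PUBLIC_PORT=12321
WEBMIN_PORT=10000

# check_listeners: returns 0 when the expected layout holds, 1 otherwise.
# Prints one line per finding.
check_listeners() {
    input=$(cat)
    rc=0

    # 1. The public port must be owned by stunnel, so TLS is always terminated
    #    before traffic reaches Webmin.
    if printf '%s\n' "$input" | grep -E ":${PUBLIC_PORT}[[:space:]]" | grep -q 'stunnel'; then
        echo "ok: port ${PUBLIC_PORT} is served by stunnel (TLS)"
    else
        echo "FAIL: port ${PUBLIC_PORT} is not served by stunnel"
        rc=1
    fi

    # 2. Any listener on the Webmin port must be bound to a loopback address
    #    (127.x.x.x or [::1]); 0.0.0.0, *, or [::] means plain HTTP is exposed.
    exposed=$(printf '%s\n' "$input" \
        | awk -v p=":${WEBMIN_PORT}$" '$4 ~ p && $4 !~ /^(127\.|\[::1\])/ {print $4}')
    if [ -n "$exposed" ]; then
        echo "FAIL: Webmin port reachable outside loopback: $exposed"
        rc=1
    else
        echo "ok: Webmin port is bound to loopback only"
    fi

    return $rc
}

# Constructed sample: the hardened layout the reply describes.
sample_hardened() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:12321       0.0.0.0:*         users:(("stunnel4",pid=512,fd=9))
LISTEN 0      128    127.0.0.1:10000     0.0.0.0:*         users:(("perl",pid=601,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=400,fd=3))
EOF
}

# Constructed sample: stunnel removed and Webmin rebound to all interfaces,
# i.e. the plain-HTTP configuration the reply warns against.
sample_exposed() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:10000       0.0.0.0:*         users:(("perl",pid=601,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=400,fd=3))
EOF
}

# On a live host:  ss -ltnp | check_listeners
# Stand-alone demo on the constructed samples:
sample_hardened | check_listeners
sample_exposed  | check_listeners || echo "exposed layout rejected as expected"
```

The check keys on ports rather than on process names because the Webmin listener shows up under whatever `ss` reports as the command name (the sample uses `perl`), while the public port is unambiguous. Run it on the appliance to confirm that nothing is listening on the Webmin port except on loopback.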

Scorance:

Uhh, if any of that made sense to me, I probably wouldn't be using TurnKey. No offense :\

Scorance:

Also, this is internal. If the settings don't work, why are they there?

Jeremy Davis:

Apologies if that was all just gobbledygook to you...

FWIW, the majority of TurnKey users use TurnKey online, so not being able to easily disable SSL without understanding the implications is a good thing IMO!

Regarding "if it doesn't work, why is it there?", that's a totally legitimate question. But there is a context and rationale. We don't write or maintain Webmin. We just package it and include it in our appliances for user convenience. Any TurnKey-specific changes that we were to make to Webmin would mean a higher maintenance overhead for us (with arguably limited value).

When we put Webmin behind stunnel, that was done to harden security. Whilst it's not ideal, we decided that having a few irrelevant options within Webmin was a fair price to pay. At least the connection will always be secure, even if some SSL exploit appears (FWIW, stunnel gets automated security updates directly from Debian, whereas Webmin security updates rely on us manually updating it).

Unfortunately, we always need to make compromises and tough decisions on which way to go and where to target our limited resources. The incredibly broad range of users we have adds complexity to that decision-making process. We have users who have never used Linux before (and like the added "usability" features such as Webmin), through to high-level Linux experts who never even use Webmin, just the command line (and love TurnKey because it "just works" OOTB and reduces their workload and time to production).

Thanks again for your feedback though. We'll consider whether we should write up a doc page (with a big warning at the top) on how to do that.
