You are here
I am currently trying to set up the Turnkey Fileserver as an LXC on my Proxmox host on my local network. Turnkey and some of my other services prefer SSL but I don't want to expose them to the internet so I configured Caddy to assign certs using a DNS challenge with the Cloudflare plugin (my DNS provider). I serve multiple services from this one Proxmox host so this configuration allows me to assign arbitrary subdomains with SSL support like:
fileserver.home.example.tld
homeassistant.home.example.tld
My Caddyfile looks like so:
{ acme_dns cloudflare {$CF_API_TOKEN} } fileserver.home.example.tld { reverse_proxy 192.168.1.100 } fileserver.home.example.tld:12321 { reverse_proxy 192.168.1.100:12321 } fileserver.home.example.tld:10000 { reverse_proxy 192.168.1.100:10000 }
This works fine and the Turnkey Fileserver home page loads fine at the fileserver.home.example.tld domain with and without https, but when I try to open the Webmin portal I get a 502.
I also tried disabling the stunnel4@webmin service entirely and modifying the miniserv config as described here to disable SSL on webmin (not preferable but tried it for the sake of narrowing down the issue) but even without SSL I cannot connect to 192.168.1.100:12321 and get a connection reset response (no status code). From journalctl it looks like webmin is just restarting repeatedly.
To disable webmin SSL I used the following
Disable stunnel for webmin:
systemctl disable stunnel4@webmin systemctl stop stunnel4@webmin
Edit
/etc/webmin/miniserv.conf
with the following:
port=12321 listen=12321 inetd_ssl= bind=0.0.0.0
Edit the webmin service to remove stunnel
systemctl edit webmin
[Unit] After=network-online.target remote-fs.target
Then finally restart the webmin service
systemctl restart webmin
The linked post mentions that v16 changed the config significantly. Is there any steps I missed here when disabling SSL for testing? Is there another approach which allows me to keep SSL without any port forwarding? I am using the debian-10-turnkey-fileserver_16.0.1_amd64.tar.gz template from the repos included with Proxmox.
Edit: The above does appear to work, provided I use the domain name to connect to webmin rather than the ip address. Or I should say it did work, because I went back to try to change a config setting and even after reverting it, the webmin process is still stuck in the previous state of constantly restarting
This just loops
root@fileserver ~# journalctl -f Apr 03 03:25:06 fileserver webmin[773]: Webmin starting Apr 03 03:25:06 fileserver systemd[1]: webmin.service: Succeeded. Apr 03 03:25:07 fileserver systemd[1]: webmin.service: Service RestartSec=1s expired, scheduling restart. Apr 03 03:25:07 fileserver systemd[1]: webmin.service: Scheduled restart job, restart counter is at 60. Apr 03 03:25:07 fileserver systemd[1]: Stopped Webmin Web based Admin UI. Apr 03 03:25:07 fileserver systemd[1]: Starting Webmin Web based Admin UI... Apr 03 03:25:07 fileserver systemd[1]: Started Webmin Web based Admin UI. Apr 03 03:25:07 fileserver perl[775]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Edit 2: OK so I got webmin to come up consistently with the following
root@fileserver ~# /etc/webmin/start
Why does this work but not using the systemd service directly? How can I make the systemd service work so that this survives reboots?
The issue is/was the Webmin service file.
The default systemd service file which the initial Webmin package included wasn't ideal - please see the relevant bug for background and details). The TL;DR version is that under LXC the service was a bit buggy and was constantly dying and restarting. But we've fixed it in the more recent packages.
You could manually implement the changes required as per discussion on the bug. Although I recommend that you upgrade the packages as per discussed in a blog post (it's quite old, but the important parts have been updated).
Add new comment