Using SSL with Webmin
|| Using SSL with Webmin
Because your Webmin login and password are normally passed between your
browser and the server in unencrypted form, an attacker with access to any
of the networks between the browser and server can easily capture your
Webmin login. To prevent this, Webmin can be configured to use SSL
to encrypt all of its network traffic.
Sunday, 29-Mar-2015 18:02:00 UTC
Running Webmin in SSL mode
To install SSL, follow these steps :
Warning - if you enable SSL support in Webmin, your browser must also support
SSL (such as Netscape and IE). If not, you will not be able to access the
Webmin server. If there is a firewall or proxy between the machine you are
running your browser on and the Webmin server, check that it allows SSL
requests to pass through as well.
- Download the OpenSSL library
OpenSSL is a C library that provides the underlying SSL functions used by
Webmin and many other programs. It is available in RPM format and as a .tar.gz file. When installing from the RPM, you may also need the development RPM in order to compile Net::SSLeay.
Most Linux and BSD distributions now come with OpenSSL RPMs that are
installed as standard or available on the CD. If your distribution has
openssl and possibily openssl-devel packages, use them
- Install the OpenSSL library
If you are installing from the RPM, run the commands :
rpm -i openssl-0.x.y.rpm
rpm -i openssl-devel-0.x.y.rpm
If installing from the source, you will need to compile and install it with the commands :
tar xvzf openssl-0.x.y.tar.gz
./Configure (or ./config in new OpenSSL versions)
- Download the Net::SSLeay Perl module
Net::SSLeay is a module that allows Perl scripts to call the functions in the OpenSSL library. It is available in .tar.gz format from the Webmin site or from the CPAN Perl module archive.
Alternately, you can use the Perl Modules module in Webmin to download an
install Net::SSLeay from CPAN. If this works OK, the next step can be
Some Linux distributions come with an RPM package containing this Perl
module, often named perl-Net-SSLeay. If one is available, install
it instead of compiling the module manually. You may also be able to find
a suitable package at rpmfind.net if your distribution doesn't include one.
However, be aware that any Perl module in RPM format must have been
built for the same version of Perl that you are running, or it won't
- Install the Net::SSLeay module
To install the module, use the commands :
tar xvzf Net_SSLeay.pm-x.yy.tar.gz
If you have installed OpenSSL from the RPM, you may need to run
perl Makefile.PL /usr in order to find the OpenSSL library
- Test the SSL install
If the command perl -e 'use Net::SSLeay' doesn't output any
error message, then the SSL support that Webmin needs is properly
- If Webmin is not installed yet, install it
If you install SSL support first, when Webmin's setup.sh script is
run it will ask you if you want to enable SSL. Just enter y.
The RPM version of Webmin will always automaticlly use SSL mode if possible.
- If Webmin is already installed, turn on SSL
In the Webmin Configuration module (under the Webmin category) an icon
for SSL Encryption should appear. Click on it, and change the SSL option
from Disabled to Enabled.
Using STunnel to protect Webmin
Because many people have trouble installing OpenSSL and the Net::SSLeay
module needed to run Webmin in SSL mode natively, I have created documentation
explaining an alterative method. The STunnel program can convert SSL-encrypt
any network services, such as POP3 or IMAP - or even Webmin. However, only
Webmin versions 1.090 and above will work fully. To set it up, follow these
- Install STunnel
The program is installed as standard with many Linux distributions, or can
be downloaded from www.stunnel.org and
compiled for your system.
- Create a new tunnel
Use Webmin's SSL Tunnels module to create a new tunnel on port 10001 called
ssl-webmin that uses the Connect to remote host mode to
connects to localhost port 10000 (assuming you are running
Webmin on port 10000).
The SSL certificate and key file option should be set to Use
Webmin's cert, and all of the other options left as their defaults.
- Activate the tunnel
Hit the Apply Changes button in the SSL Tunnels module to activate
your new tunnel.
- Configure Webmin so that it knows about the SSL tunnel
Added the line inetd_ssl=1 to /etc/webmin/miniserv.conf and run
/etc/webmin/stop ; /etc/webmin/start.
- Login to Webmin in SSL mode
You should now be able to connect to https://yourhostname:10001/
and login as normal. The old URL on port 10000 will no longer work