Webmin: Cannot login through nginx reverse proxy

authentication nginx webmin reverse-proxy

288

Try this solution, it works for me well:

/etc/webmin/config:

webprefix=/webmin
webprefixnoredir=1
relative_redir=0   # pay attention on this
referer=www.examle.com

/etc/webmin/miniserv.conf:

cookiepath=/webmin

nginx config:

location /webmin/ { 
    proxy_pass http://localhost:10000/;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Do not add proxy_set_header Host $host;, it won't work.

Webmin should be available on http://www.examle.com/webmin/

Source

288

ms123

Updated on September 18, 2022

Comments

ms123 almost 2 years

I'm looking for a way to create programmatically a reeder-like list (like here http://reederapp.com/mac/_screens/img/2.png - the list with the article's summary). What is the kind of element used? Is there any example that shows how to do that?

Thanks a lot
- rob mayoff over 12 years
  
  Are you talking about the list on the left or the list in the middle? Do you want to do it on iOS or on Mac OS X?
- BBB almost 9 years
  
  For what its worth, my configuration is the same as serverfault.com/questions/443482/proxying-webmin-with-nginx (as is my problem, only this fix doesn't work for me). I also found this article helpful and have tried these suggestions: serverfault.com/questions/98987/…
- closetnoc almost 9 years
  
  If you look at your paths in the example you are giving, the problem appears to lie within the proxy itself. As a side note, this is a security risk that you are opening up. Make sure that you have secure usernames and hardened passwords and keep an eye on your Webmin log.
- BBB almost 9 years
  
  Thanks... I'll look more at the proxy, but any suggestions? I just posted the nginx code above for review. Thanks for the note on security... I think I'm good because webmin is behind an internal auth setup, uses good usernames and strong passwords, and two factor auth is enabled.
- closetnoc almost 9 years
  
  The only quick thing I see is that you may want to try removing the trailing slashes in your proxy settings such as proxy_redirect 127.0.0.1:10000 site.example.com/webmin and proxy_pass 127.0.0.1:10000. Your failed attempt had two // slashes. Worth a try.
- BBB almost 9 years
  
  Many thanks! Removing the trailing slash from proxy_pass got rid of the double slash in the log and added 'webmin' (I tried removing it from each place separately, and the trailing slashes on proxy_redirect had no effect on the log. BEFORE: [client ip] - - [27/Jul/2015:00:21:13 -0400] "POST //session_login.cgi HTTP/1.0" 401 2854 AFTER: [client ip] - - [27/Jul/2015:00:21:53 -0400] "GET /webmin/session_login.cgi HTTP/1.0" 401 2854 [client ip] - - [27/Jul/2015:00:22:06 -0400] "POST /webmin/session_login.cgi HTTP/1.0" 401 2854
- closetnoc almost 9 years
  
  Glad it works!! You were smart to try each piece one at a time. That indicates to me that you will be a great webmaster/IT professional! It is a scientific approach- reason and deduction.
- BBB almost 9 years
  
  Thanks :-) Unfortunately... it's not fixed. It does show /webmin/ instead of a double slash, which seems logical, but I'm not actually sure it's better. example.com/webmin/ should be proxied to example.com:10000 (i.e. example.com/webmin/test/ should show up as example.com:10000/test in the log... the /webmin shouldn't be part of the URL passed to port 10000. At least, maybe. I'm still playing but the browser behavior (aka the problem) hasn't changed.
- closetnoc almost 9 years
  
  Ah! NUTS!! I will have to think on this a bit. Nginx did not exist when I was doing network stuff, but it seems simple enough.
- closetnoc almost 9 years
  
  I am in chat. Juggling between two people though... when it rains it pours.
- closetnoc almost 9 years
  
  I noticed that in serverfault.com/questions/443482/proxying-webmin-with-nginx the proxy_redirect was below the proxy_pass but you have it the other way around here... not sure what difference that makes yet. Something to try.
BBB almost 9 years

Set-Cookie: testing=1; path=/; httpOnly
BBB almost 9 years

pragma: no-cache Expires: Thu, 1 Jan 1970 00:00:00 GMT
BBB almost 9 years

Cache-Control: no-store, no-cache, must-revalidate
BBB almost 9 years

Cache-Control: post-check=0, pre-check=0
Mike -- No longer here almost 9 years

That suggests that maybe you have the system in a special testing-only mode. The cookie that should be returned should be a unique value to the user depending on who is logged in unless logins are tracked in a server database by IP address which I don't recommend because if someone logs in on a LAN then another computer connected to the same LAN would be logged in automatically because the IP address of both computers to the world is the same.
BBB almost 9 years

This definitely isn't my expertise, and there may be something wrong here... but presumably there'd be a unique session identifier if I were logged in. Either way, it seems like its set to not cache (and cache is a false expiration date-- in the past). (I think?) I did a quick search, and it seems like testing=1 may be something the webmin folks left in there, but I'll check it out more thoroughly.
closetnoc almost 6 years

It appears there may be some typos. I am not sure if they are deliberate. Can you double check? Cheers!!