Hi,
I have Webmin setup behind an nginx reverseproxy. I'm having redirection problems in many modules.
System: Debian 9
Webmin: 1.870
Authentic Theme: 19.04
This is my nginx config:
location /webmin/ {
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ https://$host/webmin/;
proxy_pass http://127.0.0.1:10000/;
}
In /etc/webmin/config I have set:
webprefix=/webmin
webprefixnoredir=1
referer=www.example.com
An example where I'm having this issues is the Linux IPTables Firewall module.
When I edit a rule and hit the "Save" button https://www.example.com/webmin/firewall/save_rule.cgi is called.
This gives me a HTTP 302 redirect with this location header: /webmin:10000/firewall/index.cgi?version=inet4&table=0 which leads to HTTP 404 at this very location.
I'm also seeing this wrong redirects in, for example, "Scheduled Cron Jobs" or "BIND DNS Server" modules as well.
Hope you can help.
Phil
Is /webmin:10000/firewall/index.cgi?version=inet4&table=0 the HTTP redirect header that's coming from Webmin, or what's getting to your browser after it has passed through Nginx?
This is what is getting to my browser after it passed nginx
That is a very unusual redirect URL, as it seems to be missing the http or https prefix.
Maybe the proxy_redirect line should be :
proxy_redirect http://localhost:10000/ https://$host/webmin/;
Changing proxy_redirect to what you posted makes it worse. After that I can't login anymore because the "Sign in" button redirects me to https://www.example.com:10000/
//edit: I forgot to mention: I also have haproxy in front of nginx wich does ssl-offloading and adding hsts-headers. I don't think this causes the problem, but I will check by installing webmin directly behind nginx without haproxy on a testbox.
//edit2: yep, same problem without haproxy in front.
Sorry, I think the line should be :
proxy_redirect http://127.0.0.1:10000/ https://$host/webmin/;
This also doesn't work :-(
The login "crashes".
When I add a second proxy_redirect: proxy_redirect /webmin:10000/ /webmin/; it seems to work.
I think this cannot be the correct way to fix that issue.
Why does webmin generate a redirect to /webmin:10000/ at all?
//edit: it just seemed to work. I found another strange redirect. See screenshot.
It's hard to say what's happening here unless we can also see the headers returned by Webmin to Nginx, before any modification.
I analyzed the http traffic between nginx and webmin using this line tcpdump -i lo -vvvs 1024 -l -A port 10000.
This is what i get:
10:14:55.479798 IP (tos 0x0, ttl 64, id 19488, offset 0, flags [DF], proto TCP (6), length 692)
localhost.33886 > localhost.webmin: Flags [P.], cksum 0x00a9 (incorrect -> 0xed0a), seq 1:641, ack 1, win 342, options [nop,nop,TS val 287454 ecr 287454], length 640
E...L @.@..!.........^'..!.........V.......
..b...b.GET /firewall/save_policy.cgi?version=inet4&table=0&chain=INPUT&policy=ACCEPT&add=Add%20Rule&_pjax=%5Bdata-dcontainer%5D HTTP/1.0
Host: wbmntst.local
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wbmntst.local/webmin/firewall/?xnavigation=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-Requested-With: XMLHttpRequest
Cookie: redirect=1; testing=1; sid=377a47b5c3fdbe1d00f794aa8043f039
DNT: 1
10:14:55.479800 IP (tos 0x0, ttl 64, id 44394, offset 0, flags [DF], proto TCP (6), length 52)
localhost.webmin > localhost.33886: Flags [.], cksum 0xfe28 (incorrect -> 0xb588), seq 1, ack 641, win 352, options [nop,nop,TS val 287454 ecr 287454], length 0
E..4.j@[email protected]........'..^.....!1A...`.(.....
..b...b.
10:14:55.515896 IP (tos 0x0, ttl 64, id 44395, offset 0, flags [DF], proto TCP (6), length 84)
localhost.webmin > localhost.33886: Flags [P.], cksum 0xfe48 (incorrect -> 0x2145), seq 1:33, ack 641, win 352, options [nop,nop,TS val 287463 ecr 287454], length 32
E..T.k@[email protected]........'..^.....!1A...`.H.....
..b...b.HTTP/1.0 302 Moved Temporarily
10:14:55.515909 IP (tos 0x0, ttl 64, id 19489, offset 0, flags [DF], proto TCP (6), length 52)
localhost.33886 > localhost.webmin: Flags [.], cksum 0xfe28 (incorrect -> 0xb560), seq 641, ack 33, win 342, options [nop,nop,TS val 287463 ecr 287463], length 0
E..4L!@.@............^'..!1A.......V.(.....
..b...b.
10:14:55.526159 IP (tos 0x0, ttl 64, id 44396, offset 0, flags [DF], proto TCP (6), length 88)
localhost.webmin > localhost.33886: Flags [P.], cksum 0xfe4c (incorrect -> 0x8db8), seq 33:69, ack 641, win 352, options [nop,nop,TS val 287466 ecr 287463], length 36
E..X.l@[email protected]........'..^.....!1A...`.L.....
..b...b.Date: Mon, 1 Jan 2018 09:14:55 GMT
10:14:55.526172 IP (tos 0x0, ttl 64, id 19490, offset 0, flags [DF], proto TCP (6), length 52)
localhost.33886 > localhost.webmin: Flags [.], cksum 0xfe28 (incorrect -> 0xb536), seq 641, ack 69, win 342, options [nop,nop,TS val 287466 ecr 287466], length 0
E..4L"@.@............^'..!1A.......V.(.....
..b...b.
10:14:55.526186 IP (tos 0x0, ttl 64, id 44397, offset 0, flags [DF], proto TCP (6), length 76)
localhost.webmin > localhost.33886: Flags [P.], cksum 0xfe40 (incorrect -> 0x2c4c), seq 69:93, ack 641, win 352, options [nop,nop,TS val 287466 ecr 287466], length 24
E..L.m@.@..<........'..^.....!1A...`.@.....
..b...b.Server: MiniServ/1.870
10:14:55.526189 IP (tos 0x0, ttl 64, id 19491, offset 0, flags [DF], proto TCP (6), length 52)
localhost.33886 > localhost.webmin: Flags [.], cksum 0xfe28 (incorrect -> 0xb51e), seq 641, ack 93, win 342, options [nop,nop,TS val 287466 ecr 287466], length 0
E..4L#@.@............^'..!1A.......V.(.....
..b...b.
10:14:55.526210 IP (tos 0x0, ttl 64, id 44398, offset 0, flags [DF], proto TCP (6), length 71)
localhost.webmin > localhost.33886: Flags [P.], cksum 0xfe3b (incorrect -> 0x3dd3), seq 93:112, ack 641, win 352, options [nop,nop,TS val 287466 ecr 287466], length 19
E..G.n@.@..@........'..^.....!1A...`.;.....
..b...b.Connection: close
10:14:55.526218 IP (tos 0x0, ttl 64, id 19492, offset 0, flags [DF], proto TCP (6), length 52)
localhost.33886 > localhost.webmin: Flags [.], cksum 0xfe28 (incorrect -> 0xb50b), seq 641, ack 112, win 342, options [nop,nop,TS val 287466 ecr 287466], length 0
E..4L$@.@............^'..!1A...#...V.(.....
..b...b.
10:14:55.526229 IP (tos 0x0, ttl 64, id 44399, offset 0, flags [DF], proto TCP (6), length 140)
localhost.webmin > localhost.33886: Flags [P.], cksum 0xfe80 (incorrect -> 0x22e8), seq 112:200, ack 641, win 352, options [nop,nop,TS val 287466 ecr 287466], length 88
E....o@.@...........'..^...#.!1A...`.......
..b...b.Location: /webmin:10000/firewall/edit_rule.cgi?version=inet4&table=0&chain=INPUT&new=1
Here you can see, webmin is returning this weird /webmin:10000/ redirect.
Hi,
It seems to me as theme issue.
Could you please update to the latest theme 19.07 at first and see if issue went away?
I updated authentic theme to version 19.07.
Sadly, this didn't change anything.
Could you please goto theme's configuration and update to the latest development version?
Does it fix your issue? It should!
I used the "Force update theme" function and chose "Install latest development version (beta)" (hope this is what you meant).
This didn't change anything. Still these weird redirects :-(
Can you backup and then remove all /tmp/.webmin? Does it help? If helps, can you send me previously backed-up files?
Does it also happen in Gray Theme?
"Gry Framed Theme" works correctly.
I Backed up /tmp/.webmin and then removed it. Didn't change anything.
This is strange. What is your exact Nginx configuration?
..and when these redirects exactly happen? On the first load or later upon navigating around? How does URL change?
/etc/nginx/conf.d/default.conf:
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location /webmin/ {
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_redirect http://$host:10000/ http://$host/webmin/;
# proxy_redirect /webmin:10000/ /webmin/;
# proxy_redirect :10000/ /;
proxy_pass http://127.0.0.1:10000/;
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
I log in, wait until everything has loaded, click "Networking", click "Linux Firewall", click "Add rule" -> strange redirect.
When I, after that, click "Linux Firewall" in the menu again, the URL in my browserwindow changes to: http://wbmntst.local/webmin:10000/firewall/edit_rule.cgi?version=inet4&table=0&chain=INPUT&new=1&xnavigation=1
When clicking "Linux Firewall" again the URL changes back to: http://wbmntst.local/webmin/firewall/?xnavigation=1
Another strange thing: sometimes the "Add Rule" buttons are green (with a + in front), sometimes they are not. Sometimes one of the three is green, sometimes two
Does adding
webprefixnoredir=1
.. into /etc/webmin/config and restarting Webmin makes it work?
Besides, I don't think your proxy configuration is correct. It looks theoretically correct, but that might be the reason why it would fail in practice eventually.
You have:
proxy_redirect http://$host:10000/ http://$host/webmin/;
proxy_redirect http://upstream:port/two/ /one/;
Give it a try. I don't face the issues you're talking about on Apache, with following proxy configuration:
RewriteRule ^/webmin$ /webmin/ [R]
ProxyPass "/webmin" "http://localhost:10000"
ProxyPassReverse "/webmin" "http://localhost:10000"
I'm not even sure that you need _proxy_redirect_ at all. 馃槈
webprefixnoredir=1 is already set
Without proxy_redirect it doesn't work at all. session_login.cgi redirects me to http://wbmntst.local:10000/, so I have to rewrite it.
Changing proxy_redirect http://$host:10000/ http://$host/webmin/; to proxy_redirect http://$host:10000/ /webmin/; doesn't change anything at all (it does the same).
Okay,
Can you post your /etc/webmin/config and /etc/webmin/miniserv.conf as well?
What about:
proxy_redirect http://$host:10000/ /webmin
location /webmin {...}
Without trailing slashes?
With
proxy_redirect http://$host:10000/ /webmin
location /webmin {...}
I'm unable to log in. It redirects me to the login screen.
/etc/webmin/config:
passwd_uindex=0
tempdelete_days=7
passwd_pindex=1
passwd_cindex=2
passwd_file=/etc/shadow
by_view=0
passwd_mindex=4
path=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
find_pid_command=ps auwwwx | grep NAME | grep -v grep | awk '{ print $2 }'
ld_env=LD_LIBRARY_PATH
os_type=debian-linux
os_version=9
real_os_type=Debian Linux
real_os_version=9
lang=en.UTF-8
log=1
md5pass=1
theme=authentic-theme
product=webmin
webprefix=/webmin
webprefixnoredir=1
referer=0
referers=wbmntst.local
referers_none=1
gotoone=0
deftab=webmin
notabs=0
nomoduleup=
nohostname=0
nowebminup=
gotomodule=
/etc/webmin/miniserv.conf:
port=10000
root=/usr/share/webmin
mimetypes=/usr/share/webmin/mime.types
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ppath=
ssl=0
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=1
logout=/etc/webmin/logout-flag
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
syslog=1
ipv6=0
session=1
premodules=WebminCore
server=MiniServ/1.870
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
preroot=authentic-theme
passdelay=1
login_script=/etc/webmin/login.pl
logout_script=/etc/webmin/logout.pl
failed_script=/etc/webmin/failed.pl
cipher_list_def=1
sudo=1
ssl_redirect=0
sockets=
no_resolv_myname=1
Webmin docs state that you need _cookiepath_, try cookiepath=/webmin in _miniserv.conf_.
Besides, try to remove
referer=0
referers=wbmntst.local
in _config_ and replace it with referer=webmin.
I added cookiepath=/webmin in miniserv.conf, didn't solve the issue.
Then replaced what you stated in config. Didn't solve the issue aswel :-(
Tried not to use proxy_set_header?
When I get to the PC, I'll try to reproduce it.
It works fine in Apache, that's what is strange.
I think, I found the solution..
I set relative_redir=1 in /etc/webmin/config.
Now it seems to work.
I'm still having this same issue. I get the 404 error behind Nginx when trying to access Running Processes. I can see that Webmin (or Nginx not sure which) drops the subdirectory on the cgi call, meaning, from my browser web console, it looks like this:
Request URL: https://www.mydomain.com/webmin/proc/ - 302
Request URL: https://www.mydomain.com/proc/index_size.cgi? - 404
Notice it inserts the "/webmin" properly in the first request then drops the "/webmin" from the second request. This, for me, is the source of most of my inconsistent 404 errors, where webmin seems to be working fine most of the time behind Nginx then in certain instances isn't. Any thoughts on how to fix it? Thanks
What do you get in Gray Theme? Could you double check. It looks like module issue.
That is with the Gray Theme.
In /etc/webmin/config make sure _relative_redir=0_ or it will give you the problems @PhilPhonic and @mobamoba mentioned before.
referer=www.examle.com webprefix=/webmin webprefixnoredir=1 relative_redir=0In /etc/miniserv.conf
trust_real_ip=1 ssl=0 cookiepath=/webmin_(trust_real_ip=1 is to show the correct ip in recent logins)_
If nginx is on the same host as webmin you can make it listen only on loopback with this in miniserv.conf:bind=127.0.0.1Your location block should look like this, nothing more.
With _proxy_set_header Host $host;_ you'll get the login redirect problem!location /webmin/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://localhost:10000/; }Make sure you don't have something like this in your server block or the pages will be missing style.
location ~* \.(js|css|ico|png|jpg|jpeg|gif)$ { expires max; add_header Cache-Control public; log_not_found off; }
Clear you browser cache, restart nginx and webmin.
Hope it helps.
only mention here, that if you use https instead of http, you should adapt ssl to 1:
In /etc/miniserv.conf
ssl=1
Not if SSL termination is done on the reverseproxy in front, which is in this case ;-)
you are right, I disabled ssl and adapted nginx and it works as well. Thanks. Keep it easy is good rule.
Again summarized:
proxy_pass https://localhost:10000/; to proxy_pass http://localhost:10000/;ssl=1 to ssl=0Unfortunately there is not much information on how to proxy webmin properly with nginx.
This is my config on centos 7, it works with any theme without errors.
In /etc/webmin/config make sure _relative_redir=0_ or it will give you the problems @PhilPhonic and @mobamoba mentioned before.
referer=www.examle.com webprefix=/webmin webprefixnoredir=1 relative_redir=0In /etc/miniserv.conf
trust_real_ip=1 ssl=0 cookiepath=/webmin_(trust_real_ip=1 is to show the correct ip in recent logins)_
If nginx is on the same host as webmin you can make it listen only on loopback with this in miniserv.conf:bind=127.0.0.1Your location block should look like this, nothing more.
With _proxy_set_header Host $host;_ you'll get the login redirect problem!location /webmin/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://localhost:10000/; }Make sure you don't have something like this in your server block or the pages will be missing style.
location ~* \.(js|css|ico|png|jpg|jpeg|gif)$ { expires max; add_header Cache-Control public; log_not_found off; }Clear you browser cache, restart nginx and webmin.
Hope it helps.
thank you so much for this. I tried all of the various guides out there, but this is the only one that worked. This needs to be followed exactly as it is written or it won't work.
Most helpful comment
Unfortunately there is not much information on how to proxy webmin properly with nginx.
This is my config on centos 7, it works with any theme without errors.
In /etc/webmin/config make sure _relative_redir=0_ or it will give you the problems @PhilPhonic and @mobamoba mentioned before.
Clear you browser cache, restart nginx and webmin.
Hope it helps.