CF Tunnel to Webmin miniserv on localhost or AWS local subnet + CWAF on Ubuntu 22.04 AWS

OS type and version Ubuntu Linux 22.04.1 (+ Linux 5.15.0-1028-aws on x86_64)
Webmin version 2.013

Dear Sir @Ilia :slight_smile: .

1. CWAF on U22-04LTS:
That’s why I’m going to start with this salutation, because you’ve always got me out of trouble, but that doesn’t mean I wouldn’t take advice from anyone else. :slight_smile:

Once again I have a problem with the installation of CWAF, which was discovered during a move to an AWS instance.

The installation scripts are running fine, I have attached the installation log.
log: (1.2 KB)

What has changed is the OS version Ubuntu 22.04 and the ModeSec version (V2.9.5).
(APACHE version 2.4.55)
Phenomenon, - COMODOWAF does not appear in the servers menu in the Webmin panel.

2. CF Tunnel:
I don’t know if I’m doing it right, but I’d write about the second question here, maybe this is your “question” AuthTheme)" too. (pls. - if need a separate topic for this question please move it).

Webmin access through a Clodflared tunnel only works with a trick, e.g.

nano /etc/webmin/miniserv.conf
port= custom f.e. in 50-60K
or (on AWS)
bind=AWS internal subnet IP

Make a cloudflared tunnel to server with http://localhost:custom port (or http://aws int.subnetIP…)
(Via the dashboard · Cloudflare Zero Trust docs)

The thing works great as long as you don’t have the Webmin login tied to GoogleAuth. - 2FA…

  • then after entering 6 digits, the login process will not continue in the current browser window
  • open a new window with the Webmin “url” to access the dashboard - done

Help me please will this be a CF issue or can be solved in-house? THX: SD :slight_smile:


I don’t really understand the problem you’re having but if the problem is a redirect to the wrong URL after login, you may want to have a look at Webmin ⇾ Webmin Configuration: Web Server Options page and its Internal redirect URL overrides option.

Sorry, my language was loose

  1. I can access the Webmin login page via CF tunnel with SSL without any problems.
  2. here I enter the user / psw pair
  3. goes to 2FA authentication (GoogleAuth) asks for the 6 digit ID (token) - OK enter …
  4. from here the process does not go to the dashboard… - with the usual Virtualmin start logo
  5. then what I have to do is open a new window “TAB” in this browser and paste the “url” of the previous stuck window and in the new window I can get to the dashboard,

What I also read is that you need to enter the url of the CF tunnel in Webmin Config / Trusted Referrers - I also did this

if I don’t explain it well I can make a short video, THX

Where does it “go” then exactly then? Have you tried logging in using a private tab (where all browser’s extensions are off) or another browser, like Chrome?

It would be best, I think.

I always use a separate browser (Iridium or Brave in incognito mode) to manage tools (e.g. routers, switches, etc.) or to access admin pages.
I don’t use these browsers for anything else. + CCleaner to delete cookies

I have made a video where I first reach a Portainer page via CF tunnel without any problems, then I try the same with Webmin + 2FA setup and you can see how I can reach the dashboard.

The video also shows sensitive data, so I don’t want to share the link here.

I sent you the link privately.
THX again

Alright, thanks for the videoscreencast. I checked it. So, are you running Webmin behind proxy? If so, can I see the proxy config?


I’m a bit late with the answer sorry.
It’s a CloudFlare ZERO Trust thing, you can see what it is, here:

(must be going through CF proxy, because nslookup gives CF IP range - so I cannot provide the proxy config)

We can’t go deep into (proxy) it because it’s CF stuff, but here’s the code for cloudflared:

Actually, nowadays we run all non-traditionally webserver based (80 / 443) stuff via CF tunnel, such as Portainer, Grafana, Kibana, R Server…

so far I have only experienced this problem in Webmin + 2FA (GoogleAuth), the other applications work as expected

with this tunnel thing, we separating our sensitive stuff from the public internet

I set the webserver of the above mentioned applications to “localhost” and give an internal port like 8089 http and the rest is handled by the CF tunnel

I show you what it looks like on the CF dashboard