Cloudflare AI wants me to rewrite Webmin code!

After working with Cloudflare AI for two days to ensure my setup is secure, it has decided the only way to stop a Security Warning is to rewrite code! Here's what it initially told me:

Found the bug! The issue is a port mismatch. Look at this check:

```
elsif ($referer_site eq $http_host &&
       (!$referer_port || !$http_port || $referer_port == $http_port)) {
```

The Referer header says https://#####.com/ (port 443), but Webmin thinks it's running on port 10000. So $referer_port (443) != $http_port (10000) → trust fails.

Also, referer=0 in Perl is falsy, so the `$gconfig{'referer'}` check doesn't skip. The simplest fix — patch the code to always trust:

```
# Add $trust = 1 before the check
sudo sed -i '/^if (!$trust) {/i \ $trust = 1; # Force trust - behind Cloudflare tunnel' /usr/share/webmin/web-lib-funcs.pl

sudo systemctl restart webmin
```

ME: Isn’t that a security risk?

AI: You’re right — disabling it entirely is a security risk. A better approach is to patch only the port comparison, since the real issue is that Cloudflare uses port 443 but Webmin sees port 10000. The hostname check still protects you:

```
# Undo the previous change first
sudo sed -i '/# Force trust - behind Cloudflare tunnel/d' /usr/share/webmin/web-lib-funcs.pl

# Patch only the port check - keep hostname verification but ignore port mismatch
sudo sed -i 's/(!$referer_port || !$http_port || $referer_port == $http_port)/1/' /usr/share/webmin/web-lib-funcs.pl

# Restart Webmin
sudo systemctl restart webmin
```

This changes:

```
# Before: requires both hostname AND port to match
elsif ($referer_site eq $http_host &&
       (!$referer_port || !$http_port || $referer_port == $http_port)) {

# After: only requires hostname to match (port always passes)
elsif ($referer_site eq $http_host && 1) {
```

The hostname check (#####.com) still protects against cross-site requests from other domains — only the port mismatch is bypassed, which is expected behind a reverse proxy/tunnel."

I’m not happy with this - what we are trying to do is get Webmin to recognise my login while dealing with Cloudflare’s apparent inability to deal with port 10000.

How have others dealt with Webmin (NOT Virtualmin) and Cloudflare? This is a very old (but regularly updated) install of Webmin from way back when it could be installed by itself. Sadly there is no way to upgrade it to Virtualmin without the possibility of screwing up my server.

Isn’t this basically what you’re after? Assuming you don’t want to actually change the Webmin port to 443, as probably you are serving websites there, right?
Then this is the way to do it. Further down in the docs they also mention a way with Cloudflare tunnels which also might be relevant in this case.

Cloudflare doesn’t support port 10000.

You need to move Webmin to a port other than 10000, one that is supported by Cloudflare for proxying HTTPS (or use Cloudflare tunnel). I think many folks use something like 8443. I don’t remember all the ports they allow.

But, also, you should know that proxying to Webmin disables a number of security features (Webmin has less information about the client, so things like brute force protection and referer checks and a variety of other things become less effective and have to be looser), so proxying to Webmin (through Cloudflare or otherwise) is currently less secure than not proxying to Webmin, all else being equal.

If you must proxy to Webmin, you need to configure Trusted Proxies in Webmin. This resolves a number of security concerns with proxying to Webmin.

And, if you must use Cloudflare, you might consider using their tunnel service, and configure Webmin to only listen on 127.0.0.1. This can work with port 10000. It’s still a proxied connection, which is more difficult to secure, but at least you only have to think about one exposed service.

You should read our documentation about proxying. We have documentation for using Cloudflare tunnel: Using Cloudflare Tunnel with Webmin | Webmin (That doesn't cover Trusted Proxies configuration, I don't think…but you need to configure that. I'll update the docs.)

And, in case it isn’t obvious, I don’t recommend making random changes to the Webmin source code without understanding what you’re doing, even if AI tells you to. Or, maybe especially if AI tells you to. LLMs are impressive, but I see a lot of folks get into trouble following their advice without understanding.
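To make the point above concrete, here is a small model of the host-plus-port Referer comparison quoted from web-lib-funcs.pl earlier in the thread, with the two ways of coping with a proxy side by side: removing the port comparison (what the suggested sed patch does) versus taking the front-end port from forwarding headers only when the request really came from a trusted proxy address. This is an added example written for this discussion, not Webmin's code and not anything posted by the Webmin developers; the header names (X-Forwarded-Proto / X-Forwarded-Port), the trusted-proxy list, the function names and the request dictionaries are all assumptions constructed for illustration, and Webmin's own option names differ.

```python
"""Model of a Webmin-style Referer check sitting behind a reverse proxy.

Added illustration, not code from Webmin or from anyone in this thread: it
reproduces the host-plus-port comparison quoted from web-lib-funcs.pl earlier
in the thread in simplified form, then contrasts two ways of coping with a
proxy in front of it:
  1. dropping the port comparison altogether (what the sed patch above does);
  2. taking the front-end scheme/port from forwarding headers, but only when
     the request arrived from an address on a trusted-proxy list.
The header names (X-Forwarded-Proto / X-Forwarded-Port), the trusted-proxy
list and the request dictionaries are assumptions constructed for this
example; Webmin's own option names differ.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# cloudflared running on the same machine as Webmin (assumption for the example)
LOCAL_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def referer_site(referer):
    """Return the (host, port) a Referer URL names, or (None, None)."""
    if not referer:
        return None, None
    u = urlsplit(referer)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return None, None
    return u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme]


def own_site(env, listen_port, trusted_proxies=()):
    """Host and port the server believes it was addressed on.

    The port comes from the Host header when it carries one, else from the
    listening port. Forwarding headers may override it only when REMOTE_ADDR
    is a trusted proxy: an arbitrary client must not get to pick the port
    the check compares against.
    """
    host = env.get("HTTP_HOST", "")
    hostname, _, port = host.rpartition(":")
    if hostname and port.isdigit():
        own_host, own_port = hostname.lower(), int(port)
    else:
        own_host, own_port = host.lower(), listen_port
    remote = ipaddress.ip_address(env.get("REMOTE_ADDR", "0.0.0.0"))
    if any(remote in net for net in trusted_proxies):
        fwd_port = env.get("HTTP_X_FORWARDED_PORT", "")
        fwd_proto = env.get("HTTP_X_FORWARDED_PROTO", "")
        if fwd_port.isdigit():
            own_port = int(fwd_port)
        elif fwd_proto in DEFAULT_PORTS:
            own_port = DEFAULT_PORTS[fwd_proto]
    return own_host, own_port


def referer_trusted(env, listen_port, trusted_referers=(), trusted_proxies=(),
                    ignore_port=False):
    """True if the page that linked here counts as the server itself."""
    ref_host, ref_port = referer_site(env.get("HTTP_REFERER", ""))
    if ref_host is None:
        return False  # like referers_none=1: a missing/garbled Referer is rejected
    own_host, own_port = own_site(env, listen_port, trusted_proxies)
    if ref_host == own_host and (ignore_port or ref_port == own_port):
        return True
    # the "Trusted websites" list is the documented escape hatch
    return ref_host in {r.lower() for r in trusted_referers}


def scenarios():
    """Constructed requests covering the cases discussed in the thread."""
    via_tunnel = {  # what cloudflared on localhost hands to port 10000
        "HTTP_HOST": "xxxxx.com",
        "HTTP_REFERER": "https://xxxxx.com/",
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_PROTO": "https",
    }
    # identical headers, but sent straight to port 10000 from the internet
    forged = dict(via_tunnel, REMOTE_ADDR="203.0.113.5")
    direct = {  # no proxy at all: the browser talks to :10000 itself
        "HTTP_HOST": "xxxxx.com:10000",
        "HTTP_REFERER": "https://xxxxx.com:10000/",
        "REMOTE_ADDR": "203.0.113.5",
    }
    return {
        "direct, no proxy": referer_trusted(direct, 10000),
        "tunnel, proxy not configured": referer_trusted(via_tunnel, 10000),
        "tunnel, port check removed": referer_trusted(via_tunnel, 10000, ignore_port=True),
        "tunnel, trusted proxy": referer_trusted(via_tunnel, 10000, trusted_proxies=LOCAL_PROXIES),
        "forged headers, trusted proxy": referer_trusted(forged, 10000, trusted_proxies=LOCAL_PROXIES),
        "forged headers, port check removed": referer_trusted(forged, 10000, ignore_port=True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} -> {'trusted' if ok else 'WARNING'}")
```

The "tunnel, proxy not configured" case reproduces the warning in this thread: the Referer implies port 443, the Host header carries no port, so the server falls back to its listening port 10000 and the comparison fails. Removing the port comparison makes that case pass, but it also makes the "forged headers" case pass, i.e. any page served on port 443 of the same hostname is then accepted as a link source for port 10000 if that port is reachable. Taking the port from forwarding headers only for connections from the proxy address keeps the check meaningful, and binding Webmin to 127.0.0.1 as suggested above means the forged-headers path never reaches the server in the first place.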

Hi,

I agree with and support @Joe in that while AI has become quite intelligent and useful for many things, given the wealth of knowledge and ability to parse and understand things at scale within seconds, you do need to be cautious when using it.

  1. The fear of AI taking over the world, while debated is NOT the concern we’re talking about here.

  2. I use AI daily for deep dive research within the tech industry which in itself is NOT a problem.

  3. AI does offer different perspectives on a topic which CAN offer you different ways to address the same issue, therefore getting you out of tunnel vision mode.

  4. I’ve personally used AI for Bible study, and taking notes throughout my day to widen my view and make sure I’m seeing issues of the day, or upcoming challenges through the correct lens.

Bottom line, those are all good things AI can be used for today, and this will only get better as the technology evolves.

Getting back to the point @Joe made, it’s ABSOLUTELY important that when implementing ideas from tech to personal advice, that we have an understanding of what the AI is suggesting. Review the sources and/or ask for the source of the advice and information. Make sure that AI fully understood what you were asking and that it provided the most sound advice and relevant sources before going about blindly using the information provided.

As a web developer and SysAdmin, I'm often challenged by tasks which are outside my existing skill set. I turn to AI to do a deep dive on the topic, but fully assess, question, and confirm that the advice or sources are actually going to help solve the problem. You don't always need to be an expert on topics, but you DO need to understand where an idea is coming from, whether from AI or even another person. You need to make sure the idea is relevant, up-to-date, and actually solves the problem you are looking to address.

So don’t just take people or even AI at its word as we’ve learned the hard way so many times in the past that what someone says is wrong, may not actually be what is wrong.

When someone tells me their “hard drive is not working”, they actually mean their whole entire system is having issues either in terms of software (most common) or hardware. If I took them at their literal words I’d only be investigating a single item (the physical hard drive) which likely isn’t even the root of the problem.

We're absolutely NOT haters of modern tech, in fact we all embrace it. Just make sure you aren't just assuming it's right because it has access to so much information and has the ability to break it down in human terms. I'm constantly correcting data points provided by AI either because the information is absolutely wrong, or outdated. Though I'm still very confident in what it has helped me with to date in improving my life through research, and my business in terms of identifying and aiding in addressing complex issues.

Cheers!

Thanks for the pointer - from memory we have set up a Cloudflare tunnel to port 443 already. I will review everything today.

Thank you - I'm reviewing everything today but believe we are using the tunnel service and port 443. I'm off to read the documentation you mention.

Hate making changes to any source code - and I don’t trust AI THAT much! :slight_smile:

I agree one should not take any advice from anyone or anything without trying to understand what is being suggested. That’s why I came here to see what others are doing in situations where webmin is on an origin server behind Cloudflare. I figure I’m not the only one who has experienced problems.

Check here for available ports

Under this heading

If they are using the Cloudflare tunnel (a VPN daemon that runs on the Webmin system), Webmin can listen on any port, including its default 10000.

I hope you folks will bear with me - this is the current situation - the Warning message is still appearing.

Long quoted discussion follows:

> ```
> $ # 1. Fix /etc/webmin/config - clean and set correct values
> sudo sed -i '/^referer/d; /^referers/d; /^webprefix/d' /etc/webmin/config
> sudo sh -c 'cat >> /etc/webmin/config << EOF
> referers=xxxxx.com
> referer=0
> referers_none=1
> EOF'
>
> # 2. Fix /etc/webmin/miniserv.conf - remove our earlier attempts and add correct proxy settings
> sudo sed -i '/^redirect_port/d; /^host=/d; /^webprefixnoredir/d' /etc/webmin/miniserv.conf
> sudo sh -c 'cat >> /etc/webmin/miniserv.conf << EOF
> redirect_ssl=1
> redirect_host=xxxxx.com
> EOF'
>
> # 3. Restart Webmin
> sudo systemctl restart webmin
> [sudo] password for xxxxx:
> xxxxx@xxxxx /etc/webmin $ # Check current config values
> sudo grep -E "^referers=|^redirect_host=" /etc/webmin/config /etc/webmin/miniserv.conf
> [sudo] password for xxxxx:
> /etc/webmin/config:referers=xxxxx.com
> /etc/webmin/miniserv.conf:redirect_host=xxxxx.com
> xxxxx@xxxxx /etc/webmin $ # Show current config
> cat /etc/webmin/config
>
> # Show current miniserv.conf
> sudo cat /etc/webmin/miniserv.conf
> product=webmin
> notabs=0
> real_os_type=Debian Linux
> passwd_uindex=0
> ld_env=LD_LIBRARY_PATH
> os_version=12
> tempdelete_days=7
> find_pid_command=ps auwwwx | grep NAME | grep -v grep | awk '{ print $2 }'
> passwd_mindex=4
> path=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
> nomoduleup=
> nowebminup=
> passwd_file=/etc/shadow
> nohostname=0
> log=1
> md5pass=0
> passwd_pindex=1
> by_view=0
> os_type=debian-linux
> gotoone=0
> real_os_version=12
> lang=en.UTF-8
> gotomodule=
> passwd_cindex=2
> theme=gray-theme
> deftab=webmin
> noselfwebminup=0
> os_eol_in=
> os_eol=10/Jun/2026
> os_eol_db=2.641
> os_ext_eol=30/Jun/2028
> os_eol_about=0
> referers=xxxxx.com
> referer=0
> referers_none=1
> port=10000
> addtype_cgi=internal/cgi
> realm=Webmin Server
> logfile=/var/webmin/miniserv.log
> errorlog=/var/webmin/miniserv.error
> pidfile=/var/webmin/miniserv.pid
> logtime=168
> ## Following line amended from ssl=1 as recommended by Cloudflare AI 180526
> ##ssl=0
> ## Following line amended from ssl=0 as re-recommended by Cloudflare AI 180526
> ssl=1
>
> ## Following line added as recommended by Cloudflare AI 180526
> ## Following line commented as recommended by Cloudflare AI 180526
> ##no_ssl_redirect=1
> no_ssl2=1
> no_ssl3=1
> no_tls1=1
> no_tls1_1=1
> ssl_honorcipherorder=1
> no_sslcompression=1
> env_WEBMIN_CONFIG=/etc/webmin
> env_WEBMIN_VAR=/var/webmin
> atboot=1
> logout=/etc/webmin/logout-flag
> listen=10000
> denyfile=\.pl$
> log=1
> blockhost_failures=5
> blockhost_time=60
> syslog=1
> ipv6=1
> session=1
> premodules=WebminCore
> userfile=/etc/webmin/miniserv.users
> keyfile=/etc/webmin/letsencrypt-key.pem
> passwd_file=/etc/shadow
> passwd_uindex=0
> passwd_pindex=1
> passwd_cindex=2
> passwd_mindex=4
> passwd_mode=0
> passdelay=1
> logout_script=/etc/webmin/logout.pl
> failed_script=/etc/webmin/failed.pl
> login_script=/etc/webmin/login.pl
> cipher_list_def=1
> sudo=1
> error_handler_401=
> error_handler_404=
> error_handler_403=
> logouttimes=
> preroot=gray-theme
> extracas=/etc/webmin/letsencrypt-ca.pem
> certfile=/etc/webmin/letsencrypt-cert.pem
> no_trust_ssl=1
> ssl_hsts=1
> ssl_enforce=1
> root=/usr/share/webmin
> mimetypes=/usr/share/webmin/mime.types
> server=MiniServ/2.641
> redirect_ssl=1
> redirect_host=xxxxx.com
> ```
>
> The config files look correct now. The issue is that the Webmin docs for Cloudflare Tunnel don't account for the port mismatch in the referrer check code. When `Host: xxxxx.com` arrives (no port), Webmin defaults `$http_port` to its listen port (10000), while the Referer header implies port 443. The code then rejects it.
>
> This is a gap in Webmin's reverse proxy support. The targeted Perl patch is the correct fix — it's minimal and keeps the hostname security check:
>
> ```
> # Patch only the port comparison - hostname check still protects you
> sudo sed -i 's/(!$referer_port || !$http_port || $referer_port == $http_port)/1/' /usr/share/webmin/web-lib-funcs.pl
>
> sudo systemctl restart webmin
> ```
>
> This is safe because:
>
> - Hostname check still works — requests from other domains are still blocked
> - Only the port check is bypassed — which is expected behind any reverse proxy (Cloudflare, Apache, Nginx)
> - Webmin is only accessible through the tunnel — so the port mismatch is artificial
>
> Note: this patch will be overwritten when Webmin updates. You may want to note it for future reference.
>
> Try https://xxxxx.com in a new private window after applying it.
>
> Before I do that, I note Cloudflare has specific ports that are not proxied: "Network ports
>
> Learn which network ports Cloudflare proxies by default and how to enable Cloudflare's proxy for additional ports.
> Network ports compatible with Cloudflare's proxy
>
> By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
>
> HTTP ports supported by Cloudflare
>
> HTTPS ports supported by Cloudflare
>
> Ports supported by Cloudflare, but with caching disabled
>
> - 2052
> - 2053
> - 2082
> - 2083
> - 2086
> - 2087
> - 2095
> - 2096
> - 8880
> - 8443
>
> Note
>
> Enterprise customers that want to enable caching on these ports can do so by creating a cache rule."
>
> The tunnel is already working correctly — those port restrictions only apply to Cloudflare's standard proxy (orange-clouded DNS records without a tunnel). With a Cloudflare Tunnel, cloudflared can connect to any port on your origin, which is exactly what we're doing with port 10000.
>
> The port list doesn't help with the referrer issue because the mismatch is between:
>
> - Browser's Referer: https://xxxxx.com/ (implies port 443)
> - Webmin's own port: 10000
>
> Even if you moved Webmin to port 8443 and used Cloudflare's standard proxy (no tunnel), the same mismatch would occur — the browser sends port 443 in the Referer, Webmin sees its own port as 8443.
>
> The Perl patch is the right fix for this. It's a known limitation of Webmin behind any reverse proxy. Shall I go ahead with it?
I’m not keen on patching Webmin and will probably just put up with the warning message, but I post this to see if anyone has any other pointers for me.

Thanks for the help so far!

Webmin has proxy support! You still haven’t shown the actual error which would be helpful.

That’s the thing - I don’t know what the actual error is that is causing the Warning notice to appear and the Cloudflare AI doesn’t seem to be able to identify it either.

If I’ve followed everything correctly we have used webmin-tunnel (my name for the tunnel) to set up a tunnel to webmin on my server. I get a warning message telling me:

Warning! Webmin has detected that the program https://xxxxx.com/right.cgi?open=system&auto=status&open=updates&open=common&open=owner&open=reseller&open=vm2limits&open=vm2usage was linked to from the URL https://xxxxx.com/, which appears to be outside the Webmin server. This may be an attempt to trick your server into executing a dangerous command.

If this is a legitimate link, you can allow links from this URL as follows :

    Login to Webmin normally.
    Go to the Webmin Configuration module.
    Click on the Trusted Referrers icon.
    Enter the hostname xxxxx.com into the Trusted websites field, and click Save.

Alternately, you can configure Webmin to allow this link from the command line by :

    Login as root, and edit the /etc/webmin/config file.
    Add the line referers=xxxxx.com at the end, or if a referers line already exists add xxxxx.com to it.
    Save the file.

I’ve done all that but still get the warning…

You may need to restart webmin.

Give the docs a read.

I have xxxxx.com in the Trusted Referers and restarted webmin (did that couple of days ago). Webmin has been restarted about 4 times since then and Trusted Referers still shows xxxxx.com.

Maybe a bug. I never used it. So is this related to the original post?

It’s all related as the AI wants me to alter the webmin code and I don’t want that :smiley:

I created an external link as per the docs, and the error said the referrer was the server domain, not the domain it's coming from (the external domain). I changed the trusted referrer to the external domain and the error went away.
Not sure if that will help fix your issue; is the referrer a different domain?

So you have configured exactly like this, changing both Webmin config and miniserv?

Post those sections of your config, I’d rather trust the forum to take a look than doing random changes AI tells you :slight_smile: