I have my Webmin set up on port 2053 with Cloudflare, so I can control IP access externally through CloudFlare - if I do it in my server firewall or in Webmin I have no way to access it if I am on the road.
This does appear to create a security hole though: if someone accesses Webmin via my server’s IP, they can bypass CloudFlare. It strikes me that I could solve this problem by using Webmin’s Internal redirect URL overrides to redirect requests to my server’s IP on port 2053 to Webmin’s web address, but I cannot figure out how I am supposed to enter this. Can you explain it to me?
That’s not the point. The IP restriction (which is the best form of security) does depend on CloudFlare in my setup - as I said, if I implement this within Webmin or my server firewall I cannot access Webmin on the road, while CloudFlare allows me to temporarily add my IP. Even though I have all other security features apart from 2FA enabled as a backup (including Fail2Ban), I still would like to prevent bypassing of the IP restriction. I just need to know how to enter the Internal redirect overrides.
Isn’t the restriction done by Webmin? If you’re on the road and you get a different IP, then you will need to update Webmin, as Cloudflare is bypassed.
Maybe I’ve read this wrong.
No it isn’t - if it was I would not be able to get into it in the first place when I am on the road. I restrict the 2053 port in Cloudflare, so I can add my IP as needed. But Cloudflare only works on the web address, not the IP address - hence my desire to redirect Webmin’s IP address to the web address.
In any case, even if you don’t understand what I’m trying to achieve, can somebody please just answer my simple question as to how to redirect Webmin’s IP to its web address?
I do not use CloudFlare, so may not be the best person to give advice … but am trying to fully understand your environment.
Is this correct — you have a URL, say, example.com, that has its DNS hosted at CloudFlare, so users hit CF and then CF sends them (tunnels them?) to your real server using the real IP of the server.
If someone somehow finds out the IP of the real server, they can connect to ANY port on that server, including 80 and 443 and 2053.
What happens today if someone connects to port 80 directly into the server using its IP address (again, the visitor/hacker somehow has discovered the IP of the server itself)? I am trying to draw comparisons to http/https traffic vs. Webmin traffic.
Just guessing here — does CF tell you what IPs they use as they connect into you, so you can tell the difference between a direct connection (bad) and a connection coming through CF (good)?
also I think I read that paid CF accounts have more features than a free account – do you have a paid or free account?
You basically have it right, but they can only connect to Webmin via port 2053, so that’s the only one I need to protect - 80 and 443 are open for real web traffic. And I am already redirecting server IP hits on these ports to the web address in Apache (it cannot bind to port 2053 though).
And no matter how much you pay, Cloudflare cannot protect the server IP - it only works via the DNS.
While you now have an answer to your specific question, I am not sure it fully solves your actual issue …
Let’s say your actual server is at 1.2.3.4 … all I need to do is edit my PC’s HOSTS file to have webmin.mydomain.com locally defined as 1.2.3.4 and I’m in. Not sure how to protect from that.
On the other hand, I too learned something really neat (miniserv’s musthost config item) — thanks Ilia!!
With Ilia’s trick, Webmin will block access to anything other than the web URL, and that is protected by Cloudflare. So I don’t see how what you are suggesting would work.
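As an added illustration (not code from this thread and not Webmin’s own miniserv code), here is a minimal model of the two checks the thread discusses: a musthost-style Host header check, and the source-IP check suggested earlier that tells a direct connection apart from one arriving through the proxy, which is what stops the local hosts-file trick. The hostname and the proxy ranges are constructed placeholders, not Cloudflare’s published ranges, and the exact semantics of Webmin’s musthost option are assumed to be a plain hostname match.

```python
import ipaddress

# Constructed placeholder values for this example; in practice use the real
# Webmin hostname and the proxy provider's published connecting IP ranges.
MUSTHOST = "webmin.mydomain.com"
PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def host_ok(host_header: str) -> bool:
    """musthost-style check: the Host header (port stripped) must equal MUSTHOST."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host == MUSTHOST


def from_proxy(peer_ip: str) -> bool:
    """Source-IP check: the TCP peer must fall inside one of the proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in PROXY_RANGES)


def decide(peer_ip: str, host_header: str) -> str:
    """Return 'allow', or the reason the request is rejected."""
    if not host_ok(host_header):
        # Direct hit on the server IP: Host header is the IP, not the hostname.
        return "reject: host header mismatch"
    if not from_proxy(peer_ip):
        # Hosts-file trick: Host header looks right, but the connection did not
        # come through the proxy, so the proxy's IP restriction was bypassed.
        return "reject: direct connection bypassing proxy"
    return "allow"


if __name__ == "__main__":
    # 1) normal request arriving through the proxy
    print(decide("203.0.113.10", "webmin.mydomain.com:2053"))
    # 2) direct hit on the server IP (1.2.3.4 from the thread); musthost rejects it
    print(decide("192.0.2.50", "1.2.3.4:2053"))
    # 3) hosts-file trick: correct Host header, but the peer is not the proxy
    print(decide("192.0.2.50", "webmin.mydomain.com:2053"))
```

Case 3 is the one a Host header check alone cannot catch; only the peer-IP allowlist (applied in the firewall or by the service on port 2053) distinguishes it from case 1.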