Remarks on using 7.50.2 GPL in production

SYSTEM INFORMATION
OS type and version AlmaLinux 10.1
Webmin version 2.6.10
Virtualmin version 7.50.2 GPL
Webserver version Nginx 1.26.3
Related packages Nginx, Dovecot, Postfix

I encountered some issues using Virtualmin in production. Hopefully you can use my suggestions to improve the software.

  1. When installing with “virtualmin-install.sh -b LEMP” I had to add these packages manually: wbm-virtualmin-nginx wbm-virtualmin-nginx-ssl wbm-jailkit wbm-php-pear

  2. In some cases the Let's Encrypt SSL certificate contained the domain name mail.$(DOM) while there was no “Mail for domain” feature selected. This has caused me some headaches…
    I have not found exactly when this happened, but I think it was at creating a new server using a custom template. I could not find anything in the SSL settings of the template.

  3. The default security can be improved a lot by:

  • Server Templates - SSL website for domain - Default SSL key size = 2048
  • Server Templates - SSL website for domain - Default SSL certificate hash = ECC
  • Webmin - SSL support - Enforce SSL = Yes, with HSTS header
  • Webmin - SSL support - SSL protocol versions to reject = SSLv2 SSLv3 TLSv1.0 TLSv1.1
  • Webmin - SSL support - Allowed SSL ciphers = Only strong ciphers with PFS
  • Dovecot IMAP/POP3 - SSL Configuration - Disallow plaintext non-SSL mode = Yes
  • Postfix Mail Server - SMTP Authentication - Disallow SASL over insecure conns = Yes
  • /etc/postfix/main.cf:
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_protocols = >=TLSv1.2
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_protocols = >=TLSv1.2
    smtpd_tls_dh1024_param_file = /etc/pki/ffdhe4096.pem
  • /etc/nginx/nginx.conf - http {}:
    server_tokens off;
    http2 on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    fastcgi_hide_header X-Powered-By;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

The above gives you an A+ rating at the Qualys SSL test.

  4. fastcgi_param SCRIPT_FILENAME and DOCUMENT_ROOT contain a copy of the path to public_html, just as the Nginx root directive. These parameters are not updated when the server root is altered within Virtualmin.
    Consider using $document_root in SCRIPT_FILENAME and DOCUMENT_ROOT to avoid duplication of the entire root in the Nginx configuration, and also to avoid issues with escaping and quoting paths.

  5. Virtual servers have no try_files and Nginx has no default. I had to add try_files myself to most servers to get PHP software working.
    Consider always setting a decent try_files in the server block: try_files $uri $uri/ /index.php$is_args$args;

So far I only installed simple PHP software and several WordPress sites. More suggestions will likely follow when I start using Nextcloud, Laravel apps and mail services.
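The two Nginx points above (fastcgi_param duplication and missing try_files) written out as a before/after server block. This is an added example, not configuration from the original post or generated by Virtualmin; the domain, paths and PHP-FPM socket are placeholders, and the two server blocks are shown side by side for comparison, not meant to be loaded together.

```nginx
# Before: the document root is spelled out twice, so changing "root" leaves
# SCRIPT_FILENAME pointing at the old directory (placeholder paths throughout).
server {
    listen 443 ssl;
    server_name example.com;
    root /home/example/public_html;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /home/example/public_html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /home/example/public_html;
        fastcgi_pass unix:/run/php-fpm/example.sock;   # placeholder socket
    }
}

# After: the root is stated once and $document_root follows it automatically;
# try_files gives PHP front controllers (WordPress, Laravel) a working fallback.
server {
    listen 443 ssl;
    server_name example.com;
    root /home/example/public_html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP-FPM; unknown .php paths get a 404
        # instead of being resolved by the FPM side.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_pass unix:/run/php-fpm/example.sock;   # placeholder socket
    }
}
```

After editing, `nginx -t` validates the syntax before a reload.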


https://www.virtualmin.com/docs/os-support/
Alma Linux 10.x is supported for next Virtualmin release 8

Search the forum and you will find much information about this

Thanks for your suggestions.

That’s very odd, it shouldn’t happen. Those packages should install automatically. How did you install Virtualmin exactly?

@Jamie, Can you comment on this, please?

Only my first item may be AlmaLinux 10 specific.
The others are generic to Virtualmin with Nginx.

I have tested Virtualmin on AlmaLinux 10 for a few months, with both Apache-LAMP and Nginx-LEMP stacks.
Now I start using it for real with 10 domains where 3 have a mailserver. So far no big issues, just some details that I also encounter on supported Linux versions.

I have also done several security checks that delivered the suggestions in item 3.
This weekend I hope to do some specific pen tests on all edge services.

@fd1
sounds good :+1:

That’s very odd, it shouldn’t happen. Those packages should install automatically. How did you install Virtualmin exactly?

wget https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh
chmod 750 virtualmin-install.sh
./virtualmin-install.sh -b LEMP

Looking back at my notes, there was also a message about AWStats being missing.
That is correct for Alma/Rocky/RHEL 10, because AWStats is not actively maintained anymore.
Maybe a missing AWStats package caused the installation to skip the ones I mentioned.

This version of the installer does not support Alma 10, and you should expect a number of problems trying to use it there. Our supported operating systems are listed on the OS support page, and when you run the installer.

There is a pre-release version of the script (and repos) that supports Alma 10 that has been linked several times by Ilia here in the forums.


This is intentional, as even if the email feature is disabled it is still possible to send email through the system. That said, the mail sub-domain should only be added to the SSL cert if it can be externally resolved.