Has anyone used Cloudflare proxy by changing port 10000/20000 for Webmin/Virtualmin and been running various services for a while?
Are there any issues or bugs? Do the hardworking developers have any suggestions?
Thanks in advance for sharing.
I suggest not doing it. Just use another name for admin purposes.
But, I believe others have done it without problems. At least I don’t recall any problems once folks understand the Cloudflare is a proxy.
You mentioned “Just use another name for admin purposes”—does that refer to using a separate domain or Webmin account for management? If so, we have already implemented that.
Could you explain why you don’t recommend changing the port to work with Cloudflare? Are you against changing the port, or against using Cloudflare altogether? Is there a specific concern with changing the port or with Cloudflare?
Considering using Cloudflare, we are mainly concerned about having extra protection in case of attacks.
Thank you in advance for your response.
Has nothing to do with accounts. A name is not an account, it’s just a name in DNS (and optionally in an alias in your webserver to validate a Let’s Encrypt cert, if you’re using LE certs and web validation).
There are many ways to do it, the simplest is to create an alias on whatever domain you want to use, so you can get a Let’s Encrypt certificate for it. And just don’t proxy that name. Webmin and Usermin answer on any name, and they’ll use the appropriate certificate, based on the name in the request.
I vaguely expect other issues, and I can’t think of any benefit to proxying Webmin. But, mostly it’s just that everyone who tries seems to break something and panic when they lock themselves out. But, give it a try. Just have a look at /etc/webmin/miniserv.conf
and make a copy of it, in case you lock yourself out.
If you are using Cloudflare for the purpose of “protection”? You would need to proxy ALL of your DNS entries with them. While there are no issues with proxying to Webmin/Virtualmin, there is one thing people do not realize.
If you are using Virtualmin to host your email server? mail.mydomain.tld along with host.mydomain.tld CAN NOT be proxied.
This alone totally defeats the purpose of using Cloudflare because the IP needs to be exposed.
That is the reason why they put up a warning symbol when changing entries to non-proxied.
Hope this helps,
Thank you for your input. We are aware of this situation, so we plan to separate the web-srv and mail-srv.
Indeed, we are considering solutions for dealing with attacks. After several days of testing, including the issuance of Let’s Encrypt SSL, everything seems to be functioning normally, so we’d like to hear others’ opinions.
Regardless, thank you for joining the discussion.
I’d like to add a point of view: If the web server and mail server are on the same host and share the same IP, using Cloudflare DNS can offer protection against network attacks, even though the IP is still exposed. This provides more defense compared to not using Cloudflare at all.
Might be better to ask on the Cloudflare community. According to me, it’s not related to Virtualmin.
That doesn’t make sense. If your IP is public, Cloudflare can’t do anything about attackers hitting it directly. If you want to say Cloudflare can protect your web services, and only web services, from naive attacks (which is a lot of them), then that’s a reasonable-ish thing to say.
I say “naive”, because an attacker that’s scanning IPs and detects your web services running there will be able to hit the services directly. You could lock it down so it only answers requests from Cloudflare, I guess, but I don’t think most folks do that. Maybe worth looking into, if you’re interested in Cloudflare for security (I think there are several other security measures you should be taking long before looking to Cloudflare, though…they’re mostly only equipped to help with DDoS and some simplistic brute force stuff, they aren’t going to protect an exploitable web application from an attacker).
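The "only answer requests from Cloudflare" lock-down mentioned above, as an added example that is not part of the thread or of Virtualmin itself. It keeps a list of proxy egress ranges, decides whether a source address belongs to them, renders an nftables fragment that accepts the web ports only from those ranges, and scans access-log lines for requests that reached the origin directly. The CIDR ranges and log lines are constructed placeholders (RFC 5737/3849 documentation addresses) so the script runs offline; in practice the ranges come from Cloudflare's published lists (https://www.cloudflare.com/ips-v4 and /ips-v6) and must be refreshed when they change. Webmin on port 10000 is deliberately left out of the rule set, since the advice above is not to proxy it at all.

```python
"""Restrict web ports to traffic arriving via a reverse proxy's egress ranges.

Added example (not from the forum thread or the Virtualmin project).
The ranges and log lines below are CONSTRUCTED placeholders; replace them
with the proxy provider's published list before use.
"""
import ipaddress

# Constructed stand-ins for the published proxy egress ranges.
SAMPLE_PROXY_RANGES = [
    "203.0.113.0/24",    # TEST-NET-3, placeholder
    "198.51.100.0/25",   # TEST-NET-2 lower half, placeholder
    "2001:db8:1::/48",   # documentation prefix, placeholder
]

# Constructed access-log lines in combined-log layout (source IP first).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2024:13:55:40 +0000] "GET /contact HTTP/1.1" 200 1024',
    '2001:db8:1::9 - - [10/Oct/2024:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.44 - - [10/Oct/2024:13:56:05 +0000] "GET /about HTTP/1.1" 200 768',
]

WEB_PORTS = (80, 443)  # Webmin's 10000 is intentionally not covered here.


def load_networks(cidrs):
    """Parse CIDR strings into ip_network objects (v4 and v6 mixed)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_proxy(src_ip, networks):
    """True if src_ip falls inside any of the allowed proxy ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def nft_rules(cidrs, ports=WEB_PORTS):
    """Render an nftables fragment: accept the web ports only from the proxy
    ranges, drop them from everywhere else. Other ports are left alone
    (policy accept) so an SSH or Webmin session is not cut off by mistake."""
    nets = load_networks(cidrs)
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    return "\n".join([
        "table inet filter {",
        f"  set proxy_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set proxy_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {port_set} ip saddr @proxy_v4 accept",
        f"    tcp dport {port_set} ip6 saddr @proxy_v6 accept",
        f"    tcp dport {port_set} drop",
        "  }",
        "}",
    ])


def direct_hits(log_lines, networks):
    """Source IPs of requests that bypassed the proxy. With the firewall in
    place this should stay empty; any entry means the origin IP is known and
    being reached directly."""
    hits = []
    for line in log_lines:
        src = line.split(" ", 1)[0]
        if not is_from_proxy(src, networks):
            hits.append(src)
    return hits


if __name__ == "__main__":
    nets = load_networks(SAMPLE_PROXY_RANGES)
    print(nft_rules(SAMPLE_PROXY_RANGES))
    print("direct hits:", direct_hits(SAMPLE_ACCESS_LOG, nets))
```

The nftables fragment is meant to be reviewed and loaded with `nft -f`, and it only gates 80/443; Webmin's own port should be restricted separately (the author's advice is to keep it off the proxy entirely), for example with Webmin's IP access control. Running `direct_hits` over the real access log after the rules are in place is the quick check that nothing is still reaching the origin around the proxy.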