Webmin 2FA + Cloudflare Tunnel II. -after the new update (2.402)

SYSTEM INFORMATION
OS type and version Ubuntu 22.04.5 LTS
Webmin version 2.402

Hello @Ilia,

We had a conversation in the past about the topic in the title of this post.
There was no real solution, but if we entered the 2FA code and opened a new browser window we could log in to the dash.

In a nutshell:

- the Webmin dash is accessed via a Cloudflare tunnel, with miniserv listening on localhost
- these were the original topics for this question:

+++ @Flopp:

This method (opening a second browser window after entering the 2FA code) no longer works as of 2.402.

Now, via SSH, I had to disable 2FA on all accounts that had it set, because none of the admins have access to it where the login is done via the CF tunnel.

Trusted referrers are set to the CF tunnel; that should be fine:

here you can find a video about it:
Webmin_2fa_CF tunnel.zip (1.8 MB)

Any ideas? We have completely lost the possibility of 2FA on all accounts when using CF tunnels.

Thanks

  1. Is Webmin listening only on 127.0.0.1?
  2. Is Webmin behind an Nginx reverse proxy?
  3. Or, Webmin is listening on a dedicated IP and port 443?

Thanks for your prompt reply.

1. Yes.

2. No, there is no reverse proxy, only the CF tunnel, which is the proxy itself.

3. Webmin is accessed via a Cloudflare tunnel: cloudflared.service runs on the server and connects it to the CF edge via a tunnel.

So this setup used to work fine; I had to open two browser windows because the first one wouldn’t go to the login screen, but now that doesn’t work either.

Ahh! I see now! It’s a completely different type of tunnel! I have never used it myself, so I cannot provide you with an exact solution, until I have a closer look at it.

It’s also not clear what the actual error is. I don’t think you shared any errors from the browser’s console?

Anyway, if you go to “Webmin ⇟ Webmin Configuration: IP Access Control” and try different “Trust levels for proxy headers,” does it change anything?

If not, what exact error message do you see in the browser’s console?

@SedonDss I’ve figured this out!

For Cloudflare Tunnel to properly work with Webmin, ensure that:

  1. Your Webmin config /etc/webmin/config has to have a referers=your.domain.tld line
  2. Your cloudflared config file on your Linux box should have httpHostHeader: your.domain.tld set under originRequest:. The whole config that works for me is:
    tunnel: 00000000-1111-222-3333-444444444444
    credentials-file: /root/.cloudflared/00000000-1111-222-3333-444444444444.json
    
    ingress:
      - hostname: your.domain.tld
        service: https://127.0.0.1:10000
        originRequest:
          noTLSVerify: true
          httpHostHeader: your.domain.tld
    
      - service: http_status:404
    
  3. And, for the redirect after login to work, you’d also need to make sure that the Webmin miniserv.conf file has the following line:
    redirect_host=your.domain.tld
    

Documented for better future reference here:
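To check such a setup without reading the three files by hand, here is an added example script (mine, not Ilia's, and not part of Webmin or cloudflared) that verifies the referers=, redirect_host= and httpHostHeader: lines from the list above, and that the tunnel ingress points at the loopback miniserv the OP described. The file paths, the hostname your.domain.tld and the sample files it writes to a temp directory are assumptions for the demo; run check_webmin_cf against your real /etc/webmin/config, /etc/webmin/miniserv.conf and cloudflared config instead.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, not Webmin's or cloudflared's own code):
# checks the three settings listed above, plus that the tunnel's origin is the
# loopback miniserv the OP describes. Paths, hostname and sample files are assumed.

# kv_value FILE KEY -> value of the first "KEY=value" line in a Webmin-style config
kv_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# has_referer FILE HOST -> 0 if HOST is in the space-separated referers= list
has_referer() {
  for h in $(kv_value "$1" referers); do
    [ "$h" = "$2" ] && return 0
  done
  return 1
}

# yaml_scalar FILE KEY -> value of the first "KEY: value" line (flat ingress
# block only; this is a grep, not a YAML parser)
yaml_scalar() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_webmin_cf HOST /etc/webmin/config /etc/webmin/miniserv.conf cloudflared.yml
# prints one line per check; returns 0 only if every check passes
check_webmin_cf() {
  host=$1 wconf=$2 mconf=$3 cfconf=$4 rc=0
  if has_referer "$wconf" "$host"; then
    echo "ok   $wconf: referers= includes $host"
  else
    echo "FAIL $wconf: referers= does not include $host"; rc=1
  fi
  if [ "$(kv_value "$mconf" redirect_host)" = "$host" ]; then
    echo "ok   $mconf: redirect_host=$host"
  else
    echo "FAIL $mconf: redirect_host=$host missing"; rc=1
  fi
  if [ "$(yaml_scalar "$cfconf" httpHostHeader)" = "$host" ]; then
    echo "ok   $cfconf: httpHostHeader: $host"
  else
    echo "FAIL $cfconf: httpHostHeader: $host missing under originRequest"; rc=1
  fi
  case "$(yaml_scalar "$cfconf" service)" in
    https://127.0.0.1:*|https://localhost:*)
      echo "ok   $cfconf: ingress service targets loopback" ;;
    *)
      echo "FAIL $cfconf: ingress service should target 127.0.0.1 (miniserv on localhost)"; rc=1 ;;
  esac
  return $rc
}

# --- constructed sample files so the checker runs stand-alone (not real configs)
HOST=your.domain.tld
SAMPLE_DIR=$(mktemp -d)
printf 'referers=%s\n' "$HOST" > "$SAMPLE_DIR/config.good"
printf 'referers=other.example.net\n' > "$SAMPLE_DIR/config.bad"
printf 'port=10000\nbind=127.0.0.1\nredirect_host=%s\n' "$HOST" > "$SAMPLE_DIR/miniserv.good"
printf 'port=10000\nbind=127.0.0.1\n' > "$SAMPLE_DIR/miniserv.bad"
cat > "$SAMPLE_DIR/cloudflared.good" <<EOF
tunnel: 00000000-1111-222-3333-444444444444
ingress:
  - hostname: $HOST
    service: https://127.0.0.1:10000
    originRequest:
      noTLSVerify: true
      httpHostHeader: $HOST
  - service: http_status:404
EOF
cat > "$SAMPLE_DIR/cloudflared.bad" <<EOF
ingress:
  - hostname: $HOST
    service: https://127.0.0.1:10000
  - service: http_status:404
EOF

echo "== complete setup"
check_webmin_cf "$HOST" "$SAMPLE_DIR/config.good" "$SAMPLE_DIR/miniserv.good" "$SAMPLE_DIR/cloudflared.good"
echo "== setup missing the three lines"
check_webmin_cf "$HOST" "$SAMPLE_DIR/config.bad" "$SAMPLE_DIR/miniserv.bad" "$SAMPLE_DIR/cloudflared.bad" || true
```

One caveat on the posted cloudflared config: noTLSVerify: true disables certificate checking on the cloudflared-to-miniserv hop. That is tolerable only because that hop stays on 127.0.0.1 on the same box; if you ever point the ingress at a non-loopback origin, give miniserv a certificate cloudflared can verify instead of keeping that flag.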

This is wild stuff. Y’all not only trust Cloudflare to terminate your TLS connections, you’re letting them run software on your system?

I hadn’t heard about cloudflared before today—it can be set up as a systemd daemon on a Linux box.

And, I don’t disagree that trusting Cloudflare is a very controversial topic, yet, my point was to help the user with their request.


It’s just adding so many more variables, and so many potential points of failure and vectors of attack. I dunno. I just like fewer moving parts, where I can understand and read the source for all of them.


Hi Joe,

I understand that you think so, but CF is just one thing; there are much worse than them :slight_smile: Especially because of the recent changes in the US, we will probably move as well, maybe to OVH or wherever; in the end it should just be an EU company.

(Note: we have been using CF’s infrastructure for 15 years, so this move will not take just two days.)

We operate nearly 60 radio stations in Central Europe and everything is connected by CF Zero Trust; we don’t use VPN solutions, which is why we are tied to CF for the time being.


Our web infrastructure is only a small part of this.

“cloudflared” is not as nasty as it sounds


Anyway, I appreciate your opinion, even if I don’t agree with it on all points. :+1:


Hi @Ilia,

Thanks for this super detailed help; I will apply it in a few days and report back.

Thanks again :+1:

Ah, if the service is Open Source, I’m less alarmed.

Yes, exactly what I was thinking as well :slight_smile:

Hello @Ilia,

Just out of interest, in case you have any more ideas.


I couldn’t get it to work on our existing CF tunnels. We have remotely managed tunnels, and in that state there is no local “credentials-file”, but I put the suggested config in the remote config and it still didn’t work.

So I created a test server on EC2 with HAProxy in front of everything: exactly the same behaviour.

At first I thought it was something specific to the tunnel, but HAProxy also causes this.


I made a video of this test system and here are the Webmin-specific confs:
(I don’t hide sensitive data, because it’s just a test environment and in a few days it won’t be there anymore.)

video (ZIP) :

I’m not sure what’s not working on your end, but we documented it in the Webmin FAQ. When @Jamie updates webmin.com, it will go live. In the meantime, you can use those instructions from the link above, and I’m pretty sure they will work for you.

Hello @Ilia ok thanks for the info.

What doesn’t work (on my side), as you can see in the video, is that you can’t go directly from the Webmin login page to the Webmin main page, even after providing correct login data (user/pass).

I need to open a new browser window, where I am taken to the Webmin main page without identification.

In the video you can see that this is not a CF tunnel now, but Webmin / JupyterHub behind HAProxy, and the HAProxy monitor page as well.

From the HAProxy monitor and JupyterHub login pages I can get to the app main pages without any problems, but with Webmin it doesn’t happen; the process just stops on the login page until I open it in a new browser window.

JupyterHub uses the Tornado web server; the HAProxy node has its own monitor page with a built-in web server.

So this shows me that it is Webmin miniserv specific, as two other web servers handle this well.
As described above, 2FA cannot be used on the Webmin login due to the lack of redirection.

I just wanted to clarify this for the future (or for others), because it’s not that inconvenient for us anyway: 2FA is turned off and Webmin is never available from the public internet, so it’s not an issue for us anymore.

Apart from me, only one other user has had this problem in the last 2 years, so it’s not really a relevant issue. :slightly_smiling_face:

And just reloading the page didn’t work, or you didn’t try it?

I don’t see how it can be a Webmin issue since it seems to be a problem with other parts of the process.

Thanks, I also hope it helps others. Yet, your setup isn’t standard and has many moving parts. :slight_smile:


That’s absolutely true, but it’s not as unique as you might think, there are others who are as paranoid :wink:

@Ilia I tested this out of curiosity.

Here you can see the behavior of the other web servers (Tornado & HAProxy built-in).

When I reload the page, it logs me in :+1:

No, it doesn’t seem to work for me. Can you upload a video file somewhere it can be streamed directly without zipping it and needing to download it? Besides, there’s no point in compressing an already compressed video file.