Webmin 2FA + Cloudflare Tunnel II. -after the new update (2.402)

SYSTEM INFORMATION
OS type and version Ubuntu 22.04.5 LTS
Webmin version 2.402

Hello @Ilia,

we had a conversation about the theme in the title of this post in the past.
There was no real solution, but if we entered the 2FA code and opened a new browser window we could log in to dash.

in a nutshell:

-the webmin dash is accessed via Cloudflare tunnel, the miniserv listening on localhost
-these were the original topics for this question

+++ @Flopp:

this method (open a second browser window after the 2FA code) no longer works from 2.402

now via SSH I had to disable 2FA in all accounts set to 2FA, because none of the admins have access to it, where the login is done via CF tunnel

trusted referrers set to CF tunnel…that should be fine:

here you can find a video about it:
Webmin_2fa_CF tunnel.zip (1.8 MB)

Any ideas, because we have completely lost the possibility of 2FA on all accounts when using CF tunnels?

thanks

  1. Is Webmin listening only on 127.0.0.1?
  2. Is Webmin behind an Nginx reverse proxy?
  3. Or, Webmin is listening on a dedicated IP and port 443?

thanks for your prompt reply

1. yes

2. no - there is no rproxy only the CF tunnel, which is the proxy itself

3. access webmin via Cloudflare tunnel - running cloudflared.service on the server which connects the server to the CF edge via a tunnel

so this setting used to work fine, I had to open two browser windows because the first one wouldn’t go to the login screen, but now it doesn’t work either

Ahh! I see now! It’s a completely different type of tunnel! I have never used it myself, so I cannot provide you with an exact solution, until I have a closer look at it.

It’s also not clear what the actual error is. I don’t think you shared any errors from the browser’s console?

Anyway, if you go to “Webmin ⇾ Webmin Configuration: IP Access Control” and try different “Trust levels for proxy headers,” does it change anything?

If not, what exact error message do you see in the browser’s console?

@SedonDss I’ve figured this out!

For Cloudflare Tunnel to properly work with Webmin, ensure that:

  1. Your Webmin config /etc/webmin/config has to have referers=your.domain.tld line
  2. Your Cloudflare Webmin config file on your Linux box should have httpHostHeader: your.domain.tld set under originRequest:. The whole config that works for me is:
    tunnel: 00000000-1111-222-3333-444444444444
    credentials-file: /root/.cloudflared/00000000-1111-222-3333-444444444444.json
    
    ingress:
      - hostname: your.domain.tld
        service: https://127.0.0.1:10000
        originRequest:
          noTLSVerify: true
          httpHostHeader: your.domain.tld
    
      - service: http_status:404
    
  3. And, for the redirect after login to work you’d also need to make sure that the Webmin miniserv.conf file has the following line:
    redirect_host=your.domain.tld
    

That’s it! Enjoy!
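As an added illustration (not part of the thread or Webmin's own code), a small Python checker that confirms the three settings above agree with each other: the ingress hostname, httpHostHeader, referers= and redirect_host= must all name the same host. The sample config texts are constructed, and the YAML reading is a plain line scan that assumes the layout shown in the post.

```python
import re
# Constructed samples (not from the thread) in the shape the post describes.
WEBMIN_CONFIG_OK = "referers=your.domain.tld\n"
MINISERV_OK = "port=10000\nredirect_host=your.domain.tld\n"
CLOUDFLARED_OK = """ingress:
  - hostname: your.domain.tld
    service: https://127.0.0.1:10000
    originRequest:
      noTLSVerify: true
      httpHostHeader: your.domain.tld
  - service: http_status:404
"""
CLOUDFLARED_BAD = CLOUDFLARED_OK.replace("      httpHostHeader: your.domain.tld\n", "")  # header override missing
MINISERV_BAD = "port=10000\n"  # redirect_host missing

def parse_kv(text):
    """Webmin's config and miniserv.conf are plain key=value lines."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_cloudflared(text):
    """Pull the first ingress hostname and httpHostHeader out of the YAML.
    Assumption: the file has the layout shown in the thread; a real checker would use PyYAML."""
    hostname = host_header = None
    for line in text.splitlines():
        m = re.match(r"\s*-?\s*hostname:\s*(\S+)", line)
        if m and hostname is None:
            hostname = m.group(1)
        m = re.match(r"\s*httpHostHeader:\s*(\S+)", line)
        if m and host_header is None:
            host_header = m.group(1)
    return hostname, host_header

def check(webmin_config, miniserv_conf, cloudflared_yml):
    """Return a list of mismatches; an empty list means the three files agree."""
    problems = []
    hostname, host_header = parse_cloudflared(cloudflared_yml)
    if hostname is None:
        return ["cloudflared config: no ingress hostname found"]
    if host_header != hostname:
        problems.append(f"cloudflared config: httpHostHeader must be {hostname}, got {host_header!r}")
    # referers= is treated as a space-separated list of trusted hosts (assumption on format)
    if hostname not in parse_kv(webmin_config).get("referers", "").split():
        problems.append(f"/etc/webmin/config: referers must include {hostname}")
    redirect = parse_kv(miniserv_conf).get("redirect_host")
    if redirect != hostname:
        problems.append(f"miniserv.conf: redirect_host must be {hostname}, got {redirect!r}")
    return problems
```

Run check() against the real file contents read from disk; a non-empty result lists which of the three files still disagrees with the tunnel hostname.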

This is wild stuff. Y’all not only trust Cloudflare to terminate your TLS connections, you’re letting them run software on your system?

I hadn’t heard about cloudflared before today—it can be set up as a systemd daemon on a Linux box.

And, I don’t disagree that trusting Cloudflare is a very controversial topic, yet, my point was to help the user with their request.


It’s just adding so many more variables, and so many potential points of failure and vector of attack. I dunno. I just like fewer moving parts, where I can understand and read the source for all of them.


Hi Joe,

I understand that you think so, but CF is just one thing…there is much worse than them :slight_smile: -especially because of the recent changes in the US, so we will probably move as well, - maybe to OVH or wherever, - just an EU company should be at the end of the stop…
(note we have been using CFs infrastructure for 15 years - so this move will not be just two days)

We operate nearly 60 radio stations in Central Europe and everything is connected by CF Zero trust, we don’t use VPN solutions, which is why we are tied to CF for the time being…

Our web infrastructure is only a small part of this.

“cloudflared” is not as nasty as it sounds…

Anyway, I appreciate your opinion, even if I don’t agree with it on all points. :+1:


Hi @Ilia,

thanks for this super detailed help, I will apply it in a few days and report back.

thanks again :+1:

Ah, if the service is Open Source, I’m less alarmed.

yes exactly what I was thinking as well :slight_smile:

Hello @Ilia,

Just for interest, if you have any more ideas…

I couldn’t get it to work on our existing CF tunnels, we have remote mgmt. tunnels and in that state there is no local “credentials-file”, -but I put the suggested config in the remote config, but it still didn’t work.

So I created a test server on EC2 with HAProxy in front of everything… -exactly the same behaviour.

At first I thought it was the tunnel’s specialty, but HAProxy also causes this…

I made a video of this test system and here are the Webmin specific confs:
(I don’t hide sensitive data, because it’s just a test environment and in a few days it won’t be)

video (ZIP):

I’m not sure what’s not working on your end, but we documented it in the Webmin FAQ. When @Jamie updates webmin.com, it will go live. In the meantime, you can use those instructions from the link above, and I’m pretty sure they will work for you.