Login redirects to port 10000 #976

Closed
hitmax117 opened this issue Oct 24, 2018 · 34 comments

@hitmax117

When using Webmin behind a reverse proxy like nginx the login screen redirects to url.com:10000 instead of url.com after a successful login.

@iliajie
Collaborator

iliajie commented Oct 24, 2018

What is your setup? Do you use SSL?

@gnadelwartz
Contributor

If you use a reverse proxy, you have to tell Webmin about it as well, see:
http://www.webmin.com/apache.html

Try adding the line "webprefixnoredir=1" to /etc/webmin/config.

@swelljoe
Collaborator

Pretty sure gnadelwartz's suggestion is all that's needed here, so closing this ticket.

@pirate

pirate commented Aug 5, 2019

Adding "webprefixnoredir=1" to /etc/webmin/config didn't fix it for me; after restarting and clearing all caches I'm still getting redirects to :10000.

@iliajie
Collaborator

iliajie commented Aug 5, 2019

Is it happening behind Apache?

If you globally set the Gray Theme (including the login prompt, using Webmin/Webmin Configuration/Themes), will it still redirect?

@pirate

pirate commented Aug 5, 2019

It's not behind Apache, it's behind a Cloudflare Argo tunnel. Just confirmed it also still happens with the Gray theme set.


@iliajie
Collaborator

iliajie commented Aug 5, 2019

Nick, actually the latest Webmin version (1.920+), which ships the latest Authentic Theme 19.36+, might handle things correctly without webprefixnoredir being set to 1.

Can you try to make sure that you're running at least Authentic Theme 19.36, then set it as the default (including the login screen), change the webprefixnoredir option to 0 or drop it completely, and restart the Webmin service after editing its config file?

Does it help?

@iliajie
Collaborator

iliajie commented Aug 5, 2019

It's also assumed that relative_redir is set to 0 or not present in your config.

@pirate

pirate commented Aug 9, 2019

I tried both 0 and 1, no luck. Haven't tried the new version yet though, thanks for the help so far!

@iliajie
Collaborator

iliajie commented Aug 9, 2019

What are your Webmin and Authentic Theme versions?

@Duetro

Duetro commented Aug 20, 2019

I have the same problem.

Operating system | CentOS Linux 7.6.1810
Webmin version | 1.930
Authentic theme version | 19.39-2

I tried:
relative_redir = unset
webprefixnoredir = unset / 1 / 0

@iliajie
Collaborator

iliajie commented Aug 25, 2019

Check your Apache proxy and do not set the ProxyPreserveHost On directive (other proxies should have a similar option); it will cause the redirect-after-login problem. If you want to log the real IP, set the trust_real_ip option to 1 in the miniserv.conf file, or use the UI to change it under Webmin/Webmin Configuration/IP Access Control/Trust remote IP address provided by proxies, setting it to Yes.

@groenator

I have the same issue using caddy, I tried every configuration possible, nothing helped. When I login it redirects to domain:port_number.

This is my caddy config. I disabled SSL until I fix the issue, otherwise I get banned by Let's Encrypt.

# WebMin
webmin.com:80 {
    tls off
    tls email@gmai.com
    proxy / http://127.0.0.1:10000 {
        transparent
    }
    log stdout
    errors stdout
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
    }
}

@iliajie
Collaborator

iliajie commented Dec 23, 2019

#1135

@iliajie
Collaborator

iliajie commented Jul 19, 2020

> So basically the developers don't want to fix this. I'm using traefik and I keep being redirected to 10000,

It has been fixed a long time ago. Have you read this? #1135 (comment)

> which is great BUT.... WHY IS WEBMIN CHANGING TO HTTP? 443 is https

Webmin doesn't automatically change it. Check your proxy config.

@iliajie
Collaborator

iliajie commented Jul 19, 2020

> after trying several combinations of the above advice.

What have you tried?

What Webmin version are you using?

@iliajie
Collaborator

iliajie commented Jul 19, 2020

If you downgrade the package to Webmin 1.942 for testing purposes - does it work then any differently, if so, how exactly?

You can easily downgrade running the following command:

apt-get install --reinstall webmin=1.942

@iliajie
Collaborator

iliajie commented Jul 19, 2020

> I don't want to mess with my configuration before knowing what you would like me to do first because right now even though it's a hack at least it works

Keep it then, if you're not sure what to do.

> My concern with the hack above is, if webmin was updated and removed the http authentication anyone with my admin url could get in.

I don't think we'd ever remove this feature in such a way that anyone could just log in. 🙂

@iliajie
Collaborator

iliajie commented Jul 20, 2020

> What I said above, you guys don't want to fix it.... if so please just make that clear so we don't have to waste our time going through days of trial and error as that's exactly what I had to do

We fixed that and all others seemed to be able to configure it and were happy about it. There are plenty of people here who use Traefik; go ahead and ask them first whether they experience the same issue.

> .. we now have an unsecure plain text http connection

Assuming that you're running Traefik and Webmin on the same server, it is not that insecure, if the initial connection between you and your proxy uses SSL.

> I appreciate that you guys do this for free by the way, I really do, and thanks

Most of the time, we don't feel that, unfortunately.

> Really!? Is that the reputation you guys want to have!? Sorry but I'm sure you guys can do better - and yes, I would if I could, but I won't learn code overnight

I wonder what you would say if you mis-configured something?

> Sorry but I'm sure you guys can do better - and yes, I would if I could

While you could, we have to.

> Please state the limitations of your product and what you guys are willing and not willing to do but I don't find it acceptable to maintain such an insecure config

Why does it work perfectly fine with Apache proxy?

> It is a horrible hack and I would keep it for a short period while a solution was found

Think why this is happening in one type of auth and doesn't in the other, and share your ideas.

> I hope you take the comment the way it's intended, it's not personal.

We don't take it personally; it's just personalities who work on and support it in the end, no matter what.

@wiserweb

@user897943 2FA is false security! If someone wants to get into your system they can pay $50 to a cell phone agent and have your telephone number ported to another provider. The attacker can then get the 2FA code and enter into the system.

In other words, 2FA is only as secure as the service provider. See the recent Telus/Koodo leak that occurred in Canada where someone was able to get access to a copy of their customer database via a trusted third party. All the security in the world won't do a damn thing if you have a weak link in the chain.

Good luck with your 'security'.

@wiserweb

@user897943 It's great that you used your imagination to think that I wasn't aware of the existence of 2FA apps.


@wiserweb

Have a good rest of day.

@iliajie
Collaborator

iliajie commented Jul 23, 2020

> Do yourself a favor and uninstall Webmin, no matter what the developer says you are better off without it, if something bad happens do you think the developer will go and fix it for you? Keep dreaming... run the uninstall command and never worry again. You're welcome.

We will consider that you are simply spamming. Any software is considered to be secure until proven otherwise!

The fact that you cannot configure services correctly doesn't make them insecure.

We always take security issues seriously and urgently patch any proven issues that are found. If you believe there is a security issue, email us privately to security@ email address, with steps to reproduce the issue, and we will surely be able to fix it as soon as possible and/or even be able to reward your efforts!

Repository owner locked as resolved and limited conversation to collaborators Jul 23, 2020
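
The two symptoms reported in this thread (a post-login redirect to :10000 and a switch from https to http) can be checked from the Location header the proxy relays. The following is an added example, not code from the thread or from Webmin; the function names, finding labels and sample headers are constructed for illustration, and url.com stands in for the public hostname as in the original report.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Keys named in this thread (/etc/webmin/config and miniserv.conf).
PROXY_KEYS = ("webprefixnoredir", "relative_redir", "trust_real_ip")

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port

def check_redirect(public_url, location, backend_port=10000):
    """List the ways a Location header leaves the origin the browser used."""
    # urljoin resolves relative and scheme-relative values as a browser would.
    pub = origin(public_url)
    loc = origin(urljoin(public_url, location))
    findings = []
    if loc[2] == backend_port and pub[2] != backend_port:
        findings.append("backend-port-exposed")
    if pub[0] == "https" and loc[0] == "http":
        findings.append("scheme-downgrade")
    if loc[1] != pub[1]:
        findings.append("host-changed")
    return findings

def proxy_settings(config_text):
    """Extract the proxy-related keys from key=value config text."""
    found = {}
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in PROXY_KEYS:
            found[key.strip()] = value.strip()
    return found

# Constructed samples: Location values a proxy might relay after login.
SAMPLE_LOCATIONS = ["/", "https://url.com:10000/", "http://url.com:10000/",
                    "http://127.0.0.1:10000/"]

if __name__ == "__main__":
    for location in SAMPLE_LOCATIONS:
        print(location, check_redirect("https://url.com/", location))
    print(proxy_settings("port=10000\nwebprefixnoredir=1\n# relative_redir=1\n"))
```

An empty result means the redirect stays on the public origin; any finding points back at the proxy's Host and scheme forwarding or at the Webmin keys listed in PROXY_KEYS.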

9 participants