virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

Provide proper apache/nginx proxying instead of redirects to ports for admin/webmail #338

Open skepticalwaves opened 2 years ago

skepticalwaves commented 2 years ago

The redirect to port 10000/20000 is crazy when we have proxying features available, and conflicts badly when the main domain might be configured in the DNS to point to another server. Here's a simple example of a manual modification I make to make webmail do something more sensible.

<VirtualHost IP:80>

    ServerName webmail.domain.com
    ServerAlias mail.domain.com
    <Location "/">
        Redirect permanent "https://%{HTTP_HOST}%{REQUEST_URI}"
    </Location>

    DocumentRoot /home/domain/public_html
    ProxyPreserveHost On
    ProxyPass /.well-known/ !
    ProxyPass / http://localhost:20000/
    ProxyPassReverse / http://localhost:20000/

</VirtualHost>

<VirtualHost domain:443>

    ServerName webmail.domain.com
    ServerAlias mail.domain.com
    DocumentRoot /home/domain/public_html
    ProxyPreserveHost On
    SSLProxyEngine On
    SSLProxyVerify none 
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass /.well-known/ !
    ProxyPass / https://localhost:20000/
    ProxyPassReverse / https://localhost:20000/

    SSLEngine on
    SSLCertificateFile /home/domain/ssl.cert
    SSLCertificateKeyFile /home/domain/ssl.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    <Directory /home/domain/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php7.4
        FCGIWrapper /home/domain/fcgi-bin/php7.4.fcgi .php
        FCGIWrapper /home/domain/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>

</VirtualHost>

Then I disable the rewrite rules, and the aliases in the main auto-generated entries. This proxies the webmail/mail domain to the right port, uses the SSL cert, and makes everything more "normal" in the modern web sense. The same thing easily applies to the admin subdomain.
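A defender's check for configs like the one in the comment above, as an added example that is not part of the original post or of Virtualmin's code: it reports each vhost that proxies to an https backend with the `SSLProxy*` checks switched off, and marks it risky only when the backend is not loopback, since unverified TLS to a remote host can be intercepted. The function name, the `SAMPLE` text and the host `panel.example.net` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Values that switch off verification of the proxied backend's certificate.
WEAK = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
        "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: first vhost mirrors the post; second is a hypothetical remote backend.
SAMPLE = """\
<VirtualHost domain:443>
    ServerName webmail.domain.com
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    ProxyPass /.well-known/ !
    ProxyPass / https://localhost:20000/
</VirtualHost>
<VirtualHost domain:443>
    ServerName admin.domain.com
    SSLProxyVerify none
    ProxyPass / https://panel.example.net:10000/
</VirtualHost>
"""

def audit_vhosts(conf):
    """Flag vhosts that proxy over unverified TLS to a host other than loopback."""
    findings, vhost = [], None
    for parts in (line.split() for line in conf.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "<virtualhost":
            vhost = {"name": " ".join(parts), "weak": [], "hosts": []}
        elif vhost is None:
            continue
        elif key == "</virtualhost>":
            remote = [h for h in vhost["hosts"] if h not in LOOPBACK]
            if vhost["hosts"]:
                findings.append({"vhost": vhost["name"], "disabled": vhost["weak"],
                                 "remote": remote, "risky": bool(vhost["weak"] and remote)})
            vhost = None
        elif key == "servername" and args:
            vhost["name"] = args[0]
        elif key in WEAK and args and args[0].lower() == WEAK[key]:
            vhost["weak"].append(parts[0])
        elif key == "proxypass" and len(args) >= 2:
            url = urlsplit(args[1].strip('"'))
            if url.scheme == "https" and url.hostname:
                vhost["hosts"].append(url.hostname)
    return findings
```

Calling `audit_vhosts(SAMPLE)` returns one finding per proxying vhost; only the second, constructed one is marked risky.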

iliajie commented 2 years ago

Hi,

Webmin is an admin tool, and making it depend on a proxy is not something we can recommend doing in general.

swelljoe commented 2 years ago

I have to agree... It'd mean that if the web server is down for any reason, the user won't be able to use Webmin to recover it.

I'm not opposed to making it easier to switch, I guess, but it shouldn't be the default to put Webmin behind a proxy.

skepticalwaves commented 2 years ago

Sure, I get your reluctance here, but I didn't suggest removing the exposure on port 10000/20000, you can still have that. I'm just suggesting that the subdomains created be modernized to not do the redirect-to-port dance.

jcameron commented 2 years ago

The only catch with proxying is that it would require setting up a separate Apache Virtualhost for the admin and webmail sub-domains, which is a more complex config than the current redirects.