Webmin login keeps looping to session_login.cgi - apache

I've had a working webmin setup on a VPS, however after trying to force it to connect via HTTPS I've done goof somewhere and now whenever I try to login the login page doesn't display correctly (no blue rectange background) and trying to login via https://server1.domain.me:10000 keeps redirecting me to https://server1.domain.me:10000/webmin/session_login.cgi, which is again a login page.
Before it began malfunctioning, I had the following file in /etc/apache2/sites-available
<VirtualHost *:80>
ServerAdmin webmaster#domain.me
ServerName domain.me
ServerAlias www.domain.me
DocumentRoot /var/www/domain.me/
<Directory />
RedirectMatch temp ^/$ /public_html
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/domain.me>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/www/domain.me/redmine>
AllowOverride None
order allow,deny
allow from all
RailsBaseURI /redmine
PassengerResolveSymlinksInDocumentRoot on
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
RailsEnv production
RailsBaseURI /redmine
</VirtualHost>
When I tried to force webmin (and owncloud if that matters) to use HTTPS I created a new Virtualhost for port 443 using my SSL keys and updated Virtualhost for port 80 to proxy all http://domain.me/webmin to https://server1.domain.me:10000 (I kept commented-out configs for you to see what I've tried):
<VirtualHost *:443>
ServerAdmin webmaster#domain.me
ServerName server1.domain.me
alias /owncloud /var/www/domain.me/owncloud
DocumentRoot /var/www/domain.me/
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/ssl/ssl.crt/server1_domain_me.crt
SSLCertificateKeyFile /etc/ssl/ssl.crt/server1.key
SSLCACertificateFile /etc/ssl/ssl.crt/COMODORSADomainValidationSecureServerCA.crt
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# <Location /webmin>
# RewriteEngine On
# #RewriteRule (.*) https://server1.domain.me:10000/$1 [R,L]
# ProxyPass https://server1.domain.me:10000/
# ProxyPassReverse https://server1.domain.me:10000/
# </Location>
<Directory /var/www/domain.me/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Satisfy Any
<IfModule mod_rewrite.c>
RewriteEngine on
<IfModule mod_ssl.c>
RewriteEngine On
RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/owncloud$
</IfModule>
</IfModule>
</Directory>
# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
# <Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
# </Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
</VirtualHost>
and updated my domain.me virtualhost file to:
<VirtualHost *:80>
ServerAdmin webmaster#domain.me
ServerName domain.me
ServerAlias www.domain.me
#SSLEngine On
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
DocumentRoot /var/www/domain.me/
<Directory />
RedirectMatch temp ^/$ /public_html
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/domain.me>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/www/domain.me/redmine>
AllowOverride None
order allow,deny
allow from all
RailsBaseURI /redmine
PassengerResolveSymlinksInDocumentRoot on
</Directory>
<Location /owncloud>
ProxyPass https://server1.domain.me/owncloud/
</Location>
<Location /server1>
ProxyPass https://server1.domain.me/webmin/
</Location>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
RailsEnv production
RailsBaseURI /redmine
#ProxyPassReverse /owncloud https://server1.domain.me/owncloud/
#ProxyPassReverse /webmin https://server1.domain.me:10000/
</VirtualHost>
I also added the lines webprefix=/webmin, webprefixnoredir=1 and referer=domain.me to /etc/webmin/config
However, something is clearly wrong here because I cannot login to webmin at all. I've been searching the web for an answer for the past 5 hours, tried a lot of thing and still no luck.
Any ideas?

There are 4 critical (and undocumented!) keys to get this to work, as I found through much aggravation!
1) When you edit /etc/webmin/config, make sure there is NO WHITE SPACE at the end of the webprefix=/webmin line. That will fix the problem where the login screen formatting is funky.
2) You need to be extremely precise in your use of slashes in your ProxyPass (and they don't match the official documentation!)
ProxyPass /webmin/ http://localhost:10000/
ProxyPassReverse /webmin/ http://localhost:10000/
3) You need to include cookie ProxyPass lines (again not in the documentation!).
ProxyPassReverseCookieDomain /webmin/ http://localhost:10000/
ProxyPassReverseCookiePath /webmin/ http://localhost:10000/
4) When you browse to Webmin, you MUST INCLUDE a trailing slash!
http://your.domain.name/webmin/
* UPDATE *
Pertaining to point 4:
To make sure the trailing slash is always present when you browse to Webmin, add these lines (prior to your proxy pass, if it matters?). With this added, if you forget to add the slash, Apache will simply do it for you:
RewriteEngine On
RewriteRule ^/webmin$ /webmin/ [R]

I had the same problem. I installed webmin set up apache with it, and after login screen, no redirection happened.But #MUHAHA was right. I set up my webmin with no /webmin directory, no nuthin!
I wrote a CNAME redirection rule in my domain provider. CNAME webmin.example.com to my raspberry pi's dynamic-dns service name.
my webmin.conf file in /etc/apache2/sites-enabled/ directory:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName webmin.example.com
ServerAlias webmin.example.com
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
ProxyPassReverseCookieDomain / http://localhost:10000/
ProxyPassReverseCookiePath / http://localhost:10000/
</VirtualHost>
after that i installed webmin... you know! :)
an then thanks to #MUHAHA, i changed that line 4043 in /usr/share/webmin/miniserv.pl file
change
&write_data("Location: $prot://$hostport$in{'page'}\r\n");
to
&write_data("Location: $prot://$host$in{'page'}\r\n");
and everythings peachy! Login redirects to the main page with ease!

#Buvinj
Im afraid, that this isnt enough..
To use proper SSL on Proxy, is needed to disable miniservers SSL
/etc/webmin/miniserv.conf
ssl=0
ssl_redirect=1
cookiepath=/webmin
/etc/webmin/config
webprefix=/webmin
webprefixnoredir=1
There are still problems with redirect after login, so this should help:
on webmin host edit file /usr/share/webmin/miniserv.pl
and on line 4043 replace
&write_data("Location: $prot://$hostport$in{'page'}\r\n");
to
&write_data("Location: $prot://$host$in{'page'}\r\n");
Source:
https://sourceforge.net/p/webadmin/discussion/600155/thread/6eb89f60/
But it doesnt work for me, i am redirected to root context (/) after login, not to /webmin context
EDIT:
$prot is always evaluated as http, even if you have ssl_redirect=1 in miniserv.conf
/usr/share/webmin/miniserv.pl
&write_data("Location: https://$hostport$config{'cookiepath'}$in{'page'}\r\n");
Rewrite rule for Location: in headers should also fix this problem.
EDIT2:
https://github.com/webmin/webmin/issues/350
https://github.com/webmin/webmin/issues/351

Related

ProxyPass not overriding .htaccess mod_rewrite

We have an angular app with an apache server which uses .htaccess to rewrite requests to /index.html using
RewriteRule . /index.html [L]
But for a few paths, we want to use /whatever to route to a different domain. However, adding
ProxyPass /whatever whatever.site.com
to sites-enabled doesn't seem to override the .htaccess.
That full file looks like
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
ProxyPass /whatever https://whatever.com
ProxyPassReverse /whatever https://whatever.com
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Any suggestions?
Also, I know for sure that the sites-enabled file above is being used because if I put garbage-text into it the site crashes ;)
Your quoted virtualhost is probably not used for your test request, because proxy would always bypass mod_rewrite rules specified in .htaccess.
Maybe apachectl -S would give you a hint about which vhosts are present / being used. I see this vhost has no ServerName, so unless it's the first or only *:80 it will probably never be used.

.htaccess not working with SSL config

I followed this guide to get a free SSL certificate from StartSSL: https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps
I followed it step by step but I don't actually understand it fully as I'm a newbie.
I have .htaccess which stopped working after I put the below code into my 000-default.conf file:
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
This is what's in my .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^([a-zA-Z0-9\-]+)$ $1.php
ErrorDocument 404 /404error
</IfModule>
^ It's basically to be able to access a page like this domain/page rather than like this: domain/page.php
So as soon as I add the above code from the 000-default.conf file, the rewrite rule works fine. If I add it in, however, I can no longer access files without the .php at the end. My 404 redirect is also not working.
What is it that's causing the problem?

Moodle apache proxy

I'm having troubles setting up a moodle instance behind an apache proxy.
Here's my apache front-end that proxies to the running server.
NameVirtualHost www.example.com:443
<VirtualHost www.example.com:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName www.example.com
ServerAlias www.example.com
ProxyPass / http://192.168.1.101/
ProxyPassReverse / http://192.168.1.101/
SSLEngine on
SSLCertificateFile /etc/ssl/crt/example.com.crt
SSLCertificateKeyFile /etc/ssl/crt/example.com.key
SSLCACertificatePath /etc/ssl/crt
SSLCertificateChainFile /etc/ssl/crt/example.com.bundle.crt
</VirtualHost>
On the concrete server I've got.
$CFG->wwwroot = 'http://192.168.1.101/classes';
And
<VirtualHost 192.168.1.101:80>
ServerAlias 192.168.1.101
ServerAdmin webmaster#localhost
ServerName 192.168.1.101
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
The thing is that I keep getting that moodle is only accessible from 182.168.1.101 something is not quite matching the expected. I've been able to configure confluence and other platforms but moodle doesn't work.
The concrete error is as follows.
Incorrect access detected, this server may be accessed only through "http://192.168.1.101/classes" address, sorry. Please notify server administrator.
Does anyone know what might be happening?
Its a Moodle error message, the wwwroot in config.php has to match.
You could try
$CFG->wwwroot = 'http://' . $_SERVER['HTTP_HOST'];
Although this might not allow some command line updates in Moodle.
On the proxy server, modify the VirtualHost entry as follows:
ProxyPass / http://192.168.1.101/classes
ProxyPassReverse / http://192.168.1.101/classes
For Moodle, what you set in Moodle's config.php for
$CFG->wwwroot
...has to match your ProxyPass and ProxyPassReverse values in the VirtualHost definition on the Proxy server.
So, what's the URL that points to your front end?
That's what you need to set $CFG->wwwroot to.

Elasticsearch with apache2 ssl proxy

Recently I have been trying to get Elasticsearch to be usable over SSL. This has taken me on a fun route between apache to nginx to apache to nginx and now finally back to apache.
I needed LDAP for authentication which is why I stopped using nginx. I followed this https://gist.github.com/jerrac/0a8bd96e6c42eb84b6f2 for configuring my apache web server. The good thing is that I am able to access it. The bad thing is elasticsearch doesn't work when trying to look for indices. I use elasticsearch-head to make sure it wasn't anything else but it seems like elasticsearch is still being blocked even though I can reach the kibana webpage. Any help would be appreciated.
<VirtualHost *:80>
ServerAdmin systems#example.com
ServerName logstash.example.com
DocumentRoot /var/www/kibana/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/kibana/>
Options -Indexes FollowSymLinks -MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#RewriteRule ^/(.*)$ https://logstash.example.com/$1 [R,L]
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin systems#example.com
ServerName logstash.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
SSLCACertificateFile /etc/ssl/certs/ca-example.cert
#RewriteEngine on
#RewriteCond %{SERVER_NAME} !=logstash.example.com
#RewriteRule ^/(.*)$ https://logstash.eaxmple.com/$1 [R,L]
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
DocumentRoot /var/www/kibana/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/kibana/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown
#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#<Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
#</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Proxy http://127.0.0.1:9200>
#<Proxy http://logstash.example.com:9200>
ProxySet connectiontimeout=5 timeout=90
</Proxy>
# Proxy for _aliases and .*/_search
<LocationMatch "^(/_aliases|.*/_search|.*/_mapping|/_nodes)$">
#ProxyPassMatch http://logstash.example.com:9200
#ProxyPassReverse http://logstash.example.com:9200
ProxyPassMatch http://127.0.0.1:9200
ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>
# Proxy for kibana-int/{dashboard,temp} stuff (if you don't want auth on /, then you will want these to be protected)
<LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
#ProxyPassMatch http://logstash.example.com:9200
#ProxyPassReverse http://logstash.example.com:9200
ProxyPassMatch http://127.0.0.1:9200
ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>
</VirtualHost>
</IfModule>
You should be able to do https://myserver/index_name/_search/ with the above configuration, if Kibana is working.
Your LocationMatches only allow very small subsets of information. You can either explicitly list your indexes (e.g., /index1/.*|/index2/.*) or come up with a more flexible mapping (e.g., have a known pattern in the index's name).
<LocationMatch "^/(_aliases|index1/.*|index2/.*|_nodes)$">
It is probably worth noting that it is very dangerous to expose your Elasticsearch database, even if it is using SSL because once you allow unfettered access, then they can fetch all data from them (among other risky operations), which defeats the purpose of encrypting the traffic for the most part.

Apache Reverse Proxy not rewriting URLs the way I expect

I am pretty new to Apache and was hoping to setup a reverse proxy to be able to access so the web interfaces of some IP Cameras I have from one site. The basic layout I'm using is below:
/ Cam 1 - 192.168.1.10
Reverse Proxy - 192.168.1.6 -
\ Cam 2 - 192.168.1.11
When I click a link it doesn't resolve correctly, the URL should be http://192.168.1.6/cam1/settings.htm but it resolves to http://192.168.1.6/setting.htm
Not Found
The requested URL /setting.htm was not found on this server.
Apache/2.2.22 (Debian) Server at 192.168.1.6 Port 80
My Config is here, I'm using the standard httpd.conf with the proxy and rewrite modules enabled:
ProxyRequests off
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
<VirtualHost *>
Servername webserver
RewriteEngine on
RewriteRule ^/cam1/(.*)$ http://192.168.1.10$1 [P]
RewriteRule ^/cam2/(.*)$ http://192.168.1.11$1 [P]
ProxyPass /cam1 http://192.168.1.10
ProxyPassReverse /cam1 http://192.168.1.10
ProxyPass /cam2 http://192.168.1.11
ProxyPassReverse /cam2 http://192.168.1.11
</VirtualHost>
Any help would be appreciated.
Cheers,
Adam
In logs you can clearly see that there are some files missing like File does not exist: /var/www/jpg and /var/www/lang so may be this is the reason for your storage issue.I bet you that you missed some configuration while server OR your server msy corrupt these files while running due to some other files.I suggest you to fresh download and then reinstall it.
For future users:
cat /etc/apache2/sites-available/default
<VirtualHost *:80>
ServerAdmin user#work.com.br
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from 192.168.5.25
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPass /cameras/ http://192.168.5.6/
ProxyPassReverse /cameras/ http://192.168.5.6/