# Running Webmin under Apache



## xy16644 (Jul 16, 2009)

I have installed the latest version of Webmin on FreeBSD 7.2 successfully. I now want to set it up so that it runs as a sub directory under Apache. I have *tried* so very hard to follow the instructions at:

http://www.webmin.com/apache.html (scroll down a bit for the sub directory instructions)

but to date I can't get it to work. Whenever I browse the URL:

http://www.mydomain.com/webmin I get:


```
HTTP 403 Forbidden
```

I am quite new to FreeBSD and Apache (and Webmin!) so I am battling to troubleshoot this, can someone kindly help? I found the instructions on the web site GREAT for installing Webmin and configuring it with SSL but the Apache instructions just confused me (maybe it's because I don't fully understand all the Apache terms!).

Currently my webmin.conf looks as follows:


```
Options Indexes FollowSymLinks
AllowOverride All
order allow,deny
AddHandler cgi-script .cgi
DirectoryIndex index.cgi
Options ExecCGI
SetEnv WEBMIN_CONFIG /etc/webmin
SetEnv WEBMIN_VAR /var/webmin
SetEnv SERVER_ROOT /usr/local/webmin
SetEnv MINISERV_CONFIG /etc/webmin/miniserv.conf
AuthName Webmin
AuthType basic
AuthUserFile /etc/webmin/htusers
require MyUser
```

If there's any info I left out, let me know and I will post it.

Many MANY thanks! :e


----------



## Voltar (Jul 17, 2009)

http://www.webmin.com/apache.html said:

> Add the line webprefix=/webmin to /etc/webmin/config.



Looks like you may have missed that one? Also, what does your httpd.conf section look like? It looks like you may have added everything to your webmin configuration file and not Apache?


----------



## xy16644 (Jul 17, 2009)

According to the site you add the line webprefix=/webmin to /etc/webmin/config which I did (I tried with and without this line).

I didn't touch my httpd.conf for webmin. I have it in a separate file called webmin.conf (the one posted above).

This really has me stumped...


----------



## SirDice (Jul 17, 2009)

The webmin config probably lives in /usr/local/etc not /etc/. Ports always install with the prefix /usr/local.

Also have a look at the apache error log, any clues there?


----------



## xy16644 (Jul 17, 2009)

I didn't install Webmin from a port, I downloaded the tar.gz file from Webmin's site (yeah I know I should have used the port, at the time I wasn't aware of ports).

If I look in the logfile at /var/log/httpd-error.log it says:


```
[Fri Jul 17 16:28:37 2009] [error] [client 192.168.1.100] client denied by server configuration: /usr/local/webmin
```


----------



## xy16644 (Jul 17, 2009)

The author suggested I try setting Webmin using mod_proxy in Apache.

How do I enable this module in Apache? I tried this:

```
make config ; make install clean
```

but it moaned that it was already installed. Fair enough but how do I add on modules post install of the Apache port?


----------



## anomie (Jul 18, 2009)

@xy16644: I suspect a lot of these issues would be corrected if you simply removed your webmin installation and installed the port instead. It doesn't seem like there is a huge investment in your current installation (since it's borked). 

-------

Anyway, the message you are seeing in your error log simply means Apache web server is explicitly or implicitly denying access, based on what he has been _told_ to do (by you or by a default configuration). 

Edit your /usr/local/etc/apache22/httpd.conf (your path may differ) file, and add a little section that looks like: 


```
Alias /webmin "/usr/local/webmin"

<Directory "/usr/local/webmin">

    Options None
    AllowOverride None

    SSLRequireSSL

    Order Deny,Allow
    Deny from all
    Allow from 10.0.50.

</Directory>
```

Except you'll need to 1) check that /usr/local/webmin is world readable/executable; 2) add your own network to the "Allow from..." line; 3) configure SSL settings appropriately if you haven't already.

Afterwards, to access webmin on your host, use https://host.here/webmin.


----------
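How the Apache 2.2 `Order`/`Allow`/`Deny` lines quoted in this thread decide whether a client gets "client denied by server configuration", as an added example that is not part of any post. The function names are made up for illustration, and hostname-based rules are not handled.

```python
import ipaddress

def host_matches(spec, client_ip):
    """Match one Allow/Deny argument against a client IPv4 address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # network/netmask or CIDR form
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    # Full or partial address ("192.168.0."): compare whole leading octets
    want = [o for o in spec.split(".") if o]
    return client_ip.split(".")[:len(want)] == want

def parse_rules(conf):
    """Return (order, allow_specs, deny_specs) from a config snippet."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # 2.2 default Order
    for line in conf.splitlines():
        words = line.split()
        if len(words) == 2 and words[0].lower() == "order":
            order = words[1].lower()
        elif (len(words) >= 3 and words[1].lower() == "from"
              and words[0].lower() in rules):
            rules[words[0].lower()].extend(words[2:])
    return order, rules["allow"], rules["deny"]

def is_allowed(conf, client_ip):
    """Apply mod_authz_host (Apache 2.2) Order semantics to one client."""
    order, allow, deny = parse_rules(conf)
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    if order == "allow,deny":
        return allowed and not denied  # default deny; Deny beats Allow
    return allowed or not denied       # deny,allow: default allow; Allow beats Deny

# Access rules copied from posts in this thread
FIRST_ATTEMPT = "order allow,deny"  # no Allow line at all
ANOMIE = "Order Deny,Allow\nDeny from all\nAllow from 10.0.50."
LATER = "Order Deny,Allow\nDeny from all\nAllow from 192.168.0."

if __name__ == "__main__":
    for name, conf, ip in [
        ("first attempt", FIRST_ATTEMPT, "192.168.1.100"),
        ("anomie's stanza", ANOMIE, "192.168.1.100"),
        ("later stanza", LATER, "192.168.0.10"),
        ("later stanza", LATER, "192.168.10.10"),
    ]:
        verdict = "allowed" if is_allowed(conf, ip) else "403 (client denied)"
        print(f"{name:16} {ip:15} {verdict}")
```

These rules are only one source of a 403: later in the thread a request from an allowed address is still refused until `Options +ExecCGI` is added.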



## xy16644 (Jul 18, 2009)

Thanks anomie.

I followed your advice and completely uninstalled Webmin. I then reinstalled from a port. I also added the section to the httpd.conf file. Only difference is the port installed webmin into /usr/local/lib/webmin.

What are the correct permissions for this folder? 

I took out the SSL bit as I'd like to get it working without encryption first. I also added my IP address to the allow list.

After all that I am STILL getting an HTTP 403 Forbidden. 

I am about to give up...;-( This is the only thing I can't get to work on FreeBSD so far!

How can I troubleshoot this and set it up from the beginning so that I can get webmin running successfully under Apache (with SSL ultimately)?

I really appreciate your help!!


----------



## anomie (Jul 19, 2009)

The correct permissions for /usr/local/lib/webmin should be 755, and it should be owned by www:www. (I think... that may be more generous than necessary, actually. I don't use webmin, so I am not 100%.) 

Don't give up. Anything worth doing is difficult - at first. 

I'd actually be curious to see the tail end of your /var/log/httpd-access.log immediately after a failed attempt. That will shed some more light on the situation.


----------



## xy16644 (Jul 19, 2009)

I set the permissions as follows:


```
chown -R www:www /usr/local/lib/webmin
chmod -R 755 /usr/local/lib/webmin
```

If I run tail -F /var/log/httpd-access.log after attempting to access http://www.mydomain.com/webmin I get:


```
192.168.0.10 - - [19/Jul/2009:08:22:41 +0100] "GET /webmin/ HTTP/1.1" 403 209 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 1.1.4322; .NET CLR 3.0.30729)"
```

In the httpd.conf file I have added the following section at the end:


```
Alias /webmin "/usr/local/lib/webmin"

<Directory "/usr/local/lib/webmin">

    Options None
    AllowOverride None


    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.

</Directory>
```


----------



## anomie (Jul 19, 2009)

Did the port install anything in /usr/local/etc/apache22/Includes? (Your path may differ a bit.)  

I'm wondering if there may be a conflicting /usr/local/lib/webmin stanza in there.

-------

edit: One more thing. You will likely need to allow CGI... change to: 

```
Alias /webmin "/usr/local/lib/webmin"

<Directory "/usr/local/lib/webmin">

    Options +ExecCGI
    AllowOverride None


    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.

</Directory>
```


----------



## xy16644 (Jul 20, 2009)

I just added the Options +ExecCGI in and now I see a very long list of links under the heading:

Index of /webmin

We must be getting closer?!

The port didn't install anything in /usr/local/etc/apache22/Includes


----------



## anomie (Jul 20, 2009)

OK, so the http 403 issue is solved. 

If you're seeing an index, I think you will need to update your DirectoryIndex directive; and you'll need an AddHandler directive. See the howto you posted for tips on that.  

You may need to set up the authentication directives from your howto as well...

-------

On a bit of a tangent, but I'm just curious: why are you frontending Webmin with Apache? (i.e. Why are you not using Webmin's built in web server?)


----------



## xy16644 (Jul 20, 2009)

I have added the following directives:


```
Options +ExecCGI
AllowOverride None


Order Deny,Allow
Deny from all
Allow from 192.168.0.

AddHandler cgi-script .cgi
DirectoryIndex index.cgi

SetEnv WEBMIN_CONFIG /etc/webmin
SetEnv WEBMIN_VAR /var/webmin
SetEnv SERVER_ROOT /usr/local/lib/webmin
SetEnv MINISERV_CONFIG /etc/webmin/lib/miniserv.conf
```

Now I get this:


```
Access denied : User is not allowed to use the Webmin Configuration module
```


----------



## anomie (Jul 20, 2009)

That's an authentication issue. Carefully go through step #7 from your howto again.


----------



## xy16644 (Jul 20, 2009)

OK so now I have:


```
Options +ExecCGI
AllowOverride None


order deny,allow
deny from all
allow from 192.168.0.

AddHandler cgi-script .cgi
DirectoryIndex index.cgi

SetEnv WEBMIN_CONFIG /usr/local/etc/webmin
SetEnv WEBMIN_VAR /var/webmin
SetEnv SERVER_ROOT /usr/local/lib/webmin
SetEnv MINISERV_CONFIG /etc/webmin/lib/miniserv.conf

AuthName "Webmin"
AuthType Basic
AuthUserFile /usr/local/lib/webmin/htusers
require valid-user
```

and the error is now:

```
Access denied : User myuser is not allowed to use the Webmin Configuration module
```

I must be close now!!!!


----------



## xy16644 (Jul 20, 2009)

I should add that I added the user in the htusers file and this is the same user in the webmin.acl


----------



## DutchDaemon (Jul 20, 2009)

xy16644, use code tags for system output etc. Doing it myself five times now is enough ..


----------



## xy16644 (Jul 20, 2009)

Apologies DutchDaemon. I will do that from now on, thanks for pointing it out to me.


----------



## anomie (Jul 20, 2009)

I would triple check this from your howto: 


> ... Inside the <Directory> section. The file /etc/webmin/htusers  must contains users who match up with those in /etc/webmin/webmin.acl.



Note that for the FBSD port, this is likely /usr/local/etc/webmin/webmin.acl. 

-------

Also, what about this (from your howto): 


> Note that the Webmin Users and Webmin Configuration modules will not work, as they configure miniserv.pl and cannot deal with Apache.



??

-------

Finally, I highly recommend doing this over SSL as soon as you get it working -- and then changing the Webmin user's password. (I'm presuming you care about the security of your server!) There are some other things to explore, like digest authentication, but that can be later.


----------



## xy16644 (Jul 20, 2009)

I completely agree about SSL. I will be doing this once I get webmin to work under Apache.

I changed the directory locations accordingly for the htusers and webmin.acl file.

Not sure about this:

Note that the Webmin Users and Webmin Configuration modules will not work, as they configure miniserv.pl and cannot deal with Apache. ???

All I am trying to do is get to the home page once authenticating (when the login prompt appears). 

I'm not sure where to go from here...

Maybe the author's right, rather run mod_proxy and do it that way as it's simpler. Problem is I can't find anything on enabling this on the net.


----------



## xy16644 (Jul 23, 2009)

Does anyone know how to enable mod_proxy in Apache 2.2? I have Googled this until I turned blue in the face without success! I have loaded a module in the httpd.conf file before but I just can't find out HOW to do the mod_proxy module.

If anyone knows please PLEASE let me know, I would be most grateful.


----------



## SirDice (Jul 24, 2009)

You will need to rebuild apache22:


```
===> The following configuration options are available for apache-2.2.11_7:
     APR_FROM_PORTS=Off (default) "Use devel/apr as APR (preferred)"
     THREADS=Off (default) "Enable threads support in APR"
     MYSQL=Off (default) "Enable MySQL support for apr-dbd"
     PGSQL=Off (default) "Enable PostgreSQL support for apr-dbd"
     SQLITE=Off (default) "Enable SQLite support for apr-dbd"
     IPV6=On (default) "Enable IPv6 support"
     BDB=Off (default) "Enable BerkeleyDB dbm"
     AUTH_BASIC=ON (default) "Enable mod_auth_basic"
     AUTH_DIGEST=ON (default) "Enable mod_auth_digest"
     AUTHN_FILE=ON (default) "Enable mod_authn_file"
     AUTHN_DBD=OFF (default) "Enable mod_authn_dbd"
     AUTHN_DBM=ON (default) "Enable mod_authn_dbm"
     AUTHN_ANON=ON (default) "Enable mod_authn_anon"
     AUTHN_DEFAULT=ON (default) "Enable mod_authn_default"
     AUTHN_ALIAS=ON (default) "Enable mod_authn_alias"
     AUTHZ_HOST=ON (default) "Enable mod_authz_host"
     AUTHZ_GROUPFILE=ON (default) "Enable mod_authz_groupfile"
     AUTHZ_USER=ON (default) "Enable mod_authz_user"
     AUTHZ_DBM=ON (default) "Enable mod_authz_dbm"
     AUTHZ_OWNER=ON (default) "Enable mod_authz_owner"
     AUTHZ_DEFAULT=ON (default) "Enable mod_authz_default"
     CACHE=ON (default) "Enable mod_cache"
     DISK_CACHE=ON (default) "Enable mod_disk_cache"
     FILE_CACHE=ON (default) "Enable mod_file_cache"
     MEM_CACHE=OFF (default) "Enable mod_mem_cache"
     DAV=ON (default) "Enable mod_dav"
     DAV_FS=ON (default) "Enable mod_dav_fs"
     BUCKETEER=OFF (default) "Enable mod_bucketeer"
     CASE_FILTER=OFF (default) "Enable mod_case_filter"
     CASE_FILTER_IN=OFF (default) "Enable mod_case_filter_in"
     EXT_FILTER=OFF (default) "Enable mod_ext_filter"
     LOG_FORENSIC=OFF (default) "Enable mod_log_forensic"
     OPTIONAL_HOOK_EXPORT=OFF (default) "Enable mod_optional_hook_export"
     OPTIONAL_HOOK_IMPORT=OFF (default) "Enable mod_optional_hook_import"
     OPTIONAL_FN_IMPORT=OFF (default) "Enable mod_optional_fn_import"
     OPTIONAL_FN_EXPORT=OFF (default) "Enable mod_optional_fn_export"
     LDAP=OFF (default) "Enable mod_ldap"
     AUTHNZ_LDAP=OFF (default) "Enable mod_authnz_ldap"
     ACTIONS=ON (default) "Enable mod_actions"
     ALIAS=ON (default) "Enable mod_alias"
     ASIS=ON (default) "Enable mod_asis"
     AUTOINDEX=ON (default) "Enable mod_autoindex"
     CERN_META=ON (default) "Enable mod_cern_meta"
     CGI=ON (default) "Enable mod_cgi"
     CHARSET_LITE=ON (default) "Enable mod_charset_lite"
     DBD=OFF (default) "Enable mod_dbd"
     DEFLATE=ON (default) "Enable mod_deflate"
     DIR=ON (default) "Enable mod_dir"
     DUMPIO=ON (default) "Enable mod_dumpio"
     ENV=ON (default) "Enable mod_env"
     EXPIRES=ON (default) "Enable mod_expires"
     HEADERS=ON (default) "Enable mod_headers"
     IMAGEMAP=ON (default) "Enable mod_imagemap"
     INCLUDE=ON (default) "Enable mod_include"
     INFO=ON (default) "Enable mod_info"
     LOG_CONFIG=ON (default) "Enable mod_log_config"
     LOGIO=ON (default) "Enable mod_logio"
     MIME=ON (default) "Enable mod_mime"
     MIME_MAGIC=ON (default) "Enable mod_mime_magic"
     NEGOTIATION=ON (default) "Enable mod_negotiation"
     REWRITE=ON (default) "Enable mod_rewrite"
     SETENVIF=ON (default) "Enable mod_setenvif"
     SPELING=ON (default) "Enable mod_speling"
     STATUS=ON (default) "Enable mod_status"
     UNIQUE_ID=ON (default) "Enable mod_unique_id"
     USERDIR=ON (default) "Enable mod_userdir"
     USERTRACK=ON (default) "Enable mod_usertrack"
     VHOST_ALIAS=ON (default) "Enable mod_vhost_alias"
     FILTER=ON (default) "Enable mod_filter"
     VERSION=ON (default) "Enable mod_version"
     PROXY=OFF (default) "Enable mod_proxy"
     PROXY_CONNECT=OFF (default) "Enable mod_proxy_connect"
     PATCH_PROXY_CONNECT=ON (default) "Patch proxy_connect SSL support"
     PROXY_FTP=OFF (default) "Enable mod_proxy_ftp"
     PROXY_HTTP=OFF (default) "Enable mod_proxy_http"
     PROXY_AJP=OFF (default) "Enable mod_proxy_ajp"
     PROXY_BALANCER=OFF (default) "Enable mod_proxy_balancer"
     SSL=ON (default) "Enable mod_ssl"
     SUEXEC=OFF (default) "Enable mod_suexec"
     CGID=OFF (default) "Enable mod_cgid"
===> Use 'make config' to modify these settings
```


----------



## xy16644 (Jul 24, 2009)

I ran:


```
make config
```

and in the menu I selected mod_proxy

but when I run:


```
make install clean
```

it complains that Apache22 is already installed and stops.

What is the correct way to do this?


----------



## DutchDaemon (Jul 24, 2009)

```
make deinstall clean && make reinstall clean
```


----------



## xy16644 (Jul 24, 2009)

I just tried that now DutchDaemon but it still doesn't have mod_proxy installed...


----------



## DutchDaemon (Jul 24, 2009)

What is the output of `grep PROXY /var/db/ports/apache22/options` and `ls /usr/local/libexec/apache22/*proxy*`?


----------



## xy16644 (Jul 24, 2009)

grep PROXY /var/db/ports/apache22/options:


```
WITH_PROXY=true
WITHOUT_PROXY_CONNECT=true
WITH_PATCH_PROXY_CONNECT=true
WITHOUT_PROXY_FTP=true
WITHOUT_PROXY_HTTP=true
WITHOUT_PROXY_AJP=true
WITHOUT_PROXY_BALANCER=true
```

ls /usr/local/libexec/apache22/*proxy*:

```
/usr/local/libexec/apache22/mod_proxy.so        /usr/local/libexec/apache22/mod_proxy_html.so
```


----------



## DutchDaemon (Jul 24, 2009)

Then this should be in /usr/local/etc/apache22/httpd.conf:


```
LoadModule proxy_module libexec/apache22/mod_proxy.so
LoadModule proxy_html_module libexec/apache22/mod_proxy_html.so
```

See also http://www.apachetutor.org/admin/reverseproxies (keep the specific FreeBSD path in mind, though)


----------



## xy16644 (Jul 24, 2009)

That got mod_proxy installed, thanks DutchDaemon!

I have added the following to httpd.conf:


```
ProxyPass /webmin/ http://www.mydomain.com:10000/
ProxyPassReverse /webmin/ http://www.mydomain.com:10000/
<Proxy *>
allow from all
</Proxy>
```

But when I try to browse:

http://www.mydomain.com/webmin

I get a 404.

I also edited the following file (as per Webmin's instructions on the website):


```
/usr/local/lib/webmin/config
```

and added:

```
webprefix=/webmin
webprefixnoredir=1
referer=www.mydomain.com
```

Why am I getting a 404 when I can browse http://www.mydomain.com:10000 perfectly for webmin?

Surely mod_proxy is just forwarding the request from http://www.mydomain.com/webmin to http://www.mydomain.com:10000


----------



## xy16644 (Jul 24, 2009)

This is interesting, if I try to browse:

http://www.mydomain.com/webmin/ (note slash after webmin)

then I get this:


```
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, admin@mydomain.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
```

but if I browse:

http://www.bsdpanic.com/webmin

I get the 404


----------



## xy16644 (Jul 24, 2009)

In the logfile:

/var/log/httpd-error.log

it says:


```
[Fri Jul 24 17:16:11 2009] [warn] proxy:
No protocol handler was valid for the URL /webmin/. If you are using a DSO version of mod_proxy,
make sure the proxy submodules are included in the configuration using LoadModule.
```


----------



## DutchDaemon (Jul 24, 2009)

http://www.google.com/search?q="If+you+are+using+a+DSO+version+of+mod_proxy"

You may need more proxy (sub)modules.


----------
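The warning quoted above is logged when mod_proxy is loaded but no submodule handles the scheme of the `ProxyPass` target; the options file posted earlier shows `WITHOUT_PROXY_HTTP=true`. The check below is an added example, not part of any post: the function names are made up, and the sample configuration is constructed from lines posted in this thread (the `mod_proxy_http.so` line in the second sample is an assumed fix).

```python
import re
from urllib.parse import urlsplit

# Backend URL scheme -> module identifier expected in a LoadModule line
SCHEME_MODULE = {
    "http": "proxy_http_module",
    "https": "proxy_http_module",
    "ftp": "proxy_ftp_module",
    "ajp": "proxy_ajp_module",
}

def loaded_modules(conf):
    """Module identifiers from active (uncommented) LoadModule lines."""
    return set(re.findall(r"^\s*LoadModule\s+(\S+)\s+\S+", conf, re.M | re.I))

def proxy_backends(conf):
    """(local path, backend URL) pairs from ProxyPass lines.

    ProxyPassReverse is skipped because the pattern requires whitespace
    directly after the word ProxyPass.
    """
    return re.findall(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", conf, re.M | re.I)

def missing_proxy_modules(conf):
    """List the proxy modules the ProxyPass lines need but LoadModule lacks."""
    mods = loaded_modules(conf)
    backends = proxy_backends(conf)
    missing = []
    if backends and "proxy_module" not in mods:
        missing.append("proxy_module")
    for _path, url in backends:
        need = SCHEME_MODULE.get(urlsplit(url).scheme.lower())
        if need and need not in mods and need not in missing:
            missing.append(need)
    return missing

# Constructed sample: the LoadModule and ProxyPass lines from this thread
THREAD_CONF = """\
LoadModule proxy_module libexec/apache22/mod_proxy.so
LoadModule proxy_html_module libexec/apache22/mod_proxy_html.so
ProxyPass /webmin/ http://www.mydomain.com:10000/
ProxyPassReverse /webmin/ http://www.mydomain.com:10000/
"""

# Constructed sample: same file with the HTTP submodule loaded (assumed fix)
FIXED_CONF = (
    "LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so\n"
    + THREAD_CONF
)

if __name__ == "__main__":
    print("thread config missing:", missing_proxy_modules(THREAD_CONF))
    print("fixed config missing: ", missing_proxy_modules(FIXED_CONF))
```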



## xy16644 (Jul 26, 2009)

*It works!*

After much frustration I ended up rebuilding my server. I managed to get webmin to work as a subdirectory under Apache via mod_proxy in minutes!

Here's my config in case anyone else has problems with this:


/usr/local/etc/webmin/config:

```
webprefix=/webmin
webprefixnoredir=1
referer=localhost
```

/usr/local/etc/apache22/httpd.conf:

```
ProxyPass /webmin/ http://www.mydomain.com:10000/
ProxyPassReverse /webmin/ http://www.mydomain.com:10000/

<Proxy *>
allow from all
# optional but I recommend SSL!
SSLRequireSSL
</Proxy>
```

I also made sure when I installed the Apache port that I selected mod_proxy, mod_proxy_connect, mod_proxy_ftp, mod_proxy_http, mod_proxy_ajp and mod_proxy_balancer. I'm not sure if ALL these are needed but I installed them anyway.

Thanks to everyone for their help with this...:e


----------

