
I have recently set up a virtual server on Linode (Debian 7) and would like to block access to the Virtualmin install via any domain other than one specified.

I can currently access Virtualmin via the Linode member URL (e.g. example1234.members.linode.com:10000), but I can also access it via domains that are hosted on the server.

How can I block these domains?

    Added the option as a pull request to the webmin repo: https://github.com/webmin/webmin/pull/175#issuecomment-60393902 – PottyBert Oct 24 '14 at 14:47

1 Answer

Disclaimer:

  • I have never used webmin in production. In the past I just installed this software on my dev server but was not interested in exploring it.
  • This solution was tested on these Webmin and Virtualmin versions:

    # dpkg -l
    ii  webmin               1.710       all      web-based administration interface for Unix systems
    ii  virtualmin-base      1.0-35      all      Meta-package that runs a postinstall script to configure all of the services managed by Virtualmin.
    

Some Background

Virtualmin is a module of a web-based management tool called Webmin. In other words, Virtualmin runs on top of Webmin. Webmin itself uses miniserv.pl as its webserver. So, if you want to find out how to restrict access based on the Host header, you should dig into miniserv.pl.

Webserver miniserv.pl

So, we have bad news and good news. The bad news is that this webserver has only basic features compared with more complex webservers such as nginx or apache. The good news is that it was written in Perl, a scripting language, and is contained in just a single file, /usr/share/webmin/miniserv.pl. This webserver has its configuration file in /etc/webmin/miniserv.conf. Unfortunately the documentation about the parameters in miniserv.conf is pretty limited (or maybe I used the wrong keywords for searching :) ).

So, I decided to examine the source code of miniserv.pl. The interesting lines come from this snippet.

if (defined($header{'host'})) {
    if ($header{'host'} =~ /^\[(.+)\]:([0-9]+)$/) {
        ($host, $port) = ($1, $2);
        }
    elsif ($header{'host'} =~ /^([^:]+):([0-9]+)$/) {
        ($host, $port) = ($1, $2);
        }
    else {
        $host = $header{'host'};
        }
    if ($config{'musthost'} && $host ne $config{'musthost'}) {
        # Disallowed hostname used
        &http_error(400, "Invalid HTTP hostname");
        }
    }

OK, these lines tell us:

Suppose a request comes to miniserv.pl and all of these conditions are met:

  • There is a Host header in the HTTP request
  • The parameter musthost is defined in miniserv.conf
  • The Host header value (without the port) does not equal the parameter musthost

then the request is rejected with error 400 Invalid HTTP hostname. Yes, this feature is exactly what you wanted.

So, if you want to restrict which domain can access the Virtualmin interface, you should set the parameter musthost in miniserv.conf to the allowed domain.

Notes:

Some issues:

  • A user can bypass your restriction if there is no Host: header in the request.
  • When you enable SSL but the user browses through http (not https), the user will be shown this info:

This web server is running in SSL mode. Try the URL https://your.allowed.domain:10000/ instead.

Update:

The second issue can be prevented by patching the file miniserv.pl with the patch from the OP. The patch is available in the github pull request (credit to OP!!!). Future webmin versions will also have this feature, as webmin has already accepted the pull request :)

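To see exactly what the musthost check accepts and rejects, here is an added example (not webmin's own code) that copies the Host-header parsing from the snippet above into a stand-alone Perl script and runs it over a few constructed requests. The check_host_strict variant, the sample requests and the placeholder domain admin.example.com are my assumptions, added to illustrate the first issue in the notes: with the original logic a request that carries no Host header is never checked.

```perl
use strict;
use warnings;

# Same parsing as miniserv.pl: "[v6-literal]:port", "host:port" or a
# bare host, then an exact compare against musthost. Returns a status
# code and message. A request with no Host header is not checked at all.
sub check_host {
    my ($header, $musthost) = @_;
    return (200, "OK") unless defined $header->{'host'};
    my ($host, $port);
    if ($header->{'host'} =~ /^\[(.+)\]:([0-9]+)$/) {
        ($host, $port) = ($1, $2);
    }
    elsif ($header->{'host'} =~ /^([^:]+):([0-9]+)$/) {
        ($host, $port) = ($1, $2);
    }
    else {
        $host = $header->{'host'};
    }
    if ($musthost && $host ne $musthost) {
        return (400, "Invalid HTTP hostname");
    }
    return (200, "OK");
}

# Stricter variant (my addition, not webmin code): when musthost is set,
# a request without any Host header is rejected as well.
sub check_host_strict {
    my ($header, $musthost) = @_;
    if ($musthost && !defined $header->{'host'}) {
        return (400, "Missing HTTP hostname");
    }
    return check_host($header, $musthost);
}

# Constructed sample requests; admin.example.com is a placeholder domain.
my $musthost = 'admin.example.com';
my @requests = (
    { 'host' => 'admin.example.com:10000' },     # allowed name with port
    { 'host' => 'admin.example.com' },           # allowed name, no port
    { 'host' => '[2001:db8::1]:10000' },         # IPv6 literal
    { 'host' => 'customer-site.example:10000' }, # another hosted domain
    {},                                          # no Host header at all
);
for my $req (@requests) {
    my $label = defined $req->{'host'} ? "Host: $req->{'host'}" : "(no Host header)";
    my ($code)  = check_host($req, $musthost);
    my ($scode) = check_host_strict($req, $musthost);
    printf "%-42s musthost only: %d   strict: %d\n", $label, $code, $scode;
}
```

Run it with perl and compare the two columns: the allowed name passes in both, the hosted domain and the IPv6 literal get 400 in both, and only the request with no Host header differs (200 with the original logic, 400 with the strict variant).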
  • I've accepted this as the answer since it is mostly right (the parameter in the config was 'musthost'). I also had to modify /usr/share/webmin/miniserv.pl in order to prevent the script from displaying the correct access URL (I modified the 200 response to be a 500 Internal server error with a generic error message). – PottyBert Oct 15 '14 at 19:53
  • @PottyBert Could you post the patch of modified `miniserv.pl`? You can post as your own answer or edit my answer. – masegaloeh Oct 15 '14 at 22:23
  • 1
    I've added my changes as a pull request to the webmin repo: https://github.com/webmin/webmin/pull/175 – PottyBert Oct 23 '14 at 23:58