Webmin is a web-based system configuration interface tool for Unix-based systems. This interface allows us, as the system administrators of Unix/Linux servers, to administer some of our Linux system’s functionalities through a web browser, without having to do it through Unix command prompt.
There are lots of system administration tasks we can do via Webmin interface, such as setting up Apache web server, BIND DNS server, Sendmail / Procmail / Postfix mail server, creating Unix user accounts, setting up automated tasks through cron jobs, etc. On this article, we will cover how to set up SSL tunnels using Webmin.
Also read : How to install Webmin.
What is SSL?
Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS) but frequently still referred to as SSL, is a protocol for encrypting data over TCP/IP network. The protocol allows clients and servers to authenticate themselves to each other, using SSL certificates which are normally issued by a reputable certificate authority (CA). The encryption prevents the data to be intercepted / captured and read by anyone to has the ability to “sniff” the traffic in between.
Most applications have built-in SSL capabilities, such as web servers (HTTPS) and newer mail servers (e.g. IMAP, POP3), however some older mail servers do not support built-in SSL encryption by default.
What is Stunnel?
Stunnel is actually a proxy process which is designed to add SSL/TLS encryption functionality to existing clients and servers without any changes in the program’s code. This allows system administrators to establish SSL connections to applications which do not have SSL support by default. It converts an un-encrypted connection into an SSL-encrypted one, and normally set up to be run from a super-server or service dispatcher process/daemon such as inetd or xinetd.
Webmin has an SSL Tunnels module, which allows us to set up super-server services which run STunnel to start some applications. The module will automatically detect if you have super-server inetd and/or xinetd installed, read the configuration and set up the SSL tunnels for the applications / services managed by inetd and/or xinetd.
This article contains the step-by-step instructions on how we can enable and configure the SSL Tunnels module on Webmin. We will need a physical server or a virtual machine with Webmin already installed. Below instructions are based on a virtual machine running Ubuntu 16.04 LTS (64-bit) operating system and Webmin 1.801 (latest version of WebMin at the time of writing this article) hosted in SimplerCloud.
Let’s log in to our Webmin control panel interface, which is normally located at this URL:
The IP-ADDRESS should be the IP address of your server where Webmin is installed.
Click on “Login” to go to the Webmin control panel’s main interface.
If Stunnel is not yet installed on our server, we will need to install the Stunnel package first, before we can configure the SSL Tunnels module. We can install Stunnel using the “Software Package” module on Webmin. From Webmin control panel’s main interface, navigate to System > Software Packages.
Under “Software Package”, search for the Stunnel package on the repository depending on the operating system you use (e.g. RPM for CentOS/Red Hat Enterprise Linux or APT/DPKG for Ubuntu/Debian). Since we are using Ubuntu 16.04 for our testing environment, under the “Install a New Package” section, select “Package from APT” and click on the “Search APT ..” button.
Find packages matching stunnel, and click Enter.
A list of packages which is close to the search keyword will be shown. What we need is the “stunnel4” package as shown on below screenshot. Click the package to select it.
The screen will then go back to the previous section, with the “stunnel4” pre-filled under the “Package from APT” section. Click on the “Install” button.
The stunnel4 package will then be installed. You will be able to see the status of the installation on the Webmin control panel screen. You will be notified with the installation is completed.
In addition to STunnel, we also need to install xinetd because the SSL Tunnels module will run under xinetd. To install xinetd, go to Webmin control panel > System > Software Packages and search for the xinetd package.
Click “Install” to install the xinetd package.
Wait until the installation is completed.
Configuring the SSL Tunnels Module
Once we have installed Stunnel and xinetd packages on the server, we can then proceed to configure the SSL Tunnels module. If this is the first time you configure the module, from Webmin control panel’s main interface, navigate to Un-used Modules > SSL Tunnels.
When you first accessing the module in an Ubuntu environment, you will see an error message saying that the STunnel command (/usr/sbin/stunnel) was not found on the system.
This is because in Ubuntu environment, the Stunnel binary file is located on /usr/bin/stunnel instead of /usr/sbin/stunnel. So we have to configure the module to look for the binary file on the correct folder. Click on the “Module Config” link.
Under the “Path to stunnel executable” option, change the location from /usr/sbin/stunnel to /usr/bin/stunnel. Click the “Save” button.
If you see message similar to “No SSL tunnels are currently setup to run from inetd or xinetd.“, that means the SSL Tunnels module has been configured properly.
Note that once you have configured the SSL Tunnels module, after you logout and re-login, or after you click the “Refresh Modules” option, the SSL Tunnels module will be shown under “Networking” section and no longer under “Un-used Modules”.
Creating An SSL Tunnel
For us to protect certain services with SSL encryption, we need to create an SSL tunnel for each of the services. There are two different ways on how we can create the tunnel, one way is to run a server process like inetd does, and another way is to setup the tunnel to run on a different port to connect to the actual service running on the original port in non-SSL mode. Let’s try the second method, which is simpler.
On this example, we want to create SSL tunnel for an existing POP3 service, which traditionally runs on a non-SSL port of 110. We are running Dovecot to run POP3 service on this environment, and although Dovecot itself now support SSL for POP3 protocol, we are not going to use the feature and we are running Dovecot only on the traditional non-SSL port of 110.
Firstly, let’s decide on the SSL port we want to use for this. There is a standard port 995 for encyrpted POP3, so we will use that. Note that the new SSL port we are going to set up (e.g. port 995) should be available and not being used by other services on the server.
Original non-SSL port: 110
New SSL port: 995
To create the SSL tunnel, go to the SSL Tunnels module from Webmin control panel’s main interface: Networking > SSL Tunnels, and then click “Add new SSL tunnel”.
Under the “Create SSL Tunnel” option, put a descriptive name for the SSL tunnel under “Service name”, e.g. ssl-pop3, and put the intended port number to be used for the SSL tunnel (e.g. 995). Under “Tunnel destination options”, select “Connect to remote host” and under “Remote hostname”, put localhost, which is the server itself. Note that the SSL tunnel can also be created and setup to connect to a remote server instead of localhost. Under “Remote port”, put the original port number of the service (e.g. 110 for POP3). Click on “Create”.
You will see the newly created SSL tunnel on the list. Click on “Apply Changes” to apply the changes.
That’s it, the SSL tunnel for the POP3 service (originally on port 110) is now created and running on port 995. To verify that the connection to the SSL tunnel can be established, login to the server via SSH and from the shell prompt, use below command to test:
openssl s_client -connect localhost:995
We can see that the SSL tunnel is established and we can connect to the existing Dovecot POP3 service through the SSL tunnel. Enjoy!
Disclaimer : This is another great guest post article by Indra Pramana from SimplerCloud.com, a cloud servers provider from Singapore with solutions built from the ground up to provide truly real-time, scalable and easily managed cloud infrastructure for start-ups, developers and business throughout Asia.