Application Infrastructure Azure

Webmin on Ubuntu 24.04 on Azure User Guide

| Product: Webmin on Ubuntu 24.04 LTS on Azure

Overview

Webmin is a long standing, widely used, open source web based system administration panel for Linux. From a single browser session you can manage users and groups, installed packages, systemd services, cron jobs, the firewall, Apache or nginx, BIND, MySQL/MariaDB, disks and filesystems, and dozens of other aspects of the server, without needing to remember the underlying command line syntax for each. The cloudimg image installs Webmin from the official .deb package and runs it with its own built in web server (miniserv), serving the admin console directly over HTTPS on port 10000 - Webmin's own login is the only gate in front of it. Port 80 is fronted by a minimal nginx instance that serves an unauthenticated health endpoint and redirects everything else to the HTTPS console on port 10000. A unique administrator password is generated on the first boot of every VM, and the self signed TLS certificate is regenerated per VM. Backed by 24/7 cloudimg support.

Webmin has full administrative control of the operating system it runs on. It can create and delete users, install and remove packages, edit the firewall, and read and write almost any file on the server. Treat the admin credentials as root equivalent, and read the security notes in Maintenance before exposing this VM beyond your own management network.

What is included:

  • Webmin 2.651 installed from the official .deb package, running as the webmin systemd service
  • Webmin's own HTTPS console and session login directly on port 10000 (self signed certificate, regenerated per VM on first boot)
  • Port 80 served by nginx: an unauthenticated /healthz endpoint, and a redirect to the HTTPS console for everything else
  • A unique administrator password generated on first boot, recorded in a root only file (username admin)
  • A dedicated Azure data disk at /var/webmin holding Webmin's session cache and action logs
  • webmin.service + nginx.service as systemd units, enabled and active
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point for administering a handful of servers from this panel; Webmin itself is lightweight. NSG inbound: allow 22/tcp from your management network only, 80/tcp for the health probe, and restrict 10000/tcp (the Webmin admin console) to trusted source IP ranges - do not leave it open to the whole internet, since Webmin has full control of the box. Port 443/tcp is reserved if you later choose to front the console with your own reverse proxy and a trusted certificate (see Maintenance); the appliance does not listen on it by default.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Webmin by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80), then add a custom rule for TCP 10000 restricted to your own IP range. Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name webmin \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name webmin --port 80 --priority 1010
az vm open-port --resource-group <your-rg> --name webmin --port 10000 --priority 1020

Restrict the port 10000 NSG rule to your own management IP range rather than leaving it open to *.

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active webmin.service nginx.service

Both report active:

active
active

Webmin runs its own web server (miniserv) bound to all interfaces on port 10000; nginx separately fronts port 80 with a health endpoint and a redirect. The two are independent - Webmin's console is not proxied through nginx.

webmin.service and nginx.service both active, and Webmin listening on port 10000

Step 5 - Retrieve your admin password

The Webmin administrator password is generated uniquely on the first boot of your VM and written to a root only file:

sudo cat /root/webmin-credentials.txt
WEBMIN_URL=https://<vm-ip>:10000/
WEBMIN_USERNAME=admin
WEBMIN_PASSWORD=<unique-per-vm-password>

Store the password somewhere safe - it grants full administrative control of the server. The file is mode 0600 and owned by root, so only an administrator can read it. No default or known password ever ships in the image; Webmin has no way to log in until this file exists.

The root only 0600 credentials file containing the unique per-VM Webmin admin password

Step 6 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint on port 80 for load balancers and probes:

curl -s http://localhost/healthz

Returns ok. A plain request to port 80 for anything else returns HTTP 301 and redirects to the HTTPS console on port 10000:

curl -s -D - -o /dev/null http://localhost/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0 (Ubuntu)
Location: https://<vm-host>:10000/

The /healthz endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe. Webmin's own console on port 10000 returns HTTP 200 for its login page.

The nginx /healthz endpoint returning ok, and the port 80 redirect to the HTTPS console on port 10000

Step 7 - Verify authentication from the command line

Webmin's login is a form post to /session_login.cgi over the TLS console port that establishes a session cookie. The check below authenticates with the correct per-VM password and receives a redirect with a fresh session cookie, while a wrong password stays on the login page. Because the command embeds your unique password, run it interactively rather than from a script - substitute the value of WEBMIN_PASSWORD from Step 5 for <WEBMIN_PASSWORD>:

login() {
  jar=$(mktemp)
  curl -sk -o /dev/null -c "$jar" https://127.0.0.1:10000/session_login.cgi
  status=$(curl -sk -o /dev/null -b "$jar" -c "$jar" -w '%{http_code}' \
    --data-urlencode action=login --data-urlencode user=admin \
    --data-urlencode "pass=$1" --data-urlencode page=/ \
    https://127.0.0.1:10000/session_login.cgi)
  rm -f "$jar"
  [ "$status" = 302 ] && echo "authenticated (302 + session cookie)" || echo "rejected ($status)"
}
login '<WEBMIN_PASSWORD>'

The correct per-VM password prints authenticated (302 + session cookie); a wrong or blank password prints rejected (200) - Webmin re-displays the login form rather than granting a session.

The admin authentication round trip: the correct per-VM password returns 302 with a fresh session cookie, and a wrong password is rejected

Step 8 - Sign in to the console

Browse to https://<vm-public-ip>:10000/. The appliance uses a self signed certificate that is unique to your VM, so accept the browser warning (or, for production, put a trusted certificate in front - see Maintenance). Webmin shows its login page; enter the username admin and the password from Step 5.

The Webmin login page in the browser

Step 9 - The system dashboard

After signing in you land on the Webmin dashboard, showing the server's operating system, uptime, CPU and memory load, disk usage and a search box for every module you have access to.

The Webmin system dashboard after signing in as admin

Step 10 - Manage users and groups

Open System -> Users and Groups to create, edit or remove Unix user and group accounts directly from the browser, including home directories, shells and group membership.

The Webmin Users and Groups module listing the system accounts

Step 11 - Manage running services

Open System -> Bootup and Shutdown (or System -> Running Processes) to see and control every systemd service and process on the box - start, stop, enable or disable services without an SSH session.

The Webmin Bootup and Shutdown / Running Processes view listing systemd services

Step 12 - Confirm data lives on the dedicated disk

Webmin's session cache and action logs are stored under /var/webmin on a dedicated Azure data disk, so they survive OS changes and can be resized independently of the OS disk:

findmnt /var/webmin
TARGET      SOURCE   FSTYPE OPTIONS
/var/webmin /dev/sdc ext4   rw,relatime

Webmin's configuration (/etc/webmin) lives on the OS disk; its identity state - the admin password hash and the TLS certificate - is reset to a locked placeholder on every image build and regenerated fresh on every VM's first boot.

Maintenance

  • This is a privileged appliance. Webmin can manage users, packages, the firewall and almost any file on this server. Restrict port 10000 in the NSG to trusted source IP ranges - never leave it open to the whole internet - and treat the admin password as root equivalent.
  • TLS and your own domain: the appliance ships a per-VM self signed certificate on port 10000, which will always show a browser warning. For production, either replace /etc/webmin/miniserv.pem with your own certificate and key and restart webmin.service, or put a trusted reverse proxy of your own in front (port 443 is reserved in the NSG for this).
  • Password: the admin password is set on first boot. To change it from the command line, use /usr/share/webmin/changepass.pl /etc/webmin admin '<new-password>'; from the console, use Webmin -> Change Language and Theme or the Webmin Users module.
  • Modules: the admin account is granted every installed Webmin module. Use the Webmin Users module (under Webmin) to create additional, more restricted accounts for other administrators.
  • Storage: Webmin's session cache and logs live under /var/webmin on the dedicated data disk; its configuration lives under /etc/webmin on the OS disk.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically. Webmin itself can be upgraded from within the console (Webmin -> Webmin Configuration -> Software Package Updates) or via apt.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.