Webmin jumpstart – initial setup of the web server
Currently I’m also working with Webmin again after a long time – which could be a free alternative to Plesk. Of course some important steps have to be taken after the installation. I would like to show these here in a nutshell:
Activate the firewall
First you have to install iptables, because the firewall cannot work without it:
apt-get install -y iptables
Afterwards you can reset the firewall via Module->Linux-Firewall. In the following step you select “Block all except SSH, IDENT, ping and high ports on interface”. The reset takes care of some default rules.
Attention: DROP leads to an error message with this configuration, so the correct selection for DROP is “Do nothing”.
Fail2Ban
Next we take care of Fail2Ban which we also have to install first. This can also be done comfortably directly via Webmin.
Then we activate the appropriate jails (especially sshd and auth) under “Filter Action Jails”.
PHP configuration
Afterwards we adjust the settings for PHP under Tools->PHP-Configuration->Manager->Resource Limits.
If necessary, this can also be done via SSH with an editor such as nano. The file should be located at /etc/php/7.4/fpm/php.ini. Afterwards the Apache2 and php-fpm services must be restarted.
MariaDB configuration
Usually a MySQL database is needed for almost every application, so the creation of such a database under Webmin is also an important point.
Under Servers->MySQL Database we can adjust the settings of our MariaDB and also create new users and databases. For the latter we first create a new database user WITHOUT RIGHTS under User Permissions. Then we create a new database under the previous main menu. Only after that we give the user the permissions for the newly created database under “Database Permissions”.
There are also many other settings that can be made here. However, the explanations would be too extensive here, and databases are a very separate topic. I will gladly optimize your MariaDB database for a reasonable hourly rate.
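To confirm that the user created above really has rights only on its own database, the output of SHOW GRANTS can be checked. This is an added example, not part of the original post; the names shop and shopdb are hypothetical, and the line format assumed is the one MariaDB prints for SHOW GRANTS.

```shell
#!/bin/sh
# Added example: verify that an application user has no rights outside its
# own database. Feed it the output of SHOW GRANTS, one grant per line:
#   mysql -N -e "SHOW GRANTS FOR 'shop'@'localhost'" | check_grants shopdb
# Prints every grant that is broader than expected; returns 1 if any exists.
check_grants() {
    db=$1
    rc=0
    while IFS= read -r line; do
        case $line in
            # USAGE on *.* means "may log in, no privileges": expected.
            "GRANT USAGE ON *.* TO "*) ;;
            # Any other grant on *.* is a global privilege.
            "GRANT "*" ON *.* TO "*) echo "global: $line"; rc=1 ;;
            # Grants scoped to the application database (or its tables).
            "GRANT "*" ON \`$db\`."*) ;;
            # Grants on some other database.
            "GRANT "*) echo "other-scope: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: what a correctly scoped user looks like.
sample_grants() {
    printf '%s\n' \
        'GRANT USAGE ON *.* TO `shop`@`localhost` IDENTIFIED BY PASSWORD "*CONSTRUCTED"' \
        'GRANT ALL PRIVILEGES ON `shopdb`.* TO `shop`@`localhost`'
}
```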
Create domains / vHost
Of course, the corresponding domain must be accessible via the Apache web server. For this purpose we have to create a corresponding new vHost under Servers->Apache. As “Document Root” (directory of files for the internet) you can choose a new path or simply choose the existing root directory /var/www/html.
You should create a vHost for port 80 (http) and one on port 443 (https) separately.
After that you can simply upload your files to the server using the upload tool or otherwise. If you upload as root, you should of course change the owner of the files later. This is possible e.g. as follows:
apt-get install sudo
sudo chown -R www-data:www-data /var/www/html
sudo chmod -R g+rwX /var/www/html
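After changing owner and mode it is worth checking the result. The following is an added example, not part of the original post; the function name audit_docroot is hypothetical, and www-data is assumed as the web server user, as in the commands above.

```shell
#!/bin/sh
# Added example: audit a document root after the chown/chmod step.
# Usage: audit_docroot DIR [OWNER]    OWNER is a user name or numeric uid.
# Prints one finding per line and nothing at all for a clean tree.
audit_docroot() {
    dir=$1
    owner=${2:-www-data}
    # Entries still owned by another account, e.g. root after an upload as root.
    find "$dir" ! -user "$owner" | sed 's/^/wrong-owner /'
    # World-writable entries: any local account could change site content.
    find "$dir" ! -type l -perm -0002 | sed 's/^/world-writable /'
    # Set-uid or set-gid regular files do not belong in a web root.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/setid /'
}

# Run directly as: sh audit_docroot.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```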
Tip: Under the Tools tab there is an upload/download tool and also a file manager with which individual files can be edited.
SSL
Of course we now have to get an SSL certificate for our new host. This can be done under Webmin->Webmin-Configuration->SSL-Encryption->Lets Encrypt. As the directory, enter the “Document Root”, in our example “/var/www/html”.
Then open the corresponding vHost (Port 443) under Servers->Apache and select the SSL tab. Here you activate SSL and upload the appropriate certificate files. If this is not done you will get the error “ssl_error_rx_record_too_long” later.
If your domain is also the hostname, the files should have these paths:
/etc/webmin/letsencrypt-cert.pem
/etc/webmin/letsencrypt-key.pem
/etc/webmin/letsencrypt-ca.pem
After that you have to restart the Apache2 service under System->Bootup and Shutdown.
Install important modules
In most cases your web server will need some important modules. You can install them as follows:
apt-get install -y php-curl
apt-get install -y php-dom
apt-get install -y php-mbstring
apt-get install -y php-imagick
apt-get install -y php-zip
apt-get install -y php-gd
apt-get install -y php-opcache
wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
dpkg -i mod-pagespeed-stable_current_amd64.deb
systemctl restart apache2
If you want, you can also activate the admin console of mod_pagespeed. For this you have to edit the corresponding file:
nano /etc/apache2/mods-available/pagespeed.conf
and add the following content (fixed IP address):
<Location /pagespeed_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
Allow from 123.123.123.123
SetHandler pagespeed_admin
</Location>
<Location /pagespeed_global_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
Allow from 123.123.123.123
SetHandler pagespeed_global_admin
</Location>
After that Apache has to be restarted again:
systemctl restart apache2
After that, the pagespeed admin is available at example.com/pagespeed_admin.
In the Apache web server, the corresponding vHost should also be adjusted with “Edit Directives” to avoid 404/403 errors when using mod_rewrite (e.g. with WordPress):
<Directory "/var/www/html">
# Indexes lists the directory contents when no index file is present
Options Indexes FollowSymLinks
# AllowOverride All lets .htaccess rewrite rules take effect
AllowOverride All
allow from all
# Options None
Require all granted
DirectoryIndex index.php
</Directory>
Webmin Hardening
Under Webmin->Webmin Configuration->IP Access Control you should additionally switch the access control to “only allow from listed addresses” and enter the following addresses. Of course this requires a fixed IP address.
localhost
127.0.0.1
IP_OF_THE_HOST
YOUR_IP
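Whether the restriction is actually in place can be checked from the shell. This is an added example, not part of the original post; it assumes that Webmin stores the list as a space-separated allow= line in /etc/webmin/miniserv.conf, and the function name webmin_acl_status is hypothetical.

```shell
#!/bin/sh
# Added example: report whether Webmin's IP access control is restricted.
# Assumption: the list lives in miniserv.conf as "allow=addr1 addr2 ...".
# Usage: webmin_acl_status [FILE]
# Returns 0 only when an allow list exists and contains no catch-all entry.
webmin_acl_status() {
    conf=${1:-/etc/webmin/miniserv.conf}
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 2
    fi
    # If the key is repeated, look at the last occurrence (assumption).
    allow=$(sed -n 's/^allow=//p' "$conf" | tail -n 1)
    if [ -z "$allow" ]; then
        # No allow list: the login page answers to every source address.
        echo "open"
        return 1
    fi
    # A catch-all entry makes the allow list meaningless.
    case " $allow " in
        *" 0.0.0.0/0 "*|*" 0.0.0.0/0.0.0.0 "*|*" ::/0 "*)
            echo "too-broad $allow"
            return 1 ;;
    esac
    echo "restricted $allow"
}

# Run directly as: sh webmin_acl.sh /etc/webmin/miniserv.conf
if [ "$#" -gt 0 ]; then
    webmin_acl_status "$1"
fi
```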
Note: Webmin has only one www-user and therefore seems to me by default not suitable or safe for multiple/different users/customers on one host system. However, for a single customer on one system it is an interesting alternative.