Recently, I needed to integrate Cloudflare with a client’s Webmin/Virtualmin server. While the DNS migration seemed straightforward, the integration revealed several challenges with SSL certificates, port access, and subdomain redirects. After working through each issue, here’s the complete solution.
Prerequisites
Before starting, you’ll need:
- Working Webmin/Virtualmin server with SSL certificates
- Domain currently managed through your registrar
- Cloudflare account (free tier works)
- Root access to your server
Exporting DNS from Webmin
First, export your DNS configuration in BIND format. In Webmin, navigate to your domain’s DNS settings and click Manually Edit Records at the bottom. This shows your zone file in BIND format – copy everything to a text file.
When adding your domain to Cloudflare, if it doesn’t automatically scan all records, it’ll ask for a BIND format file. Upload the text file you just created. This ensures all your DNS records transfer correctly.
Configuring DNS in Cloudflare
After importing, verify your DNS configuration matches this structure:
# Main domain and www (Proxy these)
A @ YOUR.SERVER.IP Proxied
A www YOUR.SERVER.IP Proxied
# Mail and FTP (Never proxy these)
A mail YOUR.SERVER.IP DNS only
A ftp YOUR.SERVER.IP DNS only
# Admin subdomains (Proxy these)
A admin YOUR.SERVER.IP Proxied
A webmail YOUR.SERVER.IP Proxied
# MX Records (Always DNS only)
MX @ mail.yourdomain.com (priority: 5)
# Keep all TXT records for SPF, DMARC, DKIM
Important: Delete any wildcard CNAME record (*.yourdomain.com) if present. It conflicts with specific A records.
Update your nameservers at your domain registrar to Cloudflare’s nameservers. DNS propagation takes 15 minutes to 48 hours.
SSL Configuration
After switching to Cloudflare, you’ll encounter ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Fix this immediately:
- Go to SSL/TLS > Overview in Cloudflare
- Set mode to Full (not Full Strict, not Flexible)
- Check Edge Certificates for your Universal Certificate status
Quick Fix: If the certificate stays “Pending” for more than a few minutes, disable Universal SSL and immediately re-enable it. This triggers activation within seconds.
WordPress Configuration
Add this to your wp-config.php before the “stop editing” comment to prevent redirect loops:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
Handling Webmin and Usermin Ports
Cloudflare only proxies specific ports (80, 443, 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880). Since ports 10000 and 20000 aren’t supported, we need to change them.
First, check your Apache configurations for existing redirects:
grep -r "RewriteRule.*10000" /etc/apache2/sites-available/
grep -r "RewriteRule.*20000" /etc/apache2/sites-available/
Update all domain configurations to use supported ports:
# Update your main domain first
sed -i 's/:10000/:2083/g' /etc/apache2/sites-available/yourdomain.com.conf
sed -i 's/:20000/:2095/g' /etc/apache2/sites-available/yourdomain.com.conf
# Update all domain configs
for conf in /etc/apache2/sites-available/*.conf; do
    sed -i 's/:10000/:2083/g' "$conf"
    sed -i 's/:20000/:2095/g' "$conf"
done
# Reload Apache
systemctl reload apache2
Now update Webmin’s configuration:
# Edit Webmin config
nano /etc/webmin/miniserv.conf
# Change these lines:
port=2083
listen=2083
# Restart Webmin
systemctl restart webmin
For Usermin:
# Edit Usermin config
nano /etc/usermin/miniserv.conf
# Change these lines:
port=2095
listen=2095
# Restart Usermin
systemctl restart usermin
Your admin panel is now accessible at https://yourdomain.com:2083 and webmail at https://yourdomain.com:2095 through Cloudflare’s proxy.
Handling New Domains
When creating new domains in Virtualmin, it automatically adds Apache configs with port 10000 redirects. You have two options:
Option 1: Update each new domain’s Apache config after creation:
sed -i 's/:10000/:2083/g' /etc/apache2/sites-available/newdomain.com.conf
sed -i 's/:20000/:2095/g' /etc/apache2/sites-available/newdomain.com.conf
systemctl reload apache2
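An added check, not part of the original post and not one of the options above: because Virtualmin writes port 10000 redirects into each new domain's config, this script flags any redirect target or miniserv.conf port that is missing from the list of ports Cloudflare proxies. The function names and the sample vhost are constructed for illustration.

```shell
#!/usr/bin/env bash
# Ports Cloudflare proxies, copied from the list in this post.
CF_PORTS="80 443 2052 2053 2082 2083 2086 2087 2095 2096 8080 8443 8880"

is_cf_port() {
    case " $CF_PORTS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Print "file:line:port" for every explicit port in a RewriteRule/Redirect
# target, or in a miniserv.conf port=/listen= line, that is not in CF_PORTS.
audit_ports() {
    local file lineno text port
    for file in "$@"; do
        [ -f "$file" ] || continue
        grep -nE '^[[:space:]]*(RewriteRule|Redirect)[[:space:]]|^(port|listen)=' "$file" |
        while IFS=: read -r lineno text; do
            case $text in
                port=*|listen=*) text=":${text#*=}" ;;
            esac
            for port in $(printf '%s\n' "$text" | grep -oE ':[0-9]{2,5}' | tr -d ':'); do
                is_cf_port "$port" || printf '%s:%s:%s\n' "$file" "$lineno" "$port"
            done
        done
    done
}

# Constructed sample: a vhost of the kind Virtualmin adds for a new domain,
# plus a miniserv.conf where only one of the two lines was updated.
demo() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/newdomain.com.conf" <<'EOF'
<VirtualHost YOUR.SERVER.IP:443>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =admin.newdomain.com
    RewriteRule ^(.*) https://newdomain.com:10000/ [R=302]
    RewriteCond %{HTTP_HOST} =webmail.newdomain.com
    RewriteRule ^(.*) https://newdomain.com:2095/ [R=302]
</VirtualHost>
EOF
    printf 'port=10000\nlisten=2083\n' > "$dir/miniserv.conf"
    audit_ports "$dir"/*.conf
    rm -rf "$dir"
}
demo
```

On the server, run audit_ports against /etc/apache2/sites-available/*.conf, /etc/webmin/miniserv.conf and /etc/usermin/miniserv.conf after creating a domain; empty output means every redirect and panel port is one Cloudflare proxies.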
Verification
Check DNS propagation:
nslookup yourdomain.com
dig yourdomain.com
If you see Cloudflare IPs (like 188.114.96.x or 104.21.x.x), propagation is complete.
Test these access points:
- Main website (should show HTTPS with Cloudflare certificate)
- WordPress admin (should work without redirect loops)
- Webmin at https://yourdomain.com:2083
- Usermin/Webmail at https://yourdomain.com:2095
Important Notes
Keep mail-related records on “DNS only” mode – never proxy email traffic. Your Let’s Encrypt certificates will continue working normally with “Full” SSL mode. Cloudflare acts as a proxy and doesn’t interfere with certificate renewal.
This setup provides DDoS protection and CDN benefits while maintaining full Webmin functionality. The port changes work cleanly around Cloudflare’s limitations, keeping admin panels accessible through the proxied connection.