Description:
Virtualmin does not enable Apache's mod_headers module during installation or when creating virtual servers. This causes silent failures in several common configurations that Virtualmin itself sets up or recommends.
Specific failure cases:
1. Reverse proxy webmail (RequestHeader directives fail silently). When using a reverse proxy configuration for webmail (see related issue), the generated VirtualHost includes:
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Host "webmail.example.com"
These directives require mod_headers. Without it, Apache either fails to start or silently drops the headers, breaking the proxy context entirely with no obvious error message to the administrator.
2. Security headers. Any security hardening applied via VirtualHost config or .htaccess using Header set directives (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security) fails silently if mod_headers is not loaded. Virtualmin gives no warning that these directives will be ignored.
3. CORS headers. Any application relying on Header set Access-Control-Allow-Origin will silently fail for the same reason.
Expected behavior: mod_headers should be enabled during Virtualmin installation alongside other foundational modules such as mod_rewrite and mod_ssl. It is a core Apache module present on all supported platforms and has no meaningful downside to being enabled by default.
Additional note: Diagnosing this issue is unnecessarily difficult. Running apache2ctl -M on a Virtualmin system produces suexec-related stderr output that obscures the module list, making it non-obvious whether mod_headers is loaded. The correct diagnostic is:
apache2ctl -M 2>/dev/null | grep headers
If headers_module (shared) does not appear, the fix is:
sudo a2enmod headers
sudo systemctl restart apache2
Environment:
- Virtualmin 8.1.0 Professional
- Ubuntu 24.04 LTS
- Apache 2.4.58
Steps to reproduce:
1. Fresh Virtualmin installation on Ubuntu 24.04
2. Create a virtual server with SSL and webmail redirect enabled
3. Add any Header set or RequestHeader set directive to the VirtualHost config
4. Observe that the directive is silently ignored or causes an Apache error depending on configuration context
5. Run apache2ctl -M 2>/dev/null | grep headers and observe headers_module is absent
Suggested fix: Add a2enmod headers to the Virtualmin installer or to the post-installation configuration step alongside mod_rewrite, mod_ssl, and other modules that are already enabled by default.
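
Added example, not part of the original issue or Virtualmin's code: a shell audit that extends the diagnostic above by scanning config files for `Header`/`RequestHeader` directives and reporting, when `headers_module` is not loaded, which ones Apache rejects as an invalid command (outside `<IfModule mod_headers.c>`) and which it skips without any message (inside it). The function names and the sample vhost are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Virtualmin code. Function names are hypothetical.
# True if `apache2ctl -M` output (passed as $1) lists headers_module.
headers_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*headers_module[[:space:]]'
}

# Print "file:line:guarded|unguarded:directive" for every Header/RequestHeader.
# "guarded" = inside <IfModule mod_headers.c>, which Apache skips without error.
scan_header_directives() {
    awk '
        FNR == 1 { top = 0; guards = 0 }             # reset nesting per file
        /^[ \t]*#/ { next }                          # skip comment lines
        { line = tolower($0) }
        line ~ /^[ \t]*<ifmodule[ \t]/ {             # push every IfModule block
            hdr = (line ~ /<ifmodule[ \t]+(mod_headers\.c|headers_module)[ \t]*>/)
            stack[++top] = hdr; guards += hdr; next
        }
        line ~ /^[ \t]*<\/ifmodule>/ { if (top > 0) guards -= stack[top--]; next }
        tolower($1) == "header" || tolower($1) == "requestheader" {
            sub(/^[ \t]+/, "")
            print FILENAME ":" FNR ":" (guards > 0 ? "guarded" : "unguarded") ":" $0
        }
    ' "$@"
}

# Return 1 and explain each directive that cannot take effect; 0 otherwise.
audit_headers() {
    local modules=$1 findings; shift
    findings=$(scan_header_directives "$@")
    if [ -z "$findings" ] || headers_loaded "$modules"; then return 0; fi
    printf '%s\n' "$findings" | while IFS=: read -r file line state directive; do
        case $state in
            guarded)   echo "IGNORED (IfModule block skipped): $file:$line: $directive" ;;
            unguarded) echo "ERROR (Invalid command): $file:$line: $directive" ;;
        esac
    done
    return 1
}

# Constructed sample vhost, written to the path given as $1.
write_sample_vhost() {
    printf '%s\n' '<VirtualHost *:443>' \
        '  RequestHeader set X-Forwarded-Proto "https"' \
        '  <IfModule mod_headers.c>' \
        '    Header set X-Frame-Options "DENY"' \
        '  </IfModule>' '</VirtualHost>' > "$1"
}
# Live use: audit_headers "$(apache2ctl -M 2>/dev/null)" /etc/apache2/sites-enabled/*.conf
```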