Restricting access to Proxmox Web interface with nginx

Falzo Member
edited September 2016 in Tutorials

As we have been talking about Proxmox a lot lately and some people seemed really interested in tutorials on this, I'll give it a try.

I'd like to share my setup for restricting/securing access to the web interface by putting it behind a proxy.
I also make use of an officially signed certificate to get rid of browser warnings, even if I am the only one who uses it ^^

The point is simply not to expose a login form that accepts PAM credentials (i.e. root@pam) on a well-known port directly to the public, where the root password can be brute-forced.

This whole thing is nothing new, and the initial part relies on this blog post: https://www.iezzi.ch/proxmox-ve-restricting-web-ui-access/ so credits go over there.

Yet I ran into some trouble getting the VNC console to work correctly and such things, so I derived my own setup by using a simple GET var as a tag and, for easier memorising, rewriting that to a base path like /admin, which as a side effect results in a 403 Forbidden on the main domain without that path, hiding the web interface even further.

This has been tested and is in use with Debian wheezy and jessie as base system and Proxmox V3 and V4.

now let's get started and first of all, keep your system up to date ;-)

apt-get update && apt-get dist-upgrade

then install nginx (going with nginx-light here, as we only need a few of its modules)

apt-get install nginx-light

generate a certificate; something like StartSSL/WoSign comes in handy (note that both have since been distrusted by the major browsers, so a CA like Let's Encrypt is the usual choice today). Place it somewhere like /etc/ssl/<your.domain.com>.crt (this is optional, but I will be referring to this path later)

now edit nginx config

nano /etc/nginx/nginx.conf

and add this inside the http { } block, before the includes. The map turns a client's "Upgrade: websocket" request into the matching "Connection: upgrade" header towards pveproxy; without it the noVNC console will not work through the proxy:

        # $connection_upgrade is referenced by the vhost to pass websocket upgrades (noVNC) through to pveproxy
        map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
        }

create a file named .htpasswd in /etc/nginx

nano /etc/nginx/.htpasswd

and fill in some basic auth credentials, one user:hash per line (create the hash with htpasswd from apache2-utils or with openssl passwd -apr1; the old crypt(3) format shown below only uses the first 8 characters of a password), e.g.

username:y9bRy0Futz1hc

now open the default nginx vhost example

nano /etc/nginx/sites-available/default

and replace the whole content with the following (sorry cloudflare won't let me post this directly)

http://pastebin.com/raw/HZmZ2ZZ4

make sure to replace every instance of <your.domain.com> with the domain of yours that points to your server...
If you won't use SSL, you may leave out the redirect and the ssl options and only create a listen 80 block; be aware that both the basic auth credentials and the Proxmox login then travel over the wire in clear text, so that is only acceptable on a trusted network.

restart nginx and point your browser to your domain, using the base path you chose (e.g. /admin).

If this works, it should ask you for HTTP auth first, before letting you log in to Proxmox itself.

you should now disable direct public access to pveproxy itself, so that port 8006 only answers nginx on localhost, by creating a default file

nano /etc/default/pveproxy

with this content

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

and restart the pveproxy service afterwards (service pveproxy restart), otherwise the new rules won't apply ;-)

done. https://yo.ur.i.p:8006 shouldn't work anymore, and access via your domain is now additionally secured with basic auth.

comes with no guarantee at all, please feel free to ask question or point out anything I may have missed or done wrong :-)
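The vhost behind the pastebin link is not reproduced on this page. What follows is an added example of my own, not the author's pastebin file and not shipped by Proxmox or nginx: a minimal vhost that implements what the post describes, i.e. TLS terminated by nginx, HTTP basic auth in front of the whole UI, and the noVNC websocket upgrade passed through to pveproxy on 127.0.0.1:8006 via the $connection_upgrade map added to nginx.conf above. It leaves out the author's GET-var tag and /admin base-path trick and simply gates everything under /. It assumes the certificate and key live at /etc/ssl/<your.domain.com>.crt and /etc/ssl/<your.domain.com>.key, the password file at /etc/nginx/.htpasswd, and pveproxy on its default port 8006.

```nginx
# Added example vhost (not the author's pastebin config). Assumptions:
#   cert/key at /etc/ssl/<your.domain.com>.crt and .key
#   password file at /etc/nginx/.htpasswd
#   the $connection_upgrade map already present in nginx.conf
#   pveproxy listening on 127.0.0.1:8006 (its default port)

# plain HTTP: redirect everything to HTTPS so credentials never travel in clear text
server {
    listen 80;
    server_name <your.domain.com>;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name <your.domain.com>;

    ssl_certificate     /etc/ssl/<your.domain.com>.crt;
    ssl_certificate_key /etc/ssl/<your.domain.com>.key;
    # nginx terminates TLS, so the cipher policy is decided here, not by pveproxy
    ssl_protocols       TLSv1.2;   # add TLSv1.3 on nginx >= 1.13 built against OpenSSL 1.1.1
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # ISO/template uploads pass through the proxy; do not cap the request body
    client_max_body_size 0;

    location / {
        # first gate: basic auth is answered before the Proxmox login form is ever served
        auth_basic           "restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # pveproxy speaks HTTPS with its own self-signed cert; nginx does not
        # verify upstream certs by default, which is fine on localhost
        proxy_pass https://127.0.0.1:8006;

        # HTTP/1.1 plus the Upgrade/Connection headers let the noVNC websocket
        # reach pveproxy; $connection_upgrade comes from the map in nginx.conf
        proxy_http_version 1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      $connection_upgrade;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # console/websocket sessions are long-lived; do not buffer or time them out
        proxy_buffering    off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

With this layout an unauthenticated client only ever sees the basic-auth challenge; the Proxmox login form, and with it the root@pam password prompt, is never served to the public. Check the file with nginx -t before reloading, and keep in mind that once /etc/default/pveproxy restricts 8006 to 127.0.0.1, this vhost is the only way in, so the basic-auth password needs to be as strong as the root password it protects.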

Comments

  • Oh Lord! Could you please finally get a paypal donation button for your signature? To provide you with drinks or whatever? I was looking for exactly that solution and you just saved my time. Again. Thank you!

  • @Amitz said:
    Oh Lord! Could you please finally get a paypal donation button for your signature? To provide you with drinks or whatever? I was looking for exactly that solution and you just saved my time. Again. Thank you!

    Haha, no problem, will send you my paypal mail via PM, just got thirsty again... ;-)

    Thanked by 1: Amitz
  • Neoon Community Contributor, Veteran
    edited September 2016

    Well, I prefer firewalls and nginx blocking IPs instead of htaccess.

    But using that as well: Proxmox uses shitty ciphers by default, so better set up nginx as a reverse proxy.

    Also you can set the ciphers globally in the nginx config.

    Thanked by 1Falzo
  • @Neoon said:
    Also you can set the ciphers globally in the nginx config.

    Personally I don't use nginx for anything else on those host nodes, so it might not matter much where to place it...

    but I have to agree, there probably is room for improvement. on other things too ;-)

  • I just use the firewall in Proxmox (or an external firewall) to block anything coming in from the internet apart from maybe a couple of trusted IPs

  • BrianHarrison Member, Patron Provider

    Great tutorial -- always nice to have alternative options for securing the web portal.

  • Nice! :)
    To give something to all the caddy lovers around here, I tried to adapt it.
    But still got some weird problem with the proxied websocket connection... :/

  • Neoon Community Contributor, Veteran
    edited September 2016

    @Bochi Well, I am using that config, works well: https://wiki.x8e.net/doku.php?id=proxmox_nginx

  • bashlyk Member
    edited September 2016

    I use the firewall built into Proxmox and restrict access to only my IPs. Works great. Also enable two-factor authentication for additional security.

  • Bochi said: To give something to all the caddy lovers around here, I tried to adapt it.

    But still got some weird problem with the proxied websocket connection... :/

    sounds like a good idea, I can't be much of a help though, because I haven't looked into caddy much for now. while it's very interesting I simply haven't found the time and need yet ;-)

    bashlyk said: I use built into Proxmox firewall and restrict access only to my IP's.

    I am often using different PCs in different offices, which are mostly on DSL connections with changing IPs. I'd need to involve a VPN or something like that in addition (which isn't always possible or preferred at all) to restrict access IP-based.

    bashlyk said: Also enable two factor authentication for additional security.

    yes, that's definitely a good choice too and may become standard for a lot of logins shortly.

  • This is what we need on LEB. Not interviews. +1 :)

    Thanked by 3: Falzo, Amitz, K4Y5
  • @doghouch said:
    This is what we need on LEB. Not interviews. +1 :)

    I have to agree - @Falzo: Whenever you feel bored - Write a tutorial for us! :)

  • @Bochi said:
    Nice! :)
    To give something to all the caddy lovers around here, I tried to adapt it.
    But still got some weird problem with the proxied websocket connection... :/

    Oops! I think we might have fixed it in the last couple months. :) Want to try again? Feel free to post an issue if there's still a bug.

  • @Amitz said:

    @doghouch said:
    This is what we need on LEB. Not interviews. +1 :)

    I have to agree - @Falzo: Whenever you feel bored - Write a tutorial for us! :)

    Indeed. I'll certainly look forward to reading some useful blog posts at LEB for a change.

    Good stuff, @Falzo!

  • Bochi Member
    edited September 2016

    @mholt said:

    @Bochi said:
    Nice! :)
    To give something to all the caddy lovers around here, I tried to adapt it.
    But still got some weird problem with the proxied websocket connection... :/

    Oops! I think we might have fixed it in the last couple months. :) Want to try again? Feel free to post an issue if there's still a bug.

    Well, thing is: The control panel works fine with a very minimal config, just as I expected it from caddy.
    The only problem so far arises from the WebSocket connection used by noVNC, when the proxy seems to not come back with a proper 101 (switching protocols) but with a 200 instead. Have to look into this again! :)

    Thanked by 1mholt
  • doghouch Member
    edited September 2016

    @Amitz said:
    Oh Lord! Could you please finally get a paypal donation button for your signature? To provide you with drinks or whatever? I was looking for exactly that solution and you just saved my time. Again. Thank you!

    According to the rules, that'd "make it stand out," which isn't allowed :(

    (if it wasn't, I'd paste a 1000 px by 1000px PayPal and Bitcoin donation button)

    Just realized I bought tip-me.ca... What to do with it
