Restricting access to Proxmox Web interface with nginx
As we have been talking about Proxmox a lot lately and some people seemed really interested in tutorials on it, I'll give it a try.
I'd like to share my setup for restricting/securing access to the web interface by putting it behind a proxy.
I also use an officially signed certificate to get rid of browser warnings, even if I am the only one who uses it ^^
It is simply about not having a login option that accepts PAM credentials on a well-known port directly exposed to the public, where root credentials could be brute-forced that way.
This whole thing is nothing new and the initial part relies on this blog post: https://www.iezzi.ch/proxmox-ve-restricting-web-ui-access/ so credits have to go over there.
Yet I ran into some trouble getting the VNC console to work correctly and similar things, so I derived my own setup: a simple GET variable serves as a tag, and for easier memorizing that is rewritten to a base path like /admin. As a side effect, the main domain without that path returns a 403 Forbidden, hiding the web interface even further.
This has been tested and is in use with Debian wheezy and jessie as the base system and Proxmox VE 3 and 4.
Now let's get started. First of all, keep your system up to date ;-)
apt-get update && apt-get dist-upgrade
Then install nginx (going with nginx-light here, as we only need a few features)
apt-get install nginx-light
Generate a certificate; something like StartSSL/WoSign comes in handy. Place it somewhere like /etc/ssl/<your.domain.com>.crt (this is optional, but I will refer to it later).
Now edit the nginx config
nano /etc/nginx/nginx.conf
and add this inside the http { } block, before the includes (it is needed so that the WebSocket connection of the noVNC console is passed through the proxy):
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
Create a file named .htpasswd in /etc/nginx
nano /etc/nginx/.htpasswd
and fill in some basic auth credentials, one user per line, like
username:y9bRy0Futz1hc
Now open the default nginx vhost example
nano /etc/nginx/sites-available/default
and replace the whole content with the following (sorry, Cloudflare won't let me post this directly):
http://pastebin.com/raw/HZmZ2ZZ4
Make sure to replace every instance of <your.domain.com> with your domain pointing to your server...
If you won't use SSL, you may leave out the redirect and the SSL options and only create a listen 80 block.
Restart nginx and point your browser to
If this works, it should ask you for HTTP auth first before letting you log in to Proxmox itself.
You should now disable direct public access to Proxmox by creating a defaults file
nano /etc/default/pveproxy
with this content (one setting per line, as pveproxy parses the file line by line):
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
and restart the pveproxy service, of course ;-)
Done. https://yo.ur.i.p:8006 shouldn't work anymore, and access via your domain is now additionally secured via basic auth.
Comes with no guarantee at all; please feel free to ask questions or point out anything I may have missed or done wrong :-)
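As an added example that is not the pastebin config from the post (and not the /admin path variant it describes), here is a minimal vhost wiring together the pieces above: TLS with the certificate from /etc/ssl, basic auth from /etc/nginx/.htpasswd, the $connection_upgrade map for the noVNC WebSocket, and proxying to pveproxy on 127.0.0.1:8006. The certificate/key paths are placeholders.

```nginx
# Added example, not the author's config. Assumes the map $http_upgrade $connection_upgrade
# block from the post is present in nginx.conf and that the certificate paths exist.
server {
    listen 80;
    server_name <your.domain.com>;
    return 301 https://$host$request_uri;          # force everything onto TLS
}

server {
    listen 443 ssl;
    server_name <your.domain.com>;

    ssl_certificate     /etc/ssl/<your.domain.com>.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/<your.domain.com>.key;   # placeholder path
    ssl_protocols       TLSv1.2;                           # stricter than pveproxy's defaults
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # First gate: HTTP basic auth, independent of the Proxmox/PAM login behind it
    auth_basic           "restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        # pveproxy still listens on 8006, but /etc/default/pveproxy limits it to 127.0.0.1
        proxy_pass https://127.0.0.1:8006;
        proxy_redirect off;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # noVNC/SPICE console: pass the WebSocket upgrade through, otherwise the
        # browser gets a plain 200 instead of the expected 101 Switching Protocols
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;                          # keep long console sessions alive
        proxy_buffering    off;
    }
}
```

A quick check after restarting nginx: the domain should answer 401 without credentials, and https://yo.ur.i.p:8006 should no longer respond from the outside.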
Comments
Oh Lord! Could you please finally get a paypal donation button for your signature? To provide you with drinks or whatever? I was looking for exactly that solution and you just saved my time. Again. Thank you!
Haha, no problem, will send you my paypal mail via PM, just got thirsty again... ;-)
Well, I prefer firewalls and nginx which block IPs instead of htaccess.
But using that also, Proxmox uses shitty ciphers by default, so better set up nginx as a reverse proxy.
Also you can set the ciphers globally in the nginx config.
Personally I don't use nginx for anything else on those host nodes, so it might not matter much where to place it...
But I have to agree, there probably is room for improvement. On other things too ;-)
I just use the firewall in Proxmox (or an external firewall) to block anything coming in from the internet apart from maybe a couple of trusted IPs.
Great tutorial -- always nice to have alternative options for securing the web portal.
Nice!
To give something to all the Caddy lovers around here, I tried to adapt it.
But still got some weird problem with the proxied websocket connection...
@Bochi Well, I am using that config, works well: https://wiki.x8e.net/doku.php?id=proxmox_nginx
I use the firewall built into Proxmox and restrict access only to my IPs. Works great. Also enable two-factor authentication for additional security.
> But still got some weird problem with the proxied websocket connection...
Sounds like a good idea; I can't be much help though, because I haven't looked into Caddy much so far. While it's very interesting, I simply haven't found the time and need yet ;-)
I am often using different PCs in different offices, which are mostly on DSL connections with changing IPs. I'd need to involve a VPN or something like that in addition (which isn't always possible or preferred at all) to restrict by IP.
Yes, that's definitely a good choice too and may become standard for a lot of logins shortly.
This is what we need on LEB. Not interviews. +1
I have to agree - @Falzo: Whenever you feel bored - Write a tutorial for us!
Oops! I think we might have fixed it in the last couple months. Want to try again? Feel free to post an issue if there's still a bug.
Indeed. I'll certainly look forward to reading some useful blog posts at LEB for a change.
Good stuff, @Falzo!
Well, thing is: the control panel works fine with a very minimal config, just as I expected from Caddy.
The only problem so far arises from the WebSocket connection used by noVNC, when the proxy seems to not come back with a proper 101 (switching protocols) but with a 200 instead. Have to look into this again!
According to the rules, that'd "make it stand out," which isn't allowed
(if it wasn't, I'd paste a 1000 px by 1000px PayPal and Bitcoin donation button)
Just realized I bought tip-me.ca... What to do with it