Proxmox VE: Restricting Web UI access

With the release of Proxmox VE 3.0 back in May 2013, the Proxmox VE web interface does no longer require Apache. Instead, they’re using now a new event driven API server called pveproxy. That was actually a great step ahead, as we all know Apache get’s bulkier every day and the new pveproxy is a much more lightweight solution. But the question arose:

How do I protect my Proxmox VE WebUI with basic user authentication?

 

Basically, we do not trust any web application out there so we better double protect the whole WebUI with plain old basic auth – previously done in Apache by .htaccess.

The main idea:

  • Restrict access to the pveproxy (= Web UI) to localhost
  • Install a local Nginx web proxy server that forwards requests from port 443 to pveproxy’s port 8006 and restrict access to it using HTTP BASIC AUTH

Restrict access to pveproxy

Create a new file /etc/default/pveproxy with the following content:

Restart pveproxy for the changes to take effect:

Nginx web proxy server

Install nginx-light (the lightweight package of Nginx is sufficient):

The following packages will be installed: nginx-common nginx-light

Now, copy over your signed SSL certificate to /etc/nginx/conf.d, in case you already have one. You might as well create a self-signed SSL certificate and SSL certificate key, e.g. (validity of 10 years!):

Create /etc/nginx/sites-available/pveproxy:

Disable the default site and enable pveproxy:

For details, check NGINX HttpSslModule. Note that the certificates could also be placed in another directory (adjust /etc/nginx/nginx.conf accordingly).

Create the htpasswd file in /etc/nginx/htpasswd
I’d recommend to simply create it on another host where you have Apache installed. But in case you have no such tools at hand, check the FAQ: How do I generate an .htpasswd file without having Apache tools installed?

Restart NGINX:

Done! You may now access the Proxmox VE Web UI directly via https://…  – no separate port required as we are using the standard SSL port 443 for our NGINX proxy.

Credits to: Printscreen GmbH, Daniel Mettler – Thanks for helping me out with NGINX!

7 Responses

  1. Hannes Maack
    Dez 23, 2013 - 01:12 AM

    Thanks for providing this guide. 🙂 

  2. Oli
    Dez 28, 2013 - 07:11 PM

    Yes that works, but now the server soncole does not work anymore and says:
    Network error: could not connect to server: xx.xx.xx.xx:5900

  3. Rick
    Jan 10, 2014 - 03:15 PM

    I am curious how this will work, performing this in an already functioning production environment. 
     
    Thanks

  4. Bobby
    Jan 23, 2014 - 07:57 AM

    Absolutely brilliant.  I know about the Console issue, I did have trouble, but now I don’t with this setup.  My subdomain resolves to a private ip, pointing to the reverse proxy.  Originally my reverse proxy was on another server, this will cause a console issue.  The trick is to have nginx on the same machine as Proxmox, and have another machine redirecting if necessary.

  5. ilik
    Jan 24, 2014 - 09:43 AM

    Hi. Really cool article, preciate this very much

    This site has no rating
     

  6. Bernd
    Mrz 21, 2014 - 10:40 AM

     
    Hi, thanks. It works, but my nginx-error-log is flooded with lines such as:
     
    [error] 215277#0: *1453 open() «/etc/nginx/html/api2/json/cluster/tasks» failed …
    Are that internal proxmox requests that are no longer found?

  7. Harry
    Sep 29, 2014 - 10:34 PM

    Hi

    Thank you very much for this brilliant tutorial. One question though. Did anyone have a fix for the console/shell issue. Once I secure the web UI with above’s approach I cannot access the web shell anymore. Bobby said that he got it working. Would you mind sharing your setup/configuration in detail?

    Thx

Leave a Comment

css.php