Proxmox VE Restricting Web UI access

September 18th, 2013 by Philip Iezzi

With the release of Proxmox VE 3.0 back in May 2013, the Proxmox VE web interface no longer requires Apache. Instead, it now uses a new event-driven API server called pveproxy. That was actually a great step forward, as we all know Apache gets bulkier every day and the new pveproxy is a much more lightweight solution. But the question arose: How do I protect my Proxmox VE web UI with basic user authentication?

Basically, we do not trust any web application out there, so we better double-protect the whole web UI with plain old basic auth - previously done in Apache via .htaccess.

The main idea

  • Restrict access to the pveproxy (= Web UI) to localhost
  • Install a local Nginx web proxy server that forwards requests from port 443 to pveproxy's port 8006 and restricts access to it using HTTP basic auth

Restrict access to pveproxy

Create a new file /etc/default/pveproxy with the following content:

pveproxy
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

Restart pveproxy for the changes to take effect:

$ /etc/init.d/pveproxy restart

Nginx web proxy server

Install nginx-light (the lightweight package of Nginx is sufficient):

$ apt-get install nginx-light

The following packages will be installed: nginx-common nginx-light

Now, copy over your signed SSL certificate to /etc/nginx/conf.d, in case you already have one. You might as well create a self-signed SSL certificate and SSL certificate key, e.g. (validity of 10 years!):

$ cd /etc/nginx/conf.d/
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Create /etc/nginx/sites-available/pveproxy:

sites-available/pveproxy
server {
        listen          80;
        server_name     hn*.example.com;
        rewrite         ^ https://$hostname.example.com$request_uri? permanent;
}

server {
        listen                  443 ssl;
        server_name             hn*.example.com;
        ssl_certificate         /etc/nginx/conf.d/server.crt;
        ssl_certificate_key     /etc/nginx/conf.d/server.key;
        auth_basic              "Restricted";
        auth_basic_user_file    htpasswd;
        location / { proxy_pass https://127.0.0.1:8006; }
}

Disable the default site and enable pveproxy:

$ rm -f /etc/nginx/sites-enabled/default
$ ln -sf /etc/nginx/sites-available/pveproxy /etc/nginx/sites-enabled/

For details, check NGINX ngx_http_ssl_module. Note that the certificates could also be placed in another directory (adjust /etc/nginx/nginx.conf accordingly).

Create the htpasswd file in /etc/nginx/htpasswd. I'd recommend simply creating it on another host where you have Apache installed. But in case you have no such tools at hand, check the FAQ: How do I generate an .htpasswd file without having Apache tools installed?
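
One way to create the file with only openssl, which is already on the host for the certificate steps above. This is an added example, not part of the original post; the function names, the user name pveadmin and the password are constructed, and the www-data worker user is an assumption for Debian.

```shell
#!/bin/sh
# Added example: create and verify nginx htpasswd entries using only openssl.
# Function names, user name and password below are constructed.

# htpasswd_line USER [SALT]
# Reads the password from stdin (keeps it out of the process list) and
# prints "USER:$apr1$SALT$HASH", a format nginx's auth_basic accepts.
htpasswd_line() {
    user=$1
    case $user in
        ''|*:*) echo "invalid user name" >&2; return 1 ;;
    esac
    if [ -n "${2:-}" ]; then
        pwhash=$(openssl passwd -apr1 -salt "$2" -stdin) || return 1
    else
        pwhash=$(openssl passwd -apr1 -stdin) || return 1   # random salt
    fi
    printf '%s:%s\n' "$user" "$pwhash"
}

# htpasswd_check LINE
# Reads a candidate password from stdin, re-hashes it with the salt stored
# in LINE and returns 0 only if the result equals the stored hash.
htpasswd_check() {
    stored=${1#*:}                                  # strip "USER:"
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $apr1$SALT$HASH
    [ -n "$salt" ] || return 1
    candidate=$(openssl passwd -apr1 -salt "$salt" -stdin) || return 1
    [ "$candidate" = "$stored" ]
}

# Demo with a constructed password. On the real host, redirect the output of
# htpasswd_line to /etc/nginx/htpasswd and make the file readable only by
# root and the nginx worker user (www-data on Debian is assumed):
#   chown root:www-data /etc/nginx/htpasswd && chmod 640 /etc/nginx/htpasswd
demo=$(printf '%s\n' 'constructed-pass' | htpasswd_line pveadmin)
printf '%s\n' 'constructed-pass' | htpasswd_check "$demo" && echo "ok: $demo"
```

Running htpasswd_check against the stored line before restarting Nginx confirms the entry matches the password you intend to use.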

Restart Nginx:

$ /etc/init.d/nginx restart

Done! You may now access the Proxmox VE Web UI directly via HTTPS - no separate port required as we are using the standard SSL port 443 for our NGINX proxy.

Credits to: Printscreen GmbH, Daniel Mettler - Thanks for helping me out with NGINX!