With the release of Proxmox VE 3.0 in May 2013, the Proxmox VE web interface no longer requires Apache. Instead it is served by a new event-driven API server called pveproxy. That was a real step forward: Apache gets bulkier every day, and pveproxy is a much more lightweight solution. But it raised a question:
How do I protect my Proxmox VE WebUI with basic user authentication?
Basically, we do not trust any web application out there, so we prefer to double-protect the whole WebUI with plain old HTTP basic auth, which used to be done in Apache via .htaccess. With basic auth enforced in front of the application, an attacker has to get past the proxy's credentials before ever reaching pveproxy's own login form or API.
The main idea:
- Restrict access to the pveproxy (= Web UI) to localhost
- Install a local Nginx web proxy server that forwards requests from port 443 to pveproxy’s port 8006 and restrict access to it using HTTP BASIC AUTH
Restrict access to pveproxy
Create a new file /etc/default/pveproxy with the following content, so that pveproxy only accepts connections from 127.0.0.1, i.e. from the local nginx:

```
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
```

With POLICY="allow", an address that matches both lists (here only 127.0.0.1) is allowed and an address that matches only DENY_FROM is refused, so everything except loopback is rejected. Note that pveproxy still binds port 8006 on every interface; the filter is applied after the connection has been accepted, so a host firewall rule that drops external traffic to port 8006 is a sensible second layer.
Restart pveproxy for the changes to take effect:

```
# /etc/init.d/pveproxy restart
```
Nginx web proxy server
Install nginx-light (the lightweight package of Nginx is sufficient):

```
# apt-get install nginx-light
The following packages will be installed: nginx-common nginx-light
```
If you already have a signed SSL certificate, copy it and its key to /etc/nginx/conf.d. Otherwise create a self-signed certificate and key, e.g. with a validity of ten years (the second command prompts for the certificate subject; use the host name you will access the WebUI by as the Common Name):

```
# cd /etc/nginx/conf.d/
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
```

Keep server.key readable by root only; the nginx master process loads it as root before the worker processes drop privileges.
Create /etc/nginx/sites-available/pveproxy:

```nginx
server {
    listen 80;
    # nginx accepts a wildcard only at the start or end of a name, so
    # "hn*.example.com" is rejected at startup; use *.example.com or the
    # node's real name instead.
    server_name *.example.com;
    rewrite ^ https://$hostname.example.com$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name *.example.com;
    #ssl on;
    ssl_certificate     /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    # Every request has to pass HTTP basic auth before it reaches pveproxy.
    auth_basic "Restricted";
    # Relative path, resolved against the nginx prefix: /etc/nginx/htpasswd
    auth_basic_user_file htpasswd;

    location / {
        # pveproxy speaks HTTPS itself. nginx does not verify the upstream
        # certificate by default, which is acceptable for a loopback hop.
        proxy_pass https://127.0.0.1:8006;
    }
}
```
Disable the default site and enable pveproxy:

```
# rm -f /etc/nginx/sites-enabled/default
# ln -sf /etc/nginx/sites-available/pveproxy /etc/nginx/sites-enabled/
```
For details, check the NGINX HttpSslModule documentation. The certificates could also be placed in another directory (adjust the ssl_certificate and ssl_certificate_key paths in the site file accordingly). Test the configuration with nginx -t before restarting.
Create the htpasswd file /etc/nginx/htpasswd.
I'd recommend simply creating it on another host where you have the Apache tools installed. If you have no such tools at hand, check the FAQ: How do I generate an .htpasswd file without having Apache tools installed?
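If you would rather not pull Apache onto a hypervisor just for htpasswd, the following helper does the same job with openssl(1), which every Proxmox VE host already ships. It is added here as an example and is not part of the original post. nginx understands the Apache MD5 (`$apr1$`) scheme natively, so the resulting file works with the auth_basic_user_file directive above. The function names `htpasswd_entry` and `htpasswd_verify` and the sample user names are my own; the verify function is there so you can check the file before you deploy it.

```shell
#!/bin/sh
# Build and check nginx auth_basic entries without Apache's htpasswd tool.
# Hypothetical helper script (not from the original post); it relies only on
# openssl(1), awk and printf.
set -eu

# htpasswd_entry USER PASSWORD [SALT]
# Prints one "user:$apr1$salt$hash" line. The salt is normally left to
# openssl, which picks a random one; passing it explicitly is only useful
# for reproducible tests. The password is fed via stdin so it does not show
# up in the process list as an argument of openssl.
htpasswd_entry() {
    user=$1; pass=$2; salt=${3:-}
    case $user in
        *:*|'') echo "invalid user name: '$user'" >&2; return 1 ;;
    esac
    if [ -n "$salt" ]; then
        hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    else
        hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    fi
    printf '%s:%s\n' "$user" "$hash"
}

# htpasswd_verify FILE USER PASSWORD
# Returns 0 when USER exists in FILE and PASSWORD, hashed with the salt
# stored in that entry, reproduces the stored hash; 1 otherwise.
htpasswd_verify() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    # Entry layout is $apr1$<salt>$<hash>; field 3 (split on '$') is the salt.
    salt=$(printf '%s' "$stored" | awk -F'$' '{ print $3 }')
    candidate=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# Example usage on the Proxmox host (constructed; user and password are
# placeholders). nginx on Debian runs as www-data, which only needs read access.
#   umask 077
#   htpasswd_entry admin 'S3cret!' >> /etc/nginx/htpasswd
#   chown root:www-data /etc/nginx/htpasswd
#   chmod 640 /etc/nginx/htpasswd
#   htpasswd_verify /etc/nginx/htpasswd admin 'S3cret!' && echo "entry OK"
```

Run the verify step once after editing the file: a typo in the hash or a stray second entry for the same user is much easier to spot here than in a 401 loop in the browser.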
Restart NGINX:

```
# /etc/init.d/nginx restart
```
Done! You may now access the Proxmox VE WebUI directly via https://… and will be asked for the basic-auth credentials first; no separate port is required, as the NGINX proxy uses the standard HTTPS port 443. From another host you can confirm the setup: requests to port 8006 are now rejected by pveproxy, while port 443 answers with 401 until credentials are supplied. Note that the Java VNC console of Proxmox VE 3.x opens its own connection from the browser to the host on ports 5900 and up; that traffic does not pass through nginx and is therefore not covered by the basic auth.
Credits to: Printscreen GmbH, Daniel Mettler – Thanks for helping me out with NGINX!
Dec 23, 2013 - 01:12 AM
Thanks for providing this guide. 🙂
Dec 28, 2013 - 07:11 PM
Yes, that works, but now the server console does not work anymore and says:
Network error: could not connect to server: xx.xx.xx.xx:5900
Jan 10, 2014 - 03:15 PM
I am curious how this will work, performing this in an already functioning production environment.
Thanks
Jan 23, 2014 - 07:57 AM
Absolutely brilliant. I know about the console issue; I did have trouble, but now I don't with this setup. My subdomain resolves to a private IP pointing to the reverse proxy. Originally my reverse proxy was on another server, and this will cause a console issue. The trick is to have nginx on the same machine as Proxmox, and have another machine redirecting if necessary.
Jan 24, 2014 - 09:43 AM
Hi. Really cool article, I appreciate this very much.
Mar 21, 2014 - 10:40 AM
Hi, thanks. It works, but my nginx error log is flooded with lines such as:
[error] 215277#0: *1453 open() "/etc/nginx/html/api2/json/cluster/tasks" failed …
Are those internal Proxmox requests that are no longer found?
Sep 29, 2014 - 10:34 PM
Hi
Thank you very much for this brilliant tutorial. One question, though. Did anyone find a fix for the console/shell issue? Once I secure the web UI with the approach above, I cannot access the web shell anymore. Bobby said that he got it working. Would you mind sharing your setup/configuration in detail?
Thx