Proxmox VE Restricting Web UI access
With the release of Proxmox VE 3.0 back in May 2013, the Proxmox VE web interface no longer requires Apache. Instead, it now uses a new event-driven API server called pveproxy. That was a great step forward: as we all know, Apache gets bulkier every day, and pveproxy is a much more lightweight solution. But the question arose: how do I protect my Proxmox VE Web UI with basic user authentication?
Basically, we do not trust any web application out there, so we had better double-protect the whole Web UI with plain old basic auth, which was previously done in Apache via .htaccess.
The main idea
- Restrict access to pveproxy (= the Web UI) to localhost
- Install a local Nginx reverse proxy that forwards requests from port 443 to pveproxy's port 8006, and restrict access to it using HTTP basic auth
Restrict access to pveproxy
Create a new file /etc/default/pveproxy with the following content:
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
Restart pveproxy for the changes to take effect:
$ /etc/init.d/pveproxy restart
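To make the ALLOW_FROM / DENY_FROM / POLICY semantics concrete, here is an added example (mine, not part of the original article and not Proxmox's own code): a small POSIX shell model of how pveproxy decides whether a client address is admitted. It assumes pveproxy applies Apache-style order semantics, where a client matching exactly one of the two lists gets that list's verdict and a client matching both or neither falls back to POLICY; only IPv4 addresses, IPv4 CIDR prefixes and the keyword all are modelled. It shows why the three lines above admit only localhost, and also the pitfall of POLICY="allow" with an empty DENY_FROM, which admits everyone. Keep in mind that this filtering happens inside pveproxy after the TCP connection has been accepted: port 8006 still listens on all interfaces, so a host firewall rule is the right place to hide it at the network level.

```shell
#!/bin/sh
# Added example (not from the original article or Proxmox): a model of how
# pveproxy applies ALLOW_FROM / DENY_FROM / POLICY to a client address.
# Assumption: Apache-style order semantics (matching exactly one list decides,
# matching both or neither falls back to POLICY). Handles IPv4 literals,
# IPv4 CIDR prefixes and the keyword "all" only.

# Convert a dotted-quad IPv4 address into a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if client address $1 is covered by entry $2 ("all", "a.b.c.d" or "a.b.c.d/n").
ip_matches() {
    [ "$2" = all ] && return 0
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Succeed if client address $1 matches any entry of the comma-separated list $2.
in_list() {
    client=$1
    old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
    for entry in "$@"; do
        ip_matches "$client" "$entry" && return 0
    done
    return 1
}

# Print "allow" or "deny" for client $1 given ALLOW_FROM=$2, DENY_FROM=$3, POLICY=$4.
pve_decide() {
    hit_allow=0; hit_deny=0
    [ -n "$2" ] && in_list "$1" "$2" && hit_allow=1
    [ -n "$3" ] && in_list "$1" "$3" && hit_deny=1
    if [ "$hit_allow" -eq "$hit_deny" ]; then
        # Both lists matched, or neither did: POLICY breaks the tie.
        [ "$4" = allow ] && echo allow || echo deny
    elif [ "$hit_allow" -eq 1 ]; then
        echo allow
    else
        echo deny
    fi
}

# Constructed demo using the article's /etc/default/pveproxy values.
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
for ip in 127.0.0.1 192.168.1.10 10.0.0.5; do
    echo "$ip -> $(pve_decide "$ip" "$ALLOW_FROM" "$DENY_FROM" "$POLICY")"
done
# Pitfall: the same ALLOW_FROM and POLICY with DENY_FROM left empty admits everyone.
echo "192.168.1.10 with empty DENY_FROM -> $(pve_decide 192.168.1.10 "$ALLOW_FROM" "" "$POLICY")"
```

Run it with sh; the last line is the case to watch for, since a DENY_FROM that is commented out or left empty silently turns a localhost-only policy into an open one.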
Nginx web proxy server
Install nginx-light (the lightweight Nginx package is sufficient):
$ apt-get install nginx-light
The following packages will be installed: nginx-common nginx-light
Now, copy your signed SSL certificate to /etc/nginx/conf.d, in case you already have one. Otherwise you can create a self-signed SSL certificate and key, e.g. (valid for 10 years!):
$ cd /etc/nginx/conf.d/
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Create /etc/nginx/sites-available/pveproxy:
server {
    listen 80;
    server_name hn*.example.com;
    rewrite ^ https://$hostname.example.com$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name hn*.example.com;
    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;
    auth_basic "Restricted";
    auth_basic_user_file htpasswd;
    location / { proxy_pass https://127.0.0.1:8006; }
}
Disable the default site and enable pveproxy:
$ rm -f /etc/nginx/sites-enabled/default
$ ln -sf /etc/nginx/sites-available/pveproxy /etc/nginx/sites-enabled/
For details, check the NGINX ngx_http_ssl_module documentation. Note that the certificates could also be placed in another directory (adjust the paths in your Nginx configuration accordingly).
Create the htpasswd file at /etc/nginx/htpasswd
I'd recommend simply creating it on another host where you have Apache installed. But in case you have no such tools at hand, check the FAQ: How do I generate an .htpasswd file without having the Apache tools installed?
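For the case where no Apache tools are around, here is an added example (mine, not part of the original article or the linked FAQ) that builds and checks an nginx-compatible htpasswd entry with nothing but the openssl command-line tool, which it assumes is installed. It uses the Apache MD5 (apr1) format that nginx's auth_basic_user_file accepts, feeds the password via stdin so it does not appear in the process list, and includes a verify function so you can confirm the entry you wrote actually matches the password you intended.

```shell
#!/bin/sh
# Added example (not from the original article): create and check an
# nginx-compatible htpasswd entry with the OpenSSL CLI, for hosts without
# Apache's htpasswd tool. "openssl passwd -apr1" emits the Apache MD5 (apr1)
# format that nginx's auth_basic_user_file accepts; the password is passed on
# stdin rather than on the command line so it does not show up in "ps".

# Print "user:$apr1$salt$hash" for user $1 and password $2.
htpasswd_entry() {
    # 8 hex characters form a valid apr1 salt
    salt=$(openssl rand -hex 4)
    hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$1" "$hash"
}

# Succeed if password $2 matches htpasswd entry $1 (recomputes with the stored salt).
# A plain string comparison is acceptable here: this is an offline sanity check
# of the file you just wrote, not an authentication endpoint.
htpasswd_verify() {
    stored=${1#*:}                                   # drop the "user:" prefix
    salt=$(printf '%s' "$stored" | cut -d '$' -f3)   # "$apr1$<salt>$<hash>"
    recomputed=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$recomputed" = "$stored" ]
}

# Constructed demo: generate an entry and confirm only the right password checks out.
entry=$(htpasswd_entry admin 'Chang3-me-now')
echo "$entry"
htpasswd_verify "$entry" 'Chang3-me-now' && echo "correct password accepted"
htpasswd_verify "$entry" 'wrong' || echo "wrong password rejected"
```

Append the printed line to /etc/nginx/htpasswd, one user per line, and keep that file readable only by root and the Nginx worker group (www-data on Debian), since anyone who can read it can start cracking the hashes offline.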
Restart Nginx:
$ /etc/init.d/nginx restart
Done! You may now access the Proxmox VE Web UI directly via HTTPS, no separate port required, as we are using the standard SSL port 443 for our NGINX proxy.
Credits to: Printscreen GmbH, Daniel Mettler - Thanks for helping me out with NGINX!