API Security

proxene

Member
Sep 15, 2017
Hello,

I created a system with the Proxmox API to display the VNC console and I have a security question.

To display the VNC console I echo an iframe, but the problem is that anyone can edit the line of code with F12 and change the id of the machine to access another VNC. How can I secure the iframe?


Thank you in advance.

Best regards,
Proxene
 
Hi,

To display the VNC console I echo an iframe, but the problem is that anyone can edit the line of code with F12 and change the id of the machine to access another VNC. How can I secure the iframe?

We enforce the "VM.Console" privilege on the VM, else the vncwebsocket handler which handles this call in the backend will throw a permission error [0].
So you'd need to restrict your API user to only those VMs you want to show. If you want to provide a user frontend, you probably want to have those users also as pve realm users and give them only the permissions they should have, then use the user's credentials to connect to the PVE API; the permissions are then correctly handled by us, if you configured them for the user.

No frontend solution will help you here.

[0]: https://git.proxmox.com/?p=qemu-ser...72db0fb6411c77ca278a8b318164c832e2f6ea0#l1738
 
Hi t.lamprecht,

Thank you so much for your answer :)
I have another question: sometimes I have an error when I load the VNC on my webpage: Error 401: permission denied - invalid PVE ticket.

Is an SSL certificate required to solve this problem?

Thank you in advance,

Best regards,
Proxene
 
Is an SSL certificate required to solve this problem?

You already have an SSL certificate; it's just a "self-created, unsigned" one by default, thus browsers show it as "unsafe" (but self-signed certs can be just as safe as "trusted" ones, even safer if you keep in mind that some CA authorities are/were pretty shady).
As long as you added an exception for this certificate you do not need a universally trusted one, and you could always set up a free Let's Encrypt certificate.

I have another question: sometimes I have an error when I load the VNC on my webpage: Error 401: permission denied - invalid PVE ticket.
If it's only sometimes, the certificate should not be your issue. But the ticket has a lifetime of two hours, so you need to renew it periodically; this can be done by posting to the "access/ticket" API endpoint (like you do on the initial API login) with the API user as username but the current ticket as password; this way you can renew the ticket lifetime. But once it's invalid (not renewed for >2 hours) you cannot renew it and need to log in again freshly.
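The two points made in the replies above (VM.Console is checked by the backend on every vncproxy/vncwebsocket call, so the vmid in the iframe cannot be "secured" on the client, and the two-hour ticket is renewed by sending it as the password to /access/ticket), as an added example that is not part of the thread and not Proxmox's own code: a toy model of both sides of the API. FakePveApi, PveSession, the in-memory ACL table, the HMAC ticket signature and the injectable clock are assumptions made for this illustration; the real pvedaemon signs tickets with the node key and resolves ACLs through its permission tree.

```python
"""Added example, not code from the thread or from Proxmox: a toy model of both sides of
the PVE API.  FakePveApi, PveSession, the ACL table, the HMAC ticket signature and the
injectable clock are assumptions for illustration, not the real pvedaemon implementation."""
import hashlib
import hmac
import secrets

TICKET_LIFETIME = 2 * 60 * 60        # seconds: a PVE ticket lives two hours
INVALID = "401: permission denied - invalid PVE ticket"

class PermissionDenied(Exception): pass

class FakePveApi:
    """Server side: stands in for /access/ticket and .../vncproxy."""
    def __init__(self, clock):
        self.clock = clock                       # injectable so the demo can jump in time
        self.key = secrets.token_bytes(32)       # stand-in for the node's ticket signing key
        self.passwords = {"tenant@pve": "s3cret"}
        # Constructed ACL: tenant@pve holds VM.Console on /vms/100 and nothing else.
        self.acl = {("tenant@pve", "/vms/100"): {"VM.Console"}}
    def _sign(self, user, issued):
        return hmac.new(self.key, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()[:24]
    def _issue(self, user):
        issued = int(self.clock())
        return f"PVE:{user}:{issued:x}::{self._sign(user, issued)}"   # real layout, toy signature
    def _verify(self, ticket):
        """Return the ticket's user; reject malformed, forged or expired tickets."""
        try:
            _, user, issued_hex, _, sig = ticket.split(":")
            issued = int(issued_hex, 16)
        except ValueError:
            raise PermissionDenied(INVALID)
        expired = self.clock() - issued > TICKET_LIFETIME
        if expired or not hmac.compare_digest(sig, self._sign(user, issued)):
            raise PermissionDenied(INVALID)
        return user
    def access_ticket(self, username, password):
        """POST /access/ticket: the password may also be a still-valid ticket (renewal)."""
        if password.startswith("PVE:"):
            if self._verify(password) != username:
                raise PermissionDenied(INVALID)
        elif self.passwords.get(username) != password:
            raise PermissionDenied("401: authentication failure")
        return {"username": username, "ticket": self._issue(username)}
    def vncproxy(self, ticket, vmid):
        """POST /nodes/<node>/lxc/<vmid>/vncproxy: VM.Console on /vms/<vmid> is checked here."""
        if ticket is None:
            raise PermissionDenied("401: No ticket")
        user = self._verify(ticket)
        if "VM.Console" not in self.acl.get((user, f"/vms/{vmid}"), set()):
            raise PermissionDenied(f"403: Permission check failed (/vms/{vmid}, VM.Console)")
        return {"port": 5900 + vmid % 100, "ticket": secrets.token_hex(8)}  # one-shot vncticket

class PveSession:
    """Client side: log in once, renew the ticket before it expires, re-login after."""
    def __init__(self, api, username, password, clock, renew_after=60 * 60):
        self.api, self.username, self.password, self.clock = api, username, password, clock
        self.renew_after = renew_after
        self.ticket = self.issued = None
    def login(self):
        self.ticket = self.api.access_ticket(self.username, self.password)["ticket"]
        self.issued = self.clock()
    def current_ticket(self):
        if self.issued is None or self.clock() - self.issued > TICKET_LIFETIME:
            self.login()                 # no ticket, or too late to renew: fresh login
        elif self.clock() - self.issued > self.renew_after:
            self.ticket = self.api.access_ticket(self.username, self.ticket)["ticket"]  # renew
            self.issued = self.clock()
        return self.ticket
    def console(self, vmid):
        return self.api.vncproxy(self.current_ticket(), vmid)

def attempt(call):
    """Run an API call and return its result, or the error text if it was denied."""
    try:
        return call()
    except PermissionDenied as e:
        return str(e)

def demo():
    """Walk through the situations from the thread; returns the outcomes for checking."""
    now = [1_600_000_000.0]
    clock = lambda: now[0]
    api = FakePveApi(clock)
    session = PveSession(api, "tenant@pve", "s3cret", clock)
    out = {"no_login": attempt(lambda: api.vncproxy(None, 100))}   # the poster's bug
    session.login()
    out["own_vm"] = session.console(100)["port"]
    out["other_vm"] = attempt(lambda: session.console(101))       # vmid changed with F12
    first = session.ticket
    now[0] += 90 * 60                                             # 1.5 h: renewed, no re-login
    session.console(100)
    out["renewed"] = session.ticket != first
    now[0] += 3 * 60 * 60                                         # >2 h: the ticket is dead
    out["stale_renew"] = attempt(lambda: api.access_ticket("tenant@pve", session.ticket))
    out["relogin"] = session.console(100)["port"]                 # falls back to a fresh login
    return out
```

The client side is the part a frontend author controls: keep the ticket's issue time next to the ticket, renew well inside the two-hour window, and treat a renewal failure as "log in again", never as something to retry with the same ticket. Nothing the client does changes the outcome of the vmid check, which is exactly the point of the reply above.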
 
Ah ok, thank you for your explanation. I have found where my problem was, and apparently it comes from my code, because when I'm logged in to the web GUI it works but when I'm logged out it does not work anymore.

I think I must first send a POST request to /access/ticket.
Returned error: Error 401: No ticket

Code:
// Log in first so the client holds a PVE ticket; without it every call returns "401: No ticket".
$pve2 = new PVE2_API("mynode", "apiuser", "pve", $password);   // host, user, realm, password
if (!$pve2->login()) { die("PVE login failed"); }
// Ask for a one-shot VNC ticket, then the websocket endpoint for that port and ticket.
$vncproxy = $pve2->post("/nodes/mynode/lxc/100/vncproxy", array());
$vncwebsocket = $pve2->get("/nodes/mynode/lxc/100/vncwebsocket", array('port' => $vncproxy['port'], 'vncticket' => $vncproxy['ticket']));
// Hand the PVEAuthCookie to the browser so the noVNC iframe can open the websocket.
$pve2->setCookie();
 
