Binding pve-proxy to localhost only in Proxmox 9

[halcyon days]

Hi all,

I'm trying to limit the GUI to just the loopback, so it's only accessible via a SSH port redirect, ie

ssh proxmox.server -L8006:localhost:8006

But where do I configure the listen address for the pve-proxy? I've tried:

1. /etc/pve/nodes/hv1/pveproxy.cfg
2. /etc/pve/local/pveproxy.cfg

And adding 'listen 127.0.0.1" But neither file seemed to be read upon restart.

 

[BobhWasatch]

You could just enable the firewall.

 

[halcyon days]

Belt and braces my friend, security is a layered creature. And as I don't know my source IP address, and disabling the GUI massively reduces the attack vectors with just SSH open I'd prefer to change the binding. Thanks for the idea though!

 

[BobhWasatch]

Why do you care about source IP? I'm talking just blocking all inbound to port 8006 on the host IP and leaving 22 open. It will then work like you want without hacking around on PVE. It might break stuff, but so might your way.

I've seen comments here before from Proxmox staff that it isn't possible to change the listening port so I wouldn't bet that there's a way to change the IP. The generally recommended approach is to put the management IP on a private subnet.

 

[halcyon days]

I see your logic. I'll will give the firewall a try; I just fear mis-configuration update could undo it.

 

[halcyon days]

Well I feel foolish, I followed the docs and it worked!

echo 'LISTEN_IP="127.0.0.1"' >> /etc/default/pveproxy
systemctl restart pveproxy

ss -lntp | grep 8006
LISTEN 0 4096 127.0.0.1:8006

And now I can do:

ssh -i .ssh/id_ed25519 'root@x.x.x.x' -L8006:localhost:8006