Hello,
I have a problem connecting to PBS, which runs behind a Cloudflare tunnel and is accessed through Zero Trust.
My setup:
- The PBS server is tunneled to a private domain, restricted by Zero Trust – pbs.mydomain.com
- A Bypass Policy is added for the PVE host – by IP address
- In PVE, I'm adding the storage using login, password, host:443, and datastore, no fingerprint
create storage failed: nexus-pbs: error fetching datastores - 403 Forbidden (500)
What I’ve checked and ruled out so far:
- Insufficient permissions in PBS: I assigned the user an admin role and root namespace to make sure nothing was missing. Additionally, I was able to add the storage from another PVE host in the same network without any issues. So we can fully rule out any misconfiguration or permission problems on the PBS side.
- Cloudflare correctly passing traffic: I thoroughly verified that the Bypass works and that the server can communicate with PBS – there are no issues here. I also checked the flow from an external PVE server by hitting two endpoints in sequence:
Bash:
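# jq prints the ticket and the CSRF token on separate lines, so read each line into its own variable
{ read -r TICKET; read -r TOKEN; } < <(curl -sk \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'username=backup@pbs&password=mypw' \
  https://pbs.mydomain.com/api2/json/access/ticket \
  | jq -r '.data.ticket,.data.CSRFPreventionToken')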
Returned HTTP 200
Bash:
curl -ik \
-H "Cookie: PBSAuthCookie=$TICKET" \
-H "CSRFPreventionToken: $TOKEN" \
https://pbs.mydomain.com/api2/json/admin/datastore
Returned HTTP 200 with body:
JSON:
{"data":[{"comment":null,"mount-status":"nonremovable","store":"pbs"}]}
2. Adding storage using CLI:
Bash:
pvesm add pbs nexus-pbs \
--server pbs.mydomain.com \
--port 443 \
--username backup@pbs \
--password 'mypw' \
--datastore pbs \
--content backup
create storage failed: nexus-pbs: error fetching datastores - 403 Forbidden
I believe I’ve checked everything thoroughly enough that the only remaining idea I have is a possible bug in PVE when PBS is running on a non-default port.
Has anyone encountered this issue or has any other ideas?