How to configure web interface internals

[John-Doe]

Hi there,

I recently scanned for vulnerabilities on a Proxmox host and discovered a few vulnerabilites with the GUI/Web interface. I was wondering if there is any way to manage the configuration of this web interface for things like X-Frame-Options and HTTPS compression (GZIP/Deflate) so I can resolve some of the issues I've discovered. Apologies if I have missed questions that already answer my questions.

Thanks,
John

 

[Stoiko Ivanov]

Some things can be configured - see the reference documentation https://pve.proxmox.com/pve-docs/pveproxy.8.html

Hope this helps!

 

[John-Doe]

Ah, thank you that helps with the BREACH vulnerability but I was unable to see any mention of anti-clickjacking X-Frame-Options. I will be looking through documentation again but I do not believe I can find any new pages that will have information on this. Should I submit this to the bug tracker?

 

[Stoiko Ivanov]

AFAIR there are no further options - so if you like - please open an enhancement request at https://bugzilla.proxmox.com for further discussion.

OTOH if you want full control over the web-facing side of PVE I would really suggest putting a nginx/haproxy reverse proxy in front of it and use the pve-firewall to prevent access to port 8006 - this should give you the greatest flexibility.

 

[guletz]

Hi,

Much better is to expose your pmx web page using a vpn.

Good luck!