How to disable (firewall) proxmox-backup-proxy to local IP addresses

hand363

Hello,

I am looking for a way to block access to the default proxmox-backup-proxy web server. I have nginx running and passing the traffic from port 443 to 8007; I just need something similar to /etc/default/pveproxy to whitelist/blacklist IPs. Can anyone give me guidance on how I could do this?

Thanks for the suggestion in advance, great products!
 
Hi,
What's your use case for this? Note that it is not recommended to expose the PBS API and WebUI to the public internet. You should use a VPN if you require the PBS instance to be accessible from a remote location.

Also, there is no firewall integration in PBS, so you will have to either use iptables or use a custom solution. If your PBS runs inside a VM on top of PVE you can utilize the PVE guest firewall rules to filter traffic.
 
Hey Chris, thanks for the quick reply and the suggestion to use iptables! I use nginx to enforce timeouts, TLS 1.3 and other compliance requirements.

I was successful with my iptables rules:
sudo apt install iptables-persistent
sudo /sbin/iptables -A INPUT -i lo -j ACCEPT
sudo /sbin/iptables -A INPUT -p tcp --destination-port 8007 -j DROP

But the problem is that after applying the iptables rules, and being able to access the web server through port 443 (and not 8007), my PVE nodes were not able to back up to PBS! I tried removing and re-adding the PBS server (with the exact same configuration, except the server had <IP>:443). I found this post from 2021 with the same issue; Fabian (Proxmox staff) said the CLI command with the port parameter would work. It didn't. Any suggestions? I attached a few screenshots of my configuration.
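The IP allowlist asked about in the first post, expressed with the iptables approach suggested in the reply, as an added example that is not part of the thread: the script prints an iptables-restore fragment that leaves port 8007 open to loopback and to listed sources only. The addresses are constructed placeholders, and `ALLOWED_8007`, `valid_source` and `build_rules` are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore fragment that
# keeps TCP/8007 reachable from loopback (nginx) and an explicit allowlist only.
# Addresses are constructed placeholders from the RFC 5737 documentation range.
ALLOWED_8007="192.0.2.11 192.0.2.12"   # assumed addresses of trusted hosts

# Accept dotted-quad IPv4 with an optional /0-32 prefix; reject anything else
# so a typo or stray character never ends up inside a rule.
valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules in evaluation order: the first matching rule wins, so every
# ACCEPT has to come before the final DROP for port 8007.
build_rules() {
    # Validate the whole list first so a bad entry produces no partial output.
    for src in $1; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo '*filter'
    echo '-A INPUT -i lo -j ACCEPT'
    for src in $1; do
        echo "-A INPUT -p tcp -s $src --dport 8007 -j ACCEPT"
    done
    echo '-A INPUT -p tcp --dport 8007 -j DROP'
    echo 'COMMIT'
}

build_rules "$ALLOWED_8007"
```

Pipe the output through `iptables-restore --noflush --test` as root to check that it parses before loading it; `--noflush` appends to the existing rules instead of replacing them.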