http proxy for the OpenID realms

hudecof

Dec 14, 2023
Hello,

I would like to ask if there is a way to use the HTTP proxy set in Configuration->Other-General also for the OpenID realms.
The PBS server is trying to connect to the OpenID server directly.
As this server is in an air-gapped environment, the only access out is through the HTTP proxy.

For PVE this works; PVE is using the global HTTP proxy settings for the OpenID realms.
 
As I wrote, the PVE/PBS servers are in air-gapped environments.
We are using a squid proxy with strict ACLs per host.

The package manager

PVE/PBS -> PROXY(internal) -> PVE package repository (external)
PVE/PBS -> PROXY(internal) -> OpenID service(internal)

Also access to the PVE/PBS web ui is strictly from the reverse proxies, no direct access.
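
An added example, not from this thread or from the Proxmox project: a squid.conf fragment for the strict per-host ACL setup described above, which lets the PVE/PBS hosts reach only the package repository and the OpenID service through the proxy. All addresses and hostnames are constructed placeholders.

```conf
# Constructed example: replace the placeholder addresses and hostnames.

# Only allow CONNECT tunnels to the HTTPS port.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Source hosts that may use the proxy (placeholder PVE/PBS addresses).
acl proxmox_hosts src 192.0.2.10/32 192.0.2.11/32

# Destinations those hosts may reach (placeholder hostnames).
acl pkg_repo dstdomain repo.example.org
acl oidc_idp dstdomain idp.internal.example

# Rules are evaluated top to bottom; the first match wins.
http_access deny CONNECT !SSL_ports
http_access allow proxmox_hosts pkg_repo
http_access allow proxmox_hosts oidc_idp

# Everything else is refused, including other hosts and other destinations.
http_access deny all
```

With rules like these, a request from a PVE/PBS host to any destination outside the two listed domains shows up as a denied entry in the squid access log, which makes unexpected outbound attempts easy to spot.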
 
Hi hudecof,
I am not 100% sure, and it might depend a little bit on the authentication flow.
Usually the PVE/PBS has no need to access the Identity Provider directly if OpenID is used.
The trust is secured via the used cryptography.

The client needs to be able to access both the Identity Provider (Keycloak, Authentik, Lemon LDAP NG ...)
and the service (PVE/PBS). The flow is usually:
- Client authenticates against the Identity Provider and gets a signed access token (including the groups in the claim)
- This token is signed by the Identity Provider
- The client can then present the token to the service, which can verify it via the cryptography.

Have you tried to set up the OpenID flow without a connection to the Identity Provider?

If you would like to set up proxy settings on the PBS, you should be able to utilize proxy settings via the CLI:
Code:
export http_proxy=http://proxy_server_address:port
export https_proxy=https://proxy_server_address:port
(The OS underneath the PBS is similar to the Debian Userland Packages)


BR, Lucas