Hello friends,
I moved away from ESXi to Proxmox a couple of weeks ago and switched to Proxmox to downsize my infrastructure at home a little bit. I love how well I can use Proxmox as my VDI and how polished it feels using it in combination with SPICE/virt-viewer.
Now my question is regarding security when exposing certain services of Proxmox to the internet. I use an Apache reverse proxy for the Proxmox web GUI, which is secured by Apache's basic user auth as well as by Proxmox's own 2FA. I don't have too many security concerns here.
What I'm a little bit concerned about is the spiceproxy that is running on port 3128. I sometimes need to use my VDI from the outside, and using a VPN is not always an option since some networks have firewall restrictions to prevent VPN usage.
Right now, I have forwarded port 3128, where spiceproxy is running, to my Proxmox, and virt-viewer works quite well from outside my network. Any word on how secure it is to run the spiceproxy exposed this way? According to the description, it runs with very limited privileges, but I'm still concerned.
Any other ideas on how I could go about hardening it in this particular case?
Regards