Limit access to RestAPI

Jul 19, 2019

How can I limit access to the RestAPI?
I cannot limit it in the firewall since users need access the WebUI to see there Quarantine.

What I want is a user that is using the RestAPI and is only able to add domains, networks, LDAP configs, but cannot login into the WebUI or see other things like e-mails and so on.
Are there possibilities for this?

Best regards,


No, there's no way to tell a REST user's api request apart from our Webinterface or another application.
Any one having the credential could just take the WebUI (it's all opensource), take out the code which would block some specific accounts (the backend could not make such a decision anyway) and point the self-hosted WebUI to your backend.

So at least the "lock a user out of the WebUI" is not possible.

I cannot limit it in the firewall since users need access the WebUI to see there Quarantine.

You could set another port for the Quarantine URL (see 4.6.2) and then restrict the 8006 one.

The Mailgateway has not a really granular permission system as most of the time it's not needed, there's only a small set of Admins and unlike Proxmox VE no resources like CTs, VMs, storages, .. can be allocated..

But there are some basic different roles, see: maybe it's enough for you.

What do you want to do/achieve?

What I want to achieve is this:
- all users in the world need access to https://<myproxmoxserver>/quarantine
- only some ip addresses need access to https://<myproxmoxserver>:8006 (so this is for adminisrators)

I already ran the following command: pmgsh set /config/spamquar -port 443

Only when I redirect all traffic from 443 to port 8006 (in my firewall), everything works. But then everything is accessible for everyone.
It would be great if only https://<myproxmoxserver>/quarantine would listen on 443 and the rest would be accessible on 8006.
How can that be done?

Best regards,
You could try configuring an https reverse-proxy on the pmg installation, which only forwards requests to the '/quarantine' paths - and let that listen on 443 -> then all external access to 8006 is the admin-access (you can limit that on an ip-basis via iptables of '/etc/default/pmgproxy' ) and all access on 443 is for your users

I hope this helps!


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!