May I ask how I can change the HTTPS access of PVE to HTTP
- Thread starter ggea
- Start date
It can't be modified.
Requirements that prohibit from using untrusted certificates but allow unencrypted traffic? Sounds very weird to me. Why don't you just use trusted certificates?
Because there is no domain controller on the intranet, I cannot have all PCs install my intranet self signed certificate. Why can we use HTTP? It's because the front-end cannot nest the console using insecure HTTPS, but using HTTP is possible. So I'm thinking about how to change the HTTPS access method to HTTP.
Well, you could either set up a bough certificate manually or use LetsEncrypt to auto generate the certificates. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management
With the DNS challenge, you don't have to open port 80 to the nodes at all. Should the company where your domain is hosted, not offer or be supported for the DNS challenge plugin, you could use CNAMEs to redirect to a different domain, that is located at a service provider with which the DNS challenge works. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_dns_validation_through_cname_alias
For example:
But disabling https does sound like a bad idea as everything, passwords included will be transferred in the clear.
With the DNS challenge, you don't have to open port 80 to the nodes at all. Should the company where your domain is hosted, not offer or be supported for the DNS challenge plugin, you could use CNAMEs to redirect to a different domain, that is located at a service provider with which the DNS challenge works. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_dns_validation_through_cname_alias
For example:
Code:
pvenode config set --acmedomain0 domain=mynode.mydomain.com,alias=otherdomain.comBut disabling https does sound like a bad idea as everything, passwords included will be transferred in the clear.
If no certificate is used, disable HTTPS and use HTTP to operate PVE. Is there any solution
It cannot be disabled. Talking HTTPS over port 8006 is the default and only option. If you remove the certificates, you will see errors and the pveproxy service should issue new self signed on the next boot or if the service gets restarted.
If you really want to use HTTP alone, you would have to set up a reverse proxy that proxies port 80 to 8006. But again, this is generally a bad idea!
But after using NGINX to set up a reverse proxy, logging in to PVE will prompt an error stating that I cannot log in to 403
i tried socat for http->https proxing
# socat TCP-LISTEN:8005,fork,reuseaddr ssl:localhost:8006,verify=0
then in browser:
http:/pve-ip:8005
you get to a login page, but after login it will fail as proxmox webinterface does:
PVEAuthCookie" wurde abgelehnt, weil ein Nicht-HTTPS-Cookie nicht als "secure" gesetzt werden kann. proxmoxlib.js:2285:61
"At least in Chromium-based browsers and in Firefox, it's no longer possible for a non-secure origin
so, without changing proxmox code, you will not be successful using proxmox webinterface via http
i tried to relax cookie settings in browser config, but have not been successful so far. maybe someone will find out how to tune the browserver for this...
https://bugzilla.mozilla.org/show_bug.cgi?id=1748693
# socat TCP-LISTEN:8005,fork,reuseaddr ssl:localhost:8006,verify=0
then in browser:
http:/pve-ip:8005
you get to a login page, but after login it will fail as proxmox webinterface does:
PVEAuthCookie" wurde abgelehnt, weil ein Nicht-HTTPS-Cookie nicht als "secure" gesetzt werden kann. proxmoxlib.js:2285:61
"At least in Chromium-based browsers and in Firefox, it's no longer possible for a non-secure origin
- to set cookies with a Secure flag, or
- to overwrite cookies whose Secure flag is true."
so, without changing proxmox code, you will not be successful using proxmox webinterface via http
i tried to relax cookie settings in browser config, but have not been successful so far. maybe someone will find out how to tune the browserver for this...
https://bugzilla.mozilla.org/show_bug.cgi?id=1748693
sounds like you didn't setup the proxy correctly? did you remember to set the proxy to not redirect to 443?
you will most likely get "Connection error 401: No ticket" after login because of the cookie issue explained above
thanks for explaining.
sounds like it will be easier for the OP to get a trusted cert and run over https (i am unclear why any org would prefer http if they care that much about the trusted cert). Unless the OP is the 'rogue IT guy' and doesn't have ability to buy a cert / prove he has anything to do with the DNS domain...?
This may sound a bit harsh, but ..... I've never worked in a firm with a domain controller and still have SSL for decades. You should read up on how a PKI works and build one. Companies without any PKI should not be able to do business in 2023. This is security 101 from the last millenium.
What has a domain controller got to do with certificates, and no one said you have to have all clients have a certificate. Also self signed won’t help you. Also http is insecure, https with an unknown certificate is waaay more secure. Either way use something like nginx proxy manager to front all servers and buy one wildcard cert from Comodo to install on the nginx server.
Thank you for sharing your experience and the workaround using socat for http to https proxying! Your detailed explanation and effort are greatly appreciated. It's valuable to know the limitations with cookie settings in browsers and the challenges with Proxmox web interface over http. Your insights will undoubtedly be helpful for others navigating similar issues. Much gratitude for contributing to the community knowledge pool!