May I ask how I can change the HTTPS access of PVE to HTTP

ggea

New Member
Jun 28, 2023
29
1
3
Due to business requirements, I am currently using PVE8.0 and cannot use untrusted certificates. I want to change the default HTTPS access method for PVE to HTTP. May I ask where there are parameters that can be modified? Thank you all
 
May I ask where there are parameters that can be modified?
It can't be modified.

Due to business requirements, I am currently using PVE8.0 and cannot use untrusted certificates.
Requirements that prohibit from using untrusted certificates but allow unencrypted traffic? Sounds very weird to me. Why don't you just use trusted certificates?
 
Because there is no domain controller on the intranet, I cannot have all PCs install my intranet self signed certificate. Why can we use HTTP? It's because the front-end cannot nest the console using insecure HTTPS, but using HTTP is possible. So I'm thinking about how to change the HTTPS access method to HTTP.

It can't be modified.


Requirements that prohibit from using untrusted certificates but allow unencrypted traffic? Sounds very weird to me. Why don't you just use trusted certificates?
 
Well, you could either set up a bough certificate manually or use LetsEncrypt to auto generate the certificates. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

With the DNS challenge, you don't have to open port 80 to the nodes at all. Should the company where your domain is hosted, not offer or be supported for the DNS challenge plugin, you could use CNAMEs to redirect to a different domain, that is located at a service provider with which the DNS challenge works. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_dns_validation_through_cname_alias
For example:
Code:
pvenode config set --acmedomain0 domain=mynode.mydomain.com,alias=otherdomain.com

But disabling https does sound like a bad idea as everything, passwords included will be transferred in the clear.
 
  • Like
Reactions: G0ldmember
Well, you could either set up a bough certificate manually or use LetsEncrypt to auto generate the certificates. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

With the DNS challenge, you don't have to open port 80 to the nodes at all. Should the company where your domain is hosted, not offer or be supported for the DNS challenge plugin, you could use CNAMEs to redirect to a different domain, that is located at a service provider with which the DNS challenge works. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_dns_validation_through_cname_alias
For example:
Code:
pvenode config set --acmedomain0 domain=mynode.mydomain.com,alias=otherdomain.com

But disabling https does sound like a bad idea as everything, passwords included will be transferred in the clear.
If no certificate is used, disable HTTPS and use HTTP to operate PVE. Is there any solution
 
If no certificate is used, disable HTTPS and use HTTP to operate PVE. Is there any solution
It cannot be disabled. Talking HTTPS over port 8006 is the default and only option. If you remove the certificates, you will see errors and the pveproxy service should issue new self signed on the next boot or if the service gets restarted.

If you really want to use HTTP alone, you would have to set up a reverse proxy that proxies port 80 to 8006. But again, this is generally a bad idea!
 
It cannot be disabled. Talking HTTPS over port 8006 is the default and only option. If you remove the certificates, you will see errors and the pveproxy service should issue new self signed on the next boot or if the service gets restarted.

If you really want to use HTTP alone, you would have to set up a reverse proxy that proxies port 80 to 8006. But again, this is generally a bad idea!
But after using NGINX to set up a reverse proxy, logging in to PVE will prompt an error stating that I cannot log in to 403
 
What am I missing, just issue the proxmox hosts trusted certificates. You really really don’t want to switch to http, that’s incredibly insecure.
 
i tried socat for http->https proxing

# socat TCP-LISTEN:8005,fork,reuseaddr ssl:localhost:8006,verify=0

then in browser:

http:/pve-ip:8005

you get to a login page, but after login it will fail as proxmox webinterface does:

PVEAuthCookie" wurde abgelehnt, weil ein Nicht-HTTPS-Cookie nicht als "secure" gesetzt werden kann. proxmoxlib.js:2285:61

"At least in Chromium-based browsers and in Firefox, it's no longer possible for a non-secure origin
  • to set cookies with a Secure flag, or
  • to overwrite cookies whose Secure flag is true."

so, without changing proxmox code, you will not be successful using proxmox webinterface via http

i tried to relax cookie settings in browser config, but have not been successful so far. maybe someone will find out how to tune the browserver for this...

https://bugzilla.mozilla.org/show_bug.cgi?id=1748693
 
  • Like
Reactions: _gabriel
But after using NGINX to set up a reverse proxy, logging in to PVE will prompt an error stating that I cannot log in to 403
sounds like you didn't setup the proxy correctly? did you remember to set the proxy to not redirect to 443?
 
you will most likely get "Connection error 401: No ticket" after login because of the cookie issue explained above
thanks for explaining.

sounds like it will be easier for the OP to get a trusted cert and run over https (i am unclear why any org would prefer http if they care that much about the trusted cert). Unless the OP is the 'rogue IT guy' and doesn't have ability to buy a cert / prove he has anything to do with the DNS domain...?
 
Because there is no domain controller on the intranet, I cannot have all PCs install my intranet self signed certificate.
This may sound a bit harsh, but ..... I've never worked in a firm with a domain controller and still have SSL for decades. You should read up on how a PKI works and build one. Companies without any PKI should not be able to do business in 2023. This is security 101 from the last millenium.
 
Because there is no domain controller on the intranet, I cannot have all PCs install my intranet self signed certificate. Why can we use HTTP? It's because the front-end cannot nest the console using insecure HTTPS, but using HTTP is possible.
What has a domain controller got to do with certificates, and no one said you have to have all clients have a certificate. Also self signed won’t help you. Also http is insecure, https with an unknown certificate is waaay more secure. Either way use something like nginx proxy manager to front all servers and buy one wildcard cert from Comodo to install on the nginx server.
 
i tried socat for http->https proxing

# socat TCP-LISTEN:8005,fork,reuseaddr ssl:localhost:8006,verify=0

then in browser:

http:/pve-ip:8005

you get to a login page, but after login it will fail as proxmox webinterface does:

PVEAuthCookie" wurde abgelehnt, weil ein Nicht-HTTPS-Cookie nicht als "secure" gesetzt werden kann. proxmoxlib.js:2285:61

"At least in Chromium-based browsers and in Firefox, it's no longer possible for a non-secure origin
  • to set cookies with a Secure flag, or
  • to overwrite cookies whose Secure flag is true."

so, without changing proxmox code, you will not be successful using proxmox webinterface via http

i tried to relax cookie settings in browser config, but have not been successful so far. maybe someone will find out how to tune the browserver for this...

https://bugzilla.mozilla.org/ativador pacote office.cgi?id=1748693
Thank you for sharing your experience and the workaround using socat for http to https proxying! Your detailed explanation and effort are greatly appreciated. It's valuable to know the limitations with cookie settings in browsers and the challenges with Proxmox web interface over http. Your insights will undoubtedly be helpful for others navigating similar issues. Much gratitude for contributing to the community knowledge pool!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!