PBS Access Segmentation

liptech

Hello everybody

I have a Proxmox Backup Server with two network interfaces:
  • One network dedicated to backup traffic
  • Another separate network for administrative access (Web GUI)
I would like to configure PBS so that:
  • The backup interface listens only for backup traffic (proxmox-backup-client, Proxmox VE, etc.)
  • The admin interface listens only for the web GUI
Additionally, I want to separate the ports:
  • Port 8443 for the Web GUI
  • Port 8007 for backup traffic
I have found that the pbsproxy and proxmox-backup-api services can be configured using systemd overrides by changing the -l (bind) parameter.
Is this approach officially supported? Does Proxmox have any recommendations for this kind of setup?
Thank you.
 
Is this approach officially supported? Does Proxmox have any recommendations for this kind of setup?
No, it's not really supported, as the administration API and the backup API are the same thing.
The two daemons are for privilege separation, where the one that just listens on a local address is doing all root operations (not that many, but things like the disk management API) and the proxy is doing the rest and proxies connections transparently to the privileged daemon when needed.

The main question is: For what reason would you like to make such a split? What do you want to solve?
 
No, it's not really supported, as the administration API and the backup API are the same thing.
The two daemons are for privilege separation, where the one that just listens on a local address is doing all root operations (not that many, but things like the disk management API) and the proxy is doing the rest and proxies connections transparently to the privileged daemon when needed.

The main question is: For what reason would you like to make such a split? What do you want to solve?
Objective:
Prevent users from using the PBS management address (http://pbs:8007) to connect Proxmox VE nodes. This interface must be used exclusively for administrative purposes.
And have an interface dedicated solely to backup operations.
For security reasons too.