Preventing Access to GUI

[Ben McGuire]

Hello

We need to find a way to prevent public from accessing the Proxmox GUI however we are prevented from doing so because of a modulesgarden auto provisioning module we use for WHMCS. Normally we would simply prevent access via IP using the firewall but considering the module need access via port 8006 we are finding it difficult.

We have tried to only allow from the WHMCS server IP and our own VPN IP but when customers try and use the noVNC console they receive an error and cannot access the noVNC console

We need to know if there are other Ports being used and/or what would you recommend so that we can prevent the public from begin able to access/browse to the Proxmox GUI.

Another questions - when customers access the noVNC console via their customer portal are they using the WHMCS IP address or their own in respect of being the source of traffic to the proxmox host.

Does anyone have any advice on preventing and securing public access to the proxmox gui?

We have emailed the modules creator and are waiting for their response regarding the ports that the module uses. I think it just uses port 8006 as the setup requires us to setup and server in WHMCS and we need to enter the root info as well as the port 8006.

I am eagerly awaiting your response and advice

 

[duelle]

One thing I do occasionally is to completely block the WebGUI port from the outside and tunnel it via SSH.
To do so you have to have SSH access to the proxmox machine.

Now you use SSH to tunnel the port to your local machine:
ssh -L 8006:<machine-ip>:8006 -N <youruser>@<machine-ip>
This creates a SSH-tunnel making the port 8006 on the remote machine available on port 8006 on your local machine. This command leaves the SSH process in the foreground so you can easily see its output (e.g., if it fails).

Then you can open the WebGUI using https://localhost:8006

 

[Ben McGuire]

One thing I do occasionally is to completely block the WebGUI port from the outside and tunnel it via SSH.
To do so you have to have SSH access to the proxmox machine.

Now you use SSH to tunnel the port to your local machine:
ssh -L 8006:<machine-ip>:8006 -N <youruser>@<machine-ip>
This creates a SSH-tunnel making the port 8006 on the remote machine available on port 8006 on your local machine. This command leaves the SSH process in the foreground so you can easily see its output (e.g., if it fails).

Then you can open the WebGUI using https://localhost:8006

Thank you for you reply.

We have many ways of blocking access to the GUI however, this issue is that we still need everyone to be able to access via the Proxmox API on port 8006 as we use a WHMCS module that requires this. Is there anyway to restrict the GUI and still allow all to access the API over port 8006?

One thing we tried is we have nginx installed and we setup and proxy from 8006 to 443 and blocking access to the GUI via
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

Even if we allow our own IP this still blocks the traffic that the public needs when they use the WHMCS module. This is the module
http://www.modulesgarden.com/products/whmcs/proxmox_vps/features

The provisioning module we can restrict via our WHMCS IP address however the module also has the feature to allow customers to access thier VM via a noVNC console and this connection is done from their own IP over 8006 and not the WHMCS IP so firewall and IP restriction rules do not work.

Is there a way to block access to the GUI page and still allow access to the proxmox API?

 

[CCUK]

Quite an old thread, but I'm interested in the same thing. Was there ever a solution to this?

 

[ruysilva]

Just to check if anyone has got a solution for this.

 

[TG4FOSS]

Yes. See this documentation page, from a discussion in this thread.