Protect Proxmox Web Interface with a .htaccess

thierryForum

New Member
Feb 20, 2009
Hello to All,

I would like to add access protection to the Proxmox web interface (one more before the Proxmox login).

I tried to put a .htaccess like for all other web control, but without success...
I tried in "var/www" or in "/var/www/pve", and I changed the default "pve.conf" to have
"AllowOverride" set to AuthConfig in "/" or "pve/", but nothing...

Has anybody done this?

The reason is to protect the "know" of Proxmox from unwanted users...

Thanks a lot
 
Use a firewall before Proxmox VE to block unwanted access.
 
I've .htaccess ...

.htaccess is in /usr/share/pve-manager

and my /etc/apache2/sites-available/pve.conf looks like this:

Code:
<IfModule mpm_prefork_module>
    StartServers 2
    MinSpareServers 1 
    MaxSpareServers 2
    MaxClients          50
    MaxRequestsPerChild 30
</IfModule>

ServerName localhost
ServerSignature Off
ServerTokens Prod
ServerAdmin root 
AddDefaultCharset On

# Hint: Ajax use KeepAlive, which in effect disables MaxRequestsPerChild,
# so we need to disable KeepAlive to prevent exhaustive memory usage, or
# at least make sure that periodic updaters interval > KeepAliveTimeout 
KeepAlive Off

DocumentRoot /usr/share/pve-manager/root
<Directory />
    Options ExecCGI FollowSymLinks
    AllowOverride AuthConfig
</Directory>

<Directory /usr/share/pve-manager/root>
    Options FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

LogLevel warn

# do not log access to our ajax services
SetEnvIf Request_URI "^/ws/" dontlog

CustomLog /var/log/apache2/access.log combined env=!dontlog 

Alias /images/  /usr/share/pve-manager/images/
Alias /css/ /usr/share/pve-manager/css/
Alias /javascript/ /usr/share/javascript/
Alias /vncterm/ /usr/share/vncterm/
 
# avoid authentication when accessing favicon
Alias /favicon.ico /usr/share/pve-manager/images/favicon.ico

PerlModule Embperl
EMBPERL_SESSION_ARGS "config=DB_File Lock=Semaphore"

AddType text/html .epl

PerlRequire /usr/share/pve-manager/root/startup.pl

PerlSetVar PVESatisfy any        
PerlSetVar PVEPath /    
PerlSetVar PVELoginScript /login.pl

PerlTransHandler PVE::URLRewrite
    
Alias /nrd/ /__no_real_dir__/
 
<Directory "/usr/share/pve-manager/root">
      AuthType PVE::AuthCookieHandler
      AuthName PVE
      PerlSetVar PVECookieName PVEAuthCookie
      #PerlSetVar AuthCookieDebug 5

      PerlAuthenHandler PVE::AuthCookieHandler->authenticate
      PerlAuthzHandler PVE::AuthCookieHandler->authorize

      require group root

      DirectoryIndex index.htm index.pl

      <FilesMatch ".*\.htm$">
        EMBPERL_APPNAME PVE
        EMBPERL_SYNTAX EmbperlBlocks
        EMBPERL_OBJECT_BASE base.epl
        EMBPERL_INPUT_ESCMODE 0
        EMBPERL_ESCMODE 0
        SetHandler  perl-script
        PerlHandler Embperl::Object
        Options     ExecCGI
      </FilesMatch>
      <FilesMatch ".*\.epl$">
        Order allow,deny
        Deny From all
      </FilesMatch>
      <FilesMatch ".*\.pl$">
        SetHandler perl-script
        PerlHandler ModPerl::Registry
        Options +ExecCGI
      </FilesMatch>

</Directory>

<Location /nrd/LOGIN>
      AuthType PVE::AuthCookieHandler
      AuthName PVE
      PerlSetVar PVECookieName PVEAuthCookie
      #PerlSetVar AuthCookieDebug 5
      SetHandler perl-script
      PerlHandler PVE::AuthCookieHandler->login
</Location>

<Location /ws/>
      SetHandler perl-script
      PerlHandler $PVE::HTMLServices::Obj->handler
</Location>


<VirtualHost *:567>

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pve/pve-ssl.pem
    SSLCertificateKeyFile /etc/pve/pve-ssl.key

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

</VirtualHost>

#<VirtualHost *:80>
#    #RewriteLog "/root/rewrite.log"
#    #RewriteLogLevel 10
#    RewriteEngine on
#    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
#    RewriteRule .* - [F]
#    RewriteCond %{REQUEST_URI} !^/nrd/
#    RewriteCond %{REQUEST_URI} !^/images/
#    RewriteCond %{REQUEST_URI} !^/css/
#    RewriteCond %{REQUEST_URI} !^/javascript/
#    RewriteCond %{REQUEST_URI} !^/vncterm/
#    RewriteCond %{REQUEST_URI} !^/.*\.js$
#    RewriteCond %{REQUEST_URI} !^/login.pl$
#    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
#</VirtualHost>
 
Alternatively, you can just stop Apache on the host when you don't need the manager.
 
Edit /etc/apache2/sites-available/pve.conf
and change AllowOverride from None to Limit, then change Order from allow,deny to deny,allow. Then change allow from all to deny from all, and finally put in your IP range to allow (you can have multiple allows).

<Directory /usr/share/pve-manager/root>
    Options FollowSymLinks MultiViews
    AllowOverride Limit
    Order deny,allow
    deny from all
    allow from X.X.X.X/24
</Directory>
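
Added example, not part of the post above and not Proxmox or Apache code: a small Python model of how Apache 2.2 evaluates Order/Allow/Deny, showing why the Order flip and "deny from all" have to be changed together. The 192.0.2.0/24 range and the client addresses are constructed stand-ins for the post's X.X.X.X/24 placeholder.

```python
import ipaddress

def matches(client, specs):
    """True if the client IP falls inside any spec ('all' or an IP/CIDR)."""
    ip = ipaddress.ip_address(client)
    return any(
        s.lower() == "all" or ip in ipaddress.ip_network(s, strict=False)
        for s in specs
    )

def is_allowed(client, order, allow=(), deny=()):
    """Model of Apache 2.2 Order/Allow/Deny evaluation for one client IP."""
    hit_allow, hit_deny = matches(client, allow), matches(client, deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":   # default deny; a Deny match beats an Allow match
        return hit_allow and not hit_deny
    if order == "deny,allow":   # default allow; an Allow match beats a Deny match
        return hit_allow or not hit_deny
    raise ValueError(f"unknown Order value: {order!r}")

# Constructed stand-in for the post's X.X.X.X/24 placeholder (documentation range).
ADMIN_NET = "192.0.2.0/24"

CONFIGS = {
    # <Directory> block as posted earlier in the thread: everyone is allowed
    "original": dict(order="allow,deny", allow=["all"], deny=[]),
    # all three changes from the post applied
    "restricted": dict(order="deny,allow", allow=[ADMIN_NET], deny=["all"]),
    # Order left at allow,deny: 'deny from all' wins, admins are locked out too
    "order_not_flipped": dict(order="allow,deny", allow=[ADMIN_NET], deny=["all"]),
    # 'deny from all' forgotten: deny,allow defaults to allow, so it fails open
    "deny_all_missing": dict(order="deny,allow", allow=[ADMIN_NET], deny=[]),
}

def audit(clients):
    """Return {config name: {client: allowed?}} for every config above."""
    return {
        name: {c: is_allowed(c, **cfg) for c in clients}
        for name, cfg in CONFIGS.items()
    }

if __name__ == "__main__":
    # Constructed clients: one inside the admin range, one outside it.
    for name, result in audit(["192.0.2.10", "203.0.113.7"]).items():
        print(f"{name:18} {result}")
```

The "deny_all_missing" case is the one to check for after editing pve.conf: the interface still works for administrators, so nothing looks wrong, yet every other address is allowed as well.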
 
See 'man pveproxy'.
 
I have some similar problems.

I don't want customers to be able to see the login screen at host:8006, but I want them to be able to use their consoles.
Consoles need 8006 and 5900:5999 to work.

If I use pveproxy access lists, as described in the man page, I can effectively control access. Login is not visible, but consoles can't work.

It's like impossible to give the world console access but not the login screen.

I don't see any workaround without the need for other software to be installed.

Am I wrong?
 
