Proxmox and letsencrypt

Guy

I've been using Let's Encrypt since its beginning (which isn't saying too much, it's still very young). I have also been creating and installing the certs on my Proxmox system manually, so when they included the options to automate this I was very excited. However... there is no way on earth I'm exposing my Proxmox nodes to the internet; they are running internal services. This presents a problem. I want the automation but I'm concerned about the security.

I have a subdomain of my public DNS for my internal systems (.int...). So my solution is this:

Create entries in my public DNS for all my Proxmox nodes, but pointing to a single internet-routable IP address. This IP terminates on my firewall and NATs to a small VM (in fact it's a Docker image) running nginx.

Inside this nginx I have configured it to simply take a specific set of server names (the Proxmox names) and proxy port 80 traffic for /.well-known/ onto the correct Proxmox node.

Thus I can use the automation inside Proxmox to generate my certs, and I'm still protecting my Proxmox systems by only exposing the /.well-known/ path on port 80 to the internet via my nginx proxy.

Maybe I'm a little too paranoid, but just because I'm paranoid doesn't mean people aren't out to get my systems :)

In case you're interested, here's a snippet from the nginx config which handles the proxying:

Code:
server {
    listen 80;
    # $THIS_HOST and ${TLD} are template placeholders, assumed to be substituted
    # (e.g. by envsubst) before nginx starts; the dot is escaped so it only matches a literal dot
    server_name ~^$THIS_HOST\.${TLD}$;
    # only the ACME path is forwarded; the proxied name must resolve to the node's
    # internal address from inside the container, not back to the public IP
    location /.well-known/ {
        proxy_pass "http://$THIS_HOST.${TLD}/.well-known/";
    }
}
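A fuller version of the same idea, as an added example rather than the original poster's config: a default server that drops requests for any other host name, an explicit list of node names captured from the regex, and only the ACME HTTP-01 challenge path forwarded to the node. The node names, the domain and the internal resolver address are assumptions.

```nginx
# Added example, not the poster's configuration. Assumed: node names pve1..pve3
# under int.example.com, and an internal resolver at 10.0.0.53 that returns the
# nodes' private addresses (public DNS points the same names at the firewall).

# Catch-all: any host name not listed below has its connection closed.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    # Only the expected node names; the named capture is reused in proxy_pass.
    server_name ~^(?<node>pve1|pve2|pve3)\.int\.example\.com$;

    # Variables in proxy_pass need a resolver; use the internal one so the
    # name resolves to the node itself rather than back to this proxy.
    resolver 10.0.0.53 valid=30s;

    # Forward only the ACME challenge path; Proxmox's standalone ACME
    # listener answers it on port 80 of the node.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://$node.int.example.com$request_uri;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
    }

    # Everything else on port 80 is refused, even for a valid host name.
    location / {
        return 444;
    }
}
```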

We are planning on extending the ACME support in PVE to support other challenge types via a plugin system, including the DNS challenge type, which does not require exposing the nodes to the internet.
@fabian any timeframe on the DNS validation option? AWS/R53? Potentially support for wildcard certs?