Proxmox management behind reverse Proxy

Glowsome

As the separate threads were a bit unclear to me, I'm just posting this here (even though it's not mostly a Proxmox config/install issue).

My setup is as follows:

- a Micro Focus (formerly NetIQ/Novell) Access Manager reverse proxy with authorisation and authentication capabilities.

The idea is to unlock/disclose the Proxmox management portal through this, meaning:

- after authenticating with the reverse proxy (if from the internet, via 2nd factor), SSO login to the Proxmox management portal.

For this I require information to find out other means than a simple form fill from Access Manager, as I'm assuming the sign-in form itself has randomised names to stop brute-forcing.

So:

- does Proxmox management cope with header injection/authentication?
- does it maybe even support SAML(2) authentication or other forms of federating?

If not, assuming as said above that the login form name is randomised to block brute-forcing, can it be disabled so that a rudimentary form fill with a 'static' form name can be used?

I hope you can shed some light on this.

- Glowsome
 
It uses an auth cookie (PVEAuthCookie) that's generated by the server. I assume it's a session cookie, since if I close and reopen my browser, I have to log in again.

They also have a cross-site prevention token (CSRFPreventionToken), but I'm not exactly sure why it's necessary. Their API provides a means to get a token and use that token for future requests, but I'm not sure if it would be usable on the proxy.

I've been thinking about this as well. I would actually like the manager to be generalized and not care which server it's querying if you're in a cluster. To that end, it's on my list of things to do to figure out how to availability balance between the servers using HAProxy. My guess is I'd have to write something to make that work. Their backend DOES provide direct PAM authentication, though, so you could do some monkeying around with sssd + some SAML backend, but you'd still have to get the token through.

I'm pretty sure the easiest way to do this would be to extend the manager interface and deal with the SAML token. Provided your device will pass that through.
 

Thanks for your reply, I'll have to investigate further, but this means fiddling in code... and looking at upgrades and stuff, that wouldn't be the wisest thing, so I'll have to start looking for structure and how-tos on this first...
...and I'm not the best at programming/creating this kind of stuff.

I did hope there was like an 'off-switch' for the randomisation of the login form, as from that part I can easily create the form fill (as the Proxmox management (and the entire box and guests) are on a private network anyway)...
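
The PVEAuthCookie and CSRFPreventionToken mentioned in the reply above can be handled on the proxy side roughly as follows. This is an added example, not code from the thread or from Proxmox: the function names and sample values are constructed, and the `/api2/json/access/ticket` endpoint, the ticket layout and the two-hour lifetime are assumptions about the Proxmox API that the thread itself does not state.

```python
import json

TICKET_LIFETIME = 2 * 60 * 60          # assumption: PVE tickets expire after two hours
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample of the JSON body returned by POST /api2/json/access/ticket.
SAMPLE_RESPONSE = json.dumps({"data": {
    "username": "sso-user@pam",
    "ticket": "PVE:sso-user@pam:65A0C000::c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
    "CSRFPreventionToken": "65A0C000:Y3NyZi1wbGFjZWhvbGRlcg",
}})


def parse_ticket_response(body):
    """Extract ticket, CSRF token and issue time from the login response."""
    data = json.loads(body)["data"]
    # Assumed ticket layout: PVE:<user@realm>:<hex issue time>::<signature>
    prefix, user, issued_hex, _sig = data["ticket"].split(":", 3)
    if prefix != "PVE" or user != data["username"]:
        raise ValueError("ticket does not match the authenticated user")
    return {"user": user, "ticket": data["ticket"],
            "csrf": data["CSRFPreventionToken"], "issued": int(issued_hex, 16)}


def backend_headers(client_headers, session, method, now):
    """Headers the proxy sends to Proxmox; None means the ticket must be renewed."""
    if not 0 <= now - session["issued"] < TICKET_LIFETIME:
        return None
    # Drop the client's Cookie and CSRF headers entirely: only the proxy may
    # supply the auth cookie and the CSRF token to the backend.
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in ("cookie", "csrfpreventiontoken")}
    headers["Cookie"] = "PVEAuthCookie=" + session["ticket"]
    # The CSRF token is only attached to state-changing requests.
    if method.upper() in WRITE_METHODS:
        headers["CSRFPreventionToken"] = session["csrf"]
    return headers
```

The proxy would keep one such session per authenticated user and request a fresh ticket whenever `backend_headers` returns `None`.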
 
