PVE GUI only listen to localhost not working

R

Retuas

Member
Aug 31, 2019
7
1
23
Good morning,

i wanted to secure my pve gui by only allowing it to listen on 127.0.0.1 so that i need to local forward 8006 on a computer in order to access the web interface. I found a thread where someone (ok, many threads) described to just do this:

/etc/default/pveproxy:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

I restartet the service, and even did a complete reboot of my machine but im still able to access the ui via the internet. Does anybody know a solution for this?
 
hi,

you need to create an nginx reverse proxy, check this article[0] (it is for PVE 3.0 but the process should be the same with some small differences in the commands, like instead of /etc/init.d you will use systemctl to restart service)

[0]: https://www.iezzi.ch/proxmox-ve-restricting-web-ui-access/
 
Last edited:
oguz said:
hi,

you need to create an nginx reverse proxy, check this article[0] (it is for PVE 3.0 but the process should be the same with some small differences in the commands, like instead of /etc/init.d you will use systemct to restart service)

[0]: https://www.iezzi.ch/proxmox-ve-restricting-web-ui-access/
Click to expand...

Nope. I dont. This tutorial if for making the ui alailable via https:// on default port 443. But i dont want it to be accessible from the internet.
 
Just retested here, using the following for /etc/default/pveproxy:
Bash: 
ALLOW_FROM="127.0.0.1,192.168.16.38"
DENY_FROM="all"
POLICY="allow"

Then: systemctl restart pveproxy.service

I can connect over 192.168.16.38 but not from any other, e.g., 192.168.16.74
 
t.lamprecht said:
Just retested here, using the following for /etc/default/pveproxy:
Bash: 
ALLOW_FROM="127.0.0.1,192.168.16.38"
DENY_FROM="all"
POLICY="allow"

Then: systemctl restart pveproxy.service

I can connect over 192.168.16.38 but not from any other, e.g., 192.168.16.74
Click to expand...

Thats exactly what i've did. I checked everything again and its not working. My server is hostet in a external data center with external ip address of course. Now im trying to connect to the ui (to test if its still available) from my houses internet access. And its still available and i see my own public IP address in the access.log too.


::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET / HTTP/1.1" 200 798
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all.css HTTP/1.1" 200 68
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/crisp/resources/charts-all.css HTTP/1.1" 200 995
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/fa/css/font-awesome.css HTTP/1.1" 200 7289
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pwt/css/ext6-pmx.css?ver=2.2-1 HTTP/1.1" 200 179
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all_2.css HTTP/1.1" 200 5208
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/css/ext6-pve.css?ver=6.2-4 HTTP/1.1" 200 3044
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all_1.css HTTP/1.1" 200 33744
 
Retuas said:
Good morning,

i wanted to secure my pve gui by only allowing it to listen on 127.0.0.1 so that i need to local forward 8006 on a computer in order to access the web interface. I found a thread where someone (ok, many threads) described to just do this:

/etc/default/pveproxy:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

I restartet the service, and even did a complete reboot of my machine but im still able to access the ui via the internet. Does anybody know a solution for this?
Click to expand...
Hello, for future references, actually it works fine just as you indicate creating the pveproxy file, I tried and I think the only detail you were missing it was when you type the address at browser for the very first time you must do it like this "https://127.0.0.1:8006" and it will work (cert warning of course), next time you can type just "127.0.0.1:8006" and will work, only if you clear the navigation data then you will have to include the "https://" again, so thank you for your initial post, it helped me...
 
I had the same problem because of a lack or permissions:

Jun 23 11:16:10 amsoft pveproxy[1791365]: bash: line 1: /etc/default/pveproxy: Permission denied
Click to expand...

It seems that pveproxy actually runs as www-data and therefore simply needs permissions to read the created file. After changing that, the web-UI listens on the configured IP as expected by using LISTEN_IP.
 
ams_tschoening said:
I had the same problem because of a lack or permissions:



It seems that pveproxy actually runs as www-data and therefore simply needs permissions to read the created file. After changing that, the web-UI listens on the configured IP as expected by using LISTEN_IP.
Click to expand...

thanks for the heads up

you can make the file world-readable: chmod 644 /etc/default/pveproxy
 
ams_tschoening said:
I had the same problem because of a lack or permissions:



It seems that pveproxy actually runs as www-data and therefore simply needs permissions to read the created file. After changing that, the web-UI listens on the configured IP as expected by using LISTEN_IP.
Click to expand...
Files in /etc are mostly world readable by default though, especially with the default umask from Debian, so this isn't a general problem.
 
  • Like
Reactions: oguz
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back