PVE GUI only listen to localhost not working

[Retuas]

Good morning,

i wanted to secure my pve gui by only allowing it to listen on 127.0.0.1 so that i need to local forward 8006 on a computer in order to access the web interface. I found a thread where someone (ok, many threads) described to just do this:

/etc/default/pveproxy:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

I restartet the service, and even did a complete reboot of my machine but im still able to access the ui via the internet. Does anybody know a solution for this?

 

[oguz]

hi,

you need to create an nginx reverse proxy, check this article[0] (it is for PVE 3.0 but the process should be the same with some small differences in the commands, like instead of /etc/init.d you will use systemctl to restart service)

[0]: https://www.iezzi.ch/proxmox-ve-restricting-web-ui-access/

 

[Retuas]

hi,

you need to create an nginx reverse proxy, check this article[0] (it is for PVE 3.0 but the process should be the same with some small differences in the commands, like instead of /etc/init.d you will use systemct to restart service)

[0]: https://www.iezzi.ch/proxmox-ve-restricting-web-ui-access/

Nope. I dont. This tutorial if for making the ui alailable via https:// on default port 443. But i dont want it to be accessible from the internet.

 

[t.lamprecht]

Hi.

Yes this is documented and should work:
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_pveproxy_proxmox_ve_api_proxy_daemon

Can you check /var/log/pveproxy/access.log for the requests you tested with, to check what the services sees as address ?

 

[t.lamprecht]

Just retested here, using the following for /etc/default/pveproxy:

ALLOW_FROM="127.0.0.1,192.168.16.38"
DENY_FROM="all"
POLICY="allow"

Then: systemctl restart pveproxy.service

I can connect over 192.168.16.38 but not from any other, e.g., 192.168.16.74

 

[Retuas]

Just retested here, using the following for /etc/default/pveproxy:

ALLOW_FROM="127.0.0.1,192.168.16.38"
DENY_FROM="all"
POLICY="allow"

Then: systemctl restart pveproxy.service

I can connect over 192.168.16.38 but not from any other, e.g., 192.168.16.74

Thats exactly what i've did. I checked everything again and its not working. My server is hostet in a external data center with external ip address of course. Now im trying to connect to the ui (to test if its still available) from my houses internet access. And its still available and i see my own public IP address in the access.log too.


::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET / HTTP/1.1" 200 798
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all.css HTTP/1.1" 200 68
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/crisp/resources/charts-all.css HTTP/1.1" 200 995
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/fa/css/font-awesome.css HTTP/1.1" 200 7289
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pwt/css/ext6-pmx.css?ver=2.2-1 HTTP/1.1" 200 179
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all_2.css HTTP/1.1" 200 5208
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/css/ext6-pve.css?ver=6.2-4 HTTP/1.1" 200 3044
::ffff:80.138.XXX.XXX - - [22/05/2020:16:45:42 +0200] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all_1.css HTTP/1.1" 200 33744

 

[Retuas]

Something new here? Do i really have to buy support for my private virt host which wont accept this settings?

This Issue is nothing special i think: https://forum.proxmox.com/threads/pveproxy-rules-are-ignored.55137/

 

[oguz]

Something new here? Do i really have to buy support for my private virt host which wont accept this settings?

This Issue is nothing special i think: https://forum.proxmox.com/threads/pveproxy-rules-are-ignored.55137/

it's working here...

can you post your /etc/network/interfaces and /etc/hosts files? (redact your public IP address)

 

[josecruzr]

Good morning,

i wanted to secure my pve gui by only allowing it to listen on 127.0.0.1 so that i need to local forward 8006 on a computer in order to access the web interface. I found a thread where someone (ok, many threads) described to just do this:

/etc/default/pveproxy:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

I restartet the service, and even did a complete reboot of my machine but im still able to access the ui via the internet. Does anybody know a solution for this?

Hello, for future references, actually it works fine just as you indicate creating the pveproxy file, I tried and I think the only detail you were missing it was when you type the address at browser for the very first time you must do it like this "https://127.0.0.1:8006" and it will work (cert warning of course), next time you can type just "127.0.0.1:8006" and will work, only if you clear the navigation data then you will have to include the "https://" again, so thank you for your initial post, it helped me...

 

[ams_tschoening]

I had the same problem because of a lack or permissions:

Jun 23 11:16:10 amsoft pveproxy[1791365]: bash: line 1: /etc/default/pveproxy: Permission denied

It seems that pveproxy actually runs as www-data and therefore simply needs permissions to read the created file. After changing that, the web-UI listens on the configured IP as expected by using LISTEN_IP.

 

[oguz]

I had the same problem because of a lack or permissions:



It seems that pveproxy actually runs as www-data and therefore simply needs permissions to read the created file. After changing that, the web-UI listens on the configured IP as expected by using LISTEN_IP.

thanks for the heads up

you can make the file world-readable: chmod 644 /etc/default/pveproxy

 

[t.lamprecht]

I had the same problem because of a lack or permissions:



It seems that pveproxy actually runs as www-data and therefore simply needs permissions to read the created file. After changing that, the web-UI listens on the configured IP as expected by using LISTEN_IP.

Files in /etc are mostly world readable by default though, especially with the default umask from Debian, so this isn't a general problem.