PVE logs and Proxy Server

fdm91

New Member
May 25, 2023
1
0
1
Hi all!

I have a Proxmox Virtual Environment installed at home in order to manage some VMs for my private network. In order to see and manage VMs remotely, I configured a virtual host on another machine through apache that redirects all traffic to proxmox.mydomain.com.
Now come some security concerns:

1. Because of the apache proxy, every failed login attempt in the /var/log/daemon.log is logged using the internal proxy IP, instead of the real client IP. I red a lot of documentation talking about using X-Forwarded-For headers and mod_remoteip, but all this kind of stuff should be configured on the pveproxy.conf that is not a "real" webserver (like apache, nginx, etc) so I really don't know where to put my hands on.

2. Also, if I have success logging the correct IPs, I'd like to mount the /var/log/ folder on the proxyserver and configure fail2ban in order to block repeatedly wrong login attempts. Now, I cannot do it because every failed attempt is logged as my proxy IP, so obviously it cannot ban itself.

Anyway, for security reasons, since day one I already disabled root login through web interface and protected my account with 2FA.

Do you have any idea? I tried to find someone with my same problem but didn't find anything. Also, I tried to ask chatgpt hoping it was "better than me" in searching online, but without any luck.

Thanks in advance for every reply to my doubts.
 
Hi, all
Reopen this thread :)
With this configuration proxmox not reveal correct ip becouse not receive Apache Packet from mod_remoteip to allow this function you will mod " /usr/share/perl5/PVE/APIServer/AnyEvent.pm" and add this:

if ($request->header('X-Forwarded-For')) {
$reqstate->{peer_host} = $request->header('X-Forwarded-For');
}

from line 1483.

With this modify proxmox reveal correct ip but with this fail2ban config not detect failed login attept and i not know the reason.

Thanks for any help
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!