Hello forums,
First of all, thanks to Proxmox for providing such a great product!
We are currently developing a software which acts as a kind of reverse proxy in front of the Proxmox VE Web Interface. The proxying is working perfectly, the UI can be accessed (including noVNC, etc.). The next step is to move the authentication from Proxmox to the proxy. This means the proxy authenticates the user and, before proxying the user's requests to Proxmox, it "injects" the PVEAuthCookie that the proxy got from the API.
This does not work yet! The web interface behaves as if there was no cookie set!
When proxying the HTTP request through Burp Suite I can clearly see a well-formed HTTP request with all needed headers being sent to the PVE interface, but the interface still gives me a login form and works as if there were no cookie present.
For testing purposes I copy-pasted a valid cookie from a session where I logged in manually.
The HTTP request I'm sending looks like this (I removed a portion of the cookie, even if it isn't valid anymore):
Code:
GET / HTTP/1.1
cookie: PVEAuthCookie=PVE%3Aroot@pam%3A609E2A9F%3A%3AkYpvXW[REDACTED]m1/7fEfS40lApmIwFVgybIJVjD/79r6CabPVhCABJ4BFaR3ccPRjImXRfz8rccX0/oA%3D%3D
cache-control: max-age=0
upgrade-insecure-requests: 1
Connection: close
Accept-Encoding: gzip, deflate
accept-language: de,en-US;q=0.7,en;q=0.3
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
host: pve.direct.example.com:8006
Is the cookie bound to a specific domain, request IP or something else?
How can I debug this? There is no info in /var/log/pveproxy/access.log other than a couple of "200 OK" requests (just like I didn't provide a cookie at all).
EDIT: I just discovered that the returned HTML actually includes the username (root@pam) and a CSRF prevention token (which is not included when not specifying the PVEAuthCookie). So why is the login form displayed?
Thanks in advance and best regards,
Niklas Gschaider
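Added example, not part of the original post and not Proxmox code: a check a proxy could run on the cookie value before injecting it, to rule out a stale, truncated or doubly encoded ticket. The field layout is read off the cookie shown in the post (hex field taken as a Unix timestamp); `inspect_ticket`, `SAMPLE` and the two-hour lifetime are assumptions, and the signature itself can only be verified by the PVE host.

```python
import base64
from urllib.parse import unquote

# Assumption: ticket lifetime in seconds; adjust to what your PVE version enforces.
ASSUMED_LIFETIME_S = 2 * 60 * 60

# Constructed sample: same layout as the cookie in the post, made-up signature.
SAMPLE = "PVE%3Aroot@pam%3A609E2A9F%3A%3AQ09OU1RSVUNURUQ%3D"


def inspect_ticket(cookie_value, now, lifetime=ASSUMED_LIFETIME_S):
    """Return (fields, problems) for a PVEAuthCookie value as sent on the wire."""
    problems = []
    if "%25" in cookie_value:
        # A proxy that encodes an already-encoded value turns %3A into %253A.
        problems.append("double URL-encoded")
    parts = unquote(cookie_value).split(":", 4)
    if len(parts) != 5 or parts[0] != "PVE" or parts[3] != "":
        return None, problems + ["unexpected layout, want PVE:user:hex-time::sig"]
    user, ts_hex, sig = parts[1], parts[2], parts[4]
    try:
        issued = int(ts_hex, 16)
    except ValueError:
        return None, problems + ["time field is not hexadecimal"]
    age = now - issued
    if age < 0:
        problems.append("issued in the future, check clock skew")
    elif age > lifetime:
        problems.append(f"expired, {age} s old")
    try:
        # Shape check only: the proxy has no key to verify the signature.
        base64.b64decode(sig, validate=True)
    except ValueError:
        problems.append("signature is not valid base64, value truncated or mangled")
    return {"user": user, "issued": issued, "age": age}, problems


if __name__ == "__main__":
    import time
    print(inspect_ticket(SAMPLE, now=int(time.time())))
```
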