[SOLVED] PVE Web Interface not recognizing PVEAuthCookie

ngschaider

New Member
May 14, 2021
Hello forums,

at first thanks to Proxmox for providing such a great product!

We are currently developing a software which acts as a kind of reverse proxy in front of the Proxmox VE Web Interface. The proxying is working perfectly, the UI can be accessed (including noVNC, etc.). The next step is to move the authentication from proxmox to the proxy. This means the proxy authenticates the user and before proxying the users' requests to proxmox it "injects" the PVEAuthCookie that the proxy got from the API.

This does not work yet! The web interface behaves like there was no cookie set!

When proxying the http request through Burp Suite I can clearly see a well-formed HTTP request with all needed headers being sent to the PVE interface, but the Interface still gives me a login form and works like there would be no cookie present.

For testing purposes I copy-pasted a valid cookie from a session where I logged in manually.

The http request I'm sending looks like this (I removed a portion of the cookie, even if it isn't valid anymore):

Code:
GET / HTTP/1.1
cookie: PVEAuthCookie=PVE%3Aroot@pam%3A609E2A9F%3A%3AkYpvXW[REDACTED]m1/7fEfS40lApmIwFVgybIJVjD/79r6CabPVhCABJ4BFaR3ccPRjImXRfz8rccX0/oA%3D%3D
cache-control: max-age=0
upgrade-insecure-requests: 1
Connection: close
Accept-Encoding: gzip, deflate
accept-language: de,en-US;q=0.7,en;q=0.3
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
host: pve.direct.example.com:8006

Is the cookie bound to a specific domain, request ip or something else?
How can I debug this? There is no info in /var/log/pveproxy/access.log other than a couple of "200 OK" requests (just like I didn't provide a cookie at all).

EDIT: I just discovered that the returned HTML actually includes the username (root@pam) and a CSRF prevention token (which is not included when not specifying the PVEAuthCookie). So why is the login form displayed?

Thanks in advance and best regards,
Niklas Gschaider
mhmm... the client itself checks if it has a cookie and displays the login mask if it does not have one, you'd probably have to patch that out, or set some bogus cookie
 
Hi Dominik,
thanks for your reply!

For some reason I did not think about the client looking for a ticket.
I got it running using your method of adding a bogus cookie! I really didn't want to patch pve because of updates possibly overriding the changes.

Here is how the data flow basically works:

Browser makes a request to pve.example.com
Proxy sets the Cookie header to the correct value ("PVEAuthCookie=...")
Proxy proxies the request to PVE
Proxy receives the response from PVE
If the requested Path was "/" then it adds an extra Set-Cookie header of value "PVEAuthCookie=ProxyWillChangeThis"
Proxy sends the request to the client.

By the time the client-side JavaScript is loaded the Set-Cookie header already got evaluated and the cookie got set by the browser.
This will make the frontend think it is logged in and the server also gets the real ticket because the proxy will change the cookie value.

Thanks for helping me out!

Best regards,
Niklas Gschaider
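The flow described in the post above, as an added example written for this thread (not code from the posters or from Proxmox): a Go reverse proxy built on net/http/httputil that overwrites the Cookie header with the real ticket on the way in and adds the placeholder Set-Cookie on the way out for "/" only. The PVE target URL, the PVE_TICKET environment variable and the listen port are assumptions; obtaining the real ticket from the PVE API and binding it to the authenticated user's session is left to the caller.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// Placeholder handed to the browser so the PVE client-side JavaScript finds a
// PVEAuthCookie and skips the login mask (value taken from the post above).
const bogusCookie = "PVEAuthCookie=ProxyWillChangeThis"

// NewPVEProxy wires up the flow from the post. target is the PVE backend;
// ticket is the real PVEAuthCookie value, already percent-encoded as it
// appears in the request earlier in the thread. How the proxy authenticates
// the user and obtains that ticket is assumed to be the caller's job.
func NewPVEProxy(target *url.URL, ticket string) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = target.Host
		// Step 2: overwrite whatever the browser sent (including the
		// placeholder) with the real ticket, so only the proxy ever holds it.
		r.Header.Set("Cookie", "PVEAuthCookie="+ticket)
	}
	rp.ModifyResponse = func(resp *http.Response) error {
		// Step 5: only on the initial page load ("/") add the placeholder.
		// Deliberately not HttpOnly: the frontend JS has to be able to read
		// it to believe it is logged in; it never reaches pveproxy anyway.
		if resp.Request.URL.Path == "/" {
			resp.Header.Add("Set-Cookie", bogusCookie+"; Path=/")
		}
		return nil
	}
	return rp
}

func main() {
	// Assumed deployment values; PVE_TICKET holds the real, encoded ticket.
	target, err := url.Parse("https://pve.direct.example.com:8006")
	if err != nil {
		log.Fatal(err)
	}
	// A real deployment also needs a Transport that trusts the PVE certificate.
	log.Fatal(http.ListenAndServe(":8080", NewPVEProxy(target, os.Getenv("PVE_TICKET"))))
}
```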
 
