pveproxy LISTEN address

Idar Lund

Member
Jan 26, 2016
Hi,

I have several ethernet interfaces. To secure Proxmox webgui I want it to only listen on one of them.
When checking netstat, I can see that it's listening on 0.0.0.0 (all) interfaces:
Code:
root@pve:~# netstat -lntp|grep 8006
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      6629/pveproxy

Checked man pveproxy and found the following:
HOST BASED ACCESS CONTROL
It is possible to configure “apache2”-like access control lists. Values are read from file /etc/default/pveproxy. For example:

ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"

This probably denies requests from IPs not in the ALLOW_FROM, but this is dependent on security measures within the pveproxy application. I want to filter this on the OS level.

How can I make pveproxy LISTEN on only one interface/IP? Yes, I know I can use iptables, but I want it to LISTEN on only one interface.
 
Hi,

This setting is hardcoded and can't be easily changed.
You can only use iptables or use a reverse proxy in combination with the Allow_from rule.
 
With the implementation today we are totally dependent on the application withstanding attempted attacks. If the pveproxy application at some time in the future suffers from a vulnerability that can bypass this application security layer, we are at risk. It's good practice to have several layers of security. Being able to only listen on traffic from a specific interface/IP is crucial in such an approach.

What's the proper channel to request this as a new feature?
 
I agree 100%.

this is a major issue.
Additionally it has a second impact:

Using the community.general.proxmox dynamic inventory plugin results in an error,
because PVEPROXY gives back the interfaces in random order.

If login to the API is restricted to only one specific interface, you have to restart the Ansible playbook several times until it randomly gets the right interface.

BR TopperHarly
 
The feature request is now in production. Add LISTEN_IP=<your_IP> to /etc/default/pveproxy and restart pveproxy, i.e.:
Bash:
# append, so existing ALLOW_FROM/DENY_FROM/POLICY lines in the file are kept
echo 'LISTEN_IP=127.0.0.1' >> /etc/default/pveproxy
systemctl restart pveproxy

To check if it worked:
Bash:
netstat -lntp|grep 8006
 
Thank you for adding this feature! :D
In my case it would be great if the service could be configured to listen on multiple interfaces. Unfortunately, simply using e.g. 'LISTEN_IP=10.0.0.1,192.168.0.1' doesn't work. Any ideas if this is possible or potentially planned?
 
I don't know if that'll be added or not. However; you can just use a reverse proxy for that. Listen on loopback (127.0.0.1) device and put a reverse proxy on the interfaces you want to listen on the network.
 
I don't know if that'll be added or not. However; you can just use a reverse proxy for that. Listen on loopback (127.0.0.1) device and put a reverse proxy on the interfaces you want to listen on the network.
Interesting workaround, thanks! Nevertheless, it would be great if it were possible out-of-the-box, without any additional software.
 
In my case it would be great if the service could be configured to listen on multiple interfaces. Unfortunately, simply using e.g. 'LISTEN_IP=10.0.0.1,192.168.0.1' doesn't work. Any ideas if this is possible or potentially planned?
Not possible, and not really planned. Currently our event-loop implementation is using one socket (which you can only bind to one address); changing that to multiple sockets is too complex and outweighs the benefits, so this is not really planned for PVE and PMG.
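An added example (not from the thread or the Proxmox project) that ties the two points above together: it writes LISTEN_IP into an /etc/default/pveproxy-style file without clobbering the ALLOW_FROM/DENY_FROM/POLICY lines, refuses a comma list because pveproxy binds a single socket, and parses netstat/ss output to confirm that port 8006 is no longer bound to 0.0.0.0. The file path and the netstat listings are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the /etc/default/pveproxy format
# shown above (KEY=value lines) and `netstat -lntp` / `ss -lntp` column layout.

# set_listen_ip FILE IP: replace an existing LISTEN_IP line or append one, so
# ALLOW_FROM/DENY_FROM/POLICY survive (a plain `echo >` would wipe them).
# A comma-separated list is rejected: pveproxy binds one socket, one address.
set_listen_ip() {
    file=$1; ip=$2
    case $ip in
        *,*) echo "pveproxy takes a single LISTEN_IP, got: $ip" >&2; return 1 ;;
    esac
    if grep -q '^LISTEN_IP=' "$file" 2>/dev/null; then
        awk -v ip="$ip" '/^LISTEN_IP=/ { print "LISTEN_IP=" ip; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'LISTEN_IP=%s\n' "$ip" >> "$file"
    fi
}

# bound_addr LISTING PORT: print the local address(es) a listener on PORT is
# bound to. Column 4 is Local Address:Port in both netstat -lntp and ss -lntp.
bound_addr() {
    printf '%s\n' "$1" | awk -v p=":$2" '$4 ~ (p "$") { sub(p "$", "", $4); print $4 }'
}

# listens_only_on LISTING PORT IP: succeed only if PORT is bound to IP alone
# (not 0.0.0.0 / * and not several addresses).
listens_only_on() {
    addrs=$(bound_addr "$1" "$2")
    [ -n "$addrs" ] && [ "$addrs" = "$3" ]
}

# Constructed netstat output, before and after setting LISTEN_IP (sample data).
BEFORE='tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      6629/pveproxy'
AFTER='tcp        0      0 10.0.0.1:8006           0.0.0.0:*               LISTEN      6629/pveproxy
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1200/master'

echo "before: 8006 bound to $(bound_addr "$BEFORE" 8006)"   # 0.0.0.0
echo "after:  8006 bound to $(bound_addr "$AFTER" 8006)"    # 10.0.0.1
# On a real host: set_listen_ip /etc/default/pveproxy 10.0.0.1 && systemctl restart pveproxy
# then: listens_only_on "$(netstat -lntp)" 8006 10.0.0.1 && echo OK
```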
 