Q: how to enable SSL client certificate validation

one-tester

New Member
Nov 7, 2017
Hi,

SSL supports client validation that requires a web client to submit a certificate that it owns (has) before a secure connection is established. This will help to reduce the risk caused by brute force (the super admin user name is known -- root), as well as the risk caused by its default https port.

Actually there are some other methods such as an nginx reverse proxy and stunnel. Anyway, it is not the best way because the log will be much more confusing --- everything is from localhost.

I wonder if it is doable within the Perl scripts used by pveproxy. The project is so huge and I don't know where to start. If a mod is not possible, please provide some clue for me to try.

I was advised to post a detailed question, and I tried my best.

TY
 

manu

Proxmox Staff Member
Retired Staff
Mar 3, 2015
If you want to restrict brute force attacks, a simple alternative would be to restrict the IPs which are allowed to connect on the 8006 port, using the built-in firewall.
 

one-tester

New Member
Nov 7, 2017
Well, that would be much too simple for the actual requirements, sir. The client's IP is not fixed or expected in most cases.
Would you provide some information on this? E.g., what file of the pveproxy CA verification module I need to change.

I don't think it would be too tough for me to make it happen.
 

markmarkmia

New Member
Feb 5, 2018
I'm looking to do the same thing. I'd like to be able to access my cluster without always needing to VPN in, and would like to use client certs. I've done this to protect less than secure web applications using Nginx as a reverse proxy. Only problem is, Proxmox 5.1 and Nginx reverse proxy seem to have issues with noVNC that I can't find a way to resolve after combing through all relevant posts in Proxmox forum, reddit, etc. afaik nobody has resolved this.
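
The nginx reverse-proxy approach discussed in this thread, as an added example that is not part of any post above and is not Proxmox's own configuration. The host name, file paths, log file and client CA are placeholders (assumptions), and the thread does not confirm whether the WebSocket headers resolve the noVNC problem described.

```nginx
# Added example. Paths, server_name and the CA file are placeholders.
# Intended for a file included in the http {} context (e.g. conf.d/).

# Record the real client address and the verified certificate subject, so the
# proxy's access log stays attributable even though pveproxy itself only
# sees connections from 127.0.0.1.
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'verify=$ssl_client_verify subject="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name pve.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA that issued the client certificates. Requests that arrive without a
    # certificate chaining to this CA are refused by nginx before proxying.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    access_log /var/log/nginx/pve-mtls.log mtls;

    location / {
        # pveproxy listens on 8006 with its own TLS certificate.
        proxy_pass https://127.0.0.1:8006;
        proxy_http_version 1.1;

        # Pass WebSocket upgrade requests through (noVNC uses WebSockets).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

The certificate check only protects the GUI if port 8006 is not reachable directly from outside, for example by restricting it with the built-in firewall as suggested earlier in the thread.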
 
