Q: how to enable SSL client certificate vailidation

[one-tester]

Hi,

SSL supports client validation that requires a web client to submit a certificate that it owns (has) before a secure connection is established. Such will help to reduce the risk caused by brute force ( super admin user name is known -- root), as well as the risk caused by its default https port.

Actually there are some other methods such as ngix reverse proxy and stunnel. Anyway it is not the best way because the log will be much more confusing --- everything is from localhost.

I wonder if it is doable within perl scripts used by pveproxy. The project is so huge and I don't know what to start with. If a mod is not possible, please provide some clue for me to try.

I was suggested to put a detailed question. And I tried my best.

TY

 

[manu]

If you want to resctrict brute force attacks, a simple alternative would be to restrict the IPs which are allowed to connect on the 8006 port, using the built in firewall.

 

[one-tester]

Well, that would be too much simpler than actual requirements, sir. Client's IP is not fixed or expected in most cases.
Would you provide some information on this? E.g., what file of the pveproxy CA verification module i need to change.

I don't think it would be too tough for me make it happen.

 

[markmarkmia]

I'm looking to do the same thing. I'd like to be able to access my cluster without always needing to VPN in, and would like to use client certs. I've done this to protect less than secure web applications using Nginx as a reverse proxy. Only problem is, Proxmox 5.1 and Nginx reverse proxy seem to have issues with noVNC that I can't find a way to resolve after combing through all relevant posts in Proxmox forum, reddit, etc. afaik nobody has resolved this.