Securing Proxmox GUI

Stereoscope
Jan 27, 2024
I'm trying to figure out how to secure access to the web GUI i.e. how to setup networking both physical and logical. I've read all the blogs I could find on Google, posts on reddit and these forums and have read all relevant sections in the documentation (everything multiple times). However, I'm still unsure of how things work or what I should do. Not being well versed in networking and proxies doesn't help in solving this puzzle.
In my mind, the web GUI should live on a management network. Specifically on an OOB management network. However, if I put it there, since that network doesn't have access to the internet, I won't be able to update Proxmox.
It seems most people are either using pveproxy or Nginx reverse proxy. Not sure how those solve the problem to be honest. Why some people use one or the other for example. Everywhere I look, it seems like proxies are for internet facing applications and Proxmox isn't internet facing.
There are several ways to secure PVE. You can use a dedicated NIC/port for the management in a VLAN with appropriate firewall rules in your network. In addition, you can also use PVE's firewall as a second layer. Crowdsec or fail2ban are commonly used and freely available tools. 2FA is another layer of security.
However, if I put it there, since that network doesn't have access to the internet, I won't be able to update Proxmox.
You need to differentiate between outgoing and incoming traffic. All of my PVE can access the outside world. None of them can be reached from the outside world. They are simply hidden behind NAT.

When I do home office I have two ways to access my dayjob's cluster: I do run a Guacamole¹ relay server to access some specific computers in my company - including some with a GUI; from there I can run a browser on the LAN to access PVE. This Guacamole is only reachable from specific IP source addresses. But actually that's too complicated a way with a lot of GUI overhead.

My usual connection goes through an SSH tunnel host on that LAN, accessible only from inside a Wireguard² VPN.

As a concrete example, I've configured a stanza in my .ssh/config like this:
Code:
Host    myjumphost
        hostname 192.168.4.139
        port 22222
        user myusername
        LocalForward localhost:443  pve.mycompancy.internal.network.de:8006
That hostname IP address is inside a tunnel. No routing required!

I run "ssh myjumphost". Then my local browser can access https://localhost to reach my PVE login.

You may say that using Wireguard plus SSH is overkill. Maybe; this is just an example. You may install the Wireguard endpoint directly on the PVE, if you want. My way is to stack two good tools and it works reliably for me, for some years now.

... and Proxmox isn't internet facing.
That's my recommendation too: do not grant access to PVE port 8006 from the outside internet. Always use a VPN or other means so that it is not reachable by a random foreign IP client trying to connect.

There is no³ mechanism to avoid port scanning happening on a public IP address. And port scanning is only the very first step, quickly followed by actual probes for vulnerabilities... again and again.


¹ https://guacamole.apache.org/
² https://www.wireguard.com/quickstart/
³ that said, there are mechanisms like port knocking, hiding an open port. But that's not "normal" and it requires specific tools at the user client's end - as it does for the VPN approach.
So if I understood you guys correctly, then this is what the Proxmox settings should look like and how the network should be arranged?
Assign an IP to the first ethernet port and connect it to the management switch for connecting to the Proxmox web GUI. Connect the second ethernet port to the managed switch and don't assign an IP address to it. (This bit is confusing to me, how you don't assign an IP address to the second NIC, but I'm watching a few videos about Linux networking (@20:13 - 25:40 of https://www.youtube.com/watch?v=EnAZB8GI97c&t=2186s&ab_channel=MattTurner) and it seems like this is fine. I think this is where I've been confused all this time. I thought that you must assign IP addresses to all physical interfaces. But then that means you can access the Proxmox GUI from each of these!) Then connect the management switch to the router and set it to block everything except outgoing traffic from the Proxmox server IP? All VMs and containers connect to vmbr0. I forgot to set vmbr0 as VLAN aware, but you get the picture.
Attachments
  • Proxmox Network Setup.jpg
  • Mockup Network.jpg
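The layout described in this post (management NIC with an address, second NIC without one as the uplink of a VLAN-aware vmbr0) and the layered approach from the earlier reply (network firewall plus PVE's own firewall and pveproxy allow-list) can be written down as three host-side files. The script below is an added example, not configuration from the thread or from Proxmox; the interface names eno1/eno2, the address 10.0.10.5/24 and the management subnet 10.0.10.0/24 are assumed placeholders, and it writes the files to a temporary directory so nothing is changed on the host until you copy them over yourself. The two small helper functions show that only eno1 carries an address and that the firewall rule for the GUI port is scoped to a source range:

```shell
#!/bin/sh
# Added example (not from the forum thread). Interface names eno1/eno2 and the
# 10.0.10.0/24 management subnet are assumptions; adapt them to your hardware.
set -eu

WORK=$(mktemp -d)   # staging directory; review, then copy into /etc by hand

# 1. /etc/network/interfaces: eno1 carries the management IP (the web GUI on
#    :8006 is reached through it). eno2 has no address at all; it is only the
#    physical port of the VLAN-aware bridge vmbr0 that VMs and containers use.
cat >"$WORK/interfaces" <<'EOF'
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
    address 10.0.10.5/24
    gateway 10.0.10.1

auto eno2
iface eno2 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno2
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
EOF

# 2. /etc/default/pveproxy: pveproxy's own source allow-list (documented in
#    pveproxy(8)). "POLICY=allow" means: deny list first, then allow list,
#    everything else allowed; here DENY_FROM=all makes it effectively an allow-list.
cat >"$WORK/pveproxy" <<'EOF'
ALLOW_FROM="10.0.10.0/24"
DENY_FROM="all"
POLICY="allow"
EOF

# 3. /etc/pve/firewall/cluster.fw: datacenter-level PVE firewall. With the
#    firewall enabled the default input policy is DROP, so the management rule
#    must exist BEFORE "enable: 1" is set, otherwise you lock yourself out.
cat >"$WORK/cluster.fw" <<'EOF'
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -source 10.0.10.0/24 -p tcp -dport 8006 -log nolog
IN SSH(ACCEPT) -source 10.0.10.0/24
EOF

# Print the interfaces that carry an IP address in an interfaces(5) file,
# one per line. For the file above this prints only "eno1": an interface
# without an "address" line is still perfectly usable as a bridge port.
addressed_ifaces() {
    awk '
        /^iface /          { cur = $2 }
        /^[ \t]+address /  { print cur }
    ' "$1"
}

# Return 0 if the cluster.fw contains an ACCEPT rule for TCP 8006 that is
# restricted to an explicit source range (a bare "IN ACCEPT -p tcp -dport 8006"
# would open the GUI to every network the host is attached to).
gui_rule_scoped() {
    grep -Eq '^IN ACCEPT .*-source [0-9./]+ .*-dport 8006' "$1"
}

echo "interfaces with an address:"
addressed_ifaces "$WORK/interfaces"
gui_rule_scoped "$WORK/cluster.fw" && echo "port 8006 rule is scoped to a source range"
```

On the host you would apply the bridge config with `ifreload -a` after copying the interfaces file, restart pveproxy after editing `/etc/default/pveproxy`, and enable the datacenter firewall only after checking the rules from the management network itself. Each of the three files restricts the GUI independently, which is the "second layer" idea from the reply above: if the VLAN or router rule is misconfigured, the host-side allow-list still refuses connections from other subnets.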
This bit is confusing to me, how you don't assign an IP address to the second NIC
Yeah, that's a mental pitfall.

Your Mockup Network looks fine as far as I can see.