Separate Admin and User interfaces

bfrd9k

New Member
Apr 23, 2024
Portland Oregon
While setting up a PMG cluster I realized I cannot separate / and /quarantine. This means if I want to expose /quarantine to the internet for users, it will also expose the admin interface. I am unsure if PMG has brute-force prevention or anything like that, but it would be a safe guess that, if you found a Proxmox Mail Gateway web interface open to the internet, you could brute-force root.

It would be nice to have the user portal on its own port and prevent authenticating to PAM on this interface; this way you can place a load balancer/reverse proxy in front, lock down the admin interface with ACLs, and open up the user portal to the internet so that users can manage their filter from anywhere.

I would be stoked to find out that this is already possible but I haven't been able to figure it out on my own. From what I can tell /quarantine still requires things from /.

If this isn't a possibility and there isn't already a feature request out there, is there a way to make an official feature request?

Thanks!
While setting up a PMG cluster I realized I cannot separate the / and /quarantine. This means if I want to expose /quarantine to the internet for users, it will also expose the admin interface.
see:
https://pmg.proxmox.com/wiki/index.php/Quarantine_Web_Interface_Via_Nginx_Proxy

I am unsure if PMG has brute force prevention or anything like that but it would be a safe guess, if you found proxmox mail gateway's web interface open to the internet, that you can brute force for root.
There's a timeout you have to wait after a wrong login, which should effectively prevent brute force; additionally, you can use something like fail2ban to further block users who try.

If this isn't a possibility and there isn't already a feature request out there, is there a way to make an official feature request?
That would be https://bugzilla.proxmox.com - but in this case I think the current state should work for most deployments.

I hope this helps!
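The split the reply points at, written out as an added example (this is my own nginx configuration, not the config from the linked wiki page or from the PMG project). It assumes PMG's own GUI listens on https://127.0.0.1:8006 (the default port), that the TLS certificate is at /etc/pmg/pmg-tls.pem, that the admin network is 10.0.0.0/8, and that the quarantine UI needs exactly the asset and API paths listed; the path list is an assumption to verify against the wiki page and the browser's network tab, not something PMG guarantees. The public vhost works by default-deny: every path not explicitly proxied returns 404, so the admin UI at / and the configuration API are unreachable through it.

```nginx
# Added example, not PMG's or the wiki's own config.
# Assumptions: PMG GUI on https://127.0.0.1:8006, cert in /etc/pmg/pmg-tls.pem,
# admin network 10.0.0.0/8, and the path allow-list below (verify it).

# 1) Public vhost: quarantine portal only, on its own port.
server {
    listen 8443 ssl;
    server_name quarantine.example.com;   # assumed hostname

    ssl_certificate     /etc/pmg/pmg-tls.pem;
    ssl_certificate_key /etc/pmg/pmg-tls.pem;

    # Default deny: anything not matched by a more specific location below
    # (the admin UI at /, /api2/*/config, /api2/*/nodes, ...) gets a 404.
    location / {
        return 404;
    }

    # Landing page the links in PMG quarantine notification mails point to.
    location = /quarantine {
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;
    }

    # Static assets the quarantine UI loads (assumed set; adjust after checking
    # which requests the browser actually makes).
    location ~ ^/(pve2|pmg-docs|proxmox-widget-toolkit|fontawesome)/ {
        proxy_pass https://127.0.0.1:8006;
    }

    # Quarantine API only. The regex is anchored so that e.g.
    # /api2/json/config/... does not match.
    location ~ ^/api2/(json|extjs)/quarantine/ {
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;
    }

    # Ticket endpoint so quarantine users can log in (assumed path).
    # Caveat: nginx filters paths, not realms. A root@pam login attempt
    # against this endpoint is still handled by PMG, so the login delay and
    # fail2ban mentioned in the reply above remain relevant.
    location ~ ^/api2/(json|extjs)/access/ticket$ {
        proxy_pass https://127.0.0.1:8006;
    }
}

# 2) Admin vhost: full UI, reachable only from the admin network.
server {
    listen 443 ssl;
    server_name pmg-admin.example.com;    # assumed hostname

    ssl_certificate     /etc/pmg/pmg-tls.pem;
    ssl_certificate_key /etc/pmg/pmg-tls.pem;

    allow 10.0.0.0/8;                     # assumed admin range
    deny  all;

    location / {
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;
        proxy_http_version 1.1;
        # Needed for the console/websocket parts of the admin UI.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two checks before relying on this: run `nginx -t`, then from an outside address confirm that `/`, `/api2/json/config` and `/api2/json/nodes` on port 8443 return 404 while `/quarantine` returns the portal. The proxy only helps if PMG's own listener on 8006 is not itself reachable from the internet, so firewall 8006 to localhost and the admin network as well; otherwise the allow-list above is bypassed by simply connecting to the original port.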
In my specific situation the nginx solution works great, thanks!