Tip: Remap port 8006 to 443 in iptables, automatically

xrobau

Sep 4, 2022
As there's no official way to have Proxmox use port 443 on the management interface, and there are only various random suggestions like 'put a proxy in front of it' and other things like that (really? MORE moving pieces?), I've thrown together a little script that you can run in the post-up hook in /etc/network/interfaces. It figures everything out for you automatically and puts the iptables rule in place (including removing any old ones, in case of IP address changes).

https://github.com/xrobau/ansible-proxmox-host/blob/master/roles/proxmox-base/files/fix-port-8006.sh

Super simple and basic, and PROBABLY doesn't work with anything more complex than the default OVS example.interfaces file that is put in place when you run `make proxmox`, but it does scratch an itch that needed scratching.

Kudos to @saud for the idea in https://forum.proxmox.com/threads/change-port-from-8006-to-443.41710/post-427251
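The approach described in the post above, as an added example that is not xrobau's linked script: an idempotent post-up hook that finds the management address, drops any stale copy of its own rule (tagged with an iptables comment), and redirects TCP 443 to pveproxy on 8006. The bridge name vmbr0, the tag string and the script path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not the script linked above): idempotent 443 -> 8006 redirect
# for the Proxmox management address, suitable for a post-up hook.
# Assumed names: management bridge vmbr0, rule tag "pve-443-to-8006".
set -eu

IFACE="${IFACE:-vmbr0}"
TAG="pve-443-to-8006"

# Read `ip -4 -o addr show` output on stdin, print the first global IPv4 address.
first_ipv4() {
    awk '/scope global/ { sub(/\/.*/, "", $4); print $4; exit }'
}

mgmt_ip() {
    ip -4 -o addr show dev "$IFACE" scope global | first_ipv4
}

# Match spec for the redirect rule; the comment tags it so stale copies can be found.
rule_spec() {
    printf '%s\n' "-d $1 -p tcp --dport 443 -m comment --comment $TAG -j REDIRECT --to-ports 8006"
}

# Delete every tagged rule in a nat chain (handles an IP change between boots).
flush_tagged() {
    iptables -t nat -S "$1" | grep -F -- "--comment $TAG" | sed 's/^-A /-D /' |
    while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the saved rule is intended
        iptables -t nat $rule
    done
}

apply() {
    addr="$(mgmt_ip)"
    [ -n "$addr" ] || { echo "no IPv4 address on $IFACE" >&2; return 1; }
    # shellcheck disable=SC2046
    flush_tagged PREROUTING && iptables -t nat -A PREROUTING $(rule_spec "$addr")
    # Connections from the host itself never traverse PREROUTING; cover them in OUTPUT.
    flush_tagged OUTPUT && iptables -t nat -A OUTPUT $(rule_spec "$addr")
}

# Only touch iptables when explicitly asked, e.g. from /etc/network/interfaces:
#   post-up /usr/local/sbin/fix-port-443.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Because the rule matches the current management address rather than all traffic on port 443, a guest or a second IP on the same bridge is not silently redirected.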
put a proxy in front of it' and other things like that (really? MORE moving pieces?),
Just adding a bit of context: a simple reverse proxy, e.g. nginx or caddy, is not a moving piece; it's configured once and, w.r.t. updates, it has about the same exposure as nft/iptables rule sets.
Further, the reverse proxy setup keeps direct 8006 traffic valid, e.g. for cluster traffic, reducing the overhead for some API traffic, as the packets do not need to traverse NAT, compared to a NAT-everything setup.

So, both can be fine, but whether one wants to use NAT over HTTP proxying depends on the actual setup and use case and one's experience with iptables/nft and NAT or HTTP proxying; but one really shouldn't make the choice just by considering the "more moving pieces" argument for HTTP proxying, as that doesn't hold much over NAT in practice IMO.

Just adding a bit of context: a simple reverse proxy, e.g. nginx or caddy, is not a moving piece; it's configured once and, w.r.t. updates, it has about the same exposure as nft/iptables rule sets.
[snip]
Well, it kinda IS a moving piece, as you either have to make it do its own SSL certificates and restarts, or it needs to use the pveproxy certs and then somehow detect when that cert has changed and restart/reload automatically.

Doing it with iptables is zero effort - 8006 works, 443 works, and it'll never need maintenance or upgrades. Doing it this way is equivalent to having a flag to make pveproxy listen on port 443 *and* 8006, without all the extra work! And I did look into how hard it was going to be - and having multiple listen threads, or some other multiplexing stuff, was WAAAY more work than just putting a one-liner iptables rule in place.