Tip: Remap port 8006 to 443 in iptables, automatically

X

xrobau

Member
Sep 4, 2022
30
8
8
QLD, Australia
clearlyip.com
As there's no official way to have proxmox use port 443 on the management interface, and various random suggestions like 'put a proxy in front of it' and other things like that (really? MORE moving pieces?), I've thrown together a little script that you can run in the post-up hook in /etc/network/interfaces that figures everything out for you automatically and puts the iptables rule in place (including removing any old ones, in case of IP address changes)

https://github.com/xrobau/ansible-proxmox-host/blob/master/roles/proxmox-base/files/fix-port-8006.sh

Super simple and basic, and PROBABLY doesn't work with anything more complex than the default OVS example.interfaces file that is put in place when you run `make proxmox`, but it does scratch an itch that needed scratching.

Kudos to @saud for the idea in https://forum.proxmox.com/threads/change-port-from-8006-to-443.41710/post-427251
 
  • Like
Reactions: zzz09700
xrobau said:
put a proxy in front of it' and other things like that (really? MORE moving pieces?),
Click to expand...
Just adding a bit of context: A simple, e.g. nginx or caddy, reverse proxy is not a moving piece, it's configured once and w.r.t. to updates it has about the same exposure as nft/iptable rule sets.
Further, the reverse proxy setup keeps direct 8006 traffic valid, e.g., for cluster traffic, reducing the overhead for some API traffic as the packages do not need to traverse the NAT for that compared to a NAT everything setup.

So, both can be fine, but if one wants to use NAT over HTTP proxying depends on the actual setup and use case and one's experience with iptables/nft and NAT over HTTP; but one really shouldn't make the choice just by considering the "more moving pieces" argument for HTTP proxying, as that doesn't hold much over NAT in practice IMO.
 
t.lamprecht said:
Just adding a bit of context: A simple, e.g. nginx or caddy, reverse proxy is not a moving piece, it's configured once and w.r.t. to updates it has about the same exposure as nft/iptable rule sets.
[snip]
Click to expand...
Well, it kinda IS a moving piece, as you either have to make it do its own SSL certificates and restarts, or it needs to use the pveproxy certs and then somehow detect when that cert has changed, and restart/reload automatically then.

Doing it with iptables is zero effort - 8006 works, 443, works, and it'll never need maintenance or upgrades. Doing it this way is equivalent to having a flag to make pveproxy listen on port 443 *and* 8006, without all the extra work! And I did look into how hard it was going to be - and having multiple listen threads, or some other multiplexing stuff was WAAAY more work than just putting a one-liner iptables in place.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom