[SOLVED] VE gives 401 Ticket while accessing web GUI

[WikiTech]

Hello,
I apologize on front, I was not sure where to put this thread.

I have a standalone host running Proxmox VE 7.4-3 on Debian 11 Installation.
During maintanence I decided to put a firewall behind the proxmox so the host is protected and not exposed to the public.
To still able to access the web GUI I forwarded via the firewall (PfSense) the port 8006 to 10000
It works, but it gives me an error 30-60s after access the GUI with Ticket Error 401.

Do I need to forward some more ports or proxmox VE does have some limitation when It comes to port forwarding?
Or do you guys have a better advice?
Thank you

 

[fabian]

https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_ports_used_by_proxmox_ve

that sounds more like the system time on your PVE host is wrong (now, or in the past). can you check both the current system time and the timestamps of the authkey used for ticket generation/validation?

stat /etc/pve/authkey*

 

[WikiTech]

I just checked it:

from timedatectl:

root@pm1:~# timedatectl
               Local time: Mo 2023-05-15 12:50:05 CEST
           Universal time: Mo 2023-05-15 10:50:05 UTC
                 RTC time: Mo 2023-05-15 10:50:05
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

from stat /etc/pve/authkey* (output after logged to GUI)

root@pm1:~# stat /etc/pve/authkey*
  Datei: /etc/pve/authkey.pub
  Größe: 451            Blöcke: 1          EA Block: 4096   reguläre Datei
Gerät: 36h/54d  Inode: 5390713     Verknüpfungen: 1
Zugriff: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (   33/www-data)
Zugriff    : 2023-05-15 00:03:11.000000000 +0200
Modifiziert: 2023-05-15 00:03:11.000000000 +0200
Geändert   : 2023-05-15 00:03:11.000000000 +0200
 Geburt    : -
  Datei: /etc/pve/authkey.pub.old
  Größe: 451            Blöcke: 1          EA Block: 4096   reguläre Datei
Gerät: 36h/54d  Inode: 5390712     Verknüpfungen: 1
Zugriff: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (   33/www-data)
Zugriff    : 2023-05-15 00:03:11.000000000 +0200
Modifiziert: 2023-05-15 00:03:11.000000000 +0200
Geändert   : 2023-05-15 00:03:11.000000000 +0200

But weird, the ticket error is now gone but It comes back after time....
Edit: Now it happened again....

 

[fabian]

that stat output looks okay (unless your system regularly jumps back and forth in time ). anything visible in the logs server-side?

 

[WikiTech]

Like using a time machine ?

I just testing a theory and I think maybe that will be it.
I just took firefox to incognito mode and seems to work, maybe the old cache was doing his magic.... I will update if this fixed the issue.
Update: When It dont work, I will check the logs.

 

[WikiTech]

So, Im back after testing:
When I have more than 1 tab open with different proxmox host the error 401 ticket comes to live. (which its under the same firewall)
When I only have 1 tab open with only 1 machine it works as intended.

 

[fabian]

that sounds like they both use the same hostname then? that's a problem, since cookie scope doesn't include the port and you are thus sending wrong cookies..

 

[WikiTech]

The Machines are not using the same hostname. (just checked, IPs and Hostname are different)
I just have one Public IP in the firewall and thats why forwarding is being in use.

 

[fabian]

yeah, but that means the cookie is set for that public IP for both hosts the hostname that you connect to is what counts.

 

[WikiTech]

Ahh ok. That would explain it. Thank you for your help fabian ^^