[PVE-User] Advices - Proxmox behind L3 or L2 network

admin-at-extremeshok-dot-com admin at extremeshok.com
Mon Nov 11 18:10:04 CET 2013


See the following:
https://extremeshok.com/2013/08/07/proxmox-3-secure-webgui-web-interface-pveproxy-to-listen-on-the-local-address-127-0-0-1/

Our Proxmox boxes only allow SSH access; the admin interface can
only be accessed publicly via an SSH tunnel.

We have locked the box down with iptables, so nothing is exposed
besides port 22, and then the regular utilities to secure the SSH server
(fail2ban, hostsdeny).


On 11/11/2013 6:40 PM, Alexandre Kouznetsov wrote:
> Hello.
>
> On 10/11/13 08:12, Leslie-Alexandre DENIS wrote:
>> Thanks Alexandre for your information, very useful. I intend to do
>> something like that but unfortunately I didn't find any good
>> router/firewall appliance in my budget to do that on the administration
>> side.
> In my case, the administration network is behind a software router,
> actually it is a Xen paravirtualized host (not on any Proxmox machine)
> running Debian Linux and an iptables script.
> The "public" network is managed by somebody else, and I'm not too 
> aware of what they use exactly.
>
>> Do you know if it's possible to force Proxmox Web built-in to listen on
>> localhost only ? Thus I could build an Apache2 with mod_security as a
>> reverse proxy for WAN access.
> Can't say how to tweak the Web GUI listening port, it must be in the
> documentation somewhere, but the setup you describe does not need that.
> Consider a Proxmox system listening on its own regular port 8006, and
> an Apache reverse proxy listening on port 80. Your reverse proxy may
> use localhost:8006 as backend server.
>
> Personally, I do not consider it a good idea to expose Proxmox directly
> to Internet, so I would place the reverse proxy on a multi-homed host,
> connected to Proxmox internal network and Internet. In order to use
> the built-in access to VNC console, some additional requirements shall
> be met.
>
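
One way to check, on the host itself, the lockdown described in this message (web GUI on loopback only, nothing but port 22 reachable). This is an added example, not part of the original post: the function names and sample socket listings are constructed, and it assumes the iproute2 `ss` tool with its usual `State Recv-Q Send-Q Local Peer` columns.

```shell
#!/bin/sh
# exposed_listeners ALLOWED_PORT
# Reads `ss -ltn` output on stdin and prints "addr:port" for every TCP
# listener that is neither bound to loopback nor on ALLOWED_PORT.
exposed_listeners() {
    awk -v allowed="$1" '
    $1 == "State" { next }               # skip header if -H was not used
    {
        la = $4                          # Local Address:Port column
        n = match(la, /:[0-9]+$/)        # last colon, so IPv6 forms split correctly
        if (n == 0) next
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        if (port == allowed) next
        print addr ":" port
    }'
}

# Constructed sample: the state the message describes
# (sshd on all interfaces, pveproxy on 127.0.0.1:8006).
sample_locked_down() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    127.0.0.1:8006     0.0.0.0:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
EOF
}

# Constructed sample: web GUI and one more service bound to every interface.
sample_exposed() {
    cat <<'EOF'
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8006       0.0.0.0:*
LISTEN 0      128    [::]:111           [::]:*
EOF
}

# On a real host: ss -Hltn | exposed_listeners 22
# Here, run against the constructed samples.
echo "locked-down sample:"; sample_locked_down | exposed_listeners 22
echo "exposed sample:";     sample_exposed     | exposed_listeners 22
```

Empty output means every listener is either on loopback or on the allowed port. This checks what is bound, not what the iptables rules permit, so it complements the firewall rather than replacing a scan from outside.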



