[PVE-User] Proxmox disable TLS 1

Uwe Sauter uwe.sauter.de at gmail.com
Thu Jul 26 13:54:33 CEST 2018


Thank you very much,

	Uwe


On 26.07.2018 at 13:50, Ian Coetzee wrote:
> Hi Uwe,
> 
> I won't mind, sanitised version below. This config gives me an A+ score on www.ssllabs.com
> 
> It was originally sourced from https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy with some tweaks added by me over a period
> 
>     $ sudo cat /etc/nginx/sites-enabled/proxmox-gui
>     upstream proxmox {
>         server localhost:8006;
>     }
> 
>     server {
>         listen 80 default_server;
>         rewrite ^(.*) https://$host$1 permanent;
>     }
> 
>     server {
>         listen 443;
>         server_name _;
>         ssl on;
>         ssl_certificate ***;
>         ssl_certificate_key ***;
>         ssl_protocols TLSv1.2;
>         ssl_prefer_server_ciphers on;
>         ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
>         proxy_redirect off;
>         server_tokens off;
>         add_header X-XSS-Protection "1; mode=block";
>         add_header X-Content-Type-Options nosniff;
>         add_header X-Frame-Options SAMEORIGIN;
>         proxy_hide_header X-Powered-By;
>         location / {
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection "upgrade";
>             proxy_pass https://localhost:8006;
>             proxy_buffering off;
>             client_max_body_size 0;
>             proxy_connect_timeout  3600s;
>             proxy_read_timeout  3600s;
>             proxy_send_timeout  3600s;
>             send_timeout  3600s;
>         }
>     }
> 
> 
> NoVNC, xterm.js and Spice work perfectly.
> 
> Kind regards
> 
> 
> On 26 July 2018 at 13:27, Uwe Sauter <uwe.sauter.de at gmail.com> wrote:
> 
>     Would you mind sharing the relevant parts of your nginx config? Does forwarding NoVNC traffic work?
> 
> 
> 
>     On 26.07.2018 at 13:22, Ian Coetzee wrote:
>     > Hi All,
>     >
>     > I know this has been answered.
>     >
>     > What I did was to drop a reverse proxy (nginx) in front of pveproxy
>     > listening on port 443 then make the needed changes in the nginx config
>     >
>     > Makes my life way easier :)
>     >
>     > On 26 July 2018 at 11:38, Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:
>     >
>     >> On 07/26/2018 at 11:30 AM, Brent Clark wrote:
>     >>
>     >>> Thanks for replying
>     >>>
>     >>> Interesting, I do not have that file / package.
>     >>>
>     >>>
>     >> Just create it, it's not there by default but gets considered by
>     >> pveproxy - if there. And pveproxy resides in the pve-manager package
>     >>
>     >> root at chs-vmh01 ~ # dpkg -l | awk '/pve-/{print $2" "$3}'
>     >>>
>     >>
>     >> Not all our packages begin with pve, e.g. qemu-server, novnc-pve, etc.
>     >>
>     >> Use `pveversion -v` to get a list of all packages directly relevant to
>     >> PVE and its version quickly; it can also be found in the Web UI (Node ->
>     >> Summary -> Package versions)
>     >>
>     >> cheers,
>     >> Thomas
>     >>
>     >>
>     >>
>     >>> snippet
>     >>>
>     >>> pve-cluster 5.0-28
>     >>> pve-container 2.0-24
>     >>> pve-docs 5.2-4
>     >>> pve-edk2-firmware 1.20180612-1
>     >>> pve-firewall 3.0-13
>     >>> pve-firmware 2.0-5
>     >>> pve-ha-manager 2.0-5
>     >>> pve-i18n 1.0-6
>     >>> pve-kernel-4.15 5.2-4
>     >>> pve-kernel-4.15.15-1-pve 4.15.15-6
>     >>> pve-kernel-4.15.17-1-pve 4.15.17-9
>     >>> pve-kernel-4.15.17-3-pve 4.15.17-14
>     >>> pve-kernel-4.15.18-1-pve 4.15.18-15
>     >>> pve-libspice-server1 0.12.8-3
>     >>> pve-manager 5.2-5
>     >>> pve-qemu-kvm 2.11.2-1
>     >>> pve-xtermjs 1.0-5
>     >>>
>     >>> Regards
>     >>> Brent
>     >>>
>     >>>
>     >>> On 26/07/2018 11:22, Thomas Lamprecht wrote:
>     >>>
>     >>>> Hi,
>     >>>>
>     >>>> On 07/26/2018 at 11:05 AM, Brent Clark wrote:
>     >>>>
>     >>>>> Good day Guys
>     >>>>>
>     >>>>> I did a sslscan on my proxmox host, and I got the following:
>     >>>>>
>     >>>>> snippet:
>     >>>>> Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
>     >>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
>     >>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
>     >>>>> Accepted  TLSv1.0  256 bits  AES256-SHA
>     >>>>> Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
>     >>>>> Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
>     >>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
>     >>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-SEED-SHA              DHE 2048 bits
>     >>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
>     >>>>> Accepted  TLSv1.0  128 bits  AES128-SHA
>     >>>>> Accepted  TLSv1.0  128 bits  SEED-SHA
>     >>>>> Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA
>     >>>>>
>     >>>>> I need to remove / disable TLSv1.0. Google has not been able to be of
>     >>>>> much help, for I get suggestions to edit
>     >>>>> /usr/bin/pveproxy and /etc/default/pveproxy and the list goes on.
>     >>>>>
>     >>>>> Can someone suggest how to fix this issue?
>     >>>>
>     >>>> Ah yes, I posted a possible quick solution for this in the forum a bit
>     >>>> ago [0].
>     >>>>
>     >>>> Edit /etc/default/pveproxy to have a line with:
>     >>>>
>     >>>> CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
>     >>>>
>     >>>> then
>     >>>> systemctl restart pveproxy
>     >>>>
>     >>>> and you should be good to go :-)
>     >>>>
>     >>>> cheers,
>     >>>> Thomas
>     >>>>
>     >>>> [0]: https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1-in-proxmox.35814/#post-175643
>     >>>>
>     >>>>
>     >>>>
>     >>>> _______________________________________________
>     >>> pve-user mailing list
>     >>> pve-user at pve.proxmox.com
>     >>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>     >>>
>     >>
>     >>
> 
> 
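Thomas' CIPHERS trick, worked through as an added example (not code from the thread or from Proxmox): Python's ssl module hands the string to the same OpenSSL cipher-list parser pveproxy relies on, so we can list which suites survive and confirm that nothing a TLS 1.0/1.1 client could negotiate is left. The optional probe() checks a live host afterwards; the host name, the fixed port 8006, and the @SECLEVEL=0 workaround for OpenSSL 3 clients are my assumptions.

```python
"""Evaluate the pveproxy CIPHERS line from this thread the way OpenSSL does.

'!TLSv1:!SSLv3' strips every cipher suite whose minimum version is TLS 1.0 or
SSLv3, so a TLS 1.0/1.1 ClientHello finds no shared cipher and the handshake
fails: that is how a cipher string ends up disabling a protocol version.
"""
import socket
import ssl
import sys

THREAD_CIPHERS = "HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"  # Thomas' /etc/default/pveproxy line
LENIENT_CIPHERS = "HIGH:!aNULL:!MD5"               # the same, minus the version filters
MODERN = {"TLSv1.2", "TLSv1.3"}


def surviving_suites(cipher_string):
    """Return [(name, minimum protocol)] exactly as OpenSSL resolves cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if OpenSSL rejects the string
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def legacy_suites(cipher_string):
    """Suites a TLS 1.0/1.1 peer could still negotiate; empty means it is locked out."""
    return [n for n, proto in surviving_suites(cipher_string) if proto not in MODERN]


def probe(host, port=8006, version=ssl.TLSVersion.TLSv1):
    """Handshake with a live server using exactly one protocol version.
    True if accepted. Network check for after the restart; not run by the offline test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not the certificate
    ctx.maximum_version = version
    ctx.minimum_version = version
    # Assumption: the probing machine runs OpenSSL 3, which will not even offer
    # TLS < 1.2 above security level 0; lower it for this client context only.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is an OSError: refused, timed out or no shared version
        return False


if __name__ == "__main__":
    for label, cs in (("lenient", LENIENT_CIPHERS), ("thread", THREAD_CIPHERS)):
        print(f"{label:8}{len(legacy_suites(cs)):3} pre-TLS 1.2 suites left {legacy_suites(cs)[:3]}")
    if len(sys.argv) > 1:  # python3 check_pveproxy_tls.py pve.example.internal
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            state = "ACCEPTED" if probe(sys.argv[1], 8006, v) else "rejected"
            print(f"{sys.argv[1]}:8006 {v.name:7} {state}")
```

Note that this only confirms what the cipher string permits; the nginx variant in the thread pins the protocol itself with `ssl_protocols TLSv1.2;`, which is the cleaner control where a proxy is already in place.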
