On the dedicated server it is possible to run multiple virtual machines and assign one job/function per virtual machine. For example on the first machine is running the OpenVPN server, on the second machine the webserver with main web page, on the third machine another webserver with hosted files etc. There are some tools for making the virtual machines management easier – one of them is Proxmox. The owner of Proxmox says that itIn the example above, the
is a complete open-source platform for enterprise virtualization.
By default the Proxmox is running on the port 8006 and is available on all interfaces. In this article you will find information how to change the default Proxmox web interface port, set up the certificate to make connection safer. In this article the Proxmox web interface will be behind HAProxy load balancer – in this case Proxmox and HAProxy are installed on the hypervisor machine.
Blocking access to Proxmox web interface
First, block the port 8006 on the firewall. In the default Proxmox installation there is iptables. Block the port 8006 on eth0 or similar interface which is used for internet connection:
iptables -A INPUT -i eth0 -p tcp --dport 8006 -j DROP
Optionally it can be done by adding the proper lines into /etc/network/interfaces file:
auto eth0 iface eth0 inet static address 1.2.3.4 netmask 255.255.255.0 gateway 1.2.3.1 dns-nameservers 8.8.8.8 8.8.4.4 post-up iptables -A INPUT -i eth0 -p tcp --dport 8006 -j DROP post-down iptables -D INPUT -i eth0 -p tcp --dport 8006 -j DROP
HAProxy – frontend
Configuring the frontend in HAProxy allows to listen on the chosen IP and/or port. For the server with one IPv4 address it is possible to set up the Proxmox web interface on non standard port. The configuration of the frontend looks like below:
frontend someName
bind :28006 ssl crt /etc/haproxy/cert/
bind :::28006 ssl crt /etc/haproxy/cert/
mode http
option http-server-close
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Real-IP %[src]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
default_backend ProxmoxBackend
timeout client 60s
The frontend above allows HAProxy listen on the port 28006 and it is possible to use different port – HAProxy is listening on IPv4 and IPv6 interfaces on both encrypted connection. For security reasons it is required for setting the SSL certificate (more information how to use LetsEncrypt with HAProxy please look here). A
In my configuration of the Proxmox web interface backend the timeout is changed. Also it is required to use stick-table. By default the Proxmox web interface is available on the encrypted (https) port so for the backend it is required to listen on the encrypted port. Checking the internal pve certificate is not needed because HAProxy is using the LetsEncrypt SSL certificate.
backend ProxmoxBackend
timeout server 60s
server proxmox 127.0.0.1:8006 check ssl verify none
Summary
This solution allows you to change the default port of the Proxmox web interface if you want to make your server with Proxmox more secured.
Sources
- https://pve.proxmox.com/wiki/Ports
- https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04