Proxmox and HAProxy

On the dedicated server it is possible to run multiple virtual machines and assign one job/function per virtual machine. For example on the first machine is running the OpenVPN server, on the second machine the webserver with main web page, on the third machine another webserver with hosted files etc.  There are some tools for making the virtual machines management easier – one of them is Proxmox. The owner of Proxmox says that itIn the example above, the

is a complete open-source platform for enterprise virtualization.

By default the Proxmox is running on the port 8006 and is available on all interfaces. In this article you will find information how to change the default Proxmox web interface port, set up the certificate to make connection safer. In this article the Proxmox web interface will be behind HAProxy load balancer – in this case Proxmox and HAProxy are installed on the hypervisor machine.

Blocking access to Proxmox web interface

First, block the port 8006 on the firewall. In the default Proxmox installation there is iptables. Block the port 8006 on eth0 or similar interface which is used for internet connection:

iptables -A INPUT -i eth0 -p tcp --dport 8006 -j DROP

Optionally it can be done by adding  the proper lines into /etc/network/interfaces file:

auto eth0
iface eth0 inet static
    address 1.2.3.4
    netmask 255.255.255.0
    gateway 1.2.3.1
    dns-nameservers 8.8.8.8 8.8.4.4
    post-up iptables -A INPUT -i eth0 -p tcp --dport 8006 -j DROP
    post-down iptables -D INPUT -i eth0 -p tcp --dport 8006 -j DROP

HAProxy – frontend

Configuring the frontend in HAProxy allows to listen on the chosen IP and/or port. For the server with one IPv4 address it is possible to set up the Proxmox web interface on non standard port. The configuration of the frontend looks like below:

frontend someName
bind :28006 ssl crt /etc/haproxy/cert/
bind :::28006 ssl crt /etc/haproxy/cert/
mode http
option http-server-close

http-request set-header X-Forwarded-For %[src]
http-request set-header X-Real-IP %[src]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
default_backend ProxmoxBackend
timeout client 65000

The frontend above allows HAProxy listen on the port 28006 and it is possible to use different port – HAProxy is listening on IPv4 and IPv6 interfaces on both encrypted connection. For security reasons it is required for setting the SSL certificate (more information how to use LetsEncrypt with HAProxy please look here). A

In my configuration of the Proxmox web interface backend the timeout is changed. Also it is required to use stick-table. By default the Proxmox web interface is available on the encrypted (https) port so for the backend it is required to listen on the encrypted port. Checking the internal pve certificate is not needed because HAProxy is using the LetsEncrypt SSL certificate.

backend ProxmoxBackend
timeout server 65000
stick-table type ip size 200k expire 60m
stick on src
server proxmox 127.0.0.1:8006 check ssl verify none

Summary

This solution allows you to change the default port of the Proxmox web interface if you want to make your server with Proxmox more secured.

Sources

  • https://pve.proxmox.com/wiki/Ports
  • https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04