|
|
@@ -0,0 +1,92 @@
|
|
|
+---
|
|
|
+title: Proxmox
|
|
|
+categories: [cheatsheets]
|
|
|
+tags: [misc, proxmox, virt]
|
|
|
+---
|
|
|
+
|
|
|
+# Proxmox
|
|
|
+
|
|
|
+## Limit Webinterface (8006) to Loopback
|
|
|
+
|
|
|
+* Not officially possible
|
|
|
+* Access Block via PVEProxy is not possible (wont work with nginx reverse proxy)
|
|
|
+* But, can be changed in the Perl Source: `/usr/share/perl5/PVE/Service/pveproxy.pm`
|
|
|
+ - Change from:
|
|
|
+ ```perl
|
|
|
+ my $socket = $self->create_reusable_socket(8006, undef, $family);
|
|
|
+ ```
|
|
|
+ - To:
|
|
|
+ ```perl
|
|
|
+ my $socket = $self->create_reusable_socket(8006, '127.0.0.1', $family);
|
|
|
+ ```
|
|
|
+* This will enable proxmox to only listen on the loopback interface
|
|
|
+
|
|
|
+## Nginx - Reverse Proxy Configuration:
|
|
|
+
|
|
|
+```
|
|
|
+server {
|
|
|
+ server_name pm.zweinoch.de;
|
|
|
+ listen 443;
|
|
|
+ proxy_redirect off;
|
|
|
+ location / {
|
|
|
+ proxy_pass https://127.0.0.1:8006;
|
|
|
+ set_real_ip_from 127.0.0.1;
|
|
|
+ proxy_http_version 1.1;
|
|
|
+ proxy_set_header Upgrade $http_upgrade;
|
|
|
+ proxy_set_header Connection "upgrade";
|
|
|
+ proxy_buffering off;
|
|
|
+ client_max_body_size 0;
|
|
|
+ proxy_connect_timeout 3600s;
|
|
|
+ proxy_read_timeout 3600s;
|
|
|
+ proxy_send_timeout 3600s;
|
|
|
+ send_timeout 3600s;
|
|
|
+ proxy_ssl_verify off;
|
|
|
+ }
|
|
|
+ # SSL configuration (Certificate and Key)
|
|
|
+ ssl_certificate /etc/letsencrypt/live/pm.zweinoch.de/fullchain.pem; # managed by Certbot
|
|
|
+ ssl_certificate_key /etc/letsencrypt/live/pm.zweinoch.de/privkey.pem; # managed by Certbot
|
|
|
+
|
|
|
+ # Only use TLSv1.2 & TLSv1.3 and restrict to high cipher suites
|
|
|
+ ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
+ ssl_ciphers HIGH:!aNULL:!MD5;
|
|
|
+
|
|
|
+ # Disable Gzip for TLS
|
|
|
+ gzip off;
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+## NAT Network
|
|
|
+
|
|
|
+* Add the following config to `/etc/network/interfaces`
|
|
|
+
|
|
|
+```
|
|
|
+auto vmbr0
|
|
|
+iface vmbr0 inet static
|
|
|
+ address 192.168.2.1
|
|
|
+ netmask 255.255.255.0
|
|
|
+ bridge-ports none
|
|
|
+ bridge-stp off
|
|
|
+ bridge-fd 0
|
|
|
+ post-up echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
+ post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -o enp35s0 -j MASQUERADE
|
|
|
+ post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/24' -o enp35s0 -j MASQUERADE
|
|
|
+```
|
|
|
+
|
|
|
+* `vmbr0` is the interface name
|
|
|
+* `enp35s0` is the name of the interface with the public IP
|
|
|
+* Enables a local network for all VM's while being able to communicate with the internet
|
|
|
+* Verify Firewall Rule with:
|
|
|
+
|
|
|
+```bash
|
|
|
+iptables -t nat -L
|
|
|
+```
|
|
|
+
|
|
|
+**Output:**
|
|
|
+
|
|
|
+```
|
|
|
+Chain POSTROUTING (policy ACCEPT)
|
|
|
+target prot opt source destination
|
|
|
+MASQUERADE all -- 192.168.2.0/24 anywhere
|
|
|
+```
|
|
|
+
|
|
|
+
|
Marius Schwarz