Introduction

Out of the box, the Proxmox VE Web Interface runs under the TCP Port 8006. This brings the advantage that the “Entrance to the cockpit” is a bit more hidden, opposed to a normal HTTPS Port 443 location. However, one might say that such critical settings shouldn’t be accessible via the internet in the first place and I agree with that assessment. That’s why I prefer it personally, to have the web interface on the normal HTTPS Port 443 and put the entire Proxmox Installation behind a firewall.

This how-to will explain to you step-by-step, on how to move the Proxmox VE web interface from the default port 8006 to the HTTPS port 443.

Step 1: The Nginx Reverse Proxy

Technically, we aren’t actually moving the port assignment for the web interface itself, but rather establish a “gatekeeper” in the form of a reverse proxy, which forwards incoming traffic from its own port (443) to the web interface’s port (8006) running in the background. In the end, we make sure that only port 443 is reachable from outside the machine.

To start off, please login into your Proxmox machine via SSH and install nginx, as this will serve as the actual reverse proxy.

apt-get install nginx

After nginx is installed, make sure to change to the confgurations location and remove the default settings file.

cd /etc/nginx
rm -rf sites-enabled/default
rm -rf sites-available/default

Proceed to create this file anew…

nano sites-available/default

… with the following contents:

stream proxmox {
    server <YOUR-COMPLETE-SERVER-ADDRESS.COM>;
}

server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name <YOUR-COMPLETE-SERVER-ADDRESS.COM>;

    ssl_certificate /etc/pve/nodes/<YOUR-NODENAME>/pve-ssl.pem;
    ssl_certificate_key /etc/pve/nodes/<YOUR-NODENAME>/pve-ssl.key;

    proxy_redirect off;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;

        client_max_body_size 0;

        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}

Remember to change the placeholder-strings in the provided configuration file with your appropiate values. Continue with linking the site-available default as a site-enabled. Restart nginx afterwards.

ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
service nginx restart

Please notice, that we are using the default self-signed SSL Keys from Proxmox via the ssl_certificate and ssl_certificate_key directives here.

Step 1B: Setup Let’s Encrypt (Optional)

If you want to use Let’s Encrypt signed SSL certificates instead, please also follow along with this step.

Continue to comment out the ssl_certificate and ssl_certificate_key directives from the default configuration file, as we are going to use certbot to create SSL Keys via Let’s Encrypt.

Restart nginx afterwards and install Let’s Encrypt certbot.

nano /etc/nginx/sites-available/default
<Comment out the lines containing ssl_certificate and ssl_certificate_key>

service nginx restart
apt-get install certbot

Start the certbot wizard and create the SSL keypair with it.

certbot certonly -d <YOUR-COMPLETE-SERVER-ADDRESS.COM>

Once again we are now modifiying the default configuration file, to supply nginx with the now generated Let’s Encrypt SSL keys.

nano /etc/nginx/sites-available/default
<Remove Comments from the ssl_certificate and ssl_certificate_key directives>

ssl_certificate /etc/letsencrypt/live/<YOUR-DOMAIN>/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/<YOUR-DOMAIN>/privkey.pem

Finally restart nginx to load the new SSL keys in.

service nginx restart

Step 2: Adjust pveproxy Settings

Right now, it should actually be possible to reach your Proxmox web interface with HTTPS with valid SSL keys via port 443. Unfortunately the original Port 8006 is also still open. So we are going to fix that now.

For that, edit the /etc/default/pveproxy configuration file with the following contents:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

This configuration file tells the native Proxmox webserver to only accept requests from inside the same machine (127.0.0.1 -> localhost), so only requests coming from nginx, running as a neighbor so to speak, are actually processed.

Finally make sure to restart pveproxy:

service pveproxy restart

Congratulations! Your Proxmox web interface should now run on HTTPS Port 443 exclusively.

Final Note

When you intent to also utilize SPICE for Proxmox remote desktops, it is strongly advised to also refer to the following article as a follow-up, as SPICE connections may not work flawlessly after the reverse proxy is established on the Proxmox Host (refer to “Solution 4”).

Article: Ways to solve SPICE “Unable connect to graphics server” Error

Leave a Reply

Your email address will not be published.

You May Also Like