Secure Domain Access

  • Intro


    There are two ways to secure access to your Proxmox domain by generating a certificate for HTTPS access.

    Why would you want to access your domain securely?
    • The information between you and your server is encrypted
    • Enables the owner to access their Proxmox domain at work (depends on rules)
    • Adds extra layers of security by preventing unsecured information from being obtained by third parties
    • Prevents man-in-the-middle attacks
    • Provides a high degree of confidence that you are accessing your server

    Access Method 1 - Cloudflare


    Utilizing Cloudflare to secure your domain is the easiest way to obtain an HTTPS certificate for your server.

    *** More Written Later ***

    Access Method 2 - NGINX & Let's Encrypt


    Utilizing NGINX, your server can obtain an HTTPS certificate from Let's Encrypt for free.

    So, the first thing you're going to want to do is SSH into your Proxmox server. This can be done through either the built-in shell section in Proxmox or a tool such as PuTTY or Xterm. Once this is done, follow the instructions below.

    1.) Setting up DNS
    Create an A record pointing to the IP Proxmox is on. Most popular registrars have a DNS section that you can edit; if your DNS is managed by another company such as Cloudflare, change it there. For example, if the domain is prox.example.com, the A record will be prox and the IPv4 address will be your Proxmox IP.

    2.) Install Certbot
    Code:
    apt-get install certbot -y
    3.) Create Script

    Code:
    nano /root/ssl.sh
    Paste the following

    Code:
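    #!/bin/sh
    # Remove the certificate, key and CA file Proxmox is currently using
    rm -f /etc/pve/local/pve-ssl.pem
    rm -f /etc/pve/local/pve-ssl.key
    rm -f /etc/pve/pve-root-ca.pem
    # Copy the Let's Encrypt files into the paths Proxmox reads
    cp /etc/letsencrypt/live/{DOMAIN}/fullchain.pem /etc/pve/local/pve-ssl.pem
    cp /etc/letsencrypt/live/{DOMAIN}/chain.pem /etc/pve/pve-root-ca.pem
    cp /etc/letsencrypt/live/{DOMAIN}/privkey.pem /etc/pve/local/pve-ssl.key
    # Restart the Proxmox services so they load the new certificate
    service pveproxy restart
    service pvedaemon restart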
    Make sure you replace {DOMAIN} with the domain you configured in step 1.

    4.) Get certificate from Let's Encrypt

    Code:
    certbot certonly --standalone --post-hook "sh /root/ssl.sh" --agree-tos --email {EMAIL} -d {DOMAIN}
    Replace {EMAIL} with a valid email address and {DOMAIN} with the domain you set up in step 1.
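
    A more defensive variant of the /root/ssl.sh hook from step 3, added here as an example and not part of the original guide: it checks that the Let's Encrypt files exist, that the certificate is unexpired and matches the private key, and only then overwrites the Proxmox files instead of deleting them first. The function names check_pair and deploy_cert and the file name deploy.sh are hypothetical, and openssl is assumed to be installed.

```sh
#!/bin/sh
# Added example, not the guide's own script. check_pair and deploy_cert are
# hypothetical names; openssl is assumed to be installed.

# check_pair DIR: succeed only if DIR holds an unexpired certificate and the
# private key that belongs to it.
check_pair() {
    src=$1
    for f in fullchain.pem chain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    # -checkend 0 fails when the leaf certificate has already expired.
    openssl x509 -in "$src/fullchain.pem" -noout -checkend 0 >/dev/null || {
        echo "certificate in $src has expired" >&2; return 1; }
    # The public key inside the certificate must equal the one derived
    # from the private key, otherwise pveproxy cannot serve TLS with them.
    cert_pub=$(openssl x509 -in "$src/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$src/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and key in $src do not match" >&2; return 1; }
}

# deploy_cert SRC LOCAL_DIR PVE_DIR: overwrite the Proxmox files only after
# SRC validated, so a wrong {DOMAIN} path leaves the old certificate in place.
deploy_cert() {
    check_pair "$1" || return 1
    cp "$1/fullchain.pem" "$2/pve-ssl.pem" &&
        cp "$1/privkey.pem" "$2/pve-ssl.key" &&
        cp "$1/chain.pem" "$3/pve-root-ca.pem"
}

# When run with three arguments, deploy and restart the services, e.g.
#   sh deploy.sh /etc/letsencrypt/live/{DOMAIN} /etc/pve/local /etc/pve
if [ "$#" -eq 3 ]; then
    deploy_cert "$1" "$2" "$3" && service pveproxy restart &&
        service pvedaemon restart
fi
```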

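    The next part is optional and lets you connect to your Proxmox dashboard without specifying port 8006. Keep in mind that certbot's --standalone mode from step 4 needs to listen on port 80 itself, so once NGINX holds that port it has to be stopped while certbot runs.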

    1.) Install NGINX
    Code:
    apt install nginx -y
    2.) Remove Default configuration file
    Code:
    rm /etc/nginx/sites-enabled/default
    3.) Create new NGINX conf file

    Code:
    nano /etc/nginx/conf.d/proxmox.conf
    Add the following


    Code:
    # Placeholder: replace "FQDN HOSTNAME" with your domain
    upstream proxmox {
        server "FQDN HOSTNAME";
    }

    # Redirect all plain HTTP requests to HTTPS
    server {
        listen 80 default_server;
        rewrite ^(.*) https://$host$1 permanent;
    }

    server {
        # "listen 443 ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name _;
        ssl_certificate /etc/pve/local/pve-ssl.pem;
        ssl_certificate_key /etc/pve/local/pve-ssl.key;
        proxy_redirect off;
        location / {
            # Upgrade headers are needed for the WebSocket consoles
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass https://localhost:8006;
            proxy_buffering off;
            client_max_body_size 0;
            proxy_connect_timeout 3600s;
            proxy_read_timeout 3600s;
            proxy_send_timeout 3600s;
            send_timeout 3600s;
        }
    }
    Replace FQDN HOSTNAME with the domain you set up earlier, for example, prox.example.com

    4.) Test new NGINX conf file
    Code:
    nginx -t
    If successful, restart NGINX
    Code:
    systemctl restart nginx