[PVE-User] Proxmox disable TLS 1

Ian Coetzee proxmox at iancoetzee.za.net
Thu Jul 26 13:50:31 CEST 2018


Hi Uwe,

I won't mind, sanitised version below. This config gives me an A+ score on
www.ssllabs.com

It was originally sourced from
https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy with some tweaks
added by me over a period

$ sudo cat /etc/nginx/sites-enabled/proxmox-gui
> upstream proxmox {
>     server localhost:8006;
> }
>
> server {
>     listen 80 default_server;
>     # redirect all plain-HTTP requests to the same host over HTTPS
>     rewrite ^(.*) https://$host$1 permanent;
> }
>
> server {
>     listen 443;
>     server_name _;
>     ssl on;
>     ssl_certificate ***;
>     ssl_certificate_key ***;
>     ssl_protocols TLSv1.2;
>     ssl_prefer_server_ciphers on;
>     ssl_ciphers
> ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
>     proxy_redirect off;
>     server_tokens off;
>     add_header X-XSS-Protection "1; mode=block";
>     add_header X-Content-Type-Options nosniff;
>     add_header X-Frame-Options SAMEORIGIN;
>     proxy_hide_header X-Powered-By;
>     location / {
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         proxy_pass https://localhost:8006;
>         proxy_buffering off;
>         client_max_body_size 0;
>         proxy_connect_timeout  3600s;
>         proxy_read_timeout  3600s;
>         proxy_send_timeout  3600s;
>         send_timeout  3600s;
>     }
> }
>

NoVNC, xterm.js and Spice work perfectly.

Kind regards


On 26 July 2018 at 13:27, Uwe Sauter <uwe.sauter.de at gmail.com> wrote:

> Would you mind sharing the relevant parts of your nginx config? Does
> forwarding NoVNC traffic work?
>
>
>
> On 26.07.2018 at 13:22, Ian Coetzee wrote:
> > Hi All,
> >
> > I know this has been answered.
> >
> > What I did was to drop a reverse proxy (nginx) in front of pveproxy
> > listening on port 443 then make the needed changes in the nginx config
> >
> > Makes my life way easier :)
> >
> > On 26 July 2018 at 11:38, Thomas Lamprecht <t.lamprecht at proxmox.com>
> wrote:
> >
> >> On 07/26/2018 at 11:30 AM, Brent Clark wrote:
> >>
> >>> Thanks for replying
> >>>
> >>> Interesting, I do not have that file / package.
> >>>
> >>>
> >> Just create it, it's not there by default but gets considered by
> >> pveproxy - if there. And pveproxy resides in the pve-manager package
> >>
> >> root at chs-vmh01 ~ # dpkg -l | awk '/pve-/{print $2" "$3}'
> >>>
> >>
> >> Not all our packages begin with pve, e.g. qemu-server, novnc-pve, etc.
> >>
> >> Use `pveversion -v` to get a list of all packages directly relevant to
> >> PVE and its version quickly; it can also be found in the Web UI (Node ->
> >> Summary -> Package versions).
> >>
> >> cheers,
> >> Thomas
> >>
> >>
> >>
> >>> snippet
> >>>
> >>> pve-cluster 5.0-28
> >>> pve-container 2.0-24
> >>> pve-docs 5.2-4
> >>> pve-edk2-firmware 1.20180612-1
> >>> pve-firewall 3.0-13
> >>> pve-firmware 2.0-5
> >>> pve-ha-manager 2.0-5
> >>> pve-i18n 1.0-6
> >>> pve-kernel-4.15 5.2-4
> >>> pve-kernel-4.15.15-1-pve 4.15.15-6
> >>> pve-kernel-4.15.17-1-pve 4.15.17-9
> >>> pve-kernel-4.15.17-3-pve 4.15.17-14
> >>> pve-kernel-4.15.18-1-pve 4.15.18-15
> >>> pve-libspice-server1 0.12.8-3
> >>> pve-manager 5.2-5
> >>> pve-qemu-kvm 2.11.2-1
> >>> pve-xtermjs 1.0-5
> >>>
> >>> Regards
> >>> Brent
> >>>
> >>>
> >>> On 26/07/2018 11:22, Thomas Lamprecht wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> On 07/26/2018 at 11:05 AM, Brent Clark wrote:
> >>>>
> >>>>> Good day Guys
> >>>>>
> >>>>> I did a sslscan on my proxmox host, and I got the following:
> >>>>>
> >>>>> snippet:
> >>>>> Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
> >>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
> >>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
> >>>>> Accepted  TLSv1.0  256 bits  AES256-SHA
> >>>>> Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
> >>>>> Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
> >>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
> >>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-SEED-SHA              DHE 2048 bits
> >>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
> >>>>> Accepted  TLSv1.0  128 bits  AES128-SHA
> >>>>> Accepted  TLSv1.0  128 bits  SEED-SHA
> >>>>> Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA
> >>>>>
> >>>>> I need to remove / disable TLSv1.0. Google has not been able to be of
> >>>>> much help, for I get suggestions to edit
> >>>>> /usr/bin/pveproxy and /etc/default/pveproxy and the list goes on.
> >>>>>
> >>>>> Can someone suggest how to fix this issue.
> >>>>
> >>>> Ah yes, I posted a possible quick solution for this in the forum a bit
> >>>> ago [0].
> >>>>
> >>>> Edit /etc/default/pveproxy to have a line with:
> >>>>
> >>>> CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
> >>>>
> >>>> then
> >>>> systemctl restart pveproxy
> >>>>
> >>>> and you should be good to go :-)
> >>>>
> >>>> cheers,
> >>>> Thomas
> >>>>
> >>>> [0]: https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1-in-proxmox.35814/#post-175643
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>> pve-user mailing list
> >>> pve-user at pve.proxmox.com
> >>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
> >>>
> >>
> >>
> >>
> >
>
>
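To see what Thomas's CIPHERS= line for /etc/default/pveproxy actually leaves enabled, and to confirm none of the suites sslscan flagged in Brent's output survive it, here is an added example (not code from the thread, from Proxmox, or from nginx). It expands an OpenSSL cipher string with the local libssl and lists every suite whose minimum protocol is below TLS 1.2, which is what allows a TLS 1.0 handshake to complete in the first place. The permissive baseline string is constructed for comparison; the flagged-suite list is copied from the sslscan output above.

```python
import ssl

# Thomas's fix for /etc/default/pveproxy, as quoted in the thread.
PVEPROXY_CIPHERS = "HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"

# Constructed baseline: the same string without the protocol exclusions.
PERMISSIVE_CIPHERS = "HIGH:!aNULL:!MD5"

# Suites sslscan reported as "Accepted TLSv1.0" in Brent's output.
SSLSCAN_ACCEPTED = [
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA",
    "AES256-SHA", "CAMELLIA256-SHA", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA", "DHE-RSA-SEED-SHA", "DHE-RSA-CAMELLIA128-SHA",
    "AES128-SHA", "SEED-SHA", "CAMELLIA128-SHA",
]

MODERN = {"TLSv1.2", "TLSv1.3"}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local libssl and return
    (suite name, minimum protocol) pairs, as a server using that string
    would offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def legacy_suites(cipher_string):
    """Suites in the expanded list whose minimum protocol is below TLS 1.2;
    these are exactly the ones a TLS 1.0/1.1 client could negotiate."""
    return [name for name, proto in expand_cipher_string(cipher_string)
            if proto not in MODERN]


def still_offered(cipher_string, suites=SSLSCAN_ACCEPTED):
    """Which of the sslscan-flagged suites survive the cipher string."""
    names = {name for name, _ in expand_cipher_string(cipher_string)}
    return [s for s in suites if s in names]


if __name__ == "__main__":
    for label, cs in (("permissive", PERMISSIVE_CIPHERS),
                      ("pveproxy fix", PVEPROXY_CIPHERS)):
        print(f"{label}: {cs}")
        print("  pre-TLS1.2 suites:", legacy_suites(cs) or "none")
        print("  sslscan-flagged suites still offered:",
              still_offered(cs) or "none")
```

Note that `!TLSv1` and `!SSLv3` in an OpenSSL cipher string exclude the suites first defined for those protocol versions (the CBC/SHA1 ones) rather than the protocol itself; with no suite left that TLS 1.0 can use, the handshake cannot complete, which is why this setting produces the result Thomas describes.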
