Post by Ian CoetzeeHi Uwe,
I won't mind, sanitised version below. This config gives me an A+ score on www.ssllabs.com <http://www.ssllabs.com>
It was originally sourced from https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy with some tweaks added by me over a period
$ sudo cat /etc/nginx/sites-enabled/proxmox-gui
upstream proxmox {
server localhost:8006;
}
server {
listen 80 default_server;
rewrite ^(.*) https:// permanent;
}
server {
listen 443;
server_name _;
ssl on;
ssl_certificate ***;
ssl_certificate_key ***;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
proxy_redirect off;
server_tokens off;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
proxy_hide_header X-Powered-By;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://localhost:8006;
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
}
}
NoVNC, xterm.js and Spice works perfectly.
Kind regards
Would you mind to share the relevant parts of your nginx config? Does forwarding NoVNC traffic work?
Post by Ian CoetzeeHi All,
I know this has been answered.
What I did was to drop a reverse proxy (nginx) in front of pveproxy
listening on port 443 then make the needed changes in the nginx config
Makes my life way easier :)
Post by Thomas LamprechtPost by Brent ClarkThanks for replying
Interesting, I do not have that file / package.
Just create it, it's not there by default but gets considered by
pveproxy - if there. And pveproxy resides in the pve-manager package
Not all our packages begin with pve, e.g. qemu-server, novnc-pve, etc.
Use `pveversion -v` to get a list of all packages directly relevant to
PVE and it's version quickly, can also be found in the Web UI (Node ->
Summary -> Package versions)
cheers,
Thomas
Post by Brent Clarksnippet
pve-cluster 5.0-28
pve-container 2.0-24
pve-docs 5.2-4
pve-edk2-firmware 1.20180612-1
pve-firewall 3.0-13
pve-firmware 2.0-5
pve-ha-manager 2.0-5
pve-i18n 1.0-6
pve-kernel-4.15 5.2-4
pve-kernel-4.15.15-1-pve 4.15.15-6
pve-kernel-4.15.17-1-pve 4.15.17-9
pve-kernel-4.15.17-3-pve 4.15.17-14
pve-kernel-4.15.18-1-pve 4.15.18-15
pve-libspice-server1 0.12.8-3
pve-manager 5.2-5
pve-qemu-kvm 2.11.2-1
pve-xtermjs 1.0-5
Regards
Brent
Post by Thomas LamprechtHi,
Post by Brent ClarkGood day Guys
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256
DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256
DHE 256
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits DHE-RSA-SEED-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits SEED-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
I need to remove / disable TLSv1.0. Google has not been able to be of
much help, for I get suggestions to edit
/usr/bin/pveproxy and /etc/default/pveproxy and the list goes on.
> Can someone suggest how to fix this issue.
Ah yes, I posted a possible quick solution for this in the forum a bit
ago [0].
CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
then
systemctl restart pveproxy
and you should be good to go :-)
cheers,
Thomas
[0]: https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1-
<https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1->
Post by Ian CoetzeePost by Thomas LamprechtPost by Brent ClarkPost by Thomas Lamprechtin-proxmox.35814/#post-175643
_______________________________________________
pve-user mailing list
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user <https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user>
_______________________________________________
pve-user mailing list
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user <https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user>
_______________________________________________
pve-user mailing list
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user <https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user>
_______________________________________________
pve-user mailing list
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user <https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user>