Random notes from a security-aware software engineer, open-source advocate and occasional lecturer.
Now that we have our basic setup done, we can get to the tricky part of setting up an internal network for our Proxmox server.
In the University environment, this has the advantage of us being able to do whatever we want inside the network and just having a single ingress and egress node which interacts with the external network. This especially means that we can have IP autoconfiguration, which makes spinning up machines so much easier.
Of course, having an internal network can also act as a natural barrier of protection, since no one route directly to the machines and attack them. For example, even with the planned open set-up, if someone spins up a MariaDB server without authentication, no one can exploit that from the outside since no one can connect to the server.
The first step is, to actually create the internal network by creating a new network interface on our Proxmox server and assign it a network. This network bridge can then later be used to put machines on the internal network:
This gives us a fully functional internal network to use. That’s a good foundation for our next steps.
While having a network is the foundation we need, we do want autoconfiguration for this. That is why next, we configure dnsmasq to handle both:
Having this makes spinning up machines a breeze. What is left is access from the external network.
Most services we run today are being accessed via HTTPS. This means allowing this one protocol from the outside to get to internal machines will already allow us to handle most use-cases with no additional network configuration. We can easily configure Nginx as a reverse proxy for doing this. In fact, we kind of already did with the Proxmox web interface. So, we just need to repeat this in a slightly more generic way:
Finally, all that is left is to provide an easy way for developers to connect to internal machines. Luckily, SSH can use jump hosts as intermediary when connecting to a target. This means, we just need a single host on the internal network which is accessible from the outside:
With this, our basic Proxmox server setup is done. All that is left is to create some accounts and hand them out to users to use what you havebuilt.
Good luck with your set-up.