
Log

2026-01-20 Tuesday

Currently stuck with a connectivity issue to HTTPS. Debugging steps:

  • From same container:
    • Check service running, port exposed
    • Check firewall inbound rules
    • Test connectivity to port (via wget/curl/nc)
    • Verify certificate requested
    • Check IP address
    • Host nc server on different port
  • From Proxmox host:
    • Test DNS query points to IP address
    • Check firewall inbound rules
    • Test connectivity to ports
    • Verify certificate requested
  • From different container:
    • Test DNS query points to IP address
    • Check firewall outbound rules
    • Test connectivity to ports
    • Verify certificate requested
  • From router/firewall host:
    • Test DNS query points to IP address
    • Check firewall rules / NAT port forwarding
    • Test connectivity to ports
    • Verify certificate requested
    • Monitor firewall logs, enable logging
  • From different computer:
    • Test DNS query points to IP address
    • Check firewall rules
    • Test connectivity to ports
    • Verify certificate requested

Found that the buck stops with Proxmox. Port 443/tcp not exposed, but continues to intercept requests:

proxmox:~$ nc -kl -p 443
proxmox:~$ lsof -nPi | grep 443
nc        362829     root    3u  IPv4 2612663      0t0  TCP *:443 (LISTEN)
 
# nc listener no output
# Applies to ports 443 and 8006. Other ports are not intercepted, e.g. 8007
container:~$ echo "test" | nc 192.168.1.2 443
HTTP/1.0 400 bad request
Cache-Control: max-age=0
Connection: close
Date: Tue, 20 Jan 2026 16:22:36 GMT
Pragma: no-cache
Server: pve-api-daemon/3.0
Expires: Tue, 20 Jan 2026 16:22:36 GMT

Stopping pveproxy of course terminates connections, while stopping pvedaemon does not change the behaviour:

proxmox:~$ pveproxy stop
container:~$ echo "test" | nc 192.168.1.2 443
(UNKNOWN) [192.168.1.2] 443 (https) : Connection refused

Aha... of course it has got to do with the deactivated iptables rule to redirect 443/tcp to 8006/tcp created a year ago, which did not filter by destination IP address (so all incoming 443/tcp packets got redirected...). Fixed with:

root:~# iptables -t nat -D PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
root:~# iptables -t nat -A PREROUTING -d 192.168.1.2/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
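
An added check, not part of the original log: it reads iptables-save output on stdin and lists nat PREROUTING rules that REDIRECT or DNAT without a destination address match, the condition that caused the interception above. The sample ruleset is constructed, and treating only an unnegated -d as scoping is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original log): flag nat PREROUTING rules that
# REDIRECT or DNAT traffic without restricting the destination address.
# Input is iptables-save format on stdin. On a live host:
#   iptables-save -t nat | find_unscoped_redirects

find_unscoped_redirects() {
    awk '
        $1 == "-A" && $2 == "PREROUTING" {
            scoped = 0; target = ""
            for (i = 3; i <= NF; i++) {
                # Assumption: only an unnegated -d counts as scoping the rule.
                if (($i == "-d" || $i == "--destination") && $(i - 1) != "!")
                    scoped = 1
                if ($i == "-j")
                    target = $(i + 1)
            }
            # Print the rule unchanged so it can be reviewed or deleted.
            if ((target == "REDIRECT" || target == "DNAT") && !scoped)
                print
        }
    '
}

# Constructed sample: the first rule is the unscoped form from the log, the
# second is the corrected form. The POSTROUTING rule is made-up filler.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -d 192.168.1.2/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT
EOF
}

# Demo run over the constructed sample: prints only the unscoped rule.
sample_rules | find_unscoped_redirects
```

Rules scoped by other means, such as an addrtype match, are still listed and need a manual look.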
kb/intranet/platforms/proxmox/log.txt · Last modified: 32 hours ago (20 January 2026) by justin