The Architecture Rationale
This infrastructure idea was born out of the limitations of traditional shared hosting and cPanel environments. When dealing with strict budget constraints but requiring high-speed, isolated, and granularly controllable environments on the same network, standard shared hosting falls short.
The precursor to this setup involved leveraging the AWS Free Tier (t3.micro). Building on AWS provided a crucial sandbox for mastering security groups, IAM policies, and VPC firewalls. That knowledge was then ported to a more cost-effective, high-resource VPS provider. By installing a custom Proxmox VE ISO, setting up cloud-level firewalls, and managing native Proxmox firewalls, this architecture achieves enterprise-grade routing and isolation on a fraction of the budget.
Phase 1: Bare Metal Foundation & Initial Setup
The foundation relies on a robust VPS with a fresh installation of the latest Proxmox VE using a custom ISO.
- Network Configuration: During setup, bind the public IP using the provider’s assigned CIDR block (e.g.,
/21) and set DNS to a reliable public resolver like Cloudflare (1.1.1.1). - Post-Install Optimization: Utilize community-vetted post-installation scripts (like the Proxmox VE Helper-Scripts) to strip out enterprise nag screens, update repositories, and optimize the host.
Time & Host Resolution
Infrastructure hygiene requires a unified timezone and internal resolution.
- Navigate to DataCenter > PVE (Node) > System > Time, and set the system to UTC.
- Navigate to DataCenter > PVE (Node) > System > Hosts and map the local environment:
127.0.0.1 localhost.localdomain localhost
[PUBLIC_IP] pve.server.net pve proxmox.[YOUR_DOMAIN].com
192.168.100.52 stalwart.[YOUR_DOMAIN].com
# IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Phase 2: Software-Defined Networking (SDN) & DHCP
To provide VMs and LXC containers with automatic IP assignment via DHCP and allow them to reach the internet (passing WAN to LAN via SNAT), Proxmox’s SDN core must be enabled.
1. Install Routing Dependencies
Access the PVE shell and install the necessary routing daemon and DNS forwarder:
apt update
apt install dnsmasq frr-pythontools
systemctl disable --now dnsmasq
systemctl enable frr.service
2. Configure the SDN Interface
- Zone: Create a Simple Zone (DataCenter > SDN > Zones). Enable automatic DHCP.
- VNet: Create a VNet within this zone. Note: There is no need to make this VLAN aware or isolate ports on the default
vmbr0bridge. - Subnet: Attach a subnet to the VNet with the following parameters:
- Subnet:
192.168.100.0/24 - Gateway:
192.168.100.1 - SNAT: Enabled
- DHCP Ranges:
192.168.100.50 - 192.168.100.100
3. NAT Routing & Port Forwarding
To route external web traffic (80/443) to the internal Nginx/Deployment server at 192.168.100.50, append iptables rules directly to the network interfaces file.
nano /etc/network/interfaces
auto lo
iface lo inet loopback
iface ens18 inet manual
auto vmbr0
iface vmbr0 inet static
address [PUBLIC_IP]/21
gateway [PUBLIC_GATEWAY]
bridge-ports ens18
bridge-stp off
bridge-fd 0
# Route HTTP/HTTPS to internal proxy/LXC (.50)
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.100.50:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.100.50:80
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.100.50:443
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.100.50:443
source /etc/network/interfaces.d/*
Phase 3: Secure GUI Access & Reverse Proxy
Exposing the native Proxmox GUI (port 8006) directly to the public internet is a security liability. To solve this, access is routed through a secure internal channel.
- Nginx LXC Reverse Proxy: The Proxmox GUI is placed behind an internal Nginx proxy container.
- Domain Access: This allows secure access via a “
custom-domain-or-subdomain.com"instead of typing IPs and ports.
Due to security protocols and the production-grade nature of this infrastructure, the live management interface is restricted. Architecture diagrams and system logs are available upon request for verification purposes. - Basic Authentication: As a secondary defense layer, the Nginx reverse proxy enforces strict Basic Auth (Admin/Password prompt) before the traffic even reaches the Proxmox login screen, dropping unauthorized scans at the edge.
Phase 4: External Storage Integrations
Rather than paying for expensive block storage, this setup mounts external legacy hosting accounts and cloud drives directly into Proxmox for backups and ISO storage.
SSHFS (Legacy cPanel Storage)
Mounting an external cPanel account via secure SSHFS:
- Generate/import SSH keys in
~/.ssh/. - Configure the SSH client
~/.ssh/config:
Host gd
HostName [CPANEL_SERVER_HOSTNAME]
User [CPANEL_USERNAME]
IdentityFile ~/.ssh/bftech_gd
- Install SSHFS, create the mount point (
/mnt/pve/ftp/sharedhosting), and add it to/etc/fstabfor persistence across reboots:
gd:/home/[CPANEL_USERNAME]/storage /mnt/pve/ftp/sharedhostingfuse.sshfs _netdev,users,idmap=user,IdentityFile=/root/.ssh/bftech_gd,allow_other,reconnect 0 0
Rclone (Google Drive / Mega)
To mount cloud providers natively using Rclone:
- Install Rclone:
curl https://rclone.org/install.sh | bash - Configure headless OAuth via a local Windows machine.
- Create systemd service templates (
/etc/systemd/system/[email protected]) to ensure cloud drives auto-mount on boot:
[Unit]
Description=RClone mount for %i
After=network-online.target
Wants=network-online.target
AssertPathIsDirectory=/mnt/pve/%i
[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/bin/rclone mount %i:storage /mnt/pve/%i \
--vfs-cache-mode writes \
--allow-non-empty \
--allow-other
ExecStop=/bin/fusermount -uz /mnt/pve/%i
Restart=always
RestartSec=10
TimeoutSec=60
- Enable the mounts:
systemctl enable --now rclone@gdrive_user(repeat for all configured drives). - Finally, add these directories as Storage resources in the Proxmox GUI (DataCenter > Storage > Add Directory).
Phase 5: Security & Alerts
Fail2Ban Hardening
Protect the Proxmox GUI and SSH ports from brute-force attacks by integrating Fail2Ban.
apt install fail2ban -y
systemctl enable --now fail2ban
Create a custom Proxmox filter (/etc/fail2ban/filter.d/proxmox.conf):
[Definition]
failregex = ^.*pvedaemon.*authentication failure; rhost=<HOST> user=.*$
^.*pam_unix\(proxmox-ve-auth:auth\).*rhost=<HOST>.*$
ignoreregex =
Define the jails (/etc/fail2ban/jail.d/proxmox.local):
[proxmox]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
port = 8006
maxretry = 3
findtime = 10m
bantime = 31536000
Note: Ensure firewall rules allow UDP 67/68 for DHCP, ICMP for ping, UDP 53 for DNS, and required TCP ports.
Slack Webhook Notifications
Route system alerts directly to Slack via DataCenter > Notifications > Notification Targets.
Webhook Body:
{
"text": "``` {{escape message}}```",
"type": "mrkdwn"
}
