A secure, lightweight PHP-based admin panel for managing Proxmox VMs without a database.
- Secure session-based authentication
- Multi-user support with hashed passwords
- CSRF protection
- Session timeout and fingerprinting
- Rate limiting on login attempts
- Simple VM control interface (start, stop, reboot, reset)
- Real-time VM status monitoring (CPU, memory, uptime)
- Per-user VM access control
- Auto-refreshing status every 5 seconds
- Clone the repository
  git clone <your-repo-url>
  cd pmx_admin_panel
- Configure the application
  cp config/config.example.php config/config.php
- Edit config/config.php with your settings:
  - Proxmox host and node information
  - API token credentials
  - VM list you want to manage (only these VMs will be accessible)
  - User accounts (see below)
The $VMS array in config/config.php defines all available VMs in the system:
$VMS = [
101 => 'Web Server',
102 => 'Database',
103 => 'Backup Server',
];
Each user can have specific VM access defined using the vm_access field:
$USERS = [
'admin' => [
'password_hash' => '$2y$10$...',
'name' => 'Administrator',
'vm_access' => [101, 102, 103], // Access to all VMs
],
'developer' => [
'password_hash' => '$2y$10$...',
'name' => 'Developer',
'vm_access' => [101], // Only access to Web Server
],
'dbadmin' => [
'password_hash' => '$2y$10$...',
'name' => 'Database Admin',
'vm_access' => [102], // Only access to Database
],
];
How it works:
- Users only see and control VMs listed in their vm_access array
- VM IDs must also exist in the global $VMS array
- If vm_access is not defined for a user, they get access to all VMs (backward compatibility)
- Access is enforced at all levels: display, status, and actions
Security:
- Users cannot view status of VMs they don't have access to
- Users cannot perform actions on VMs outside their access list
- All API endpoints validate VM access before executing commands
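
The access rules above, written out as an added example (not the project's own code). The helper names `allowed_vm_ids` and `authorize_vm_action`, the action names in `ALLOWED_ACTIONS`, and the sample users and requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in the shape config/config.php uses.
$VMS = [101 => 'Web Server', 102 => 'Database', 103 => 'Backup Server'];
$USERS = [
    'developer' => ['name' => 'Developer', 'vm_access' => [101, 999]],
    'legacy'    => ['name' => 'Legacy user'], // no vm_access key
];

// Assumed action names, taken from the dashboard labels in the README.
const ALLOWED_ACTIONS = ['start', 'shutdown', 'reboot', 'reset'];

/** VM IDs a user may see: vm_access intersected with the global $VMS keys. */
function allowed_vm_ids(array $users, array $vms, string $username): array
{
    if (!isset($users[$username])) {
        return []; // unknown user: deny everything
    }
    $all = array_keys($vms);
    if (!array_key_exists('vm_access', $users[$username])) {
        return $all; // documented fallback; set vm_access explicitly to avoid it
    }
    // IDs listed for the user but absent from $VMS (999 here) are dropped.
    return array_values(array_intersect($all, (array) $users[$username]['vm_access']));
}

/** Checks an untrusted vmid/action pair before any Proxmox API call is made. */
function authorize_vm_action(array $users, array $vms, string $username, $vmid, string $action): bool
{
    $id = filter_var($vmid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !in_array($action, ALLOWED_ACTIONS, true)) {
        return false;
    }
    return in_array($id, allowed_vm_ids($users, $vms, $username), true);
}

// Constructed requests: [user, vmid as received from the client, action].
$requests = [
    ['developer', '101', 'reboot'],    // VM in vm_access
    ['developer', '102', 'reboot'],    // VM exists but is outside vm_access
    ['developer', '999', 'start'],     // in vm_access but not in $VMS
    ['developer', '101abc', 'start'],  // malformed VM ID
    ['legacy', '103', 'reset'],        // user without vm_access
    ['nobody', '101', 'start'],        // unknown user
];
foreach ($requests as [$user, $vmid, $action]) {
    $ok = authorize_vm_action($USERS, $VMS, $user, $vmid, $action);
    printf("%-9s vm=%-6s %-8s %s\n", $user, $vmid, $action, $ok ? 'ALLOW' : 'DENY');
}
```

Because a missing `vm_access` key grants every VM, giving each account an explicit list keeps a typo in the key name from widening access.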
- Deploy to your web server
  - Make sure PHP is installed (PHP 7.4+ recommended)
  - Point your web server root to the public_html directory
  - Ensure proper file permissions
Users are stored in the $USERS array in config/config.php. Each user needs a hashed password.
Generate a password hash:
php -r "echo password_hash('your_password_here', PASSWORD_DEFAULT) . PHP_EOL;"
Add to config/config.php:
$USERS = [
'admin' => [
'password_hash' => '$2y$10$...', // Your generated hash
'name' => 'Administrator',
],
'john' => [
'password_hash' => '$2y$10$...', // Another hash
'name' => 'John Doe',
],
];
The example config comes with:
- Username: admin
- Password: password
- Password Hashing: Uses PHP's password_hash() with bcrypt
- Session Security:
  - HTTP-only cookies
  - Session fingerprinting (User-Agent validation)
  - Automatic session regeneration
  - Configurable timeout (default: 1 hour)
- CSRF Protection: All state-changing requests require a valid CSRF token
- Rate Limiting: 5 failed login attempts per 15 minutes
- Secure Headers: SameSite cookie policy
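
How the timeout, User-Agent fingerprint and CSRF token checks listed above fit together, as an added example that is not the project's own code. The helper names, the SHA-256 fingerprint, the sliding timeout and the sample values are assumptions; the helpers take a plain array so the block runs from the CLI, where a real request would pass `$_SESSION`.

```php
<?php
declare(strict_types=1);

define('SESSION_LIFETIME', 3600); // value shown in the README's config excerpt

/** Records the state the later checks depend on (hypothetical helper). */
function session_begin(array &$s, string $user, string $userAgent, int $now): void
{
    // In a live request, call session_regenerate_id(true) here so the
    // pre-login session ID is not carried into the authenticated session.
    $s = [
        'user'          => $user,
        'fingerprint'   => hash('sha256', $userAgent),
        'last_activity' => $now,
        'csrf_token'    => bin2hex(random_bytes(32)),
    ];
}

/** True only if the session is logged in, unexpired and from the same User-Agent. */
function session_is_valid(array &$s, string $userAgent, int $now): bool
{
    if (!isset($s['user'], $s['fingerprint'], $s['last_activity'])) {
        return false;
    }
    $expired = ($now - $s['last_activity']) > SESSION_LIFETIME;
    $sameUa  = hash_equals($s['fingerprint'], hash('sha256', $userAgent));
    if ($expired || !$sameUa) {
        $s = []; // drop all state on any failed check
        return false;
    }
    $s['last_activity'] = $now; // sliding timeout (assumption)
    return true;
}

/** Constant-time comparison of the submitted token with the stored one. */
function csrf_is_valid(array $s, ?string $submitted): bool
{
    return isset($s['csrf_token']) && is_string($submitted)
        && hash_equals($s['csrf_token'], $submitted);
}

// Constructed walk-through with fixed timestamps.
$s = [];
session_begin($s, 'admin', 'Mozilla/5.0 (constructed)', 1000);
var_dump(csrf_is_valid($s, $s['csrf_token']));                      // token echoed back
var_dump(csrf_is_valid($s, null));                                  // token missing
var_dump(session_is_valid($s, 'Mozilla/5.0 (constructed)', 2000));  // same UA, in lifetime
var_dump(session_is_valid($s, 'Mozilla/5.0 (constructed)', 9000));  // idle past lifetime
var_dump(session_is_valid($s, 'Mozilla/5.0 (constructed)', 9001));  // state already cleared
```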
define('SESSION_NAME', 'pmx_admin_session'); // Session cookie name
define('SESSION_LIFETIME', 3600); // Session timeout in seconds (1 hour)
define('VERIFY_SSL', false); // Set to true in production with valid SSL cert

pmx_admin_panel/
├── public_html/              # Web root (point your web server here)
│   ├── index.php             # Login page
│   ├── admin.php             # Main VM management dashboard
│   ├── logout.php            # Logout handler
│   ├── actions.php           # API endpoint for VM actions
│   ├── status.php            # API endpoint for VM status
│   ├── auth.php              # Authentication helper functions
│   ├── proxmox_api.php       # Proxmox API integration
│   ├── guard.php             # Security guard for include-only files
│   ├── debug_api.php         # API debug and test tool
│   ├── find_node.php         # Proxmox node discovery tool
│   └── check_status.php      # Quick status check tool
├── config/                   # Configuration files (outside web root)
│   ├── config.php            # Your configuration (not in git)
│   ├── config.example.php    # Configuration template
│   └── nginx-security.conf   # Nginx security configuration
├── .jules/                   # Jules configuration
├── README.md                 # This file
└── .gitignore                # Prevents config.php from being committed
- Navigate to your installation URL
- Log in with your credentials
- View real-time status of all your VMs:
  - Green indicator: VM is running
  - Red indicator: VM is stopped
  - CPU, Memory, Uptime: Displayed for running VMs
- Use the dashboard to manage VMs:
  - Start: Power on a VM
  - Shutdown: Graceful shutdown
  - Reboot: Graceful reboot
  - Reset: Hard reset (force restart)
- Status auto-refreshes every 5 seconds
For running VMs, the dashboard displays:
- Status: Running/Stopped with color-coded indicator
- CPU Usage: Current CPU utilization percentage
- Memory Usage: Current memory used vs. total allocated
- Uptime: How long the VM has been running
- PHP 7.4 or higher
- Access to Proxmox API
- Valid API token
- Always use HTTPS in production
- Regularly rotate API tokens
- Use strong passwords for all accounts
- Keep session timeout reasonable for your use case
- Monitor failed login attempts
Wait 15 minutes or clear your session cookie.
Increase SESSION_LIFETIME in config/config.php.
Make sure cookies are enabled and you're not blocking JavaScript.
- Verify PVE_HOST is correct
- Check API token credentials
- Ensure firewall allows connection
- Set VERIFY_SSL to false if using self-signed cert
- Use HTTPS: Always use HTTPS in production to protect credentials
- Secure config/config.php: Ensure proper file permissions (600 or 640)
- Change default passwords: Never use example passwords in production
- Regular updates: Keep PHP updated for security patches
- Audit logs: Consider adding logging for security events
GNU General Public License v3.0