Nginx virtual host config for Proxmox, to hide pveproxy (port 8006) behind nginx, with working VNC passthrough.
###
# Nginx vhost file to hide Proxmox pveproxy
# For 3.4+, 5.x version.
#
# Do not forget to create the file
# /etc/default/pveproxy:
# ALLOW_FROM="127.0.0.1"
# DENY_FROM="all"
# POLICY="allow"
# so that pveproxy accepts connections only from the local nginx.
# pveproxy then sees every request as coming from 127.0.0.1, so any
# per-client IP restriction has to be enforced in nginx.
#
# @2019-08-05
# - disable buffering of big iso/template uploads
#
# @2018-08-01 - changes
# - add missing special locations for proxmoxlib.js, vnc
#
# @2017-11-17 - changes
# - use nginx-1.10+ for https
# - move proxy_params inside the locations, because
# some parameters/headers otherwise fall back to their defaults
# - add other hacks to skip proxying to pveproxy: docs
# - add special location for api access
# - add some descriptions to options
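server {
    # TLS front end for the Proxmox web UI / API. Everything that is not
    # served from local static files is forwarded to pveproxy on
    # https://127.0.0.1:8006.

    # Pick the listen line that matches your nginx version.
    # nginx-1.0+
    #listen 443 ssl;
    # nginx-1.6+
    #listen 443 ssl spdy;
    # nginx-1.10+
    listen 443 ssl http2;

    root /var/www/default;

    # Set YOUR server name here
    server_name proxmox.example.com;

    # Reject requests whose Referer names another site (cross-framing).
    # Requests with no Referer ("none") or a stripped one ("blocked") are
    # still accepted, and the header is supplied by the client, so treat
    # this as a hint-level check, not as access control.
    valid_referers none blocked server_names;
    if ($invalid_referer) {
        return 403;
    }

    # Browser hardening headers. "always" (nginx 1.7.5+) also attaches them
    # to error responses, including the 403 above; without it nginx adds
    # them only to 2xx/3xx replies.
    # NOTE: add_header is inherited only by locations that declare no
    # add_header of their own. Repeat these two lines in any location
    # that adds headers.
    # Forbid framing by other origins.
    add_header X-Frame-Options SAMEORIGIN always;
    # Tell browsers not to MIME-sniff away from the declared Content-Type.
    add_header X-Content-Type-Options nosniff always;

    access_log /var/log/nginx/proxmox.example.com-ssl-access.log;
    error_log /var/log/nginx/proxmox.example.com-ssl-error.log;

    # Default request body limit (images, backups, iso...); the upload
    # location below raises it.
    client_max_body_size 64m;

    # proxy_params sets proxy_set_header lines. It is included again inside
    # every proxying location, because a location that sets its own
    # proxy_set_header does not inherit the ones from this level.
    include proxy_params;

    # Your certificate, key and cipher settings must be defined here;
    # nginx refuses to start if this file is missing.
    include ssl/proxmox.conf;

    # Restrict the nginx -> pveproxy hop to a protocol pveproxy supports.
    # Special for Proxmox-3. TLSv1 is deprecated; it is tolerable here only
    # because this hop never leaves 127.0.0.1. On Proxmox-5+ comment this
    # line out and enable the TLSv1.2 line below.
    proxy_ssl_protocols TLSv1;
    # Special for Proxmox-5+
    #proxy_ssl_protocols TLSv1.2;

    # Catch-all: forward to pveproxy.
    location / {
        # WebSocket upgrade headers, needed for the VNC console
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }

    # API and noVNC endpoints.
    location ~* ^/(api2|novnc)/ {
        proxy_redirect off;

        # WebSocket upgrade headers, needed for the VNC console
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Upload templates/iso: large bodies are streamed straight to
        # pveproxy instead of being spooled to disk by nginx first.
        location ~* ^/api2/json/nodes/.*/storage/.*/upload {
            client_max_body_size 2000m;

            # nginx-1.8+
            proxy_request_buffering off;
            proxy_max_temp_file_size 0;

            include proxy_params;
            proxy_pass https://127.0.0.1:8006;
        }

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }

    # The Proxmox Web-UI loads the DEBUG version of ExtJS, and proxying it
    # through nginx is very slow and can hang. Serve the static files
    # directly from disk instead, and fall back to pveproxy only when the
    # file is not found locally.
    location ~* ^/pve2/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-manager;
        try_files /$file @proxmox;
    }

    # Special for proxmox-5.x
    location ~* ^/proxmox.*\.js$ {
        gzip_static on;
        # The original had "/usr/share" doubled in this path, so the file
        # was never found and every request fell through to @proxmox.
        # Verify the directory on your installation.
        root /usr/share/javascript/proxmox-widget-toolkit;
        try_files $uri @proxmox;
    }

    location ~* ^/pve-docs/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-docs;
        try_files /$file @proxmox;
    }

    # Fallback used by the try_files directives above; "internal" means
    # clients cannot request it directly.
    location @proxmox {
        internal;

        # WebSocket upgrade headers, needed for the VNC console
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # nginx-1.8+
        proxy_request_buffering off;
        proxy_max_temp_file_size 0;

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }
}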
Thanks for your response.
And keep the default conf?
Thanks
El jue., 6 feb. 2020 15:42, Sergey Dryabzhinsky <[email protected]>
escribió:
… @aguerrave <https://github.com/aguerrave>
Copy this file into the /etc/nginx/sites-enabled/ directory, or wherever your
installation keeps its nginx configs.
Change the server_name ... line to your Proxmox server's DNS name.
Reload the nginx instance.
Do we need to install it on the Proxmox host or in a virtual machine?
/etc/nginx/sites-enabled# journalctl -xe
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: [emerg] open() "/etc/nginx/ssl/proxmox.conf" failed (2: No such file or directory) in /etc/nginx/con
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support-- An ExecStartPre= process belonging to unit nginx.service has exited.
-- The process' exit code is 'exited' and its exit status is 1.
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support-- The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Feb 08 17:26:32 condor3160 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: A start job for unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support-- A start job for unit nginx.service has finished with a failure.
-- The job identifier is 264934 and the job result is failed.
lines 7023-7046/7046 (END)
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: [emerg] open() "/etc/nginx/ssl/proxmox.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/nginx-vhost-proxpr
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support-- An ExecStartPre= process belonging to unit nginx.service has exited.
-- The process' exit code is 'exited' and its exit status is 1.
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support-- The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Feb 08 17:26:32 condor3160 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: A start job for unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support-- A start job for unit nginx.service has finished with a failure.
-- The job identifier is 264934 and the job result is failed.
I assume that you use these configs on the Proxmox host machine.
You should define the SSL settings for nginx in the file /etc/nginx/ssl/proxmox.conf:
paths to the certificate and key, and the ciphers.
Read about it here: https://nginx.org/en/docs/http/configuring_https_servers.html
Or disable the line with include ssl/proxmox.conf
and change the listen option to listen 80;
Not recommended though: over plain HTTP the Proxmox login credentials and session cookie cross the network unencrypted.
Updated gist: restrict the proxy SSL protocols to those supported by pveproxy.
On Proxmox-3 it is limited to TLSv1.1, on Proxmox-5+ to TLSv1.2.
Update gist: on Proxmox-3 pveproxy limited to TLSv1.
@aguerrave
Copy this file into the /etc/nginx/sites-enabled/ directory, or wherever your installation keeps its nginx configs.
Change the server_name ... line to your Proxmox server's DNS name.
Reload the nginx instance.