Skip to content

Instantly share code, notes, and snippets.

@sergey-dryabzhinsky

sergey-dryabzhinsky/nginx-vhost-proxprox.conf

Last active April 18, 2022 20:15
Show Gist options
  • Save sergey-dryabzhinsky/2af5f7c56e1ee01ce128e04bf38ee99a to your computer and use it in GitHub Desktop.
Save sergey-dryabzhinsky/2af5f7c56e1ee01ce128e04bf38ee99a to your computer and use it in GitHub Desktop.
Download ZIP
Nginx virtual host config for Proxmox. To hide pveproxy on 8006 port behind. With working VNC passthrough.
Raw
nginx-vhost-proxprox.conf
###
# Nginx vhost file to hide Proxmox pveproxy
# For 3.4+, 5.x version.
#
# Do not forget to create file
# /etc/default/pveproxy:
# ALLOW_FROM="127.0.0.1"
# DENY_FROM="all"
# POLICY="allow"
#
# @2019-08-05
# - disable big iso/templates upload buffering
#
# @2018-08-01 - changes
# - add missing special locations for proxmoxlib.js, vnc
#
# @2017-11-17 - changes
# - use nginx-1.10+ for https
# - move proxy_params inside locations cos
# some parameters/header are dropping to defaults by the way
# - add other hacks to skip proxy to pveproxy: docs
# - add special location for api access
# - add some descriptions to options
server {
# nginx-1.0+
#listen 443 ssl;
# nginx-1.6+
#listen 443 ssl spdy;
# nginx-1.10+
listen 443 ssl http2;
root /var/www/default;
# Set YOUR server name here
server_name proxmox.example.com;
# Check for cross-framing - nuke bustards
valid_referers none blocked server_names;
if ($invalid_referer) {
return 403;
}
# Hint for browsers
add_header X-Frame-Options SAMEORIGIN;
# Don't "detect" file type by extension (IE10+?)
add_header X-Content-Type-Options nosniff;
access_log /var/log/nginx/proxmox.example.com-ssl-access.log;
error_log /var/log/nginx/proxmox.example.com-ssl-error.log;
# load images, backups, iso...
client_max_body_size 64m;
include proxy_params;
# Your certificates here must be
include ssl/proxmox.conf;
# restrict supported by pveproxy ssl protocols
# Special for Proxmox-3
proxy_ssl_protocols TLSv1;
# Special for Proxmox-5+
#proxy_ssl_protocols TLSv1.2;
location / {
# Magic for VNC
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
location ~* ^/(api2|novnc)/ {
proxy_redirect off;
# Magic for VNC
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Upload templates/iso
location ~* ^/api2/json/nodes/.*/storage/.*/upload {
client_max_body_size 2000m;
# nginx-1.8+
proxy_request_buffering off;
proxy_max_temp_file_size 0;
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
# MAGICK !!!
# Proxmox Web-UI loads DEBUG version of ExtJS
# And nginx waaaaaing sooo long. And hangs.
# Do not proxy static files, just give them
location ~* ^/pve2/(?<file>.*)$ {
gzip_static on;
root /usr/share/pve-manager;
try_files /$file @proxmox;
}
# Special for proxmox-5.x
location ~* ^/proxmox.*\.js$ {
gzip_static on;
root /usr/share/usr/share/javascript/proxmox-widget-toolkit;
try_files $uri @proxmox;
}
location ~* ^/pve-docs/(?<file>.*)$ {
gzip_static on;
root /usr/share/pve-docs;
try_files /$file @proxmox;
}
location @proxmox {
internal;
# Magic for VNC
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# nginx-1.8+
proxy_request_buffering off;
proxy_max_temp_file_size 0;
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
}
@sergey-dryabzhinsky
Copy link
Author

Updated gist: restrict proxy ssl protocols to supported by pveproxy.
On Proxmox-3 its limited to TLSv1.1, on Proxmox-5+ - to TLSv1.2.

@sergey-dryabzhinsky
Copy link
Author

Update gist: on Proxmox-3 pveproxy limited to TLSv1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment