Web Interface Via Nginx Proxy: Difference between revisions
(describe how to easily add pve-cluster dependencies to ngnix.service for certificates) |
m (Reflect IPv6 as requested and provided by https://forum.proxmox.com/threads/update-proxmox-documentation.151681/) |
||
(7 intermediate revisions by 3 users not shown) | |||
Line 2: | Line 2: | ||
This allows you to access Proxmox VE via the port 443 | This allows you to access Proxmox VE via the port 443 | ||
''Tested from Proxmox 3.4 - | ''Tested from Proxmox 3.4 - 6.3'' | ||
'''Why do I need this?''' | '''Why do I need this?''' | ||
Line 12: | Line 12: | ||
<pre>apt install nginx</pre> | <pre>apt install nginx</pre> | ||
* '''remove the default config file | * '''remove the default config file''' | ||
<pre>rm /etc/nginx/conf.d/default</pre> | <pre>rm /etc/nginx/conf.d/default</pre> | ||
or in newer PVE and Debian versions: | |||
<pre>rm /etc/nginx/sites-enabled/default</pre> | <pre>rm /etc/nginx/sites-enabled/default</pre> | ||
Line 22: | Line 22: | ||
<pre>nano /etc/nginx/conf.d/proxmox.conf</pre> | <pre>nano /etc/nginx/conf.d/proxmox.conf</pre> | ||
'''Note:''' | '''Note:''' You can choose the configuration filename freely, but it must have a ''.conf'' ending. | ||
The following is an example config that works for the web interface and also the noVNC console: | The following is an example config that works for the web interface and also the noVNC console: | ||
Line 28: | Line 28: | ||
<pre> | <pre> | ||
upstream proxmox { | upstream proxmox { | ||
server "FQDN HOSTNAME"; | server "YOUR.FQDN.HOSTNAME.HERE"; | ||
} | } | ||
server { | server { | ||
listen 80 default_server; | listen 80 default_server; | ||
listen [::]:80 default_server; | |||
rewrite ^(.*) https://$host$1 permanent; | rewrite ^(.*) https://$host$1 permanent; | ||
} | } | ||
server { | server { | ||
listen 443; | listen 443 ssl; | ||
listen [::]:443 ssl; | |||
server_name _; | server_name _; | ||
ssl_certificate /etc/pve/local/pve-ssl.pem; | ssl_certificate /etc/pve/local/pve-ssl.pem; | ||
ssl_certificate_key /etc/pve/local/pve-ssl.key; | ssl_certificate_key /etc/pve/local/pve-ssl.key; | ||
Line 46: | Line 47: | ||
proxy_http_version 1.1; | proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | proxy_set_header Connection "upgrade"; | ||
proxy_pass https://localhost:8006; | proxy_pass https://localhost:8006; | ||
proxy_buffering off; | |||
client_max_body_size 0; | |||
proxy_connect_timeout 3600s; | |||
proxy_read_timeout 3600s; | proxy_read_timeout 3600s; | ||
proxy_send_timeout 3600s; | proxy_send_timeout 3600s; | ||
Line 58: | Line 59: | ||
</pre> | </pre> | ||
* ''' | Change the FQDN part to the fully qualified domain name of your host, you can check <code>cat /etc/hosts</code> output to find yours. in my case it was <code>pve-dev-machine.proxmox.com</code>. save the file and then check the syntax: | ||
<pre> | |||
nginx -t | |||
</pre> | |||
you should see: | |||
<pre> | |||
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok | |||
nginx: configuration file /etc/nginx/nginx.conf test is successful | |||
</pre> | |||
If you see this message then everything should work and you can proceed. | |||
* '''Restart nginx''' | |||
<pre> | <pre> | ||
systemctl restart nginx | systemctl restart nginx | ||
</pre> | </pre> | ||
* ensure that nginx gets only started after the certificates are available | After nginx service restarts you should be able to reach the web interface via either https://your.fqdn.goes.here or https://your.ip.address.goes.here | ||
= Post Setup = | |||
* '''ensure that nginx gets only started after the certificates are available''' | |||
As the certificates reside on <code>/etc/pve</code> which is provided by the <code>pve-cluster.service</code> | |||
we need to tell <code>nginx.service</code> to only start after that one. | |||
The easiest and cleanest way to do that is to add a <code>Requires</code> and <code>After</code> as a systemd override snippet. | |||
The easiest and cleanest way to do that is to add | |||
This can be done with systemd edit UNIT which opens your $EDITOR: | This can be done with <code>systemd edit UNIT</code> which opens your <code>$EDITOR</code>: | ||
# systemctl edit nginx.service | # systemctl edit nginx.service | ||
here add: | here add: | ||
Line 82: | Line 102: | ||
and save + exit. | and save + exit. | ||
Enjoy the | Enjoy the web interface on HTTPS port 443! | ||
= See Also = | = See Also = |
Latest revision as of 01:16, 26 July 2024
Introduction
This allows you to access Proxmox VE via the port 443
Tested from Proxmox 3.4 - 6.3
Why do I need this?
Sometimes there is a firewall restriction that blocks port 8006 and since we shouldn't touch the port config in proxmox we'll just use nginx as proxy to provide the web interface available on default https port 443. Now let's begin...
Configuration
- install nginx
apt install nginx
- remove the default config file
rm /etc/nginx/conf.d/default
or in newer PVE and Debian versions:
rm /etc/nginx/sites-enabled/default
- create a new config file
nano /etc/nginx/conf.d/proxmox.conf
Note: You can choose the configuration filename freely, but it must have a .conf ending.
The following is an example config that works for the web interface and also the noVNC console:
upstream proxmox { server "YOUR.FQDN.HOSTNAME.HERE"; } server { listen 80 default_server; listen [::]:80 default_server; rewrite ^(.*) https://$host$1 permanent; } server { listen 443 ssl; listen [::]:443 ssl; server_name _; ssl_certificate /etc/pve/local/pve-ssl.pem; ssl_certificate_key /etc/pve/local/pve-ssl.key; proxy_redirect off; location / { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass https://localhost:8006; proxy_buffering off; client_max_body_size 0; proxy_connect_timeout 3600s; proxy_read_timeout 3600s; proxy_send_timeout 3600s; send_timeout 3600s; } }
Change the FQDN part to the fully qualified domain name of your host, you can check cat /etc/hosts
output to find yours. in my case it was pve-dev-machine.proxmox.com
. save the file and then check the syntax:
nginx -t
you should see:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
If you see this message then everything should work and you can proceed.
- Restart nginx
systemctl restart nginx
After nginx service restarts you should be able to reach the web interface via either https://your.fqdn.goes.here or https://your.ip.address.goes.here
Post Setup
- ensure that nginx gets only started after the certificates are available
As the certificates reside on /etc/pve
which is provided by the pve-cluster.service
we need to tell nginx.service
to only start after that one.
The easiest and cleanest way to do that is to add a Requires
and After
as a systemd override snippet.
This can be done with systemd edit UNIT
which opens your $EDITOR
:
# systemctl edit nginx.service
here add:
[Unit] Requires=pve-cluster.service After=pve-cluster.service
and save + exit.
Enjoy the web interface on HTTPS port 443!
See Also
NoVNC reverse Proxy with Apache https://forum.proxmox.com/threads/working-novnc-with-reverse-proxy-on-5-1.43644/