Difference between revisions of "Web Interface Via Nginx Proxy"

From Proxmox VE
Jump to navigation Jump to search
(Created page with "= Web interface HTTPS(443) via nginx as proxy = ''Tested from Proxmox 3.4 - 4.2, still works fine!'' '''Why do I need this?''' Sometimes there is a firewall restriction tha...")
 
 
(16 intermediate revisions by 6 users not shown)
Line 1: Line 1:
= Web interface HTTPS(443) via nginx as proxy =
+
= Introduction =
 +
This allows you to access Proxmox VE via the port 443
  
''Tested from Proxmox 3.4 - 4.2, still works fine!''
+
''Tested from Proxmox 3.4 - 6.3''
  
 
'''Why do I need this?'''
 
'''Why do I need this?'''
  
Sometimes there is a firewall restriction that blocks port 8006 and since we shouldn't touch the port config in proxmox we'll just use nginx as proxy to provide the web interface available on default https port 443. Now let's beginn...
+
Sometimes there is a firewall restriction that blocks port 8006 and since we shouldn't touch the port config in proxmox we'll just use nginx as proxy to provide the web interface available on default https port 443. Now let's begin...
  
 +
= Configuration =
 +
* '''install nginx'''
 +
<pre>apt install nginx</pre>
  
'''install nginx'''
+
* '''remove the default config file'''
<pre>apt-get install nginx</pre>
+
<pre>rm /etc/nginx/conf.d/default</pre>
 +
 
 +
or in newer PVE and Debian versions:
 +
 
 +
<pre>rm /etc/nginx/sites-enabled/default</pre>
  
'''remove the default config file'''
+
* '''create a new config file'''
<pre>rm /etc/nginx/conf.d/default</pre>
+
<pre>nano /etc/nginx/conf.d/proxmox.conf</pre>
  
'''create a new config file'''
+
'''Note:''' You can choose the configuration filename freely, but it must have a ''.conf'' ending.
<pre>nano /etc/nginx/conf.d/proxmox</pre>
 
  
The following is an example config that works for the webinterface and noVNC:
+
The following is an example config that works for the web interface and also the noVNC console:
  
 
<pre>
 
<pre>
 
upstream proxmox {
 
upstream proxmox {
     server "FQDN HOSTNAME";
+
     server "YOUR.FQDN.HOSTNAME.HERE";
 
}
 
}
 
   
 
   
Line 51: Line 58:
 
</pre>
 
</pre>
  
'''Reload and restart nginx'''
+
Change the FQDN part to the fully qualified domain name of your host, you can check <code>cat /etc/hosts</code> output to find yours. in my case it was <code>pve-dev-machine.proxmox.com</code>. save the file and then check the syntax:
<pre>/etc/init.d/nginx reload; /etc/init.d/nginx restart</pre>
+
 
 +
<pre>
 +
nginx -t
 +
</pre>
 +
 
 +
you should see:
 +
 
 +
<pre>
 +
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 +
nginx: configuration file /etc/nginx/nginx.conf test is successful
 +
</pre>
 +
 
 +
If you see this message then everything should work and you can proceed.
 +
 
 +
* '''Restart nginx'''
 +
 
 +
<pre>
 +
systemctl restart nginx
 +
</pre>
 +
 
 +
After nginx service restarts you should be able to reach the web interface via either https://your.fqdn.goes.here or https://your.ip.address.goes.here
 +
 
 +
= Post Setup =
 +
 
 +
* '''ensure that nginx gets only started after the certificates are available'''
 +
 
 +
As the certificates reside on <code>/etc/pve</code> which is provided by the <code>pve-cluster.service</code>
 +
we need to tell <code>nginx.service</code> to only start after that one.
 +
 
 +
The easiest and cleanest way to do that is to add a <code>Requires</code> and <code>After</code> as a systemd override snippet.
 +
 
 +
This can be done with <code>systemd edit UNIT</code> which opens your <code>$EDITOR</code>:
 +
  # systemctl edit nginx.service
 +
here add:
 +
<pre>
 +
[Unit]
 +
Requires=pve-cluster.service
 +
After=pve-cluster.service
 +
</pre>
 +
 
 +
and save + exit.
 +
 
 +
Enjoy the web interface on HTTPS port 443!
 +
 
 +
= See Also =
 +
 
 +
NoVNC reverse Proxy with Apache https://forum.proxmox.com/threads/working-novnc-with-reverse-proxy-on-5-1.43644/
  
Enjoy the webinterface on HTTPS port 443!
+
[[Category:HOWTO]]

Latest revision as of 16:33, 25 March 2021

Introduction

This allows you to access Proxmox VE via the port 443

Tested from Proxmox 3.4 - 6.3

Why do I need this?

Sometimes there is a firewall restriction that blocks port 8006 and since we shouldn't touch the port config in proxmox we'll just use nginx as proxy to provide the web interface available on default https port 443. Now let's begin...

Configuration

  • install nginx
apt install nginx
  • remove the default config file
rm /etc/nginx/conf.d/default

or in newer PVE and Debian versions:

rm /etc/nginx/sites-enabled/default
  • create a new config file
nano /etc/nginx/conf.d/proxmox.conf

Note: You can choose the configuration filename freely, but it must have a .conf ending.

The following is an example config that works for the web interface and also the noVNC console:

upstream proxmox {
    server "YOUR.FQDN.HOSTNAME.HERE";
}
 
server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}
 
server {
    listen 443;
    server_name _;
    ssl on;
    ssl_certificate /etc/pve/local/pve-ssl.pem;
    ssl_certificate_key /etc/pve/local/pve-ssl.key;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade"; 
        proxy_pass https://localhost:8006;
	proxy_buffering off;
	client_max_body_size 0;
	proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}

Change the FQDN part to the fully qualified domain name of your host, you can check cat /etc/hosts output to find yours. in my case it was pve-dev-machine.proxmox.com. save the file and then check the syntax:

 nginx -t 

you should see:

 nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 nginx: configuration file /etc/nginx/nginx.conf test is successful

If you see this message then everything should work and you can proceed.

  • Restart nginx
 systemctl restart nginx

After nginx service restarts you should be able to reach the web interface via either https://your.fqdn.goes.here or https://your.ip.address.goes.here

Post Setup

  • ensure that nginx gets only started after the certificates are available

As the certificates reside on /etc/pve which is provided by the pve-cluster.service we need to tell nginx.service to only start after that one.

The easiest and cleanest way to do that is to add a Requires and After as a systemd override snippet.

This can be done with systemd edit UNIT which opens your $EDITOR:

  # systemctl edit nginx.service

here add:

[Unit]
Requires=pve-cluster.service
After=pve-cluster.service

and save + exit.

Enjoy the web interface on HTTPS port 443!

See Also

NoVNC reverse Proxy with Apache https://forum.proxmox.com/threads/working-novnc-with-reverse-proxy-on-5-1.43644/