Proxy the Proxmox Web GUI with Nginx Over HTTPS with Load Balancing

Proxy the Proxmox Web GUI with Nginx Over HTTPS with Load Balancing

Get Social!

The Proxmox web GUI is served by Proxmox’s new event driven API server called PVE Proxy. The default settings for the Proxmox web GUI is to listen on port 8006 for incoming HTTPS connections.

The following tutorial will show you how to use Nginx to reverse proxy the PVE Proxy application to do the following:

  • Redirect HTTP requests to use the HTTPS protocol.
  • Add your own certificate to use for HTTPS.
  • Listen on the standard HTTPS port (port 443).

The following steps show how to use Nginx to reverse Proxy Proxmox’s web GUI. If you would prefer to use Apache, please see my other blog post.

The first step is to make sure you have Nginx installed on the machine, or virtual instance, that you are going to use. You can install Nginx directly on the Proxmox host however, I prefer to keep the host software as standard as possible and run all additional applications in OpenVZ containers.

Create a shell session on the machine you would like to use and use apt-get to install Nginx.

apt-get install nginx

Make sure you have an SSL certificate and key pair on your server. See my OpenSSL certificate cheat sheet for more information.

We now need to specify the configuration for Nginx. Remove the existing site configuration and create a new configuration file called proxmox-gui. You can call this file whatever you wish, but you will also need to use the same name in the below steps.

rm -f /etc/nginx/sites-enabled/default
vi /etc/nginx/sites-enabled/proxmox-gui

Add the below text to your proxmox-gui file. You will need to substitute some of the settings with your own values:

  • ssl_certificate – this should point to your SSL certificate to use for signing the SSL traffic.
  • ssl_certificate_key – is this key which matches the above certificate.
  • server – this is the IP and port of your Proxmox server. If you have installed Nginx on the same host as the Proxmox web GUI then you could use https://localhost:8006 here.
upstream proxmox {
    server 10.10.10.10:8006;
}

server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443;
    server_name _;
    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    proxy_redirect off;
    location / {
        proxy_pass https://proxmox;
    }
}

If you have multiple Proxmox servers in a cluster, it would make sense to use load balancing in Nginx. We don’t really want to use this feature to spread the load, because usually the traffic will be very light – we want to use it so that if one node in the cluster is down, Nginx will automatically try a different node in the cluster.

To add load balancing, add your additional servers in the upstream proxmox code section. For example:

upstream proxmox {
    server 10.10.10.10:8006;
    server 10.10.10.11:8006;
    server 10.10.10.12:8006;

}

We need to link the newly created config file so that Nginx can load it.

ln -sf /etc/nginx/sites-available/proxmox-gui /etc/nginx/sites-enabled/

The last step is to restart Nginx web server to pick up the new settings.

service nginx restart

Your Proxmox web GUI should now be available on the IP address of your Nginx server on the HTTPS protocol.

 


14 Comments

Michael

11-Aug-2014 at 2:53 pm

That’s a really great idea, i’m using the same method but there’s a little problem…you can’t use VNC since the java applet tries to connect through “yournginxproxy.com:5900” since you’re opening the webinterface via this domain.

Do you know a way how to proxy the VNC connections also?

    james.coyle

    11-Aug-2014 at 3:22 pm

    I have not proxyed the VNC console as I always access SSH over VPN.

    You would likely need something to support websockets – I think Nginx does but I haven’t tried it myself.

    Kevin Shenk

    3-Jun-2015 at 9:39 pm

    I was able to enable Proxmox VNC connections behind nginx by adding this to my location / block:

    proxy_http_version 1.1;
    proxy_set_header Connection $http_connection;
    proxy_set_header Origin http://$host;
    proxy_set_header Upgrade $http_upgrade;

    According to this: http://nginx.org/en/CHANGES reverse proxy support for websockets in nginx was added in 1.3.13.

      Edson Junior

      23-Sep-2016 at 8:10 pm

      Dude, absolutely fantastic!
      4 lines of peace to me.
      Best regards!

Omitted

6-Apr-2016 at 4:14 pm

Thanks for the tutorial, very nice!

Any idea on how to use this but change the reverse proxy location to a subfolder like https://domain.com/proxmox/

    Sergey

    28-Apr-2016 at 2:02 pm

    Hmm, I think you just need to change:

    location / {

    to

    location /proxmox/ {

      james.coyle

      28-Apr-2016 at 2:10 pm

      It’s unlikely this will work, due to root paths being specified for web resources by the Proxmox team.

Frank

5-Jun-2016 at 10:41 am

Nice tutorial, thanks. BUT…

I can’t get it working as described. If I put a

[CODE]location / { proxy_pass https://192.168.1.61:8006/; } [/CODE],

it works fine. When using the server_group variant

[CODE]location / { proxy_pass https://proxmox:8006; } [/CODE],

I get error message saying ‘8006’ not allowed here. When configuring the :8006 in the upstream part as following:

[CODE] upstream proxmox { 192.168.1.61:8006; }[/CODE]

and without the :8006 in the location part, then I get 504 gateway timeouts…

I’m using nginx 1.6.2 on debian jessie.

Can you give any hints on solving this?

    james.coyle

    5-Jun-2016 at 11:23 am

    It looks like the syntax may have changed. I’ve updated the post as per the latest documentation for upstream.

Frank

8-Jun-2016 at 8:52 am

In my system I did not get it running until I added a keep alive

upstream proxmox {
server 10.10.10.10:8006;
keepalive 1;
}

Additionally, when having more than one node in the upstream section it is needed to keep the connection sticky (otherwise the noVNC console redirection will only work randomly. So finally I get

upstream proxmox {
ip_hash;
server 10.10.10.10:8006;
server 10.10.10.11:8006;
server 10.10.10.12:8006;
server 10.10.10.13:8006;
keepalive 1;
}

The next problem to solve is upload of ISO images. I can set the client_max_body_size to a value of say 100M. But if an iso image is larger than that (and they are!) the upload fails with

client intended to send too large body: 4454359412 bytes, client: 10.10.10.100, server: _, request: “POST /api12/json/nodes/virt3/storage/xxx/upload HTTP/1.1”

Any workaround for that? I’m not sure if the original api does any chunking and if we can proxy that.

Edson Junior

29-Sep-2016 at 11:52 am

The only issue is the novnc console that freezes after seconds of use. Sometimes it works for almost 2 minutes and sometimes for 60 seconds only. :/
I’m searching all over the web and until now I don’t found any answer to this. Thanks guys.

TheOli

22-Nov-2019 at 12:18 pm

Does this still work in 2019 with Proxmox5 ?

    James Coyle

    25-Nov-2019 at 8:17 am

    Yes

Leave a Reply to james.coyle Cancel reply

Visit our advertisers

Quick Poll

Which type of virtualisation do you use?
  • Add your answer

Visit our advertisers