Reverse Proxy Proxmox VNC With Nginx

Reverse Proxy Proxmox VNC With Nginx

Get Social!

proxmox logo gradThe noVNC console in the Proxmox Web GUI transfers it’s data through a technology called Websockets. Websockets often work in tandem with normal HTTP traffic and therefore often use the same end point (IP and port). Proxmox uses port 8006 by default for all web traffic; this includes the Web GUI you see and a websockets stream for the VNC console.

If you don’t already have Nginx set up, see my other post on How to reverse proxy the Proxmox Web GUI.

You’ll also need one of the more recent versions of Nginx for this to work.

If you use Nginx to reverse proxy your Proxmox Web GUI already, making it websocket compatible is very easy. In fact, it’s as easy as adding three additional lines to your Nginx config file for the location tag that serves your Proxmox Web GUI.

Open up your sites-available config file for your Proxmox site with a text editor:

vi /etc/nginx/sites-available/proxmox.jamescoyle.net

Find the location tag for your site and add the following:

proxy_http_version 1.1;                                                           proxy_set_header Upgrade $http_upgrade;                                           proxy_set_header Connection "upgrade";

The resulting site should look similar to the below:

upstream proxmox {
    server 10.10.10.10;
}
 
server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}
 
server {
    listen 443;
    server_name _;
    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade"; 
        proxy_pass https://proxmox:8006;
    }
}

 


Proxy the Proxmox Web GUI with Nginx Over HTTPS with Load Balancing

Get Social!

The Proxmox web GUI is served by Proxmox’s new event driven API server called PVE Proxy. The default settings for the Proxmox web GUI is to listen on port 8006 for incoming HTTPS connections.

The following tutorial will show you how to use Nginx to reverse proxy the PVE Proxy application to do the following:

  • Redirect HTTP requests to use the HTTPS protocol.
  • Add your own certificate to use for HTTPS.
  • Listen on the standard HTTPS port (port 443).

The following steps show how to use Nginx to reverse Proxy Proxmox’s web GUI. If you would prefer to use Apache, please see my other blog post.

The first step is to make sure you have Nginx installed on the machine, or virtual instance, that you are going to use. You can install Nginx directly on the Proxmox host however, I prefer to keep the host software as standard as possible and run all additional applications in OpenVZ containers.

Create a shell session on the machine you would like to use and use apt-get to install Nginx.

apt-get install nginx

Make sure you have an SSL certificate and key pair on your server. See my OpenSSL certificate cheat sheet for more information.

We now need to specify the configuration for Nginx. Remove the existing site configuration and create a new configuration file called proxmox-gui. You can call this file whatever you wish, but you will also need to use the same name in the below steps.

rm -f /etc/nginx/sites-enabled/default
vi /etc/nginx/sites-enabled/proxmox-gui

Add the below text to your proxmox-gui file. You will need to substitute some of the settings with your own values:

  • ssl_certificate – this should point to your SSL certificate to use for signing the SSL traffic.
  • ssl_certificate_key – is this key which matches the above certificate.
  • server – this is the IP and port of your Proxmox server. If you have installed Nginx on the same host as the Proxmox web GUI then you could use https://localhost:8006 here.
upstream proxmox {
    server 10.10.10.10:8006;
}

server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443;
    server_name _;
    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    proxy_redirect off;
    location / {
        proxy_pass https://proxmox;
    }
}

If you have multiple Proxmox servers in a cluster, it would make sense to use load balancing in Nginx. We don’t really want to use this feature to spread the load, because usually the traffic will be very light – we want to use it so that if one node in the cluster is down, Nginx will automatically try a different node in the cluster.

To add load balancing, add your additional servers in the upstream proxmox code section. For example:

upstream proxmox {
    server 10.10.10.10:8006;
    server 10.10.10.11:8006;
    server 10.10.10.12:8006;

}

We need to link the newly created config file so that Nginx can load it.

ln -sf /etc/nginx/sites-available/proxmox-gui /etc/nginx/sites-enabled/

The last step is to restart Nginx web server to pick up the new settings.

service nginx restart

Your Proxmox web GUI should now be available on the IP address of your Nginx server on the HTTPS protocol.

 


Reverse Proxy Proxmox with Apache

Get Social!

proxmox logo gradThe Proxmox web GUI is accessible on port 8006 by default using SSL encryption. The web GUI is served by the built in Proxmox lightweight HTTP server however changing the config could cause issues when upgrading to future Proxmox releases. The easiest way to expose the Proxmox web GUI externally is to use Apache to reverse proxy the site. You can then add additional security or specify SSL certificates at the proxy level without interfering with the Proxmox installation.

See my blog post on the basics of using Apache to reverse proxy websites.

To setup the reverse proxy for Proxmox, create a new sites-available entry called proxmox.

vi /etc/apache2/sites-available/proxmox

Add the following to the file and substitute a few settings for your own environment:

  • proxmox.cer – change to your SSL certificate for Proxmox
  • proxmox.key – change to the SSL certificate key for Proxmox.
  • proxmox.host – appears in the Location tags and must be the IP address or resolvable hostname of your internal Proxmox server. The ServerAdmin attribute is an email address which will be displayed on error pages such as 404.
  • proxmox.jamescoyle.net – change this to the external URL which will be used to access the reverse proxy server. The server will only proxy requests which contain this URL.
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/proxmox.cer
  SSLCertificateKeyFile /etc/apache2/ssl/proxmox.key
  SSLProxyEngine on
  SSLProxyVerify none

  ServerAdmin [email protected]
  DocumentRoot /var/www
  ServerName proxmox.jamescoyle.net

  # Possible values include: debug, info, notice, warn, error, crit,alert, emerg.
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/proxmox-access.log combined
  ErrorLog ${APACHE_LOG_DIR}/proxmox-error.log

  ProxyRequests off
  ProxyPreserveHost on
  RequestHeader unset Accept-Encoding

  
     ProxyPass https://proxmox.host:8006/
     ProxyPassReverse https://proxmox.host:8006/
     Order allow,deny
     Allow from all
  

Enable the new site in Apache. In Ubuntu the command a2ensite will create the symlink, or you can create it manually.

a2ensite proxmox

Reload Apache to load the new configuration.

service apache2 reload

Reverse Proxy Subsonic with Apache

Get Social!

SubsonicLogoSubsonic is a web-based media player for playing audio and video files through a web browser. You can reverse proxy Subsonic using Apache

See my blog post on using Apache as a reverse proxy for more detailed information on Apache configuration files.

The below configuration expects the backend Subsonic port to be non-ssl as the encryption will be offloaded to the Apache reverse proxy server. The reverse proxy URL will be encrypted and available on the default SSL port 443. This has the advantage of not using any CPU on the Subsonic server for encrypting traffic allowing it to concentrate on transcoding.

Add the below text to a new sites-available Apache configuration file.
vi /etc/apache2/sites-available/subsonic

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /ssl-certs/cert.cer
    SSLCertificateKeyFile /ssl-certs/key.key
    SSLProxyEngine on
    ServerAdmin [email protected]
    DocumentRoot /var/www
    ServerName subsonic.jamescoyle.net
    # Possible values include: debug, info, notice, warn, error, crit ,alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/subsonic-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/subsonic-error.logProxyHTMLStripComments on
    <Location />
        ProxyRequests off
        RequestHeader unset Accept-Encoding
        ProxyPass http://192.168.1.22:4040/
        ProxyPassReverse http://192.168.1.22:4040/
        Order allow,deny
        Allow from all
    </Location>
<VirtualHost>

 

Enable the new site in Apache and reload the configuration.
a2ensite subsonic
service apache2 reload


Simple Apache reverse proxy example

Get Social!

Background

Apache can be used as a reverse proxy to relay HTTP/ HTTPS requests to other machines. This is common practice and comes with two main benefits:

  • Security – Your Apache instance can be put in a DMZ and exposed to the world while the web servers can sit behind it with no access to the outside world.
  • Reduce load – You can reduce the load on the web servers with various methods such as web caching at the proxy, load balancing and deflecting traffic for invalid requests.

The interesting stuff – ProxyPass

To set up Apache as a reverse proxy server you will need to enable mod_proxy. Some other common mods you may need are below.

  • mod_proxy
  • mod_http
  • mod_headers
  • mod_html

To enable mods in Ubuntu/ Debian you need to make sure they are installed, then enabled. For example, installing and enabling mod_proxy would look like this:

apt-get install libapache2-mod-proxy-html a2enmod mod_proxy

Once these mods are enabled, we can begin editing the Apache config. The locations of these vary depending on your Linux distribution. For RHEL based distributions, this will be your httpd.conf; for Debian based, sites-available/default.

Inside your VirtualHost tag create a Location tag which matches the external path you wish to use. For this example we will use /.

<Location />
    # commands go here
</Location>

Inside the Location tag add the proxy options ProxyPass and ProxyPassReverse followed by the site address which will be the target of the proxy. You will also need a couple of lines to allow access.

    ProxyPass http://mywebsite.jamescoyle.net/
    ProxyPassReverse http://mywebsite.jamescoyle.net/
    Order allow,deny
    Allow from all

Outside of the location tags, towards the top of the virtual host add a few extras:

    ProxyHTMLStripComments on
    ProxyRequests off
    SetOutputFilter proxy-html
    ProxyHTMLDoctype XHTML

If you will be proxying SSL traffic, you will also need to add:

    SSLProxyEngine on

Restart apache or reload the settings for the changes to take effect:

    service apache2 reload

You will now have a working proxy – all requests sent to / will be fetched from http://mywebsite.jamescoyle.net.

Example Apache reverse proxy VirtualHost

The below example shows an Apache VirtualHost which is listening on port 80. The confiiguration accepts requests on which match the www.jamescoyle.net hostname and proxys the requests to the backend server mywebsite.jamescoyle.net.

<VirtualHost *:80>
    ServerAdmin [email protected]
    ProxyRequests off
    DocumentRoot /var/www
    SSLProxyEngine on
    ProxyPreserveHost On

    ServerName www.jamescoyle.net

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel error

    <Location />
        ProxyPass http://mywebsite.jamescoyle.net/
        ProxyPassReverse http://mywebsite.jamescoyle.net/
        Order allow,deny
        Allow from all
    </Location>

</VirtualHost>

Visit our advertisers

Search

Quick Poll

Do you use GlusterFS in your workplace?

Visit our advertisers