Reverse Proxy Proxmox VNC With Nginx


The noVNC console in the Proxmox Web GUI transfers its data through a technology called WebSockets. WebSockets often work in tandem with normal HTTP traffic and therefore often use the same endpoint (IP and port). Proxmox uses port 8006 by default for all web traffic; this includes the Web GUI you see and a WebSocket stream for the VNC console.

If you don’t already have Nginx set up, see my other post on How to reverse proxy the Proxmox Web GUI.

You’ll also need one of the more recent versions of Nginx for this to work.

If you use Nginx to reverse proxy your Proxmox Web GUI already, making it websocket compatible is very easy. In fact, it’s as easy as adding three additional lines to your Nginx config file for the location tag that serves your Proxmox Web GUI.

Open up your sites-available config file for your Proxmox site with a text editor:

Find the location tag for your site and add the following:

The resulting site should look similar to the below:

 



Proxy the Proxmox Web GUI with Nginx Over HTTPS with Load Balancing


The Proxmox web GUI is served by Proxmox’s new event-driven API server called PVE Proxy. By default, the Proxmox web GUI listens on port 8006 for incoming HTTPS connections.

The following tutorial will show you how to use Nginx to reverse proxy the PVE Proxy application to do the following:

  • Redirect HTTP requests to use the HTTPS protocol.
  • Add your own certificate to use for HTTPS.
  • Listen on the standard HTTPS port (port 443).

The following steps show how to use Nginx to reverse proxy Proxmox’s web GUI. If you would prefer to use Apache, please see my other blog post.

The first step is to make sure you have Nginx installed on the machine, or virtual instance, that you are going to use. You can install Nginx directly on the Proxmox host; however, I prefer to keep the host software as standard as possible and run all additional applications in OpenVZ containers.

Create a shell session on the machine you would like to use and use apt-get to install Nginx.

Make sure you have an SSL certificate and key pair on your server. See my OpenSSL certificate cheat sheet for more information.

We now need to specify the configuration for Nginx. Remove the existing site configuration and create a new configuration file called proxmox-gui. You can call this file whatever you wish, but you will also need to use the same name in the below steps.

Add the below text to your proxmox-gui file. You will need to substitute some of the settings with your own values:

  • ssl_certificate – this should point to the SSL certificate that Nginx presents for HTTPS connections.
  • ssl_certificate_key – this is the key which matches the above certificate.
  • server – this is the IP and port of your Proxmox server. If you have installed Nginx on the same host as the Proxmox web GUI then you could use https://localhost:8006 here.

If you have multiple Proxmox servers in a cluster, it would make sense to use load balancing in Nginx. We don’t really want to use this feature to spread the load, because usually the traffic will be very light – we want to use it so that if one node in the cluster is down, Nginx will automatically try a different node in the cluster.

To add load balancing, add your additional servers in the upstream proxmox code section. For example:

We need to link the newly created config file so that Nginx can load it.

The last step is to restart Nginx web server to pick up the new settings.

Your Proxmox web GUI should now be available on the IP address of your Nginx server on the HTTPS protocol.
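As an added example (not the author's original configuration, which did not survive on this page), the following file combines the steps above with the three WebSocket lines described in the noVNC post. The hostname proxmox.example.com, the 192.0.2.x node addresses and the certificate paths are placeholders to replace with your own values.

```nginx
# proxmox-gui: added example; hostname, addresses and paths are placeholders.

upstream proxmox {
    # With more than one node listed, Nginx tries the next server
    # when a node in the cluster is down.
    server 192.0.2.11:8006;
    server 192.0.2.12:8006;
}

server {
    # Redirect HTTP requests to HTTPS.
    listen 80;
    server_name proxmox.example.com;
    # $server_name is used instead of $host so the redirect target
    # cannot be influenced by the client's Host header.
    return 301 https://$server_name$request_uri;
}

server {
    # Listen on the standard HTTPS port with your own certificate.
    listen 443 ssl;
    server_name proxmox.example.com;

    ssl_certificate     /etc/nginx/ssl/proxmox.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/proxmox.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # PVE Proxy only speaks HTTPS, so the upstream scheme is https.
        # Nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify is off); turning it on also requires
        # proxy_ssl_trusted_certificate pointing at the CA that signed
        # the Proxmox nodes' certificates.
        proxy_pass https://proxmox;
        proxy_set_header Host $host;

        # The three lines that make the location WebSocket compatible,
        # needed for the noVNC console.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Running `nginx -t` before restarting checks the file for syntax errors without interrupting the running server.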

 



Reverse Proxy Proxmox with Apache


The Proxmox web GUI is accessible on port 8006 by default using SSL encryption. The web GUI is served by the built-in Proxmox lightweight HTTP server; however, changing the config could cause issues when upgrading to future Proxmox releases. The easiest way to expose the Proxmox web GUI externally is to use Apache to reverse proxy the site. You can then add additional security or specify SSL certificates at the proxy level without interfering with the Proxmox installation.

See my blog post on the basics of using Apache to reverse proxy websites.

To set up the reverse proxy for Proxmox, create a new sites-available entry called proxmox.

Add the following to the file and substitute a few settings for your own environment:

  • proxmox.cer – change to your SSL certificate for Proxmox
  • proxmox.key – change to the SSL certificate key for Proxmox.
  • proxmox.host – appears in the Location tags and must be the IP address or resolvable hostname of your internal Proxmox server. The ServerAdmin attribute is an email address which will be displayed on error pages such as 404.
  • proxmox.jamescoyle.net – change this to the external URL which will be used to access the reverse proxy server. The server will only proxy requests which contain this URL.

Enable the new site in Apache. In Ubuntu the command a2ensite will create the symlink, or you can create it manually.

Reload Apache to load the new configuration.



Reverse Proxy Subsonic with Apache


Subsonic is a web-based media player for playing audio and video files through a web browser. You can reverse proxy Subsonic using Apache.

See my blog post on using Apache as a reverse proxy for more detailed information on Apache configuration files.

The below configuration expects the backend Subsonic port to be non-SSL, as the encryption will be offloaded to the Apache reverse proxy server. The reverse proxy URL will be encrypted and available on the default SSL port 443. This has the advantage of not using any CPU on the Subsonic server for encrypting traffic, allowing it to concentrate on transcoding.

Add the below text to a new sites-available Apache configuration file.
vi /etc/apache2/sites-available/subsonic

 

Enable the new site in Apache and reload the configuration.
a2ensite subsonic
service apache2 reload



Simple Apache reverse proxy example


Background

Apache can be used as a reverse proxy to relay HTTP/HTTPS requests to other machines. This is common practice and comes with two main benefits:

  • Security – Your Apache instance can be put in a DMZ and exposed to the world while the web servers can sit behind it with no access to the outside world.
  • Reduce load – You can reduce the load on the web servers with various methods such as web caching at the proxy, load balancing and deflecting traffic for invalid requests.

The interesting stuff – ProxyPass

To set up Apache as a reverse proxy server you will need to enable mod_proxy. Some other common mods you may need are below.

  • mod_proxy
  • mod_http
  • mod_headers
  • mod_html

To enable mods in Ubuntu/Debian you need to make sure they are installed, then enabled. For example, installing and enabling mod_proxy would look like this:

Once these mods are enabled, we can begin editing the Apache config. The locations of these vary depending on your Linux distribution. For RHEL based distributions, this will be your httpd.conf; for Debian based, sites-available/default.

Inside your VirtualHost tag create a Location tag which matches the external path you wish to use. For this example we will use /.

Inside the Location tag add the proxy options ProxyPass and ProxyPassReverse followed by the site address which will be the target of the proxy. You will also need a couple of lines to allow access.

Outside of the location tags, towards the top of the virtual host add a few extras:

If you will be proxying SSL traffic, you will also need to add:

Restart Apache or reload the settings for the changes to take effect:

You will now have a working proxy – all requests sent to / will be fetched from http://mywebsite.jamescoyle.net.

Example Apache reverse proxy VirtualHost

The below example shows an Apache VirtualHost which is listening on port 80. The configuration accepts requests which match the www.jamescoyle.net hostname and proxies the requests to the backend server mywebsite.jamescoyle.net.

