Nginx virtual host config for Proxmox. To hide pveproxy on 8006 port behind. With working VNC passthrough.
###
# Nginx vhost file to hide Proxmox pveproxy
# For 3.4+, 5.x version.
#
# Do not forget to create file
# /etc/default/pveproxy:
# ALLOW_FROM="127.0.0.1"
# DENY_FROM="all"
# POLICY="allow"
#
# @2019-08-05
# - disable big iso/templates upload buffering
#
# @2018-08-01 - changes
# - add missing special locations for proxmoxlib.js, vnc
#
# @2017-11-17 - changes
# - use nginx-1.10+ for https
# - move proxy_params inside locations cos
# some parameters/header are dropping to defaults by the way
# - add other hacks to skip proxy to pveproxy: docs
# - add special location for api access
# - add some descriptions to options
server {
    # nginx-1.0+
    #listen 443 ssl;
    # nginx-1.6+
    #listen 443 ssl spdy;
    # nginx-1.10+
    listen 443 ssl http2;

    root /var/www/default;

    # Set YOUR server name here
    server_name proxmox.example.com;

    # Check for cross-framing: reject requests with a foreign Referer
    valid_referers none blocked server_names;
    if ($invalid_referer) {
        return 403;
    }
    # Hint for browsers
    add_header X-Frame-Options SAMEORIGIN;
    # Don't let browsers guess ("sniff") the content type (IE10+?)
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/proxmox.example.com-ssl-access.log;
    error_log /var/log/nginx/proxmox.example.com-ssl-error.log;

    # Uploads: images, backups, ISO...
    client_max_body_size 64m;

    include proxy_params;

    # Your certificates must be configured here
    include ssl/proxmox.conf;

    location / {
        # Magic for VNC (WebSocket upgrade)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }

    location ~* ^/(api2|novnc)/ {
        proxy_redirect off;

        # Magic for VNC (WebSocket upgrade)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Upload templates/ISO
        location ~* ^/api2/json/nodes/.*/storage/.*/upload {
            client_max_body_size 2000m;

            # nginx-1.8+
            proxy_request_buffering off;
            proxy_max_temp_file_size 0;

            include proxy_params;
            proxy_pass https://127.0.0.1:8006;
        }

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }

    # MAGIC !!!
    # Proxmox Web-UI loads the DEBUG version of ExtJS,
    # and nginx waits so long for it that it hangs.
    # Do not proxy static files, just serve them directly.
    location ~* ^/pve2/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-manager;
        try_files /$file @proxmox;
    }

    # Special for proxmox-5.x
    location ~* ^/proxmox.*\.js$ {
        gzip_static on;
        root /usr/share/javascript/proxmox-widget-toolkit;
        try_files $uri @proxmox;
    }

    location ~* ^/pve-docs/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-docs;
        try_files /$file @proxmox;
    }

    location @proxmox {
        internal;

        # Magic for VNC (WebSocket upgrade)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # nginx-1.8+
        proxy_request_buffering off;
        proxy_max_temp_file_size 0;

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }
}

@qwsj

commented Jun 2, 2017

Thank you so much! :)

@stirch

commented Dec 20, 2017

Does it work with Proxmox 5.1? And where can I get proxy_params for including in the config?
include proxy_params;
Thanks!

@sergey-dryabzhinsky

Owner Author

commented Aug 1, 2018

@stirch
include proxy_params; - includes /etc/nginx/proxy_params file.
It's available in Debian/Ubuntu build.

But if you don't have it, here it is:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

@ahmedm

commented Oct 17, 2018

In case anyone "really" doesn't want pveproxy to be listening on all interfaces

Edit /usr/share/perl5/PVE/Service/pveproxy.pm

Change:
my $socket = $self->create_reusable_socket(8006, undef, $family);

To:
my $socket = $self->create_reusable_socket(8006, '127.0.0.1', $family);

systemctl restart pveproxy.service
netstat -tupln | grep pveproxy

And keep /etc/default/pveproxy settings just in case "pveproxy.pm" got overwritten by a Proxmox update
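
Added example, not part of the gist or of the comment above: a POSIX shell check that reads `ss -Htln` output and reports whether a port (8006 for pveproxy) is bound to loopback only, which is the state the `netstat` step above is meant to confirm. The function name `check_listener` and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Classify where a TCP port is listening, given `ss -Htln` lines on stdin.
# Prints one of: loopback-only | exposed | not-listening
check_listener() {
    port="$1"
    awk -v port="$port" '
        {
            local_addr = $4                    # column 4: Local Address:Port
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next         # a different port, ignore
            found = 1
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)          # strip brackets of IPv6 literals
            sub(/%.*$/, "", addr)              # strip interface scope (e.g. %lo)
            # Anything that is not plainly loopback counts as exposed,
            # including the wildcards 0.0.0.0, :: and *.
            if (addr !~ /^127\./ && addr != "::1") exposed = 1
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: listeners while pveproxy is bound to all interfaces.
sample_before() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:8006 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'
}

# Constructed sample: listeners once pveproxy is bound to 127.0.0.1 only.
sample_after() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 128 127.0.0.1:8006 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'
}

echo "before: $(sample_before | check_listener 8006)"
echo "after:  $(sample_after | check_listener 8006)"
# On the Proxmox node itself: ss -Htln | check_listener 8006
```

An `exposed` result means the port is still bound on a non-loopback address, so only the `/etc/default/pveproxy` source filter stands between the network and pveproxy.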

@KpuCko

commented Feb 22, 2019

Everything works fine, except when I use file upload :-)) Can you help with this:

2019/02/22 18:26:30 [error] 15387#15387: *15 upstream prematurely closed connection while reading response header from upstream, client: 192.168.0.15, server: 192.168.10.60, request: "POST /api2/json/nodes/proxmox-node-2/storage/local/upload HTTP/1.1", upstream: "https://127.0.0.1:8006/api2/json/nodes/proxmox-node-2/storage/local/upload", host: "192.168.10.60", referrer: "https://192.168.10.60/"

I just want to upload Debian.iso to the local datastore, the iso is 290MB large.

@sergey-dryabzhinsky

Owner Author

commented Aug 1, 2019

@KpuCko
Updated gist - disable buffering of request/response on upload.
You'll need nginx >= 1.8
