Nginx virtual host config for Proxmox, to hide pveproxy on port 8006 behind nginx, with working VNC passthrough.
###
# Nginx vhost file to hide Proxmox pveproxy
# For 3.4+, 5.x version.
#
# Do not forget to create file
# /etc/default/pveproxy:
#   ALLOW_FROM="127.0.0.1"
#   DENY_FROM="all"
#   POLICY="allow"
#
# @2019-08-05
# - disable big iso/templates upload buffering
#
# @2018-08-01 - changes
# - add missing special locations for proxmoxlib.js, vnc
#
# @2017-11-17 - changes
# - use nginx-1.10+ for https
# - move proxy_params inside locations cos
#   some parameters/header are dropping to defaults by the way
# - add other hacks to skip proxy to pveproxy: docs
# - add special location for api access
# - add some descriptions to options

server {
    # nginx-1.0+
    #listen 443 ssl;
    # nginx-1.6+
    #listen 443 ssl spdy;
    # nginx-1.10+
    listen 443 ssl http2;

    root /var/www/default;

    # Set YOUR server name here
    server_name proxmox.example.com;

    # Check for cross-framing - nuke bustards
    valid_referers none blocked server_names;
    if ($invalid_referer) {
        return 403;
    }

    # Hint for browsers
    add_header X-Frame-Options SAMEORIGIN;
    # Don't "detect" file type by extension (IE10+?)
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/proxmox.example.com-ssl-access.log;
    error_log /var/log/nginx/proxmox.example.com-ssl-error.log;

    # load images, backups, iso...
    client_max_body_size 64m;

    include proxy_params;

    # Your certificates here must be
    include ssl/proxmox.conf;

    location / {
        # Magick for VNC
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }

    location ~* ^/(api2|novnc)/ {
        proxy_redirect off;

        # Magick for VNC
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Upload templates/iso
        location ~* ^/api2/json/nodes/.*/storage/.*/upload {
            client_max_body_size 2000m;

            # nginx-1.8+
            proxy_request_buffering off;
            proxy_max_temp_file_size 0;

            include proxy_params;
            proxy_pass https://127.0.0.1:8006;
        }

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }

    # MAGICK !!!
    # Proxmox Web-UI loads DEBUG version of ExtJS
    # And nginx waaaaaing sooo long. And hangs.
    # Do not proxy static files, just give them
    location ~* ^/pve2/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-manager;
        try_files /$file @proxmox;
    }

    # Special for proxmox-5.x
    location ~* ^/proxmox.*\.js$ {
        gzip_static on;
        root /usr/share/javascript/proxmox-widget-toolkit;
        try_files $uri @proxmox;
    }

    location ~* ^/pve-docs/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-docs;
        try_files /$file @proxmox;
    }

    location @proxmox {
        internal;

        # Magick for VNC
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # nginx-1.8+
        proxy_request_buffering off;
        proxy_max_temp_file_size 0;

        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }
}

@qwsj qwsj commented Jun 2, 2017

Thank you so much! :)


@stirch stirch commented Dec 20, 2017

Does it work with Proxmox 5.1? And where can I get proxy_params for including in the config?
include proxy_params;
Thanks!

Owner Author

@sergey-dryabzhinsky sergey-dryabzhinsky commented Aug 1, 2018

@stirch
include proxy_params; - includes /etc/nginx/proxy_params file.
It's available in Debian/Ubuntu build.

But if you don't have it, here it is:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

@ghost ghost commented Oct 17, 2018

In case anyone "really" doesn't want pveproxy to be listening on all interfaces

Edit /usr/share/perl5/PVE/Service/pveproxy.pm

Change:
my $socket = $self->create_reusable_socket(8006, undef, $family);

To:
my $socket = $self->create_reusable_socket(8006, '127.0.0.1', $family);

systemctl restart pveproxy.service
netstat -tupln | grep pveproxy

And keep /etc/default/pveproxy settings just in case "pveproxy.pm" got overwritten by a Proxmox update
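
A check for the two protections discussed above, the loopback bind and the `/etc/default/pveproxy` ACL from the gist header (added example, not part of the gist or of Proxmox). The function names are hypothetical and the sample socket lines are constructed; the input is assumed to be `ss -tln` or `netstat -tupln` output.

```shell
#!/bin/sh
# Added example: is pveproxy (port 8006) reachable only through the nginx vhost?
# Function names are hypothetical; the sample lines below are constructed.

# Print each non-loopback local address bound to :8006.
# stdin: output of `ss -tln` or `netstat -tupln`.
non_loopback_8006() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:8006$/) {              # first match is the local address
                addr = $i
                sub(/:8006$/, "", addr)
                gsub(/^\[|\]$/, "", addr)     # ss prints IPv6 as [addr]
                if (addr !~ /^(::ffff:)?127\./ && addr != "::1") print addr
                break
            }
        }
    }'
}

# Print the unquoted value of KEY ($1) from a KEY="value" file ($2).
conf_value() {
    awk -F= -v key="$1" '
        $1 == key { v = substr($0, length(key) + 2); gsub(/^"|"$/, "", v); val = v }
        END { print val }' "$2" 2>/dev/null
}

# $1 = socket listing text, $2 = path to the pveproxy defaults file.
pveproxy_verdict() {
    wide=$(printf '%s\n' "$1" | non_loopback_8006)
    if [ -z "$wide" ]; then
        echo "loopback-only"                  # e.g. after the pveproxy.pm edit
    elif [ "$(conf_value ALLOW_FROM "$2")" = "127.0.0.1" ] &&
         [ "$(conf_value DENY_FROM "$2")" = "all" ]; then
        echo "wildcard-bind-acl-restricted"   # only the defaults file guards 8006
    else
        echo "exposed"                        # wide bind, ACL not as in the gist
    fi
}

# Constructed netstat -tupln lines: stock wildcard bind vs. patched loopback bind.
SAMPLE_WILDCARD='tcp  0  0 0.0.0.0:8006    0.0.0.0:*  LISTEN  1234/pveproxy'
SAMPLE_LOOPBACK='tcp  0  0 127.0.0.1:8006  0.0.0.0:*  LISTEN  1234/pveproxy'

# On a Proxmox host: pveproxy_verdict "$(ss -tln)" /etc/default/pveproxy
```

Running it after every Proxmox upgrade shows whether an overwritten `pveproxy.pm` has put the listener back on all interfaces.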


@KpuCko KpuCko commented Feb 22, 2019

Everything works fine, except when I use file upload :-)) Can you help with this:

2019/02/22 18:26:30 [error] 15387#15387: *15 upstream prematurely closed connection while reading response header from upstream, client: 192.168.0.15, server: 192.168.10.60, request: "POST /api2/json/nodes/proxmox-node-2/storage/local/upload HTTP/1.1", upstream: "https://127.0.0.1:8006/api2/json/nodes/proxmox-node-2/storage/local/upload", host: "192.168.10.60", referrer: "https://192.168.10.60/"

I just want to upload Debian.iso to the local datastore, the iso is 290MB large.

Owner Author

@sergey-dryabzhinsky sergey-dryabzhinsky commented Aug 1, 2019

@KpuCko
Updated gist - disable buffering of request/response on upload.
You'll need nginx >= 1.8


@aguerrave aguerrave commented Feb 6, 2020

Can you explain how to install?
Regards,

Owner Author

@sergey-dryabzhinsky sergey-dryabzhinsky commented Feb 6, 2020

@aguerrave
Copy this file into the /etc/nginx/sites-enabled/ directory, or wherever your installation keeps nginx configs.
Change server_name ... line to your proxmox server dns-name.
Reload nginx instance.


@aguerrave aguerrave commented Feb 7, 2020


@aguerrave aguerrave commented Feb 8, 2020

Do we need to install it on the Proxmox host or in a virtual machine?

/etc/nginx/sites-enabled# journalctl -xe
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: [emerg] open() "/etc/nginx/ssl/proxmox.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/nginx-vhost-proxpr
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- An ExecStartPre= process belonging to unit nginx.service has exited.

-- The process' exit code is 'exited' and its exit status is 1.
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Feb 08 17:26:32 condor3160 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: A start job for unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- A start job for unit nginx.service has finished with a failure.

-- The job identifier is 264934 and the job result is failed.

Owner Author

@sergey-dryabzhinsky sergey-dryabzhinsky commented Nov 13, 2020

I assume that you use these configs on proxmox host machine.

You should define ssl configs for nginx in file /etc/nginx/ssl/proxmox.conf - paths to certificate and key, ciphers.
Read about it there: https://nginx.org/en/docs/http/configuring_https_servers.html

Or disable line with include ssl/proxmox.conf. And change listen option to listen 80;. Not recommended though.
