@sergey-dryabzhinsky
Last active April 18, 2022 20:15
Nginx virtual host config for Proxmox: hides pveproxy (port 8006) behind nginx, with working VNC passthrough.
###
# Nginx vhost file to hide Proxmox pveproxy
# For 3.4+, 5.x version.
#
# Do not forget to create file
# /etc/default/pveproxy:
# ALLOW_FROM="127.0.0.1"
# DENY_FROM="all"
# POLICY="allow"
#
# @2019-08-05
# - disable big iso/templates upload buffering
#
# @2018-08-01 - changes
# - add missing special locations for proxmoxlib.js, vnc
#
# @2017-11-17 - changes
# - use nginx-1.10+ for https
# - move proxy_params inside locations, because otherwise
#   some parameters/headers fall back to their defaults
# - add other hacks to skip proxy to pveproxy: docs
# - add special location for api access
# - add some descriptions to options
server {
    # nginx-1.0+
    #listen 443 ssl;
    # nginx-1.6+
    #listen 443 ssl spdy;
    # nginx-1.10+
    listen 443 ssl http2;
    root /var/www/default;
    # Set YOUR server name here
    server_name proxmox.example.com;
    # Reject requests whose Referer points at another site
    # (crude protection against cross-site framing/requests)
    valid_referers none blocked server_names;
    if ($invalid_referer) {
        return 403;
    }
    # Hint for browsers: only allow framing from the same origin
    add_header X-Frame-Options SAMEORIGIN;
    # Don't "detect" file type by extension (IE10+?)
    add_header X-Content-Type-Options nosniff;
    access_log /var/log/nginx/proxmox.example.com-ssl-access.log;
    error_log /var/log/nginx/proxmox.example.com-ssl-error.log;
    # load images, backups, iso...
    client_max_body_size 64m;
    include proxy_params;
    # Your certificate, key and SSL settings must go in this file
    include ssl/proxmox.conf;
    # restrict proxy SSL protocols to those supported by pveproxy
    # Special for Proxmox-3
    proxy_ssl_protocols TLSv1;
    # Special for Proxmox-5+
    #proxy_ssl_protocols TLSv1.2;
    location / {
        # Magic for VNC (WebSocket upgrade)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }
    location ~* ^/(api2|novnc)/ {
        proxy_redirect off;
        # Magic for VNC (WebSocket upgrade)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Upload templates/iso
        location ~* ^/api2/json/nodes/.*/storage/.*/upload {
            client_max_body_size 2000m;
            # nginx-1.8+
            proxy_request_buffering off;
            proxy_max_temp_file_size 0;
            include proxy_params;
            proxy_pass https://127.0.0.1:8006;
        }
        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }
    # Proxmox Web-UI loads the DEBUG version of ExtJS, and proxying it
    # through pveproxy is very slow: nginx waits a long time and hangs.
    # Do not proxy static files, serve them straight from disk instead.
    location ~* ^/pve2/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-manager;
        try_files /$file @proxmox;
    }
    # Special for proxmox-5.x (proxmoxlib.js from proxmox-widget-toolkit);
    # the original had the prefix doubled ("/usr/share/usr/share/..."),
    # which made try_files always fall through to @proxmox
    location ~* ^/proxmox.*\.js$ {
        gzip_static on;
        root /usr/share/javascript/proxmox-widget-toolkit;
        try_files $uri @proxmox;
    }
    location ~* ^/pve-docs/(?<file>.*)$ {
        gzip_static on;
        root /usr/share/pve-docs;
        try_files /$file @proxmox;
    }
    # Fallback for static locations above: proxy to pveproxy after all
    location @proxmox {
        internal;
        # Magic for VNC (WebSocket upgrade)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # nginx-1.8+
        proxy_request_buffering off;
        proxy_max_temp_file_size 0;
        include proxy_params;
        proxy_pass https://127.0.0.1:8006;
    }
}
@qwsj

qwsj commented Jun 2, 2017

Thank you so much! :)

@stirch

stirch commented Dec 20, 2017

Does it work with Proxmox 5.1? And where can I get proxy_params for including in the config?
include proxy_params;
Thanks!

@sergey-dryabzhinsky

@stirch
include proxy_params; includes the /etc/nginx/proxy_params file.
It's available in the Debian/Ubuntu build.

But if you don't have it here it is:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;


ghost commented Oct 17, 2018

In case anyone "really" doesn't want pveproxy to be listening on all interfaces

Edit /usr/share/perl5/PVE/Service/pveproxy.pm

Change:
my $socket = $self->create_reusable_socket(8006, undef, $family);

To:
my $socket = $self->create_reusable_socket(8006, '127.0.0.1', $family);

systemctl restart pveproxy.service
netstat -tupln | grep pveproxy

And keep /etc/default/pveproxy settings just in case "pveproxy.pm" got overwritten by a Proxmox update
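Added example (not part of the gist, not Proxmox code): a POSIX shell check of the two conditions the gist header (the /etc/default/pveproxy lines) and the pveproxy.pm change above rely on, run here on constructed samples. The function names and the sample ss -tlnp output are assumptions.

```shell
#!/bin/sh
# Added example (not part of the gist): post-deployment check that pveproxy
# really is hidden behind nginx. Two things are verified: the text of
# /etc/default/pveproxy pins clients to 127.0.0.1 (gist header), and the
# pveproxy socket itself is bound to loopback only (pveproxy.pm change above).
# Inputs are passed as strings so the checks run on constructed samples here;
# on a host: pveproxy_defaults_ok "$(cat /etc/default/pveproxy)" and
#            pveproxy_loopback_only "$(ss -tlnp)".

# 0 when the defaults text carries the three lines from the gist header,
# 1 otherwise (without DENY_FROM="all" every client address is allowed).
pveproxy_defaults_ok() {
    for want in 'ALLOW_FROM="127.0.0.1"' 'DENY_FROM="all"' 'POLICY="allow"'; do
        printf '%s\n' "$1" | grep -qxF "$want" || return 1
    done
    return 0
}

# Takes `ss -tlnp` output (column 4 is Local Address:Port). Returns 0 when every
# pveproxy listener is on 127.0.0.1 or [::1], 1 when one is on a wildcard or
# external address, 2 when no pveproxy listener is present at all.
pveproxy_loopback_only() {
    listeners=$(printf '%s\n' "$1" | grep 'pveproxy' || true)
    [ -n "$listeners" ] || return 2
    if printf '%s\n' "$listeners" | awk '{ print $4 }' \
         | grep -qvE '^(127\.0\.0\.1|\[::1\]):8006$'; then
        return 1
    fi
    return 0
}

# Constructed samples: a correct defaults file, and ss output before/after
# the pveproxy.pm change (stock pveproxy binds 0.0.0.0, i.e. all interfaces).
SAMPLE_DEFAULTS='ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"'
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8006       0.0.0.0:*         users:(("pveproxy",pid=1234,fd=6))
LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=2345,fd=7))'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8006     0.0.0.0:*         users:(("pveproxy",pid=1234,fd=6))
LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=2345,fd=7))'

pveproxy_defaults_ok "$SAMPLE_DEFAULTS" && echo "defaults: ok"
pveproxy_loopback_only "$SS_BEFORE" || echo "before: pveproxy reachable from outside (rc=$?)"
pveproxy_loopback_only "$SS_AFTER" && echo "after: pveproxy on loopback only"
```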

@KpuCko

KpuCko commented Feb 22, 2019

Everything works fine, except when I use file upload :-)) Can you help with this:

2019/02/22 18:26:30 [error] 15387#15387: *15 upstream prematurely closed connection while reading response header from upstream, client: 192.168.0.15, server: 192.168.10.60, request: "POST /api2/json/nodes/proxmox-node-2/storage/local/upload HTTP/1.1", upstream: "https://127.0.0.1:8006/api2/json/nodes/proxmox-node-2/storage/local/upload", host: "192.168.10.60", referrer: "https://192.168.10.60/"

I just want to upload Debian.iso to the local datastore, the iso is 290MB large.

@sergey-dryabzhinsky

@KpuCko
Updated gist - disable buffering of request/response on upload.
You'll need nginx >= 1.8

@aguerrave

Can you explain how to install?
Regards,

@sergey-dryabzhinsky

@aguerrave
Copy this file into the /etc/nginx/sites-enabled/ directory, or wherever your installation keeps nginx configs.
Change the server_name ... line to your Proxmox server's DNS name.
Reload nginx instance.

@aguerrave

aguerrave commented Feb 7, 2020 via email

@aguerrave

aguerrave commented Feb 8, 2020

Do we need to install it on the Proxmox host or in the virtual machine?

/etc/nginx/sites-enabled# journalctl -xe
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: [emerg] open() "/etc/nginx/ssl/proxmox.conf" failed (2: No such file or directory) in /etc/nginx/con
Feb 08 17:26:32 condor3160 nginx[9062]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- An ExecStartPre= process belonging to unit nginx.service has exited.

-- The process' exit code is 'exited' and its exit status is 1.
Feb 08 17:26:32 condor3160 systemd[1]: nginx.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Feb 08 17:26:32 condor3160 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: A start job for unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support

-- A start job for unit nginx.service has finished with a failure.

-- The job identifier is 264934 and the job result is failed.

@sergey-dryabzhinsky

sergey-dryabzhinsky commented Nov 13, 2020

I assume that you use these configs on the Proxmox host machine.

You should define the SSL config for nginx in the file /etc/nginx/ssl/proxmox.conf: paths to the certificate and key, ciphers.
Read about it here: https://nginx.org/en/docs/http/configuring_https_servers.html

Or disable the line with include ssl/proxmox.conf and change the listen option to listen 80;. Not recommended though.

@sergey-dryabzhinsky

Updated gist: restrict proxy SSL protocols to those supported by pveproxy.
On Proxmox-3 it's limited to TLSv1.1, on Proxmox-5+ to TLSv1.2.

@sergey-dryabzhinsky

Updated gist: on Proxmox-3 pveproxy is limited to TLSv1.
