How can I use https of proxmox web with internal network

jjc27017

Member
Dec 14, 2017
Hi All,
I have been using Proxmox for some time, and it seems stable to me. Recently I wanted to set up secure HTTPS for the Proxmox cluster. I have read the guide https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)

Because the cluster is set up on an internal network in the company, I think it will not work with Let's Encrypt.
Am I correct that I generate fullchain.pem and private-key.pem to replace /etc/pve/nodes/<node>/pveproxy-ssl.pem and /etc/pve/nodes/<node>/pveproxy-ssl.key for each node, then run systemctl restart pveproxy?

Then each node should have secure HTTPS? Will these steps cause downtime for the running virtual hosts?
 
You already have HTTPS with the default, self-signed certificates. There is no unencrypted way to access the web interface, and this is by design. I'd only replace these certificates if you have company-signed certificates.

The change itself is unrelated to running VMs. Yet you do not replace certificates; the files pveproxy-ssl* are normally not present on the system, only pve-ssl.* are present.
 
Thanks for answering. I am now using nginx for load balancing because I run some nodes as a cluster.
I also want to set up an internal domain to access the web interface (I have a DNS server in the company). It now works fine for me, but the nginx conf can only support one certificate for the whole setup instead of one for each real server.

I checked that each server has its own pve-ssl*, and I took one node's pve-ssl* and wrote it into the nginx conf to make it work. But it shows that it can only access the certificate which belongs to its node.

Nginx conf

upstream cloud {
    # The four cluster nodes, each serving the web interface on port 8006
    server 192.168.0.39:8006 max_fails=1 fail_timeout=30s;
    server 192.168.0.40:8006 max_fails=1 fail_timeout=30s;
    server 192.168.0.41:8006 max_fails=1 fail_timeout=30s;
    server 192.168.0.42:8006 max_fails=1 fail_timeout=30s;
}

server {
    # Redirect plain HTTP to HTTPS
    listen 80;
    server_name www.cloud.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    # "listen 443 ssl" replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    server_name www.cloud.com;

    # Certificate and key copied from one node
    ssl_certificate /etc/nginx/certs/pve-ssl.pem;
    ssl_certificate_key /etc/nginx/certs/pve-ssl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        # Forward to the upstream group over HTTPS
        proxy_pass https://cloud;
    }
}

How can I use one domain name so that I can load-balance across these four nodes?
 
I'm no expert in nginx, yet the proxying works without a problem in Apache, so I assume it also works without a problem in nginx. The SSL proxy normally (and with the right configuration settings) does not care about self-signed certificates. You cannot have the same certificate for all hosts unless you issue a wildcard SSL certificate.

Another problem you might run into is that you cannot use login tokens from one server on another, so that you will not be able to log in on e.g. node 1 and use the same login token on node 2 if you get redirected/load balanced there.

I created a similar setting for our cluster that does distributed redirection depending on the available nodes. The term load balancing is an overstatement, because you really do not need load balancing with the PVE GUI. Often you just need one portal that redirects to a working node and you stick to that node.
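
An added example, not part of the thread or of the Proxmox documentation: one way to write the proxy so that the browser sees a single certificate for www.cloud.com, each client stays on one node, and nginx still verifies the node certificates. The certificate file names are placeholders, and the example assumes the nodes use the default cluster CA (/etc/pve/pve-root-ca.pem) and that each node's pve-ssl.pem lists DNS:localhost in its subjectAltName.

```nginx
upstream cloud {
    # ip_hash pins each client address to one node, so a session stays on
    # the node that issued its login ticket (the concern raised above).
    ip_hash;
    server 192.168.0.39:8006 max_fails=1 fail_timeout=30s;
    server 192.168.0.40:8006 max_fails=1 fail_timeout=30s;
    server 192.168.0.41:8006 max_fails=1 fail_timeout=30s;
    server 192.168.0.42:8006 max_fails=1 fail_timeout=30s;
}

server {
    listen 80;
    server_name www.cloud.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.cloud.com;

    # Browser-facing certificate: issued by the company CA for www.cloud.com
    # (placeholder file names). A node's pve-ssl.pem does not carry this name.
    ssl_certificate     /etc/nginx/certs/www.cloud.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/www.cloud.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://cloud;

        # Verify node certificates against the cluster CA, copied here from
        # /etc/pve/pve-root-ca.pem on any node (assumes the default CA is in use).
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/pve-root-ca.pem;
        # Assumption: every node's pve-ssl.pem has DNS:localhost in its SAN.
        # Check with: openssl x509 -in pve-ssl.pem -noout -ext subjectAltName
        proxy_ssl_name localhost;

        # The noVNC and shell consoles use WebSockets.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
```

If a pinned node fails, nginx sends the client to another node, where a new login may be required. Run `nginx -t` before reloading to catch path or directive errors.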
 
