EDIT: I solved it by removing the extra security stuff from nginx.conf
Hello, first thank you for doing an awesome job. I've used Proxmox for a couple of weeks now and have benefited extensively from browsing this forum. I'm learning so much, which is good because this system is intended for use in production eventually.
My host has several VMs on different bridges. Each of these separate networks will host a webserver (Apache Tomcat webapps), and if I wanted to I could just use different ports for each domain and set up forwarding with iptables, but since this is meant for production, I want a clean look. Eventually I also want to set up reverse proxies with Let's Encrypt to get rid of those annoying SSL cert messages.
This is a hosted node with a single public IP, btw. NAT is set up and working perfectly.
I've done some googling and have tried to set up a forward proxy with nginx installed on the host which will forward requests to the correct VM based on URL, but it will only start to connect, and then I get a "refused to connect" error inside a frame.
If this is unsuitable for this forum I apologize, but so many of the writeups I've found are too unspecific to my use case, so I chose to post it here in the hope that someone else has done it.
This is my initial /etc/nginx/nginx.conf to which I plan to add more domains when I get it working:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    # EDIT: I removed this section below
    # Random Security Stuff
    server_tokens off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security max-age=63072000;

    # Common Proxy Settings
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    ########################
    # Default Config Stuff #
    ########################
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096; #Default:2048
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    server {
        listen 80;
        server_name example.com;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        location / {
            proxy_pass http://10.10.0.3:80;
        }
    }
} # closes the http block (the closing brace was missing from the posted config; nginx -t rejects the file without it)
This is my /etc/network/interfaces:
auto lo
iface lo inet loopback

iface eno0 inet manual
iface enp26s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address PUBLIC_IP/24
    gateway GATEWAY
    bridge-ports eno0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
    hwaddress MAC

auto vmbr1
iface vmbr1 inet static
    address 10.0.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

auto vmbr2
iface vmbr2 inet static
    address 10.10.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE #NAT for vmbr1
    post-up iptables -t nat -A POSTROUTING -s '10.10.0.0/24' -o vmbr0 -j MASQUERADE #NAT for vmbr2
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.0.0/24' -o vmbr0 -j MASQUERADE
    # ACCEPT is the iptables target name; the posted rules used "ALLOW", which is not a valid target and makes iptables reject the rule
    post-up iptables -A FORWARD -o vmbr0 -j ACCEPT #I'll remove many of these eventually, but it's to allow different networks on different bridges to talk
    post-up iptables -A FORWARD -i vmbr0 -j ACCEPT
    post-up iptables -A FORWARD -o vmbr1 -j ACCEPT
    post-up iptables -A FORWARD -i vmbr1 -j ACCEPT
    post-up iptables -A FORWARD -o vmbr2 -j ACCEPT
    post-up iptables -A FORWARD -i vmbr2 -j ACCEPT
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
For testing purposes all firewalls are off. The error message says "refused to connect", but the firewalls are off. This site is running Apache Tomcat on Windows (Windows is the only choice).
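The symptom in the post ("refused to connect" rendered inside a frame, while the proxy and the Tomcat backend are reachable) is consistent with the `add_header X-Frame-Options DENY;` line in the `http` block: nginx adds it to every response of every proxied vhost, and a browser that is asked to show such a page in a frame refuses to render it. Removing the whole block fixes the frame, but it also drops `X-Content-Type-Options: nosniff` and the other protections from every site behind the proxy. Two nginx behaviours matter when deciding what to keep: `add_header` lines are inherited from the enclosing level only when the current level declares none of its own (so a single `add_header` in a `server` block silently discards everything set in `http`), and a `Strict-Transport-Security` header sent over a plain port-80 listener is ignored by browsers. The following script is an added example, not the poster's tooling or anything from the Proxmox or nginx projects; it parses a constructed nginx.conf modelled on the posted one (with the `http` block closed) and reports, for each proxied `location`, the headers the browser will actually see and whether framing is blocked or HSTS is set without TLS. The parser is deliberately minimal (no `include` resolution, no `map`/`if` handling) and the sample hostnames and upstream addresses are placeholders.

```python
"""Audit the effective add_header set of each proxied nginx location.

Constructed example: a minimal nginx.conf tokenizer/parser plus nginx's
add_header inheritance rule (a block inherits the parent's add_header list
only when it declares no add_header of its own). Not the forum poster's code.
"""
import re

# Constructed sample modelled on the posted nginx.conf; hostnames/IPs are placeholders.
SAMPLE_CONF = """
http {
    # Random Security Stuff
    server_tokens off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=63072000;
    proxy_set_header Host $host;
    server {
        listen 80;
        server_name example.com;
        location / {
            proxy_pass http://10.10.0.3:80;
        }
    }
    server {
        listen 443 ssl;
        server_name other.example.com;
        add_header X-Frame-Options SAMEORIGIN;   # hypothetical per-site override
        location / {
            proxy_pass http://10.0.0.3:8080;
        }
    }
}
"""

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Strip '#' comments line by line, then split into nginx tokens."""
    tokens = []
    for line in text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', line)
        tokens.extend(TOKEN_RE.findall(line))
    return tokens


def parse(tokens, pos=0):
    """Recursive descent: returns (directives, position). Each directive is a
    dict with name, args and block (a nested list, or None for simple ones)."""
    nodes = []
    while pos < len(tokens) and tokens[pos] != '}':
        words = []
        while pos < len(tokens) and tokens[pos] not in ('{', ';'):
            words.append(tokens[pos].strip('"\''))
            pos += 1
        if not words:            # stray ';' or truncated input
            pos += 1
            continue
        node = {'name': words[0], 'args': words[1:], 'block': None}
        if pos < len(tokens) and tokens[pos] == '{':
            node['block'], pos = parse(tokens, pos + 1)   # pos lands on matching '}'
        pos += 1                                          # skip ';' or '}'
        nodes.append(node)
    return nodes, pos


def first_arg(nodes, name, default=None):
    """First argument of the first directive called `name`, else default."""
    return next((n['args'][0] for n in nodes if n['name'] == name and n['args']), default)


def audit(conf_text):
    """One finding per location that proxies to a backend: the headers the
    browser will see, whether X-Frame-Options blocks framing, and whether
    HSTS is emitted on a listener without TLS."""
    findings = []

    def walk(nodes, inherited, server='_', tls=False):
        own = [tuple(n['args'][:2]) for n in nodes if n['name'] == 'add_header']
        headers = own if own else inherited        # nginx add_header inheritance rule
        for n in nodes:
            if n['block'] is None:
                continue
            if n['name'] == 'server':
                server = first_arg(n['block'], 'server_name', '_')
                tls = any('ssl' in c['args'] or (c['args'] and c['args'][0].endswith('443'))
                          for c in n['block'] if c['name'] == 'listen')
            effective = walk(n['block'], headers, server, tls)
            upstream = first_arg(n['block'], 'proxy_pass')
            if n['name'] == 'location' and upstream:
                sent = dict(effective)
                findings.append({
                    'server': server,
                    'location': ' '.join(n['args']),
                    'upstream': upstream,
                    'headers': sent,
                    'frame_blocked': sent.get('X-Frame-Options', '').upper() == 'DENY',
                    'hsts_without_tls': 'Strict-Transport-Security' in sent and not tls,
                })
        return headers

    walk(parse(tokenize(conf_text))[0], [])
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_CONF):
        print(f"{f['server']} {f['location']} -> {f['upstream']}")
        print(f"  headers sent: {f['headers']}")
        print(f"  framing blocked: {f['frame_blocked']}, HSTS without TLS: {f['hsts_without_tls']}")
```

Running it against the sample shows the two things worth knowing before deleting the header block: the port-80 `example.com` vhost inherits `X-Frame-Options: DENY` (the frame failure) together with a useless HSTS header, while the second vhost's single `add_header X-Frame-Options SAMEORIGIN;` keeps framing working on its own origin but, because of the inheritance rule, also drops `nosniff`. Keeping the headers and setting them per `server` block, repeating the ones you still want, preserves the protections without the frame error.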