nginx on separate host as reverse proxy with domain name

Mar 6, 2024
Hello,

I am trying to configure my nginx instance in such a way that it will reverse proxy proxmox.internal to 10.0.1.1:8006.

All of the guides I find, including the official documentation, explain how to do this, but they do not include configuration for a domain name, and my nginx instance is located on a different host.

Could someone help me get this to work? I would appreciate it!

Config:
Code:
server {
    listen 80;
    server_name proxmox.internal www.proxmox.internal;
    rewrite ^(.*) https://$host$1 permanent;
}

upstream proxmox {
    server 10.0.1.1:8006;
}

server {
    listen 443 ssl;
    server_name proxmox.internal www.proxmox.internal;
    ssl_certificate /cert/pve-ssl.pem;
    ssl_certificate_key /cert/pve-ssl.key;
    proxy_redirect off;

    location / {
        proxy_ssl_protocols TLSv1.2;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;

        proxy_pass https://proxmox;
    }
}

When I navigate to https://proxmox.internal I get into an infinite loading loop.
 
Try adding a directive to change the host header before forwarding the request from Nginx to PVE:

Code:
server {
    listen 80;
    server_name proxmox.internal www.proxmox.internal;
    rewrite ^(.*) https://$host$1 permanent;
}

upstream proxmox {
    server 10.0.1.1:8006;
}

server {
    listen 443 ssl;
    server_name proxmox.internal www.proxmox.internal;
    ssl_certificate /cert/pve-ssl.pem;
    ssl_certificate_key /cert/pve-ssl.key;
    proxy_redirect off;

    location / {
        proxy_ssl_protocols TLSv1.2;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host "10.0.1.1";

        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;

        proxy_pass https://proxmox;
    }
}

AFAIR Nginx by default will use $proxy_host, which is either the name of the upstream server or the IP used in the proxy_pass directive. This makes the request reach PVE with the wrong Host header, hence the redirect loop.
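
To check which Host header actually reaches the backend, the value the reply above is about, a throwaway echo backend can stand in for PVE. This is an added example, not code from the thread: the names HostEcho, start_echo and seen_host are hypothetical, and because it speaks plain HTTP it assumes a temporary test location whose proxy_pass points at it over http:// instead of at PVE.

```python
# Added example (not from the thread): a throwaway backend that reports the
# Host header it receives, to check what a reverse proxy forwards upstream.
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class HostEcho(BaseHTTPRequestHandler):
    """Answer every GET with the headers the client (or proxy) really sent."""

    def do_GET(self):
        body = json.dumps({
            "host": self.headers.get("Host"),
            "upgrade": self.headers.get("Upgrade"),
            "path": self.path,
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


def start_echo(bind="127.0.0.1", port=0):
    """Start the echo backend in a daemon thread; port=0 picks a free port."""
    srv = ThreadingHTTPServer((bind, port), HostEcho)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def seen_host(port, host_header, addr="127.0.0.1"):
    """Send one request with an explicit Host header; return what the backend saw."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)  # suppress the automatic Host
    conn.putheader("Host", host_header)
    conn.endheaders()
    reply = json.loads(conn.getresponse().read())
    conn.close()
    return reply["host"]


if __name__ == "__main__":
    srv = start_echo()
    port = srv.server_address[1]
    for h in ("proxmox", "10.0.1.1", "proxmox.internal"):  # constructed values
        print(f"sent Host: {h!r:22} backend saw: {seen_host(port, h)!r}")
    srv.shutdown()
```

Run stand-alone, it sends the three candidate Host values directly; behind nginx, request the test location with a browser or curl and read the "host" field of the JSON reply.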
 

Hey!

So what I did to 'fix' this is install nginx on the proxmox host itself. I also installed nginx on all my other LXCs and VMs for proxying because I found it easier to, for example, have service1.internal point to 10.0.1.1 via DNS (pihole) but then also proxy https://service1.internal to 10.0.1.1:8000.

Normally if you wanted to proxy using a dedicated nginx host then you'd have to make the DNS point to that host, which would not be ideal for my case.