nginx reverse proxy to web UI

Mar 6, 2024
Hi there,

I am unable to get an nginx reverse proxy to work for letting me access the web UI from an FQDN.
Here are the relevant details:

nginx host: 10.0.3.4
web UI: 10.0.3.1:8006 (IP of the main pve host, it's a vmbr)

Config:

Code:
    location / {
        proxy_pass http://10.0.3.1:8006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

I get 'too many redirects' as a response.

I've also looked at the nginx guide but that uses the pve's certificates which I can't access from the nginx host (LXC).
I'm using letsencrypt for the certificates.

Is there anything that I'm doing wrong for the config?
 
When I proxy pass to the external IP it is also showing the same error so it must be related to the pve cert (which it's not using)?
You need to either accept the certificate or ignore certificate errors in order to reverse proxy an https connection.
 
Ok so then I would have to use the pve's certificates? I'd rather do that than ignore certificate errors.
Best way would be to have a proper internal CA and just add it to your local ca-certificates. Another signed cert to your PVE. Maybe it also works if you add the self-created certificate from your PVE host to the ca-certificates, yet I never tried. You also have to check to what CN the current certificate is issued and use this name/ip as the proxy destination.

Why don't you just let PVE do the Let's Encrypt handshake and dismiss the proxy? The nginx-proxy with proper certificates is more complex than just using the PVE node itself.
 
I managed to solve it!

1) I had to make sure to use https
2) I had TFA enabled, but this needs to be disabled and then re-enabled so that the FQDN is accepted
3) I did not need proxy_redirect off or the upstream section

Here's the complete config:

NGINX:
server {
    root /var/www/example.com;
    server_name example.com www.example.com;

    listen 80;
    listen [::]:80;

    location / {
        return 301 https://$host$request_uri;
    }

    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
}

server {
    root /var/www/example.com;
    server_name example.com www.example.com;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://10.0.3.1:8006/;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }

    # the ssl parameter is needed for nginx to terminate TLS on these listeners
    listen [::]:443 ssl;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
 
Best way would be to have a proper internal CA and just add it to your local ca-certificates. Another signed cert to your PVE. Maybe it also works if you add the self-created certificate from your PVE host to the ca-certificates, yet I never tried. You also have to check to what CN the current certificate is issued and use this name/ip as the proxy destination.

Why don't you just let PVE do the Let's Encrypt handshake and dismiss the proxy? The nginx-proxy with proper certificates is more complex than just using the PVE node itself.

This honestly sounds more complex than nginx to me, I let certbot handle the certificates. I also have a couple more redirects to different websites on the nginx host so it's not just for accessing pve.
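
nginx leaves `proxy_ssl_verify` off by default, so the `location /` block in the solution above encrypts the hop to `https://10.0.3.1:8006` without checking the PVE certificate. The following is an added example, not part of the thread, of that block with upstream verification turned on as suggested in the "add it to your local ca-certificates" reply; the CA file path and the name `pve.example.internal` are assumptions.

```nginx
# Added example, not from the thread.
# Assumptions:
#   - the PVE CA certificate (public part only, no key) has been copied to
#     the nginx host as /etc/nginx/pve-root-ca.pem
#   - pve.example.internal is a placeholder for a name that is present in
#     the subjectAltName of the certificate served on port 8006
location / {
    proxy_pass https://10.0.3.1:8006/;

    # Verify the upstream certificate; nginx skips this unless told to.
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/pve-root-ca.pem;
    proxy_ssl_verify_depth 2;

    # Name the certificate is checked against. Without this, nginx uses the
    # host from proxy_pass (10.0.3.1), which only passes if that IP is in
    # the certificate.
    proxy_ssl_name pve.example.internal;
    proxy_ssl_server_name on;   # also send that name as SNI

    # WebSocket upgrade and long-running requests, as in the config above.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_connect_timeout 3600s;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    send_timeout 3600s;
}
```

If verification fails, nginx answers 502 and logs an upstream SSL certificate verify error in `error.log`, which shows whether the CA file or the name is the mismatch.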
 
