nginx reverse proxy with subdirectory - again

[elterminatore]

hey guys,

it's a never ending story - configure a nginx reverse proxy for proxmox within a subdirectory. found some threads with other solutions than the originally intended nginx with subdirectory. but it's not possible in my case because using the existing nginx proxy is a given fact.
we have one nginx reverse proxy to serve different (web)services to outside the company network. all this services running on different hosts and must be served external within a subdirectory. so the only possibility to do this with proxmox, is to work with a subdirectory too. i think i'm got it working but only the console don't work. it is ok for me, because i only need the webinterface for some basic administration tasks. and only in that case there is any trouble with the company vpn gateway.

with this configuration when the new console window opens, the complete webgui is opened in this window. probably it's an issue with the used location/rewrite config and the request is not included in the rules. this is the corresponding logfile entry:

10.10.10.10 - - [26/Dec/2019:08:52:12 +0100] "GET /px/?console=kvm&novnc=1&vmid=1077&vmname=webserver26&node=p1&resize=off&cmd= HTTP/1.1" 200 855 "https://px.mydomain.tld/px/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36"

maybe here are some guys interested in that configuration? (scroll down for the proxmox related part)
and maybe here are some guys with more know how to configure nginx than me and can help get the console working? (and fix some unlovely settings i've googled and used with trial and error method.)

regards
stefan

p.s. don't be confused about the double use of the string "px". in a hostname i used it as an acronym of "proxy" and in an URL is used it as an acronym for "proxmox"

server {
    listen 80;
    server_name px.mydomain.tld px.internal.mydomain.tld;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    # let's encrypt
    location ^~ /.well-known/acme-challenge/ {
    proxy_pass http://localhost:60001;
    }
}

upstream proxmox {
    ip_hash;
    server p1.internal.mydomain.tld:8006;
    server p2.internal.mydomain.tld:8006;
    server p3.internal.mydomain.tld:8006;
}

server {
    listen 443 ssl;
    server_name px.mydomain.tld px.internal.mydomain.tld;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    ssl_certificate /etc/letsencrypt/live/px.mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/px.mydomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/px.mydomain.tld/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 10.10.10.1 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    access_log  /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

# guacamole
    location /gu/ {
        proxy_pass http://gu.internal.mydomain.tld:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
# end guacamole

# [... more configs at this place ...]

# proxmox
    location ~/px(.*)$ {
        proxy_pass https://proxmox$1;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        add_header X-Frame-Options SAMEORIGIN;
    }
    location ~ ^/(pve2|api2|pwt|ceph)/ {
        rewrite ^/$1/$ /px/$1/$2 break;
        proxy_pass https://proxmox$2;
    }
    location ~* ^/proxmox.*\.js$ {
        proxy_pass https://proxmox$1;
    }
    location ~* ^/favicon.*\.ico$ {
        proxy_pass https://proxmox$1;
    }
# ende proxmox

}

 

[Dominic]

You can access the console from the web interface by clicking on your node in the resource tree on the left and then selecting "Shell" in the menu of the content panel. Does this help you? What version of Proxmox VE are you using (pveversion -v)?

 

[elterminatore]

maybe I didn't express myself correctly... next try:

with this proxy configuration, some things are going wrong.
when i open a console from a vm, a new window opens. but it does not show the console, but the webgui:




and when i want to access the console from a proxmox host, this is displayed:

Spoiler: pveversion -v

root@p1:~# pveversion -v
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
proxmox-ve: 6.1-2 (running kernel: 5.3.13-1-pve)
pve-manager: 6.1-5 (running version: 6.1-5/9bf06119)
pve-kernel-5.3: 6.1-1
pve-kernel-helper: 6.1-1
pve-kernel-5.0: 6.0-11
pve-kernel-4.15: 5.4-8
pve-kernel-5.3.13-1-pve: 5.3.13-1
pve-kernel-5.3.10-1-pve: 5.3.10-1
pve-kernel-5.0.21-5-pve: 5.0.21-10
pve-kernel-5.0.21-4-pve: 5.0.21-9
pve-kernel-5.0.21-3-pve: 5.0.21-7
pve-kernel-5.0.21-2-pve: 5.0.21-7
pve-kernel-5.0.21-1-pve: 5.0.21-2
pve-kernel-4.15.18-20-pve: 4.15.18-46
pve-kernel-4.15.18-3-pve: 4.15.18-22
ceph: 14.2.6-pve1
ceph-fuse: 14.2.6-pve1
corosync: 3.0.2-pve4
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
libjs-extjs: 6.0.1-10
libknet1: 1.13-pve1
libpve-access-control: 6.0-5
libpve-apiclient-perl: 3.0-2
libpve-common-perl: 6.0-10
libpve-guest-common-perl: 3.0-3
libpve-http-server-perl: 3.0-3
libpve-storage-perl: 6.1-3
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve3
lxc-pve: 3.2.1-1
lxcfs: 3.0.3-pve60
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.1-2
pve-cluster: 6.1-3
pve-container: 3.0-16
pve-docs: 6.1-3
pve-edk2-firmware: 2.20191127-1
pve-firewall: 4.0-9
pve-firmware: 3.0-4
pve-ha-manager: 3.0-8
pve-i18n: 2.0-3
pve-qemu-kvm: 4.1.1-2
pve-xtermjs: 3.13.2-1
qemu-server: 6.1-4
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.2-pve2

 

[Dominic]

It is normal that a new window opens up and the displayed URL looks ok. This is an example for a working one

https://localhost:8006/?console=kvm&novnc=1&vmid=100&vmname=dev&node=mala&resize=scale&cmd=

What happens if you try to open a console of your host p1 from the GUI of p1? Then the URL should look like this:

https://localhost:8006/?console=shell&novnc=1&vmid=0&vmname=&node=mala&resize=scale&cmd=

 

[elterminatore]

What happens if you try to open a console of your host p1 from the GUI of p1? Then the URL should look like this:

when i directly use the gui from host p1 (or another host), everything works fine.

it does not work trough the proxy (px) with the nginx config shown above and and i'm getting the results shown above. the urls are correct because proxmox does not know the reverse proxy configuration. i think there is an issue with the nginx config especially with the use of a subdirectory. in any case, i have made further progress than most who tried to put a nginx proxy with a subdirectory in front of proxmox. it's not essentially for me to getting the vm and host console work. i but it would be nice to getting that working.