Proxmox is behind a reverse proxy, so I want to turn off TLS. How?

Just want to find out how I can do this. My Nginx reverse proxy is already doing TLS for me with multiple domains.

Not possible. PVE uses TLS (with certificate pinning) for intra-cluster request proxying as well, and this is not optional/configurable.

Edit: also, there should be no harm except for a slight overhead if you reverse-proxy to a (cluster of) TLS-enabled host(s)? It's not like you are sending gigabytes of data to/from the PVE host via the API or web interface, and you are probably also not having thousands of concurrent sessions either. And IMHO intra-datacenter traffic should be encrypted as much as possible as well, just like "public" traffic - you never know who might listen in on your supposedly "private" traffic.
 
Is spirit right that reverse-proxying will break websockets for the console?
 
Hey guys! Anyone who can describe how you did this with haproxy?
Hi,
I don't terminate TLS with haproxy.
This is a working haproxy config for me (with my own script to regenerate the letsencrypt certificate, all nodes in one certificate).
Code:
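frontend pve_frontend
   bind *:8006
   # TCP mode: the TLS stream is passed through to the PVE nodes untouched,
   # so haproxy never sees the HTTP layer
   mode tcp
   option tcplog
   # HTTP-only directives (option httpclose, reqadd) do not apply in tcp mode, so none are set
   default_backend pve-server
   timeout client  65000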

frontend http_frontend
   bind *:80
   mode http
   option httplog
   acl acl_pve   hdr(host) -i pve.domain.org
   acl acl_pve   hdr(host) -i pve-a.domain.org
   acl acl_pve   hdr(host) -i pve-b.domain.org
   acl acl_pve   hdr(host) -i pve-c.domain.org
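   acl acl_letsencrypt url_beg /.well-known/acme-challenge/
   # Port-80 requests for the PVE host names go to pve-http
   use_backend pve-http     if acl_pve
   # ACME challenges for any other host go to web-srv-http (backend not included in this post)
   use_backend web-srv-http if acl_letsencrypt !acl_pve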

backend pve-http
   mode http
   server pve 192.168.200.11:8080

backend pve-a-http
   mode http
   server pve-a 192.168.200.11:80

backend pve-b-http
   mode http
   server pve-b 192.168.200.12:80

backend pve-c-http
   mode http
   server pve-c 192.168.200.13:80

backend pve-server
   mode tcp
   balance roundrobin
   timeout server  65000
   stick-table type ip size 200k expire 60m
   stick on src
   server pve-a 192.168.200.11:8006
   server pve-b 192.168.200.12:8006
   server pve-c 192.168.200.13:8006
Udo
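
For the Nginx setup in the original question, the alternative described above (terminate public TLS on the proxy and re-encrypt to the TLS-enabled PVE host) could look like the following. This is an added example, not a config posted by anyone in this thread; the host names, the backend address and all file paths are placeholders, and the timeout value is an assumption.

```nginx
# Added example (constructed). Include from the http {} context, e.g. conf.d/pve.conf.
# Host names, address and paths are placeholders, not values from the thread.

# Send "Connection: upgrade" to the backend only when the client requested an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream pve_backend {
    server 192.0.2.11:8006;            # placeholder PVE node address
}

server {
    listen 443 ssl;
    server_name pve.example.org;       # placeholder public name

    ssl_certificate     /etc/nginx/tls/pve.example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/pve.example.org.key;   # placeholder path

    location / {
        proxy_pass https://pve_backend;    # the hop to PVE stays on TLS

        # nginx defaults to "proxy_ssl_verify off", which encrypts this hop but
        # accepts any certificate the backend presents. Verify it instead.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/pve-backend-ca.pem;  # CA that signed the node certificate (placeholder path)
        proxy_ssl_name                pve-a.example.org;  # name expected in the node certificate (placeholder)
        proxy_ssl_server_name         on;                 # send that name as SNI

        # Forward WebSocket upgrade requests (relevant to the console question above)
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600s;      # long-lived sessions; value is an assumption
        proxy_buffering    off;
    }
}
```

Unlike the tcp-mode haproxy config above, this proxy sees the decrypted HTTP traffic, so it can set headers such as X-Forwarded-Proto, and its own private key and access must be protected accordingly.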
 
