[SOLVED] Proxy nginx - Configuration / Wrong behaviour

Aug 27, 2020
Hello,
Browsing the best practices tips, I installed and enabled nginx to avoid allowing access on port 8006 for everybody;
the idea was to offer https on port 443 for all quarantine links
and keep 8006 access from specific IPs only for appliance management.

I ran nginx -t to test my configuration and needed to change a few points *

Code:
server {
    listen 80 default_server;
    rewrite ^(.*) https://MyPublicFQDN permanent;
}
 
server {
    listen 443 ssl;
    server_name LocalServerName;
    # * ssl on; > I had to remove this and add SSL on the first line
    ssl_certificate /etc/pmg/pmg-api.pem;
    ssl_certificate_key /etc/pmg/pmg-api.pem;
    proxy_redirect off;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header PVEClientIP $remote_addr;
    proxy_buffering off;
    client_max_body_size 0;
    proxy_connect_timeout  3600s;
    proxy_read_timeout  3600s;
    proxy_send_timeout  3600s;
    send_timeout  3600s;
   
    # proxy requests for static components
    location ~ /proxmoxlib.js$|/favicon.ico$|/pve2/|/fontawesome/|/framework7/|/pwt/ {
        proxy_pass https://localhost:8006;
    }
    location /quarantine {
        proxy_pass https://localhost:8006;
    }

    location /api2 {
        location ~ /api2/(extjs|json|htmlmail)/(access/ticket$|version$) {
            proxy_pass https://localhost:8006;
        }
        location ~ /api2/(extjs|json|htmlmail)/nodes/.+/subscription$ {
            proxy_pass https://localhost:8006;
        }
        location ~ /api2/(extjs|json|htmlmail)/quarantine {
            proxy_pass https://localhost:8006;
        }
        return 403;
    }

    location / {
        return 301 $scheme://www.facebook.com/MyPage;
    }
}

Then I restricted access to port 8006 on my frontal firewall to a few public IPs.
I updated my PMG configuration in the GUI: Configuration > Spam Detector > Quarantine > Quarantine port: 443

So the quarantine links are fine in the daily report.
-> pointing to my https://MyPublicFQDN

But it seems it's only readable from IPs which are in my 'allowed-list' on port 8006 ...
Others get a blank page.

I probably missed something.
Any idea?

Thanks
 
On a hunch - please check /var/log/pmgproxy/pmgproxy.log (and the browser console of clients which get the empty page) - do they get a 403 forbidden?

I think that setting:
proxy_set_header PVEClientIP $remote_addr;

causes the blocklists in /etc/default/pmgproxy to also be taken into account when accessing via nginx.

Alternatively - remove the allow/deny lines from /etc/default/pmgproxy and see if this works - if it does - consider blocking port 8006 via iptables instead.

I hope this helps!
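
The log check suggested in the reply above (looking for 403 responses in /var/log/pmgproxy/pmgproxy.log), written out as an added example that is not part of the thread or of Proxmox's own tooling. It assumes a common-log-style line layout (client, user, timestamp, request, status, size); the sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed access-log layout: client - user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
::ffff:198.51.100.7 - - [27/08/2020:10:12:01 +0200] "GET /quarantine?ticket=abc HTTP/1.1" 200 2101
::ffff:203.0.113.45 - - [27/08/2020:10:12:09 +0200] "GET /quarantine?ticket=def HTTP/1.1" 403 -
::ffff:203.0.113.45 - - [27/08/2020:10:12:10 +0200] "GET /api2/json/version HTTP/1.1" 403 -
::ffff:203.0.113.99 - - [27/08/2020:10:13:30 +0200] "GET /pve2/css/ext6-pmx.css HTTP/1.1" 403 -
garbage line that does not parse
::ffff:198.51.100.7 - root@pam [27/08/2020:10:14:02 +0200] "POST /api2/extjs/access/ticket HTTP/1.1" 200 512
"""


def normalize_client(addr):
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:1.2.3.4 and 1.2.3.4 group together."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def forbidden_by_client(log_text):
    """Return (403 count per client, {client: sorted paths}, number of unparsed lines)."""
    counts, paths, unparsed = Counter(), {}, 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # surface format drift instead of silently skipping it
            continue
        if m.group("status") != "403":
            continue
        client = normalize_client(m.group("client"))
        counts[client] += 1
        # Drop the query string so quarantine tickets do not end up in the report.
        paths.setdefault(client, set()).add(m.group("path").split("?", 1)[0])
    return counts, {c: sorted(p) for c, p in paths.items()}, unparsed


if __name__ == "__main__":
    counts, paths, unparsed = forbidden_by_client(SAMPLE_LOG)
    for client, n in counts.most_common():
        print(f"{client}: {n} x 403 -> {', '.join(paths[client])}")
    print(f"unparsed lines: {unparsed}")
```

If the clients that get 403 are exactly the ones outside the allow list for port 8006, that supports the explanation given in the reply; a non-zero unparsed count means the assumed line layout does not match the real log.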
 
Hello,
@dcsapak, the link you provided is the one in my initial post;
I had to change the syntax as the SSL line is obsolete.
@Stoiko Ivanov, thanks

I ran new tests and was able to reproduce the error on Edge only...
After an update, Edge is able to display the content.

So the issue was not in my configuration, only on the customer site :cool:

Thanks for your reply.
 
