[SOLVED] PVE Console behind NGINX Reverse Proxy

hr556

Member
Jan 29, 2021
Hello,

I hope this is the correct sub-forum. I want to get the PVE console (NoVNC) working in combination with an NGINX reverse proxy. My current NGINX conf is:

Code:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log debug;

events {
    worker_connections  1024;
}
 
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
 
    server {
        listen     80;
        server_name  localhost;
 
        location / {
 
            default_type text/html;
            proxy_set_header Host $http_host;
            proxy_pass https://192.168.10.5:8006$request_uri;

            proxy_ssl_server_name on;
            proxy_ssl_protocols TLSv1.2;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_connect_timeout  3600s;
            proxy_read_timeout  3600s;
            proxy_send_timeout  3600s;
            send_timeout  3600s;
        }
    }
}

I already read to enable websockets, but unfortunately it's still not working. When I try to access the console, after 30 sec. I get the following error message and the console stays black:

Code:
failed waiting for client: timed out
TASK ERROR: command '/usr/bin/termproxy 5900 --path /vms/445 --perm VM.Console -- /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=pve02' -t root@192.168.10.6 -- /usr/sbin/qm terminal 445 -escape 0 -iface serial0' failed: exit code 1

I'm running a two-node PVE cluster with version 6.3-3. Has anyone ever got the console with NGINX working?

Thanks!
 
you're missing things in your config. you should try adapting the config from the wiki example and it will work
 
The only thing that was missing was "proxy_redirect", I added that but still not working - same error.
 
here on my test machine with latest PVE 6.3 this works:

Code:
apt update
apt install nginx
rm /etc/nginx/sites-enabled/default
nano /etc/nginx/conf.d/proxmox.conf

and the contents of proxmox.conf:

Code:
upstream proxmox {
    server "YOUR.FQDN.GOES.HERE";
}

server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443;
    server_name _;
    ssl on;
    ssl_certificate /etc/pve/local/pve-ssl.pem;
    ssl_certificate_key /etc/pve/local/pve-ssl.key;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://localhost:8006;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}

you need to change the FQDN part to the fully qualified domain name of your host, you can check cat /etc/hosts output to find yours. in my case it was pve-dev-machine.proxmox.com. save the file and then check the syntax:
Code:
nginx -t

it should return:

Code:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

if you see this message then you can restart the service:

Code:
systemctl restart nginx

and access the user interface at https://your.fqdn.goes.here or https://your.ip.address.here


if everything works (web interface, noVNC) then you can follow the additional steps described on the wiki to make it persistent


hope this helps
 
I recreated it now from scratch with the exact same config mentioned in the article above, and now it works. No clue what's the problem, but it's solved. Thanks oguz for your patience.
 
you're welcome, please mark the thread as [SOLVED] so others know what to expect :)
 
Hello,

I stumbled across this post whilst attempting to set up Let's Encrypt SSL while also utilizing Nginx Reverse Proxy. The issue I am encountering, even updating the conf file to reflect the location of where the SSL cert is living, still suggests that the connection is not secure. However, without the Nginx Reverse proxy, and maintaining the default port of 8006, there are no issues and the connection is secure. What is the configuration that might be missing to redirect to Let's Encrypt certs?

Code:
upstream proxmox {
    server "my.FQDN.here";
}

server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/pve/nodes/nodename/pve-ssl.pem;
    ssl_certificate_key /etc/pve/nodes/nodename/pve-ssl.key;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://localhost:8006;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}
 
I just wanted to add that in proxmox.conf, the line ssl on; should be commented out and on the line listen 443; ssl should be added. This is because ssl on; is deprecated. See below:

Code:
upstream proxmox {
    server "YOUR.FQDN.GOES.HERE";
}

server {
    listen 80 default_server;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name _;
#    ssl on;
    ssl_certificate /etc/pve/local/pve-ssl.pem;
    ssl_certificate_key /etc/pve/local/pve-ssl.key;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://localhost:8006;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}
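
Added example, not part of any post in this thread and not Proxmox's or nginx's own tooling: a small Python checker for the three points on which the configs above differ (the WebSocket handshake directives noVNC needs, the deprecated `ssl on;`, and a proxying server with no TLS listener). The function names and finding codes are assumptions of this example, and it looks at location-level directives only, not ones inherited from the server block.

```python
import re

def parse(text):  # -> nested list of (name, args, children) tuples
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    def block(i):
        items, words = [], []
        while i < len(tokens) and tokens[i] != "}":
            tok, i = tokens[i], i + 1
            if tok in (";", "{"):
                children, i = block(i) if tok == "{" else ([], i)
                if words:
                    items.append((words[0], words[1:], children))
                words = []
            else:
                words.append(tok.strip('"'))
        return items, i + 1  # step past the closing brace
    return block(0)[0]

def find(items, name):  # yield (args, children) for each `name` directive, any depth
    for n, args, children in items:
        if n == name:
            yield args, children
        yield from find(children, name)

NEED = {("proxy_http_version", "1.1"), ("proxy_set_header", "Upgrade"),
        ("proxy_set_header", "Connection")}  # WebSocket handshake used by noVNC

def lint(text):  # -> sorted finding codes (names are this example's own)
    out = set()
    for _, srv in find(parse(text), "server"):
        ssl_on = ["on"] in [a for n, a, _ in srv if n == "ssl"]
        tls = ssl_on or any("ssl" in a for n, a, _ in srv if n == "listen")
        if ssl_on:
            out.add("deprecated-ssl-on")       # use `listen 443 ssl;` instead
        for _, loc in find(srv, "location"):
            have = {(n, *a[:1]) for n, a, _ in loc}
            proxied = any(h[0] == "proxy_pass" for h in have)
            if proxied and not tls:
                out.add("cleartext-frontend")  # login and console cross plain HTTP
            if proxied and not NEED <= have:
                out.add("websocket-headers-missing")
    return sorted(out)

# Constructed sample, condensed from the kinds of config posted in this thread.
SAMPLE = """server { listen 80; location / { proxy_pass https://192.168.10.5:8006; } }
server { listen 443; ssl on; location / { proxy_pass https://localhost:8006;
  proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade"; } }"""
print(lint(SAMPLE))
```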
 
NGINX and an ACME client for renewing LE certificates is a fine solution. I've used that before and can confirm that it works. But it's a lot of moving parts and if you're not familiar with how everything fits together, I can see how it would be frustrating.

These days, I recommend configuring a Cloudflare reverse proxy and ZeroTrust authentication with an OpenID provider (e.g. GMail) instead. I think that's less effort and probably a better user experience.

You can still use NGINX for rewriting URLs, if necessary. But that's much easier to configure.
 
