Reverse Proxy required for accessing web services running in CT / VM


Well-Known Member
Mar 4, 2014
I have configured Nginx to access Proxmox WebUI via port 443 based on this documentation.
This works like charm.

However, I need an additional solution to access web services running on specific CTs / VMs.
In my case this web service is: NIPAP

This web service has only connection to private sub network defined for PVE, means any communication is via a Proxmox node with this NIC configuration:
auto vmbr1
iface vmbr1 inet static
bridge_ports eno3
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '' -o vmbr0 -j MASQUERADE
#private sub network pve

This works like charm for outgoing communication. But incoming communication with my Nginx configuration fails with this error:
2019/06/25 09:42:54 [error] 72529#72529: *3 connect() failed (111: Connection refused) while connecting to upstream, client:, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "https://[::1]:8006/favicon.ico", host: "ld3955", referrer: "https://ld3955/ipam"

My current Nginx config is this:
upstream proxmox {
server "";

server {
listen 80 default_server;
rewrite ^(.*) https://$host$1 permanent;

server {
listen 443;
server_name _;
ssl on;
ssl_certificate /etc/pve/local/pve-ssl.pem;
ssl_certificate_key /etc/pve/local/pve-ssl.key;
proxy_redirect off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://localhost:8006;
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;

location /ipam {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
proxy_connect_timeout 3600s;

I think the issue is related to Nginx configuration; when I access NIPAP on a regular installation, the URL looks like this:

Somehow I must catch this URL to

Or will this only work using a subdomain http://ipam.ld3955/?
I would hesitate to install another service just for reverse proxy, e.g. haproxy.

Please advise.



The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!