[SOLVED] Working NoVNC with reverse proxy on 5.1

dm15

Mar 4, 2018
Hello, as I have spent a lot of time last week fighting nginx in order to make it render the NoVNC websocket correctly without any success, I saw there are multiple messages from many members indicating that it doesn't really work right now, not even this configuration.

I've managed to make it with Apache/2.4.25 and am pasting a working configuration so anyone can use it.
Replace 10.1.1.1 with your Proxmox 5.1 node IP address.


Code:
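<IfModule mod_ssl.c>
    <VirtualHost _default_:443>

        ServerAdmin admin@dummy.com
        ServerName dummy.com

        # TLS for clients connecting to the proxy
        SSLEngine on

        SSLCertificateFile    /etc/nginx/ssl/yourcert.crt
        SSLCertificateKeyFile    /etc/nginx/ssl/yourcert.key

        # TLS towards the Proxmox node. The three settings after SSLProxyEngine
        # switch off verification of the node's certificate and of the name in it.
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

        # Reverse proxy only (no forward proxy); pass the client's Host header upstream
        ProxyRequests off
        ProxyPreserveHost on

        # Web UI and API
        <Location />
            ProxyPass https://10.1.1.1:8006/
            ProxyPassReverse https://10.1.1.1:8006/
        </Location>

        # noVNC websocket of the guest consoles (nodes/<node>/<type>/<id>/vncwebsocket)
        <LocationMatch ^/(api2/json/nodes/[^\/]+/[^\/]+/[^\/]+/vncwebsocket.*)$>
            ProxyPass wss://10.1.1.1:8006/$1 retry=0
        </LocationMatch>

        <Location /websockify>
            ProxyPass ws://10.1.1.1:8006
            ProxyPassReverse ws://10.1.1.1:8006
        </Location>

    </VirtualHost>
</IfModule>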
 
Works 100% Thank you.
I failed at the configuration and then I found your post :)
 
I have found out that the PVE shell itself doesn't work with this configuration:

timed out waiting for client
TASK ERROR: command '/usr/bin/termproxy 5900 --path /nodes/proxmox --perm Sys.Console -- /bin/login -f root' failed: exit code 4

The consoles of my LXC containers work.

OK, solved. Extend the code with this:
<LocationMatch ^/(api2/json/nodes/[^\/]+/vncwebsocket.*)$>
    ProxyPass wss://ip:8006/$1 retry=0
</LocationMatch>

The Path is different when we open the Host Shell.
 
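Why the host shell timed out while the guest consoles worked, as an added example (not code from the thread): the two `<LocationMatch>` patterns posted above are run against constructed request paths. The node name `pve1`, the guest IDs and the `MERGED_WS` pattern are assumptions.

```python
import re

# Patterns copied verbatim from the thread's <LocationMatch> sections.
GUEST_WS = r"^/(api2/json/nodes/[^\/]+/[^\/]+/[^\/]+/vncwebsocket.*)$"
NODE_WS = r"^/(api2/json/nodes/[^\/]+/vncwebsocket.*)$"
# Assumption (not from the thread): one pattern covering both path shapes.
MERGED_WS = r"^/(api2/json/nodes/[^/]+/(?:[^/]+/[^/]+/)?vncwebsocket.*)$"

# Constructed request paths; "pve1", 100 and 101 are made-up names.
# LocationMatch is applied to the URL path, so no query string here.
SAMPLE_PATHS = {
    "vm console": "/api2/json/nodes/pve1/qemu/100/vncwebsocket",
    "ct console": "/api2/json/nodes/pve1/lxc/101/vncwebsocket",
    "host shell": "/api2/json/nodes/pve1/vncwebsocket",
    "api call": "/api2/json/nodes/pve1/qemu/100/status/current",
    "web ui": "/",
}


def section_for(path, ws_patterns):
    """Name the proxy section that carries `path`.

    Returns "wss" when one of the LocationMatch patterns matches,
    otherwise "https", meaning only <Location /> applies and the
    request is proxied as plain HTTPS.
    """
    for pattern in ws_patterns:
        if re.match(pattern, path):
            return "wss"
    return "https"


def coverage(ws_patterns):
    """Map each sample label to the section that would handle it."""
    return {label: section_for(path, ws_patterns)
            for label, path in SAMPLE_PATHS.items()}


def missed_websockets(ws_patterns):
    """Labels of websocket endpoints that fall through to <Location />."""
    return sorted(label for label, path in SAMPLE_PATHS.items()
                  if path.endswith("/vncwebsocket")
                  and section_for(path, ws_patterns) == "https")


if __name__ == "__main__":
    for name, pats in [("original", [GUEST_WS]),
                       ("extended", [GUEST_WS, NODE_WS]),
                       ("merged", [MERGED_WS])]:
        print(name, coverage(pats), "missed:", missed_websockets(pats))
```

With only the original pattern the host shell path is the one websocket endpoint left to `<Location />`; both patterns keep their `.*` tail, so anything appended after `vncwebsocket` in the path still matches.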
Haproxy also worked out of the box, didn't have to use it for a while now.
 
Thanks, this helped me a lot. But to get it to work I had to do this also:
Code:
a2enmod proxy_wstunnel

It took me a few minutes to figure out why it still did not work after following your example. So I post this to help others.
 
Hi, in my case it's not working for the websocket until I restarted the browser... think about it ;)
 
Hi, I tried to follow this example on my Proxmox setup.
I have Apache inside an LXC container and already configured different "config" files.
I'd like to have access to my Proxmox instance from outside my LAN.
I wrote the following code from the above example but it doesn't work.

Code:
<VirtualHost *:80>
    ServerName proxmox.mydomain.it
    Redirect / https://proxmox.mydomain.it/
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName proxmox.mydomain.it
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload$
        Header always set X-Frame-Options DENY
        SSLEngine on
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        ProxyRequests off
        ProxyPreserveHost on
        <Location />
            ProxyPass https://192.168.1.9:8006/
            ProxyPassReverse https://192.168.1.9:8006/
        </Location>
        <LocationMatch ^/(api2/json/nodes/[^\/]+/[^\/]+/[^\/]+/vncwebsocket.*)$>
            ProxyPass wss://192.168.1.9:8006/$1 retry=0
        </LocationMatch>
        <Location /websockify>
            ProxyPass ws://192.168.1.9:8006
            ProxyPassReverse ws://192.168.1.9:8006
        </Location>
        <LocationMatch ^/(api2/json/nodes/[^\/]+/vncwebsocket.*)$>
        ProxyPass wss://192.168.1.9:8006/$1 retry=0
        </LocationMatch>
</VirtualHost>
</IfModule>

When I try a2ensite and restart the Apache service I receive this error:

Code:
apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2019-11-15 21:25:54 UTC; 9s ago
  Process: 1228 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 1224 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
 Main PID: 172 (code=exited, status=1/FAILURE)

Nov 15 21:16:24 Apache systemd[1]: Starting The Apache HTTP Server...
Nov 15 21:16:24 Apache systemd[1]: Started The Apache HTTP Server.
Nov 15 21:25:54 Apache systemd[1]: apache2.service: Failed to reset devices.list: Operation not permitted
Nov 15 21:25:54 Apache systemd[1]: apache2.service: Failed to set invocation ID on control group /system.slice/apache2.service, ignoring: Operation not permitted
Nov 15 21:25:54 Apache systemd[1]: Reloading The Apache HTTP Server.
Nov 15 21:25:54 Apache systemd[1]: Reloaded The Apache HTTP Server.
Nov 15 21:25:54 Apache systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
Nov 15 21:25:54 Apache apachectl[1228]: httpd (pid 172?) not running
Nov 15 21:25:54 Apache systemd[1]: apache2.service: Unit entered failed state.
Nov 15 21:25:54 Apache systemd[1]: apache2.service: Failed with result 'exit-code'.

Can you please help me? I'm new to this stuff.
 
Thanks, this is also working for me on Proxmox 6.3.6, but I have added htauth to my config so it is a little bit secured, and added TOTP to my user in Proxmox to secure my user.

Code:
<Proxy *>
                        Order deny,allow
                        Allow from all
                        Authtype Basic
                        Authname "Password Required"
                        AuthUserFile /etc/apache2/passwd
                        Require valid-user
</Proxy>

Here is my complete config file:

Code:
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName pvedomain.tld
                ServerAlias pvedomain.tld

                SSLProxyEngine On
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerName off
                SSLProxyCheckPeerExpire off

                ErrorLog /var/log/apache2/pve_error.log
                CustomLog /var/log/apache2/pve_access.log combined

                ProxyRequests Off
                ProxyPreserveHost on

                <Location />
                    ProxyPass https://x.x.x.x:8006/
                    ProxyPassReverse https://x.x.x.x:8006/
                </Location>

                <LocationMatch ^/(api2/json/nodes/[^\/]+/[^\/]+/[^\/]+/vncwebsocket.*)$>
                    ProxyPass wss://x.x.x.x:8006/$1 retry=0
                </LocationMatch>

                <Location /websockify>
                    ProxyPass ws://x.x.x.x:8006
                    ProxyPassReverse ws://x.x.x.x:8006
                </Location>

                SSLCertificateFile      /etc/letsencrypt/live/pvedomain.tld/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/pvedomain.tld/privkey.pem
                SSLCertificateChainFile /etc/letsencrypt/live/pvedomain.tld/chain.pem
                <Proxy *>
                        Order deny,allow
                        Allow from all
                        Authtype Basic
                        Authname "Password Required"
                        AuthUserFile /etc/apache2/passwd
                        Require valid-user
                </Proxy>
        </VirtualHost>
</IfModule>

I have changed my domain and IPs in the example.
 
Still working on Proxmox 7.3-4 and Apache 2.4.52.

Thank you!
 
Hi, thanks again for the original post.

I have been using Nginx Proxy Manager in LXC docker, which I know isn't best practice (VM and docker would also work) but you can also enable 'websockets' support in the UI to support the NoVNC output. My knowledge of NGINX or Apache was limited and this particular approach suited my use case as it also supported LE certs out of the box.

I don't know what the general consensus of Nginx Proxy Manager is, but I would be keen to hear people's thoughts if they use it as well.
 
The Console works with these proxy fixes. But the PVE Shell does not.
I guess there is an additional LocationMatch necessary? If someone knows, please post!
 
I got this working using a single pve, but how do you use the balance module to balance across multiple PVEs?

So far I've got the kitchen sink loaded but struggling to understand what to use for the wss rewrite target. See example below with the commented line being the wss rewrite.

<IfModule mod_ssl.c>
    <VirtualHost proxmox.frontend.lan:443>
        LoadModule headers_module modules/mod_headers.so
        LoadModule proxy_module modules/mod_proxy.so
        LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
        LoadModule proxy_connect_module modules/mod_proxy_connect.so
        LoadModule proxy_express_module modules/mod_proxy_express.so
        LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
        LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
        LoadModule proxy_html_module modules/mod_proxy_html.so
        LoadModule proxy_http_module modules/mod_proxy_http.so
        LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
        LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
        LoadModule rewrite_module modules/mod_rewrite.so

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        ProxyRequests off
        ProxyPreserveHost on

        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

        <Proxy balancer://pve>
            BalancerMember "https://192.168.1.2:8006" route=1
            BalancerMember "https://192.168.1.3:8006" route=2
            BalancerMember "https://192.168.1.4:8006" route=3
            BalancerMember "https://192.168.1.5:8006" route=4
            ProxySet stickysession=PVEAuthCookie
        </Proxy>

        ProxyPass "/" "balancer://pve"
        ProxyPassReverse "/" "balancer://pve"

        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        # RewriteRule ^/?(.*) "wss://192.168.1.5:8006/$1" [P,L]

    </VirtualHost>
</IfModule>
 
So many years later...and your post saved me after hours trying to solve that haha
Thank you very much!
 
1726145229320.png

I've enabled this in my Nginx Proxy Manager and now I can connect to the console when connected externally through Proxmox.
 
