Proxmox VE: Proxying the PVE GUI with NGINX and serving HTTPS on the standard port.

With the release of PVE 3.0, the Proxmox VE web interface no longer requires Apache.
Instead of using a standard web server, the Proxmox team now uses a new event-driven API server called ‘pveproxy’, which listens on TCP port 8006 and delivers content via HTTPS using a self-signed certificate.

Proxying pveproxy behind NGINX prevents direct access to the event-driven API server, lets the administrator (optionally) add a second layer of HTTP authentication, makes the admin panel reachable on the standard HTTPS TCP port, and allows the use of the administrator's own SSL certificates.

First of all, install the NGINX web server (NGINX is a very powerful and lightweight one). This is easily done via APT:

apt-get install nginx-light

Install (copy) the x509 Certificate (named pve-ssl.pem) and corresponding RSA Key (named pve-ssl.key) to /etc/pve/local/ or just use the installed self-signed one, and create a VirtualHost configuration file in /etc/nginx/sites-available/pve containing these lines:

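# Redirect all plain HTTP requests to HTTPS
server {
 listen 80;
 rewrite ^(.*) https://$host$1 permanent;
}

# Terminate TLS on the standard port and forward to pveproxy
server {
 listen 443 ssl;
 server_name _;
 ssl_certificate /etc/pve/local/pve-ssl.pem;
 ssl_certificate_key /etc/pve/local/pve-ssl.key;
 location / {
  # pveproxy itself speaks HTTPS on the loopback interface
  proxy_pass https://127.0.0.1:8006;
 }
}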

Remove the default NGINX VirtualHost:

rm -f /etc/nginx/sites-enabled/default

Enable the previously created VirtualHost:

ln -sf /etc/nginx/sites-available/pve /etc/nginx/sites-enabled/

Restart the NGINX web server:

/etc/init.d/nginx restart

At this point, pointing the browser at http://PVE.Box.IP.Address/ should result in a redirect to https://PVE.Box.IP.Address/ and the PVE Administration GUI login page.

If everything works, it is a good idea to restrict access to the pveproxy API server to localhost. This can be done by creating the file /etc/default/pveproxy containing the following lines and restarting the pveproxy service:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
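
How these three lines combine, as an added example that is not part of the original article or of Proxmox's code: it evaluates a client address against the match table documented in the pveproxy man page (allow-only match allows, deny-only match denies, a match on both or on neither falls back to POLICY). The function names and client addresses are constructed for illustration.

```python
import ipaddress

# The file from the article, and a constructed variant that only flips POLICY.
PAGE_CONF = 'ALLOW_FROM="127.0.0.1"\nDENY_FROM="all"\nPOLICY="allow"\n'
DENY_POLICY_CONF = PAGE_CONF.replace('POLICY="allow"', 'POLICY="deny"')

def parse_defaults(text):
    """Parse KEY="value" lines of an /etc/default/pveproxy style file."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def networks(spec):
    """Expand a comma-separated list of addresses/CIDRs; 'all' = 0/0 and ::/0.
    Dash ranges (a.b.c.d-e.f.g.h) are not handled here."""
    nets = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item == "all":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def matches(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)

def is_allowed(conf_text, client_ip):
    """Allow-only -> allow, deny-only -> deny, both or neither -> POLICY."""
    conf = parse_defaults(conf_text)
    addr = ipaddress.ip_address(client_ip)
    allow = matches(addr, networks(conf.get("ALLOW_FROM", "")))
    deny = matches(addr, networks(conf.get("DENY_FROM", "")))
    if allow != deny:
        return allow
    return conf.get("POLICY", "allow") == "allow"

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.10", "::1"):  # constructed client addresses
        print(ip, is_allowed(PAGE_CONF, ip), is_allowed(DENY_POLICY_CONF, ip))
```

Because 127.0.0.1 matches both ALLOW_FROM and DENY_FROM="all", the POLICY line decides its fate: with POLICY="deny" the loopback connection from NGINX would be refused as well.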

With NGINX, adding HTTP authentication is very easy. Just create an htpasswd file at /etc/nginx/htpasswd and add these lines to the SSL server section of the previously created VirtualHost, just before the ‘location’ directive:

auth_basic              "PVE Restricted Access";
auth_basic_user_file    htpasswd;
