[PVE-User] PVE behind reverse proxy: different webroot possible?
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue May 9 11:01:43 CEST 2017
Hi,
On 05/05/2017 06:18 PM, Uwe Sauter wrote:
> Hi,
>
> I've seen the wiki page [1] that explains how to operate a PVE host behind a reverse proxy.
>
> I'm currently in the situation that I have several services already behind a rev proxy that are accessible with different
> webroots, e.g.
>
> https://example.com/dashboard
> https://example.com/owncloud
> https://example.com/nagios
>
> What changes would be needed so that I could reach the PVE host with
>
> https://example.com/pve ?
>
> Is it even possible?
Hmm, there are some problems as we mostly set absolute paths on
resources (images, JS and CSS files),
so the loading fails...

I.e., PVE does not know that it is accessed from
https://example.com/pve-node/ and tries to load the resources from the
absolute path /pve/foo.js,
but then https://example.com/pve/foo.js results in a 404/501 error.
The same happens for API calls, AFAIK.

Normally some webapps allow setting a "ROOT_URL" config entry, where the
access URL can be set.
As there are many places where this would need to be changed, it is not
just a quick fix, though.

But you could work with sub-domains and achieve the same, e.g. a reverse
proxy entry for:
https://pve-node.example.com
should work.

Tested with a default setup and the following nginx configuration:
----
server {
    # "ssl on;" was removed in nginx 1.25.1; enable TLS on the listen directive instead
    listen 443 ssl;
    server_name test.localhost; # <- FIXME, change

    # OPTIONAL FIXME: change if you want other certs
    # or if proxy and PVE are on separate machines
    ssl_certificate /etc/pve/local/pve-ssl.pem;
    ssl_certificate_key /etc/pve/local/pve-ssl.key;

    location / {
        # forward everything to the PVE web interface on port 8006
        proxy_pass https://localhost:8006/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        # really needed?
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        send_timeout 60s;
    }
}
----
With this I can access my cluster at https://test.localhost/ just fine.

Change server_name accordingly and, if you run the proxy on a
server other than the PVE host, also adapt the proxy_pass entry and the SSL
certs for that matter.
I only tested the situation where nginx ran on the PVE host,
but it should work the same.

AFAICT, the "upstream" config entry described in the wiki is not really
needed. Also, the redirect from port 80 HTTP to 443 HTTPS is just
convenience.
I'll update the wiki article a bit :)

> Also is it possible to make a whole PVE cluster available behind a rev proxy using [2]?
How do you mean that? It should be possible to add multiple redirects
for multiple nodes so it should work.
cheers,
Thomas
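
The absolute-path problem described in the reply above, as an added example that is not part of the original message or of PVE's code: it resolves the resource references in a page the way a browser would and reports those that fall outside the proxied prefix. The sample markup and the helper names are constructed; the paths reuse the /pve-node/ and /pve/foo.js example from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup (assumption): absolute references as in the
# message's /pve/foo.js example, plus one relative reference for contrast.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/pve/foo.css">
<script src="/pve/foo.js"></script>
<script src="js/local.js"></script>
</head><body><img src="/pve/logo.png"></body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect the src/href values of resource-loading tags, in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def escaping_resources(html, page_url, prefix):
    """Return same-origin URLs the browser would request outside `prefix`."""
    collector = ResourceCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    escaped = []
    for ref in collector.urls:
        resolved = urlsplit(urljoin(page_url, ref))
        same_origin = (resolved.scheme, resolved.netloc) == (page.scheme, page.netloc)
        # A request outside the prefix never reaches the proxied location block.
        if same_origin and not resolved.path.startswith(prefix):
            escaped.append(resolved.geturl())
    return escaped


if __name__ == "__main__":
    for url in escaping_resources(SAMPLE_HTML, "https://example.com/pve-node/", "/pve-node/"):
        print("not covered by the /pve-node/ location:", url)
```

Run against the sub-domain layout (page URL https://pve-node.example.com/ with prefix /), the same markup produces no escaping requests, which is why the sub-domain setup works without a ROOT_URL setting.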