[PVE-User] PVE behind reverse proxy: different webroot possible?
Uwe Sauter
uwe.sauter.de at gmail.com
Thu May 11 15:49:09 CEST 2017
Hi Thomas,
I've been working on this and found half of a solution. Using Nginx' sub_filter rules I was able to get all the static stuff to be
displayed under a new webroot "/pve".
These are the relevant parts of my Nginx configuration:
/etc/nginx/conf.d/default
####
upstream proxmox-cluster {
    ip_hash;
    server pve-host1:8006;
    server pve-host2:8006;
    server pve-host3:8006;
}
server {
    server_name myserver.example.org;
    listen 443 ssl;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    #[…] other locations
    location /pve/ {
        proxy_pass https://proxmox-cluster/;
        gzip off;
        # filter to rewrite href anchors in content
        sub_filter 'href="/' 'href="/pve/';
        # filter to rewrite src anchors in content
        sub_filter 'src="/' 'src="/pve/';
        # filters to add prefix to urls (e.g. in pvemanagerlib.js)
        sub_filter 'url: "/api2' 'url: "/pve/api2';
        sub_filter "url: '/api2" "url: '/pve/api2";
        sub_filter 'url = "/api2' 'url = "/pve/api2';
        sub_filter "url = '/api2" "url = '/pve/api2";
        # needed to load js files used by console window
        sub_filter 'url = "/api2' 'url = "/pve/api2';
        sub_filter "url = '/api2" "url = '/pve/api2";
        #
        sub_filter_last_modified on;
        # replace every occurrence, not only the first
        sub_filter_once off;
        # use filter on all types, not only on text/html
        sub_filter_types *;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # necessary to tell pveproxy not to compress responses or else sub_filter will not work (as it does not decompress)
        proxy_set_header Accept-Encoding "";
        proxy_redirect off;
        # really needed?
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        send_timeout 60s;
    }
}
####
With this configuration I had partial success. What is not working currently:
* Notes on the summary tab of virtual machines. Error displayed is:
"Error Method 'GET /pve/api2/extjs/nodes/hlrs-pxmx-02/qemu/101/config' not implemented (501)"
* Separate console window does not load. It seems that the URL needed to access a console is constructed by several function calls
and I don't know where I need to search for the string I need to replace. It tries to load
"https://myserver.example.org/api2/json/nodes/pve-host1/qemu/101/vncproxy" while it should load
"https://myserver.example.org/pve/api2/json/nodes/pve-host1/qemu/101/vncproxy".
* Inline console view: result is that I get displayed the root of my server: "https://myserver.example.org/index.html" (though
index.html is added by Nginx directive "index" for location "/").
* There might be more things I missed. Not even tested are containers (I don't have any).
Do you have any suggestions on those issues?
Regards,
Uwe
PS: Please also note that the use of single and double quotes inside pvemanagerlib.js is inconsistent (compare lines 4296 and 33465).
This is the reason why I have 2 sub_filters for basically the same replacement.
On 09.05.2017 at 11:01, Thomas Lamprecht wrote:
> Hi,
>
> On 05/05/2017 06:18 PM, Uwe Sauter wrote:
>> Hi,
>>
>> I've seen the wiki page [1] that explains how to operate a PVE host behind a reverse proxy.
>>
>> I'm currently in the situation that I have several services already behind a rev proxy that are accessible with different
>> webroots, e.g.
>>
>> https://example.com/dashboard
>> https://example.com/owncloud
>> https://example.com/nagios
>>
>> What changes would be needed so that I could reach the PVE host with
>>
>> https://example.com/pve ?
>>
>> Is it even possible?
>
> Hmm, there are some problems as we mostly set absolute paths on resources (images, JS and CSS files)
> so the loading fails...
> I.e., pve does not know that it is accessed from https://example.com/pve-node/ and tries to load the resources from the absolute
> path /pve/foo.js
> but then https://example.com/pve/foo.js results in a 404/501 error.
> Same happens for api calls, AFAIK.
> Normally some webapps allow to set a "ROOT_URL" config entry, where the access URL can be set.
> As there are many places where this would need to be changed it is not just a quick fix, though.
>
> But you could work with sub-domains and achieve the same, e.g. a reverse proxy entry for:
> https://pve-node.example.com
> should work.
>
> Tested with a default setup and the following nginx configuration:
>
> ----
> server {
>     listen 443;
>     server_name test.localhost; # <- FIXME, change
>     ssl on;
>     ssl_certificate /etc/pve/local/pve-ssl.pem;     # OPTIONAL FIXME, change if you want other certs
>     ssl_certificate_key /etc/pve/local/pve-ssl.key; # or proxy and PVE are on separated machines
>
>     location / {
>         proxy_pass https://localhost:8006/;
>
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-Proto https;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_redirect off;
>
>         # really needed?
>         proxy_buffering off;
>         client_max_body_size 0;
>         proxy_connect_timeout 60s;
>         proxy_read_timeout 60s;
>         proxy_send_timeout 60s;
>         send_timeout 60s;
>     }
> }
> ----
>
> With this I can access my cluster at https://test.localhost/ just fine.
>
> Change server_name respectively and if you run the proxy on another server than the PVE host adapt also the proxy_pass entry and
> the ssl certs for that matter.
> I only tested the situation where nginx ran on the PVE host but it should work the same.
>
> AFAICT, the "upstream" config entry described in the wiki is not really needed. Also the redirect from port 80 HTTP to 443 HTTPS
> is just convenience.
>
> I'll update the wiki article a bit :)
>> Also is it possible to make a whole PVE cluster available behind a rev proxy using [2]?
>
> How do you mean that? It should be possible to add multiple redirects for multiple nodes so it should work.
>
> cheers,
> Thomas
>
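
An added example, not part of the original thread: a small Python check that emulates the sub_filter rules from the configuration above (fixed strings, matched case-insensitively, every occurrence) and lists quoted "/api2" paths that still lack the "/pve" prefix afterwards. The sample body is constructed for illustration and is not taken from pvemanagerlib.js; the function names are hypothetical.

```python
import re

# (match -> replacement) pairs copied from the sub_filter lines in the post.
SUB_FILTERS = {
    'href="/': 'href="/pve/',
    'src="/': 'src="/pve/',
    'url: "/api2': 'url: "/pve/api2',
    "url: '/api2": "url: '/pve/api2",
    'url = "/api2': 'url = "/pve/api2',
    "url = '/api2": "url = '/pve/api2",
}

# Constructed sample response body (assumption, not real PVE source).
SAMPLE = """\
<link rel="stylesheet" href="/css/main.css">
<script src="/js/pvemanagerlib.js"></script>
    url: "/api2/extjs/nodes/pve-host1/qemu/101/config",
    url = '/api2/json/nodes/pve-host1/qemu/101/status';
    var path = '/api2/json/nodes/' + node + '/qemu/' + vmid + '/vncproxy';
    Ext.Ajax.request({ url:'/api2/json/nodes' });
"""

_MATCH = re.compile("|".join(re.escape(k) for k in SUB_FILTERS), re.IGNORECASE)
_LEFTOVER = re.compile(r"""["']/api2\b""")


def apply_sub_filters(body):
    """Single pass over the body: fixed strings, case-insensitive, every
    occurrence replaced (sub_filter with sub_filter_once off)."""
    return _MATCH.sub(lambda m: SUB_FILTERS[m.group(0).lower()], body)


def unrewritten_refs(body):
    """Return (line number, line) for each quoted '/api2' path without the prefix."""
    return [(n, line.strip())
            for n, line in enumerate(body.splitlines(), 1)
            if _LEFTOVER.search(line)]


if __name__ == "__main__":
    for n, line in unrewritten_refs(apply_sub_filters(SAMPLE)):
        print(f"line {n}: still root-absolute: {line}")
```

Run against a saved copy of a proxied response, this shows which path literals the fixed-string rules miss, such as paths assembled by concatenation or written with different spacing around the quote.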