
Proxmox GUI hinter Nginx verstecken

Posted: Mon 29. Jul 2019, 20:47
by h3rb3rn
Fassung vom 21.04.2020

Proxmox GUI absichern

Proxmox Port 8006 binden an localhost (127.0.0.1)

Anlegen der Datei /etc/default/pveproxy


# /etc/default/pveproxy: source-address filter for the Proxmox web/API daemon.
# These settings are an access list, not a bind address: they decide which peers
# pveproxy answers, so port 8006 may still show up as open in a port scan.
# pveproxy also documents LISTEN_IP="127.0.0.1" for an actual loopback bind;
# check `man pveproxy` for whether your version supports it.
# Restart pveproxy after editing this file so the new rules are loaded.
#
# Only the local nginx reverse proxy (which connects via 127.0.0.1) is allowed.
ALLOW_FROM="127.0.0.1"
# Every source address is on the deny list.
DENY_FROM="all"
# POLICY decides for addresses that match both lists; "allow" lets 127.0.0.1 in.
# NOTE(review): same combination as the man page example; confirm the match
# table in `man pveproxy` for your version.
POLICY="allow"
Proxmox via proxy_pass hinter Nginx mit HTTP-Basic-Auth (.htpasswd) verstecken

Nginx und Webserver Tools installieren


# nginx: TLS-terminating reverse proxy in front of pveproxy
# openssl: creates the self-signed certificate
# apache2-utils: provides the htpasswd tool used for the Basic-Auth password file
apt install nginx openssl apache2-utils

Anlegen des selbst signierten TLS/SSL Zertifikates


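# Directory for the key material, accessible to root only (the nginx master
# process reads certificate and key as root). -p keeps the step repeatable.
sudo mkdir -p /etc/nginx/ssl
sudo chmod 700 /etc/nginx/ssl

# Self-signed certificate for the proxy, written to the exact paths the nginx
# server block references.
# -nodes stores the private key unencrypted so nginx can start unattended;
#  the file mode set below is then the only protection the key has.
# -newkey takes the key size as a plain number (rsa:4096).
# -addext adds a subjectAltName, which current browsers use instead of the CN
#  for host name matching (needs OpenSSL 1.1.1 or newer).
# Replace pve.4noobs.de in both -subj and -addext with your own host name.
sudo openssl req -new -x509 -days 999 -newkey rsa:4096 -sha512 -nodes \
  -out /etc/nginx/ssl/pve.crt -keyout /etc/nginx/ssl/pve.key \
  -subj "/C=DE/ST=Chaoszone/L=Cyberspace/O=4noobs/OU=Hosting/CN=pve.4noobs.de" \
  -addext "subjectAltName=DNS:pve.4noobs.de"

# The private key must not be readable by other local users.
sudo chmod 600 /etc/nginx/ssl/pve.key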

Anlegen der .htpasswd (ndwatch gegen den eigenen Benutzernamen austauschen)


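cd /etc/nginx/
# Create the Basic-Auth password file for nginx; replace ndwatch with your own
# user name. -c creates the file and overwrites an existing one, so leave -c
# out when adding further users later.
sudo htpasswd -c /etc/nginx/.htpasswd ndwatch
# The file holds password hashes: restrict it to root and the nginx worker group.
# www-data is the worker user of Debian's nginx package; check the `user`
# directive in /etc/nginx/nginx.conf if your setup differs.
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd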
Anlegen der /etc/nginx/sites-available/proxmox.conf (pve.4noobs.de gegen die eigene Domain austauschen)

Quelle: https://gist.githubusercontent.com/serg ... xprox.conf


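# Reverse proxy for the Proxmox GUI: terminates TLS on 443, asks for HTTP Basic
# credentials, and forwards to pveproxy on the loopback address.
server {
        listen 443 ssl http2;

        root    /var/www/default;

        server_name pve.4noobs.de;

        # Basic auth is declared at server level so that every location
        # inherits it. Declared only inside "location /", it does not cover
        # the regex locations below (nginx prefers a matching regex location
        # over the "/" prefix match), which leaves /api2/ and /novnc/
        # reachable without the proxy password.
        # NOTE(review): confirm the noVNC console still opens in the browsers
        # you use; the WebSocket handshake has to carry the credentials too.
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Refuse requests whose Referer header names a foreign site; requests
        # without a Referer or with a stripped one are still accepted.
        valid_referers none blocked server_names;
        if ($invalid_referer) {
            return 403;
        }
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;

        access_log /var/log/nginx/proxmox-ssl-access.log;
        error_log /var/log/nginx/proxmox-ssl-error.log;

        # Large limit so ISO/template uploads through the GUI are not cut off.
        client_max_body_size 1024m;

        # nginx documents HTTP/1.1 towards the upstream as a requirement for
        # WebSocket proxying (noVNC); the locations below inherit this.
        proxy_http_version 1.1;

        include proxy_params;

        #include ssl/proxmox.conf;
        ssl_certificate /etc/nginx/ssl/pve.crt;
        ssl_certificate_key /etc/nginx/ssl/pve.key;


        location / {
                # WebSocket upgrade headers, needed for the VNC console
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                # Keep the proxy's Basic credentials away from pveproxy.
                # Consequence: API-token clients, which need the Authorization
                # header themselves, cannot go through this proxy.
                proxy_set_header Authorization "";

                # proxy_set_header in a location replaces the inherited set,
                # so the shared header file is included again here.
                include proxy_params;
                proxy_pass https://127.0.0.1:8006;
        }

        location ~* ^/(api2|novnc)/ {
                proxy_redirect off;
                # WebSocket upgrade headers, needed for the VNC console
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                # Keep the proxy's Basic credentials away from pveproxy.
                proxy_set_header Authorization "";

                include proxy_params;
                proxy_pass https://127.0.0.1:8006;
        }

        # Static GUI assets are served from disk when the file exists there,
        # otherwise the request is handed to pveproxy via @proxmox.
        location ~* ^/pve2/(?<file>.*)$ {
                gzip_static on;
                root /usr/share/pve-manager;
                try_files /$file @proxmox;
        }
        # Special for proxmox-5.x
        location ~* ^/proxmox.*\.js$ {
                gzip_static on;
                # NOTE(review): "/usr/share/usr/share/..." looks like a
                # duplicated prefix. If the directory does not exist the lookup
                # misses and the request falls through to @proxmox; verify the
                # intended directory on your host.
                root /usr/share/usr/share/javascript/proxmox-widget-toolkit;
                try_files $uri @proxmox;
        }
        location ~* ^/pve-docs/(?<file>.*)$ {
                gzip_static on;
                root /usr/share/pve-docs;
                try_files /$file @proxmox;
        }
        # Fallback target of the try_files directives above.
        location @proxmox {
                # WebSocket upgrade headers, needed for the VNC console
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                # Keep the proxy's Basic credentials away from pveproxy.
                proxy_set_header Authorization "";

                include proxy_params;
                proxy_pass https://127.0.0.1:8006;
        }
}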
Aktivieren der proxmox.conf


# Enable the site by linking it into sites-enabled/, which Debian's nginx.conf
# includes; the change only takes effect once nginx reloads its configuration.
sudo ln -s /etc/nginx/sites-available/proxmox.conf /etc/nginx/sites-enabled/
Nginx neustarten


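# Validate the configuration before restarting: pveproxy only accepts
# connections from 127.0.0.1 at this point, so an nginx that fails to start
# would leave the GUI unreachable from the network.
sudo nginx -t && sudo systemctl restart nginx.service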