Proxmox GUI hinter Nginx verstecken
Posted: Mon 29. Jul 2019, 20:47
Fassung vom 21.04.2020
Proxmox GUI absichern
Proxmox Port 8006 binden an localhost (127.0.0.1)
Anlegen der Datei /etc/default/pveproxy
Proxmox via ProxyPass hinter Nginx mit .htaccess verstecken
Nginx und Webserver Tools installieren
Anlegen des selbst signierten TLS/SSL Zertifikates
Anlegen der .htaccess (ndwatch gegen den eigenen User austauschen)
anlegen der /etc/nginx/sites-available/proxmox.conf (pve.4noobs.de gegen die eigene Domain austauschen)
Quelle: https://gist.githubusercontent.com/serg ... xprox.conf
aktivieren der proxmox.conf
Nginx neustarten
Proxmox GUI absichern
Proxmox Port 8006 binden an localhost (127.0.0.1)
Anlegen der Datei /etc/default/pveproxy
Code: Select all
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
Nginx und Webserver Tools installieren
Code: Select all
apt install nginx openssl apache2-utils
Anlegen des selbst signierten TLS/SSL Zertifikates
Code: Select all
mkdir /etc/nginx/ssl/;
cd /etc/nginx/ssl/;
sudo openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out pve.crt -keyout pve.key -subj "/C=DE/ST=Chaoszone/L=Cyberspace/O=4noobs/OU=Hosting/CN=pve.4noobs.de"
Anlegen der .htaccess (ndwatch gegen den eigenen User austauschen)
Code: Select all
cd /etc/nginx/
sudo htpasswd -c /etc/nginx/.htpasswd ndwatch
Quelle: https://gist.githubusercontent.com/serg ... xprox.conf
Code: Select all
server {
listen 443 ssl http2;
root /var/www/default;
server_name pve.4noobs.de;
valid_referers none blocked server_names;
if ($invalid_referer) {
return 403;
}
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
access_log /var/log/nginx/proxmox-ssl-access.log;
error_log /var/log/nginx/proxmox-ssl-error.log;
client_max_body_size 1024m;
include proxy_params;
#include ssl/proxmox.conf;
ssl_certificate /etc/nginx/ssl/pve.crt;
ssl_certificate_key /etc/nginx/ssl/pve.key;
location / {
# Magick for VNC
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
location ~* ^/(api2|novnc)/ {
proxy_redirect off;
# Magick for VNC
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
location ~* ^/pve2/(?<file>.*)$ {
gzip_static on;
root /usr/share/pve-manager;
try_files /$file @proxmox;
}
# Special for proxmox-5.x
location ~* ^/proxmox.*\.js$ {
gzip_static on;
root /usr/share/usr/share/javascript/proxmox-widget-toolkit;
try_files $uri @proxmox;
}
location ~* ^/pve-docs/(?<file>.*)$ {
gzip_static on;
root /usr/share/pve-docs;
try_files /$file @proxmox;
}
location @proxmox {
# Magick for VNC
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
include proxy_params;
proxy_pass https://127.0.0.1:8006;
}
}
Code: Select all
sudo ln -s /etc/nginx/sites-available/proxmox.conf /etc/nginx/sites-enabled/
Code: Select all
sudo systemctl restart nginx.service