
Nginx ProxMox Proxy using Letsencrypt SSL cert

Why use an nginx Proxmox proxy with a Let's Encrypt SSL cert?

1st: why not?
2nd: Load balancing! Nginx is built to handle many concurrent connections from a multitude of clients, which makes it ideal as the point of contact for those clients. The server can pass requests to any number of backend servers to do the bulk of the work, spreading the load across your infrastructure. This design also gives you the flexibility to add backend servers or take them down for maintenance easily.
3rd: Security! Nginx can often be configured to block access to certain parts of the underlying application, so life doesn't throw you a curveball at 3AM on December 24th 2006 (don't ask 🙁 ).
4th: Port firewall constraints! Sometimes you need to access an application on port 34563 but the firewall doesn't allow access on random ports. You can allow incoming connections on port 80 via nginx and proxy them to the app on 34563.
5th: seriously… why not…

Now you know why we may want nginx as a frontend proxy for our underlying app, so let's get to setting it up for our use case: protecting Proxmox from bad actors and providing reliable access to it for ourselves. We are going to set up nginx to redirect all traffic from port 80 to port 443, where a Let's Encrypt certificate will give us SSL-encrypted access.

Install nginx-light instead of nginx-full, so you get a smaller set of modules and a lighter install. You can install nginx or nginx-full instead if you wish.

apt-get install nginx-light

Remove the default nginx config:

rm /etc/nginx/sites-enabled/default

Add a new nginx config with the contents below:

nano /etc/nginx/sites-enabled/default

Add the following:

# Backend: the Proxmox web UI listens on 8006 (HTTPS) on this host.
upstream proxmox {
    server 127.0.0.1:8006;
}

server {
    listen 80 default_server;
    server_name _;

    # Serve Let's Encrypt HTTP-01 challenges over plain HTTP and redirect
    # everything else to HTTPS. A server-level "rewrite ... permanent" would
    # run before location matching and redirect the challenge as well.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name _;
    # These files only exist after the certificate step below; nginx will
    # refuse to (re)start until they do.
    ssl_certificate /etc/letsencrypt/live/proxmoxdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxmoxdomain.com/privkey.pem;
    # ssl-params.conf holds the protocol/cipher settings and must exist under
    # /etc/nginx (or be included with a full path).
    include ssl-params.conf;
    proxy_redirect off;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    location / {
        # WebSocket upgrade is required for the noVNC / console sessions.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass https://proxmox;
        proxy_buffering off;
        # No body size limit so large ISO uploads through the UI succeed.
        client_max_body_size 0;
        # Long timeouts keep console sessions and uploads from being cut off.
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}

Install git:

apt-get -y install git

Grab a copy of the Let's Encrypt client:

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Get the certs:

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d proxmoxdomain.com

Specify your email when asked; this is only used to retrieve lost certs. Then agree to the TOS.

You will get 4 files from this:

  • cert.pem: Your domain’s certificate
  • chain.pem: The Let’s Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: Your certificate’s private key

These files are located in:

  • /etc/letsencrypt/live/proxmoxdomain.com

Now that your certs are in place, restart nginx and you are live:

service nginx restart

or

systemctl restart nginx
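A pre-reload sanity check for this setup, added here as an example and not part of the original post: before nginx is reloaded it verifies that the Let's Encrypt certificate at the paths above still has at least a week of validity and actually matches the private key. The function names and the 7-day threshold are my choices.

```shell
#!/bin/sh
# Pre-reload check for the nginx front end above. Added example, not from the
# original post; the cert/key paths are the ones the config references.
set -eu

CERT=${CERT:-/etc/letsencrypt/live/proxmoxdomain.com/fullchain.pem}
KEY=${KEY:-/etc/letsencrypt/live/proxmoxdomain.com/privkey.pem}

# Succeeds if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if the private key in $2 belongs to the certificate in $1
# (compares the public key embedded in each).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# Refuse to reload nginx if the cert is about to expire, does not match the
# key, or the config fails nginx -t; a bad reload would take the UI offline.
safe_reload() {
    cert_valid_for_days "$CERT" 7 || { echo "certificate expires within 7 days, renew first" >&2; return 1; }
    cert_matches_key "$CERT" "$KEY" || { echo "private key does not match certificate" >&2; return 1; }
    nginx -t || return 1
    systemctl reload nginx
}
```

Run it as `safe_reload` from a renewal hook or cron so a broken renewal never reaches the running nginx.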

Proxmox iso upload method

I just set up Proxmox and am testing out various features. I needed to upload an ISO so I could install an OS. It took me a bit, so I figured I'd throw it on here for future reference.

  1. Log in to the Proxmox web control panel.
  2. Go to Server View from the drop-down on the left-hand side.
  3. Expand the Datacenter menu until you see local, then click it.
  4. On the right-hand side select the Content tab.
  5. Click the Upload button.
  6. Click Select File, find your ISO, and click Upload.

This should solve any Proxmox ISO upload questions that may arise 🙂

Update to add a screenshot below.


Proxmox IP bridge for single public IP


I just set up a test copy of Proxmox 4.1 and realized I only had one IP attached to the box, so I had to set up a bridge and forward ports to the internal IPs. The basic idea is that we are going to set up a new virtual bridge interface in your networking file. This requires a working Proxmox machine up and running. I am using a standard install, with no changes made to the network prior to this.

Proxmox Desired Network Layout

External IP ---------- proxmox server as NAT ---------- Internal IP
1.2.3.4     ---------- 1.2.3.4  NAT  10.0.0.10 ---------- 10.0.0.10

Current Network Layout

When we check /etc/network/interfaces we see the following:

# The loopback network interface
auto lo
iface lo inet loopback

# for Routing
auto vmbr1
iface vmbr1 inet manual
        post-up /etc/pve/kvm-networking.sh
        bridge_ports dummy0
        bridge_stp off
        bridge_fd 0


# vmbr0: Bridging. Make sure to use only MAC addresses that were assigned to you.
auto vmbr0
iface vmbr0 inet static
        address 1.2.3.4
        netmask 255.255.255.0
        network 1.2.3.0
        broadcast 1.2.3.255
        gateway 1.2.3.254
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

iface vmbr0 inet6 static
        address 1:2:3:4::5
        netmask 64
        post-up /sbin/ip -f inet6 route add 1:2:3:4:ff:ff:ff:ff dev vmbr0
        post-up /sbin/ip -f inet6 route add default via 1:2:3:4:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del default via 1:2:3:4:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del 1:2:3:4:ff:ff:ff:ff dev vmbr0

As you can see above, we have a working interfaces file, just with placeholder IPs instead of real ones; yours will of course have your own IP. Also, you may not have an inet6 section.

The actual Proxmox IP bridge part

I added a new bridge interface to it like so:

auto vmbr10
iface vmbr10 inet static
    address 10.0.0.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 12022 -j DNAT --to 10.0.0.2:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 12022 -j DNAT --to 10.0.0.2:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 12080 -j DNAT --to 10.0.0.2:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 12080 -j DNAT --to 10.0.0.2:80

OK, so let's break it down, line by line:

automatically start vmbr10
interface vmbr10 is a network interface with a static IP
the address of the Proxmox host itself on this interface is 10.0.0.254
netmask is 255.255.255.0
don't bind any physical ports to the bridge
disable the Spanning Tree Protocol **
disable delayed forwarding (no forwarding delay)
allow IP traffic forwarding once networking is up after a boot
add IP masquerading when networking comes online ***
remove masquerading when networking goes offline
enable forwarding of all packets arriving on public port 12022 to port 22 on machine 10.0.0.2 in the private subnet when networking is up
remove that forwarding for port 12022 when networking goes down
enable forwarding of all packets arriving on public port 12080 to port 80 on machine 10.0.0.2 in the private subnet when networking is up
remove that forwarding for port 12080 when networking goes down


Now, as you can see above, you have a basic bridge and you are forwarding specific ports to internal ports on the VMs. You can forward more ports by copying the last two lines and changing the ports, or forward to different VMs by changing the IPs. Also, vmbr10 is an arbitrary number and can be changed at will. After all is done, simply reboot the machine and you are up and running. You can restart networking or run ifup vmbr10 if you want, but I prefer a clean boot to test the new networking. This should give you a working Proxmox IP bridge 🙂
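An added helper, not from the original post, that generates the post-up/post-down lines of the vmbr10 stanza from a list of forwards and rejects duplicate public ports (two DNAT rules for the same --dport would otherwise coexist, with only the first ever matching). WAN=vmbr0 and 10.0.0.0/24 come from the interfaces file above; the function names are mine.

```shell
#!/bin/sh
# Builds the post-up/post-down iptables lines for the vmbr10 stanza from a
# list of "pubport vm_ip vm_port" forwards. Added example, not from the post.
# Assumes the WAN bridge is vmbr0 and the private subnet is 10.0.0.0/24.
WAN=${WAN:-vmbr0}
LAN_NET=${LAN_NET:-10.0.0.0/24}

# One DNAT rule: $1 = A (add) or D (delete), $2 = public port, $3 = VM IP, $4 = VM port.
dnat_rule() {
    printf 'iptables -t nat -%s PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$1" "$WAN" "$2" "$3" "$4"
}

# Masquerade rule for the private subnet: $1 = A or D.
masq_rule() {
    printf 'iptables -t nat -%s POSTROUTING -s %s -o %s -j MASQUERADE' "$1" "$LAN_NET" "$WAN"
}

# Fails (status 1) if any public port in the list on stdin appears twice;
# with duplicates only the first DNAT rule would ever match.
check_forwards() {
    dups=$(awk '{print $1}' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate public port(s): $dups" >&2; return 1; }
}

# Emits the stanza lines for the forwards on stdin (one "pubport ip port"
# per line): ip_forward, masquerade add/remove, then add/remove per forward.
gen_stanza() {
    fwds=$(cat)
    printf '%s\n' "$fwds" | check_forwards || return 1
    echo "    post-up echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "    post-up $(masq_rule A)"
    echo "    post-down $(masq_rule D)"
    printf '%s\n' "$fwds" | while read -r pub ip port; do
        [ -n "$pub" ] || continue
        echo "    post-up $(dnat_rule A "$pub" "$ip" "$port")"
        echo "    post-down $(dnat_rule D "$pub" "$ip" "$port")"
    done
}
```

Feed it the forwards from the post (`printf '12022 10.0.0.2 22\n12080 10.0.0.2 80\n' | gen_stanza`) and paste the output under the vmbr10 stanza.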


Let me know if I messed up anything or how you dealt with this situation.


** The Spanning Tree Protocol (STP) is an older network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them.

*** IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to reach the Internet as well. Linux IP Masquerading allows this even though these internal machines don't have an officially assigned IP address.