GitHub user ewerton-silva00 closed the discussion with a comment: Nginx or 
Apache as a reverse proxy in front of CloudStack (including VNC console support)

@bradh352, thank you for your contribution.

You helped me configure the proxy correctly in Nginx.

I am leaving my working configuration here for anyone who needs guidance.

/etc/nginx/sites-available/consoleproxy.conf
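```nginx
# Console proxy front end. TLS terminates here and the request is forwarded to
# the CloudStack console proxy system VM whose address is encoded in the
# hostname (192-168-0-NN.consoleproxy.example.io -> 192.168.0.NN).
server {
    listen 443 ssl http2;
    # NOTE(review): 8080 is exposed over TLS as well, presumably because the
    # console URLs CloudStack hands out reference that port — confirm.
    listen 8080 ssl http2;

    # Each octet of the dashed IP is captured for $backend_ip below. The
    # certificate must be valid for these hostnames (a wildcard such as
    # *.consoleproxy.example.io, most likely).
    server_name ~^(?<oct1>192)-(?<oct2>168)-(?<oct3>0)-(?<oct4>[1-9][0-9]?)\.consoleproxy\.example\.io$;

    ssl_certificate /etc/letsencrypt/live/consoleproxy.example.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/consoleproxy.example.io/privkey.pem;
    ssl_dhparam /etc/ssl/dhparam.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Browser hardening headers. "always" also applies them to error responses
    # such as the 403 below. X-XSS-Protection is a legacy header that current
    # browsers mostly ignore; it is harmless to keep.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    access_log /var/log/nginx/consoleproxy.access.log;
    error_log /var/log/nginx/consoleproxy.error.log warn;

    # The backend address is derived from a client-supplied hostname, so it
    # must be bounded: the server_name pattern alone admits 192.168.0.1-99.
    # Only the console proxy VM range 192.168.0.10 - 192.168.0.50 is allowed;
    # anything else is rejected with 403 before any upstream connection is made.
    if ($oct4 !~ ^(1[0-9]|[2-4][0-9]|50)$) { return 403; }

    set $backend_ip "${oct1}.${oct2}.${oct3}.${oct4}";

    # Pass-through settings: no body size limit, no caching and no buffering,
    # so console traffic is relayed as it arrives.
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_cache off;
    proxy_request_buffering off;
    proxy_buffering off;
    proxy_max_temp_file_size 0;
    proxy_redirect off;

    # Console UI: plain HTTP to the system VM on its default port.
    location / {
        proxy_pass http://$backend_ip;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Connection is forced to "upgrade" on every request, not only on
        # WebSocket handshakes. The usual idiom is a map from $http_upgrade to
        # $connection_upgrade in the http context; kept as-is here because that
        # map lives outside this file.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600;
    }

    # noVNC WebSocket endpoint on the system VM's port 8080. The long read
    # timeout keeps idle console sessions from being dropped by the proxy.
    location /websockify {
        proxy_pass http://$backend_ip:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;
        proxy_ignore_client_abort off;
        proxy_read_timeout 86400;
    }
}
```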

/etc/nginx/sites-available/secstorage.conf
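```nginx
# Secondary storage front end. TLS terminates here and the request is
# forwarded over HTTPS to the secondary storage system VM whose address is
# encoded in the hostname (192-168-0-NN.secstorage.example.io -> 192.168.0.NN).
server {
    listen 443 ssl http2;

    # Each octet of the dashed IP is captured for $backend_ip below. The
    # certificate must be valid for these hostnames (a wildcard such as
    # *.secstorage.example.io, most likely).
    server_name ~^(?<oct1>192)-(?<oct2>168)-(?<oct3>0)-(?<oct4>[1-9][0-9]?)\.secstorage\.example\.io$;

    ssl_certificate /etc/letsencrypt/live/secstorage.example.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secstorage.example.io/privkey.pem;
    ssl_dhparam /etc/ssl/dhparam.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Browser hardening headers. "always" also applies them to error responses
    # such as the 403 below. X-XSS-Protection is a legacy header that current
    # browsers mostly ignore; it is harmless to keep.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    access_log /var/log/nginx/secstorage.access.log;
    error_log /var/log/nginx/secstorage.error.log warn;

    # The backend address is derived from a client-supplied hostname, so it
    # must be bounded: the server_name pattern alone admits 192.168.0.1-99.
    # Only the system VM range 192.168.0.10 - 192.168.0.50 is allowed; anything
    # else is rejected with 403 before any upstream connection is made.
    if ($oct4 !~ ^(1[0-9]|[2-4][0-9]|50)$) { return 403; }

    set $backend_ip "${oct1}.${oct2}.${oct3}.${oct4}";

    # Pass-through settings: no body size limit (template/ISO uploads), no
    # caching and no buffering, so transfers are relayed as they arrive.
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_cache off;
    proxy_request_buffering off;
    proxy_max_temp_file_size 0;
    proxy_redirect off;
    proxy_buffering off;

    location / {
        proxy_pass https://$backend_ip;
        # $http_host is the raw Host header (including any port); the console
        # proxy config uses $host instead. Either works, but pick one
        # consistently across the two files.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # The upstream certificate is NOT verified, so the proxy-to-VM hop is
        # only as trustworthy as the management network it crosses. This is
        # acceptable only while the system VM presents a certificate nginx
        # cannot validate (e.g. self-signed). If the VM's certificate chains to
        # a CA you control, switch to `proxy_ssl_verify on;` and point
        # `proxy_ssl_trusted_certificate` at that CA bundle.
        proxy_ssl_verify off;
        proxy_read_timeout 600;
    }
}
```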



GitHub link: 
https://github.com/apache/cloudstack/discussions/11562#discussioncomment-15500459
