Access Vsphere web client using Nginx reverse proxy

August 30, 2016
Nginx Ubuntu

We have a deployment scenario wherein we want to expose a public URL and, behind that, access the vCenter web client through Nginx using a reverse proxy. Currently we are only able to access the login page, which gets stuck when we enter the credentials.

Following is our conf file:

server {
    listen 80;
    server_name localhost;
    #access_log logs/host.access.log main;

    location / {
        root   html;
        index  index.html index.htm;
        resolver DNS server;
        proxy_pass vcenter IP;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

4 Answers

Doing a little searching, I've found that a simple reverse proxy will not work for vCenter, but I was able to find this repository, which includes a sample nginx configuration and the other things needed to proxy vCenter.

  • Thanks for the reply.
    We were able to access the vCenter web client, but were unable to launch the VM console from the vSphere web client through the reverse proxy. Any pointers on this?

    Regards,
    Sagar

I've got it working with vCenter 6 using ryanpq's answer and some decent modifications.
this repository

Here's my nginx.conf, minus my site's name and some comments. I had to add some things and move things around, and I didn't see that port 7331 was needed at all when I connected locally so it was removed. You can compare with what I've linked above. Keep in mind, ports 443 and 9443 need to be forwarded to your NGINX server. Also, remember that your vSphere web client will be at https://<vcenter ip>/vsphere-client. I hope this helps others.

#user html;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
            worker_connections  1024;
}


http {


#
# A virtual host using mix of IP-, name-, and port-based configuration
#

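        # Note: nginx inherits proxy_set_header from this level only into
        # blocks that define no proxy_set_header of their own, so the
        # /vsphere-client location below does not receive these headers.
        proxy_set_header            Host            $http_host;
        proxy_set_header            X-Real-IP       $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;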

#
# The upstream VCSA hostname or IP address for port 9443
#
        upstream vcsa-9443 {
                  server 192.168.1.128:9443;
        }

#
# HTTP => HTTPS redirect
#
        server {
                listen        80;
                server_name   example.com;

                location / {
                        allow all;
                        return 302 https://$server_name$request_uri;
                }
        }

#
# Main HTTPS Reverse Proxy for the VCSA
#
        server {
                listen        443 ssl;
                listen        9443 ssl;
                server_name   example.com;

                ssl_certificate  /etc/letsencrypt/live/example.com/fullchain.pem;
                ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
                # TLSv1 and TLSv1.1 are deprecated (RFC 8996).
                ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers    HIGH:!aNULL:!MD5;
                keepalive_timeout 60;

                location /vsphere-client {
                        allow all;
                        proxy_set_header Host $http_host;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_pass https://vcsa-9443;
                }
        }
}

Ok, I was testing externally using a VPN. I'm testing from an external system today, and it's not working. It looks like it was still saying example.com, but it was actually using 192.168.1.128. I've also noticed the HTTPS cert isn't showing as secure. I'll follow up if I ever figure out why it doesn't seem to actually be proxying appropriately.

The following line fixes the redirect issue. Now I'm getting a 404 error for /websso/SAML2/SSOSSL. The link it's trying to go to looks just the same as when it's working locally minus using the IP. Not yet working, but at least I know I'm definitely getting to the server from an external source.

proxy_redirect https://192.168.1.128 https://example.com;
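
As an added example (not code from the thread or from nginx): a small Python check that models the plain-string prefix rewrite done by the `proxy_redirect` line above and flags upstream `Location` headers that would still expose a private address to the browser. The sample headers and the `next` query parameter are constructed for illustration, not captured from a vCenter.

```python
import ipaddress
import re
from urllib.parse import unquote

# Values taken from the proxy_redirect line in the answer above.
REDIRECT = "https://192.168.1.128"
REPLACEMENT = "https://example.com"
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def apply_proxy_redirect(location, redirect=REDIRECT, replacement=REPLACEMENT):
    """Model the plain-string form: swap a matching prefix, touch nothing else."""
    if location.startswith(redirect):
        return replacement + location[len(redirect):]
    return location


def internal_addresses(location):
    """Private IPv4 addresses still visible in the header, query string included."""
    found = []
    for candidate in IPV4.findall(unquote(location)):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # dotted number that is not a valid address
        if addr.is_private and candidate not in found:
            found.append(candidate)
    return found


def audit(locations):
    """Map each upstream Location to (header sent to the client, leaked addresses)."""
    rewritten = {loc: apply_proxy_redirect(loc) for loc in locations}
    return {loc: (new, internal_addresses(new)) for loc, new in rewritten.items()}


# Constructed upstream Location headers; the "next" parameter is hypothetical.
SAMPLE_LOCATIONS = [
    "https://192.168.1.128/vsphere-client/",
    "https://192.168.1.128:9443/vsphere-client/",
    "http://192.168.1.128/vsphere-client/",  # different scheme: prefix does not match
    "https://192.168.1.128/vsphere-client/?next=https%3A%2F%2F192.168.1.128%2Fvsphere-client%2F",
    "/vsphere-client/",
]

if __name__ == "__main__":
    for original, (sent, leaks) in audit(SAMPLE_LOCATIONS).items():
        print("LEAK" if leaks else "ok  ", sent, leaks)
```

The third and fourth samples are the ones reported as leaks: a redirect with a different scheme does not match the configured prefix, and an address carried inside a query parameter is outside what a prefix rewrite changes.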
