Access vSphere web client using Nginx reverse proxy

August 30, 2016
Nginx Ubuntu

We have a deployment scenario wherein we want to expose a public URL and, behind that, access the vCenter web client through Nginx using a reverse proxy. Currently we are only able to access the login page, which gets stuck when we enter the credentials.

Following is our conf file:

server {
    listen 80;
    server_name localhost;
    #access_log logs/host.access.log main;

    location / {
        root   html;
        index  index.html index.htm;
        resolver <DNS server>;
        proxy_pass <vCenter IP>;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

4 Answers

Doing a little searching, I've found that a simple reverse proxy will not work for vCenter, but I was able to find this repository, which includes a sample nginx configuration and the other things needed to proxy vCenter.

  • Thanks for the reply.
    We were able to access the vCenter web client, but were unable to launch the VM console from the vSphere web client through the reverse proxy. Any pointers on this?

    Regards,
    Sagar

I've got it working with vCenter 6 using ryanpq's answer and some decent modifications.
this repository

Here's my nginx.conf, minus my site's name and some comments. I had to add some things and move things around, and I didn't see that port 7331 was needed at all when I connected locally so it was removed. You can compare with what I've linked above. Keep in mind, ports 443 and 9443 need to be forwarded to your NGINX server. Also, remember that your vSphere web client will be at https://<vcenter ip>/vsphere-client. I hope this helps others.

#user html;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
            worker_connections  1024;
}


http {


#
# A virtual host using mix of IP-, name-, and port-based configuration
#

        proxy_set_header            Host             $http_host;
        proxy_set_header            X-Real-IP        $remote_addr;
        proxy_set_header            X-Forwarded-For  $proxy_add_x_forwarded_for;

#
# The upstream VCSA hostname or IP address for port 9443
#
        upstream vcsa-9443 {
                  server 192.168.1.128:9443;
        }

#
# HTTP => HTTPS redirect
#
        server {
                listen        80;
                server_name   example.com;

                location / {
                        allow all;
                        return 302 https://$server_name$request_uri;
                }
        }

#
# Main HTTPS Reverse Proxy for the VCSA
#
        server {
                listen        443 ssl;
                listen        9443 ssl;
                server_name   example.com;

                ssl_certificate  /etc/letsencrypt/live/example.com/fullchain.pem;
                ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
                ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers    HIGH:!aNULL:!MD5;
                keepalive_timeout 60;

                location /vsphere-client {
                        allow all;
                        proxy_set_header Host $http_host;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_pass https://vcsa-9443;
                }
        }
}

Ok, I was testing externally using a VPN. I'm testing from an external system today, and it's not working. It looks like it was still saying example.com, but it was actually using 192.168.1.128. I've also noticed the HTTPS cert isn't showing as secure. I'll follow up if I ever figure out why it doesn't seem to actually be proxying appropriately.

The following line fixes the redirect issue. Now I'm getting a 404 error for /websso/SAML2/SSOSSL. The link it's trying to go to looks just the same as when it's working locally minus using the IP. Not yet working, but at least I know I'm definitely getting to the server from an external source.

proxy_redirect https://192.168.1.128 https://example.com;

  • Hey, were you able to get it figured out in the end? I am trying to set up a reverse proxy for my setup, to no avail!

    Thank you

    • It's been a long time since I've messed with it, but it works minus console. I ended up on different projects eventually, so I'm not sure if the console is or isn't possible. From what I remember, I rebuilt my vCenter appliance to use the same domain name as my public domain name. That was definitely important for me getting it working. My Raspberry Pi 3 is my reverse NGINX server, and I also have BIND running on it with an internal version of my public domain, so my internal systems resolve the domain to internal IPs. That may have been part of it too, but I can't remember.

      Here is the relevant snip from my active config. I just logged in to make sure it was still working with this config. Hopefully that helps.

          server {
              listen        443 ssl;
              server_name   example.com;
              root /usr/share/nginx/html;
      
              ssl_certificate  /etc/letsencrypt/live/example.com/fullchain.pem;
              ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
              ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
              ssl_ciphers    HIGH:!aNULL:!MD5;
              keepalive_timeout 60;
      
              location /vsphere-client {
                  allow all;
                  proxy_set_header Host $http_host;
                  proxy_set_header Connection "upgrade";
                  proxy_pass https://192.168.1.128/vsphere-client;
              }
              location /websso {
                  allow all;
                  proxy_set_header Host $http_host;
                  proxy_set_header Connection "upgrade";
                  proxy_pass https://192.168.1.128/websso;
              }
          }
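A hardened variant of the last config in this thread, as an added example that is not part of any poster's reply: it replaces the deprecated TLS versions and `allow all`, declares the forwarding headers together with the WebSocket headers, and verifies vCenter's certificate. The admin range 203.0.113.0/24 and the CA bundle path are assumptions, and the VM console question raised above is not addressed by it.

```nginx
# Added example (not from the thread). 203.0.113.0/24 and vcenter-ca.pem are
# constructed placeholders; the other values are the thread's own.

# http {} context: send "Connection: upgrade" only when the client asked for it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen       443 ssl;
    server_name  example.com;

    ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
    # Weak (as posted): ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols  TLSv1.2 TLSv1.3;  # TLSv1.3 needs nginx 1.13.0+ and OpenSSL 1.1.1+
    ssl_ciphers    HIGH:!aNULL:!MD5;

    # Weak (as posted): "allow all;" leaves the vCenter login open to any source.
    allow 203.0.113.0/24;            # constructed admin/VPN range
    deny  all;

    # proxy_set_header is inherited from an outer level only when the current
    # level declares none, so the whole set is declared in one place.
    proxy_set_header  Host             $http_host;
    proxy_set_header  X-Real-IP        $remote_addr;
    proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header  Upgrade          $http_upgrade;
    proxy_set_header  Connection       $connection_upgrade;
    proxy_http_version 1.1;          # WebSocket upgrade needs HTTP/1.1 upstream

    # nginx does not verify the upstream certificate unless told to (default off).
    proxy_ssl_verify               on;
    proxy_ssl_trusted_certificate  /etc/nginx/vcenter-ca.pem;  # hypothetical path
    proxy_ssl_name                 example.com;  # assumes vCenter's cert uses this name

    # Rewrite Location headers that leak the internal address.
    proxy_redirect  https://192.168.1.128  https://example.com;

    location /vsphere-client { proxy_pass https://192.168.1.128/vsphere-client; }
    location /websso         { proxy_pass https://192.168.1.128/websso; }
}
```

Run `nginx -t` after editing to confirm the directives parse on the installed build before reloading.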