Put vCenter behind a reverse proxy (because we can !)
For a long time I have been trying to figure out how to reach all of my home lab web applications from the outside and, if possible, in a secure manner.
The challenge is that with a home Internet box you get one single public IP address.
One possibility then is to use different host names within a particular domain.
To make that work, you need a reverse proxy that forwards each sub-domain to a particular internal host.
The behaviour I wanted is the following:
- sub-domain 1 goes to https://internal-host-1:443
- sub-domain 2 goes to https://internal-host-2:xxx
- sub-domain 3 goes to https://internal-host-3:yyy
- all HTTP requests are automatically redirected to HTTPS
- certificates issued by a well-known certificate authority… for free
- have a modern, secure and free platform/os
That is how the following choices were made:
- Fedora Server was chosen as the OS: it is free, modern, and ships with the Cockpit web interface out of the box
- nginx would be my reverse proxy: there are not that many options out there; I'll come back to this choice later on.
- Let's Encrypt would be the certificate provider: easy to guess why, it is fully supported by all recent browsers and free. The only drawback is the short certificate lifetime, but that is easily solved with automated renewal.
There is a tremendous amount of documentation on how to deploy and install nginx, so that will not be detailed here, but here are some specific configurations you can use:
Normal server:
```nginx
server {
    listen 443 ssl;
    server_name my_internet_hostname_fqdn;

    # Let's Encrypt certificate and key for the public host name
    ssl_certificate     /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass https://your_server_fqdn:port_number/;
        # HTTP/1.1 plus the Upgrade/Connection headers so WebSocket connections pass through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
While this simple config works most of the time (I'm still trying to find the right configuration for Windows Admin Center…), it does not work for the vCenter HTML5 UI URL…
This is a working configuration (some settings might be changed, I'm not an nginx specialist, just sharing some info):
```nginx
server {
    listen 443 ssl http2;
    server_name my_internet_vcenter_fqdn;
    ssl_certificate     /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        # Pass the public host name through to vCenter
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # nginx does not validate the vCenter certificate (it is not issued by a public CA)
        proxy_ssl_verify off;
        proxy_pass https://your_vCenter_IP;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # No buffering, unlimited upload size and a long read timeout for the HTML5 UI
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        # Rewrite Location headers pointing at the internal FQDN to the public one
        proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
    }

    location /websso/SAML2 {
        # The SSO endpoint is sent the internal vCenter FQDN as Host header
        proxy_set_header Host your_vCenter_fqdn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off;
        proxy_pass https://your_vCenter_IP;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_ssl_session_reuse on;
        proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
    }
}
```
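As an added example (not from the original post), here is the port 80 server block that the "all HTTP redirected to HTTPS" requirement calls for, plus a variant of the vCenter location that verifies the upstream certificate instead of using proxy_ssl_verify off. The certbot webroot path and the CA file path are assumptions.

```nginx
# Added example, not from the original post. Assumptions: certbot uses
# /var/www/certbot as webroot, and the vCenter (VMCA) root certificate has
# been exported to /etc/nginx/certs/vcenter-ca.pem.

# Catch-all HTTP server: answer the Let's Encrypt HTTP-01 challenge, redirect
# everything else to HTTPS so renewals keep working behind the redirect.
server {
    listen 80 default_server;
    server_name _;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name my_internet_vcenter_fqdn;
    ssl_certificate     /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Browsers remember to never use plain HTTP for this host again
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Verify the vCenter certificate against its own CA and check that the
        # name matches, so another host on the LAN cannot pose as vCenter
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/vcenter-ca.pem;
        proxy_ssl_name your_vCenter_fqdn;
        proxy_ssl_server_name on;
        proxy_pass https://your_vCenter_IP;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
    }
}
```

The /websso/SAML2 location from the configuration above needs the same proxy_ssl_* lines; the vCenter appliance publishes its trusted root certificates at https://your_vCenter_fqdn/certs/download.zip.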
That's it!
Please let me know if this can be improved, especially if you can improve security; I'm fully open!
(But the concept itself, putting a vCenter behind a reverse proxy on the Internet, will not be debated!!!)