Differences

This shows you the differences between two versions of the page.

--- proxmox_nginx [2016/07/17 10:12] – neoon
+++ proxmox_nginx [2021/11/25 22:42] (current) – external edit 127.0.0.1
@@ Line 11: / Line 11: @@
     proxy_redirect off;
     location / {
-    	proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Proto https;
         proxy_pass https://127.0.0.1:8006;
         proxy_http_version 1.1;
+        proxy_set_header Connection $http_connection;
-	proxy_set_header Connection $http_connection;
+	      proxy_set_header Origin http://$host;
-	proxy_set_header Origin http://$host;
+	      proxy_set_header Upgrade $http_upgrade;
-	proxy_set_header Upgrade $http_upgrade;
     }
   }
@@ Line 24: / Line 23: @@
 Make sure you replace ssl_certificate and ssl_certificate_key
-Restart Nginx: service nginx restart, it should return no errors.
+Restart Nginx:
+  service nginx restart
 Second step, Turn the pveproxy to localhost only. Copy this file to: /etc/default/pveproxy
@@ Line 32: / Line 32: @@
   POLICY="allow"
-Restart pveproxy: service pveproxy
+You can also block it over iptables, since it does not fully work anymore on 5.x.
+  post-up iptables -A INPUT -p tcp --dport 8006 -s 127.0.0.0/8 -j ACCEPT #allow localhost for reverse proxy
+  post-up iptables -A INPUT -p tcp --dport 8006 -j DROP #webinterface
+  post-up iptables -A INPUT -p tcp --dport 3128 -j DROP #spiceproxy
+Restart pveproxy:
+  service pveproxy restart
 https://YOURIP:8006 should be not more reachable.