Differences

This shows you the differences between two versions of the page.

--- proxmox_nginx [2016/07/17 11:12] – neoon
+++ proxmox_nginx [2019/12/08 15:37] – neoon
@@ Line 11: / Line 11: @@
     proxy_redirect off;
     location / {
-    	proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Proto https;
         proxy_pass https://127.0.0.1:8006;
         proxy_http_version 1.1;
-	proxy_set_header Connection $http_connection;
+        proxy_set_header Connection $http_connection;
-	proxy_set_header Origin http://$host;
+	      proxy_set_header Origin http://$host;
-	proxy_set_header Upgrade $http_upgrade;
+	      proxy_set_header Upgrade $http_upgrade;
     }
   }
@@ Line 23: / Line 23: @@
 Make sure you replace ssl_certificate and ssl_certificate_key
-Restart Nginx: service nginx restart, it should return no errors.
+Restart Nginx:
+  service nginx restart
 Second step, Turn the pveproxy to localhost only. Copy this file to: /etc/default/pveproxy
@@ Line 31: / Line 32: @@
   POLICY="allow"
-Restart pveproxy: service pveproxy
+You can also block it over iptables, since it does not fully work anymore on 5.x.
+  post-up iptables -A INPUT -p tcp --dport 8006 -s 127.0.0.0/8 -j ACCEPT #allow localhost for reverse proxy
+  post-up iptables -A INPUT -p tcp --dport 8006 -j DROP #webinterface
+  post-up iptables -A INPUT -p tcp --dport 3128 -j DROP #spiceproxy
+Restart pveproxy:
+  service pveproxy restart
 https://YOURIP:8006 should be not more reachable.