Put vCenter behind a reverse proxy (because we can!)

For a long time I have been trying to figure out how to access all my home lab web applications from the outside, and if possible in a secure manner.
The challenge: with a home Internet box you only get one single public IP address.

One possibility is then to use different host names within a single domain.
To make that work, you need a reverse proxy in front of everything that routes each sub-domain (selected from the Host header / TLS SNI of the incoming request) to a particular internal host.

The behaviour I wanted is the following:

  • sub-domain 1 goes to https://internal-host-1:443
  • sub-domain 2 goes to https://internal-host-2:xxx
  • sub-domain 3 goes to https://internal-host-3:yyy
  • every HTTP request is automatically redirected to HTTPS
  • certificates issued by a well-known certificate authority… for free
  • a modern, secure and free platform/OS

That is how the following choices were made:

  • Fedora Server was chosen as the OS: it is free and modern, and ships with the Cockpit web administration interface out of the box.
  • nginx would be my reverse proxy: there are not that many options out there; I'll come back to the choice later on.
  • Let's Encrypt would be the certificate provider: easy to guess why, its certificates are trusted by all recent browsers and it is free. The only drawback is the short (90-day) certificate lifetime, but that is easily solved by automating the renewal (certbot does this).

There is a tremendous amount of documentation on how to deploy/install nginx, so this will not be detailed here, but here are some specific configurations you can use:

Normal server:

server {
   listen 443 ssl;
   server_name my_internet_hostname_fqdn;

   # Let's Encrypt certificate for the public name, plus certbot's
   # recommended TLS settings (protocols, ciphers, session cache) and DH params
   ssl_certificate /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
   include /etc/letsencrypt/options-ssl-nginx.conf;
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
   location / {
      # Note: nginx does NOT verify the upstream certificate unless
      # proxy_ssl_verify on is set, so this hop is encrypted but unauthenticated
      proxy_pass https://your_server_fqdn:port_number/;
      # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket
      # connections (consoles, live updates) pass through the proxy
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection 'upgrade';
      # forward the public host name so the application builds its links with it
      proxy_set_header Host $host;
      proxy_cache_bypass $http_upgrade;
   }
}
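The goal list above asks for every HTTP request to be redirected to HTTPS, which the server block above does not do by itself. The following port-80 configuration is an added example and not part of the original post. It uses the post's placeholder host names; the webroot path /var/www/letsencrypt is an assumption (it is the directory certbot's --webroot mode would be pointed at). The catch-all server is there so that a request carrying an unknown Host header is dropped instead of being turned into a redirect to an attacker-chosen host name.

```nginx
# Added example (not from the original post): HTTP -> HTTPS redirect.

# 1. Catch-all for requests whose Host header matches none of our names.
#    444 is nginx-specific: close the connection without a response, so the
#    redirect below never echoes an arbitrary Host header back to the client.
server {
   listen 80 default_server;
   listen [::]:80 default_server;
   server_name _;
   return 444;
}

# 2. Only the names we really serve get redirected.
server {
   listen 80;
   listen [::]:80;
   server_name my_internet_hostname_fqdn my_internet_vcenter_fqdn;

   # Let the ACME http-01 challenge through in clear text, so certbot can
   # renew without us opening anything else on port 80.
   # Assumption: certbot runs with "--webroot -w /var/www/letsencrypt".
   location ^~ /.well-known/acme-challenge/ {
      root /var/www/letsencrypt;
   }

   # Everything else: permanent redirect to the same host and path over TLS.
   # $host is safe here because it can only be one of the server_name values.
   location / {
      return 301 https://$host$request_uri;
   }
}
```

Check it with `nginx -t` before reloading, then `curl -sI http://my_internet_hostname_fqdn/some/path` should return `301` with a `Location: https://my_internet_hostname_fqdn/some/path` header, while `curl -sI -H 'Host: evil.example' http://<your public IP>/` gets no response at all.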

While this simple config works most of the time (I'm still trying to find the configuration for Windows Admin Center…), it does not work for the vCenter HTML5 UI…

This is a working configuration (some settings could be swapped; I'm not an nginx specialist, just sharing some info):

server {
   listen 443 ssl http2;
   server_name my_internet_vcenter_fqdn;
   ssl_certificate /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
   include /etc/letsencrypt/options-ssl-nginx.conf;
   
   location / {
      # the UI itself is happy with the public name in the Host header
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      # vCenter's certificate is issued by its built-in VMCA by default, which
      # nginx does not trust, so verification is switched off here. This is the
      # weak spot of the config: the proxy -> vCenter hop is encrypted but the
      # peer is not authenticated.
      proxy_ssl_verify off;
      proxy_pass https://your_vCenter_IP;
      # HTTP/1.1 + Upgrade/Connection for the WebSocket-based parts of the UI
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # no response buffering, unlimited upload size (OVA/ISO uploads) and a
      # very long read timeout for long-lived console/WebSocket sessions
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      # rewrite Location headers that point at vCenter's own name
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }

   location /websso/SAML2 {
      # the SSO endpoint only works when it sees vCenter's own FQDN in the
      # Host header, hence the hard-coded value instead of $http_host
      proxy_set_header Host your_vCenter_fqdn; 
      proxy_set_header X-Real-IP $remote_addr;
      proxy_ssl_verify off; 
      proxy_pass https://your_vCenter_IP;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      proxy_ssl_session_reuse on;
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }
}
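The one setting in the configuration above that a security review would flag is proxy_ssl_verify off: nginx encrypts the connection to vCenter but accepts any certificate, so anything able to intercept LAN traffic between the proxy and vCenter could impersonate it and collect the SSO credentials. The following variant is an added example, not the post's configuration, that keeps the same two locations but turns verification on. It assumes the VMCA root certificate has been exported from the vCenter landing page ("Download trusted root CA certificates") and saved in PEM form as /etc/nginx/certs/vmca-root.pem (an assumed path), and that the file lives in /etc/nginx/conf.d/ so that the map block sits inside the http context. The settings shared by both locations are declared once at server level; the one thing that cannot be shared is proxy_set_header, because a location that sets any header of its own stops inheriting all of them.

```nginx
# Added example (not the post's config): vCenter vhost with verified upstream TLS.
# Put this file in /etc/nginx/conf.d/ (assumption) so "map" is inside http {}.

# Send "Connection: upgrade" only when the client actually asked for a
# WebSocket upgrade; plain requests get the normal "close".
map $http_upgrade $connection_upgrade {
   default upgrade;
   ''      close;
}

server {
   listen 443 ssl http2;
   server_name my_internet_vcenter_fqdn;

   ssl_certificate /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
   include /etc/letsencrypt/options-ssl-nginx.conf;
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

   # ---- shared by every location below (inherited) ----
   proxy_http_version 1.1;
   proxy_buffering off;
   client_max_body_size 0;            # OVA/ISO uploads through the UI
   proxy_read_timeout 36000s;         # long-lived console / WebSocket sessions
   proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;

   # Authenticate vCenter instead of trusting any certificate:
   proxy_ssl_verify on;
   proxy_ssl_verify_depth 2;
   proxy_ssl_trusted_certificate /etc/nginx/certs/vmca-root.pem;   # assumed path
   proxy_ssl_name your_vCenter_fqdn;  # name checked against the cert, since proxy_pass uses an IP
   proxy_ssl_server_name on;          # and sent as SNI
   proxy_ssl_protocols TLSv1.2 TLSv1.3;
   proxy_ssl_session_reuse on;

   location / {
      proxy_pass https://your_vCenter_IP;
      proxy_set_header Host $http_host;           # public name, as in the post
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
   }

   location /websso/SAML2 {
      proxy_pass https://your_vCenter_IP;
      # SSO must see vCenter's own name. Declaring one proxy_set_header here
      # discards every inherited one, so the rest are repeated on purpose.
      proxy_set_header Host your_vCenter_fqdn;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
   }
}
```

To confirm that verification is really active, point proxy_ssl_trusted_certificate at an unrelated CA file and reload: nginx should then answer 502 and log "upstream SSL certificate verify error" in the error log; switch back to the VMCA root and the UI loads again. If the vCenter certificate was replaced by one from your own or a public CA, use that CA's certificate instead of the VMCA root.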

That's it!

Please let me know if this can be improved, especially if you can improve security; I'm fully open!
(But the concept itself, putting a vCenter behind a reverse proxy on the Internet, will not be debated!!!)
