Put vCenter 7.0 behind a reverse proxy

In a previous post, we discussed the configuration needed to put a vCenter 6.X (HTML5) behind an nginx reverse proxy.

As VMware changed the way single sign-on works, this configuration was no longer valid…

This gave me some headaches, but after looking at the local setup, the redirections and the failing URL, I had to modify it a little and add a line to the 6.X configuration.

Here is the working configuration:

server {
   listen 443 ssl http2;
   server_name my_internet_vcenter_fqdn;
   ssl_certificate /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
   include /etc/letsencrypt/options-ssl-nginx.conf;

   location / {
      # vCenter checks Host and Origin against its own FQDN. Origin must carry the scheme,
      # otherwise the HTML5 web console websocket is blocked (see Bjorn's comment below).
      proxy_set_header Host "your_vCenter_fqdn";
      proxy_set_header Origin "https://your_vCenter_fqdn";
      proxy_set_header X-Real-IP $remote_addr;
      # The upstream vCenter certificate is not validated here; if the proxy can trust the
      # vCenter CA, prefer proxy_ssl_trusted_certificate with proxy_ssl_verify on.
      proxy_ssl_verify off;
      proxy_pass https://your_vCenter_fqdn;
      # Websocket support for the HTML5 client (remote console, app-fabric).
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      # Rewrite Location headers that point at the internal FQDN back to the public one.
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }

   location /websso/SAML2 {
      # The SSO pages embed the internal FQDN in the HTML body; rewrite it on the way out.
      # sub_filter only touches text/html by default and, with sub_filter_once on (the
      # default), only the first match per response.
      sub_filter "your_vCenter_fqdn" "my_internet_vcenter_fqdn";
      proxy_set_header Host your_vCenter_fqdn;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_ssl_verify off;
      proxy_pass https://your_vCenter_fqdn;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      proxy_ssl_session_reuse on;
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }
}
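As an added check (not part of the original post), the script below walks the redirect chain this configuration produces, hop by hop without auto-following, and flags any hop that still names the internal vCenter FQDN, either as the URL host or inside a deflated SAMLRequest query parameter, which the sub_filter on the HTML body cannot rewrite. The hostnames are the placeholders used in the configuration above; the chain passed to find_leaks in the test is constructed.

```python
import base64
import http.client
import zlib
from urllib.parse import parse_qs, urlsplit

INTERNAL_FQDN = "your_vCenter_fqdn"  # placeholder from the post

def encode_saml_request(xml):
    """HTTP-Redirect binding: SAMLRequest = base64(raw-deflate(xml))."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml.encode()) + co.flush()).decode()

def decode_saml_request(param):
    # parse_qs turns an unescaped '+' into a space; put it back before decoding
    raw = base64.b64decode(param.replace(" ", "+"))
    return zlib.decompress(raw, -15).decode("utf-8", "replace")

def find_leaks(chain, internal=INTERNAL_FQDN):
    """Return (hop, where) for every URL in the chain that still names the internal host."""
    leaks = []
    for hop, url in enumerate(chain):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() == internal.lower():
            leaks.append((hop, "host"))
        # sub_filter rewrites the visible HTML only; a hostname inside the deflated
        # SAMLRequest parameter is invisible to it, so decode and inspect it here
        for req in parse_qs(parts.query).get("SAMLRequest", []):
            try:
                if internal.lower() in decode_saml_request(req).lower():
                    leaks.append((hop, "SAMLRequest"))
            except (ValueError, zlib.error):
                leaks.append((hop, "SAMLRequest (undecodable)"))
    return leaks

def fetch_chain(start_url, max_hops=10):
    # Collect start_url plus each Location header by hand; the public proxy
    # certificate is verified with Python's default TLS context.
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        p = urlsplit(url)
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=10)
        conn.request("GET", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not loc:
            break
        url = loc if "://" in loc else f"https://{p.netloc}{loc}"
        chain.append(url)
    return chain
```

Run `find_leaks(fetch_chain("https://my_internet_vcenter_fqdn/ui"))` from outside the network; an empty list means every hop stays on the public name.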

Hope this will help you and of course, if you have some suggestions, be my guest!
(and no: the concept of reverse-proxying vCenter is still not debated!!!)


14 comments

  • S Rob 27th January 2021

    Does this still work for you with the latest vCenter? It almost works for me, but I get a 403 on the websocket connection …
    WebSocket connection to ‘wss://_MY_internet_vcenter_FQDN/ui/app-fabric/fabric’ failed: Error during WebSocket handshake: Unexpected response code: 403

    • Just a geek 5th February 2021

      Hi,

      I just tried with the very latest update (build 7.0.1.00300) and it still works for mine, so the problem should be somewhere else.
      Do you see anything in the NGINX logs? Did it work before?

      PS: might be important: I run NGINX 1.18.0 (on a Fedora 33 server)

  • A 5th May 2021

    Fab thank you 🙂

  • Bjorn 8th June 2021

    Good info, but I also get a 403 from vCenter for the web console. It used to work, but not after the upgrade to 7.0.2.00200. Not sure if it ever worked with version 7.

    Nginx log:
    request="GET /ui/webconsole/authd?host=xxxxxxxx&port=902&cfgFile=%2Fvmfs%2Fvolumes%2F5dbac1a0-038ef105-3f82-f403435862b8%2Fxxxxx%2Fxxxxx.vmx&thumbprint=1C:B7:D6:D6:3B:F6:FA:2D:DD:12:FC:5F:2D:7E:B2:CE:AC:13:8A:43&ticket=52792b00-3d9f-9867-b269-cd1696a9879a&vmId=vm-25679&encoding=UTF-8 HTTP/1.1" status="403"

    On Nginx 1.16.1 since that is what CentOS 7 comes with.

    • Just a geek 2nd July 2021

      Hi Bjorn,

      It did work before 7U2, but I also confirm that it is not working anymore. I didn’t notice it since I’ve been working almost 100% from home since COVID, so I don’t use my reverse proxy that much… Thanks for sharing.

      Can you post your / location configuration, so I can test it too and update the article?
      Thanks in advance! 😉

      PS: I’m running now NGINX 1.21 on CentOS 8 (with plan to migrate to Alma Linux or another)

  • Bjorn 8th June 2021

    vCenter logs this for the HTML5 remote console (websocket):

    ui-runtime – – – Request with origin:https:// and URL: https:///ui/webconsole/authd blocked!

  • Bjorn Frostberg 9th June 2021

    I needed:

    proxy_set_header Origin "https://your_vCenter_fqdn";

    under the / location to get the HTML5 web console to work. Otherwise vCenter blocks it.

    • Rado 16th November 2021

      Hey guys, it seems I have the same wss:// 403 error issue with my nginx reverse proxy config.
      How were you able to fix it? I tried adding proxy_set_header Origin "https://your_vCenter_fqdn"; in my config but I'm still getting this 403.
      Something else? Could someone post a full working config with the web console working?

  • K 26th August 2021

    I copied your config and put in my vCenter host name and my nginx server name, and I still get this workflow:

    public.vcenter.com/ui -> internal.vcenter.com/websso/SAML2/…/… -> public.vcenter.com/ui/…/….

    I still cannot get

    public.vcenter.com/ui -> public.vcenter.com/websso/SAML2/…/… -> public.vcenter.com/ui/…/….

    What would cause my SSO to still load the internal.vcenter.com hostname?

    • Just a geek 9th December 2021

      Hi,

      I’ve rechecked the config, there was a missing `proxy_set_header Origin "your_vCenter_fqdn";` in the first block.
      The modification was mentioned by Bjorn in a previous comment but the article was not corrected.

      Please try and let me know 😉

  • Jason 27th August 2021

    Do you know how to do the same thing in Apache2?

    • Just a geek 9th December 2021

      Unfortunately not, I never used Apache as a reverse proxy 🙂

  • Matt 18th May 2022

    Thanks for this! It’s a step closer in the right direction.
    I got it to work in a pod based on the latest nginx but still face some issues, as mentioned in earlier comments:
    – my vCenter redirects to ADFS and this redirects back to the internal URL (the internal URL is in the request URI sent to ADFS)
    – the websocket fails to connect for the console
    – I had to configure ‘listen 443 ssl’, as haproxy in SSL passthrough mode behaves really weirdly and mixes backends when http2 is used

    I’m on latest vcenter 7.

    Also, are you not concerned about exposing vCenter to the public internet?

    • Just a geek 25th May 2022

      Hi,

      ADFS is probably on my wish list and you’re right, it’s probably complicated!

      For now, my vCenter has not been exposed to the Internet since the last 2 updates, as when they wanted to correct the last big issue, they also put some vulnerable libraries back… 😒

      But my reverse proxy is behind a firewall with IPS and also with different IP filtering lists, so the risk, even if present, is reduced. 😊

      I really need to learn NGINX the deep way!!!
