Put vCenter 7.0 behind a reverse proxy

In a previous post, we discussed the configuration needed to put a vCenter 6.X (HTML5) behind an nginx reverse proxy.

As VMware changed the way single sign-on works, this configuration was no longer valid…

This gave me some headaches, but after looking at the logs, the redirections and the failing URL, I had to modify the 6.X configuration a little and add one line to it.

Here is the working configuration:

server {
   listen 443 ssl http2;
   server_name my_internet_vcenter_fqdn;
   ssl_certificate /etc/letsencrypt/live/my_letsencrypt_domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/my_letsencrypt_domain/privkey.pem;
   include /etc/letsencrypt/options-ssl-nginx.conf;

   location / {
      proxy_set_header Host "your_vCenter_fqdn";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_ssl_verify off;
      proxy_pass https://your_vCenter_fqdn;
      # WebSocket support for the HTML5 client
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      # rewrite Location headers that point at the internal FQDN
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }

   location /websso/SAML2 {
      # SSO responses embed the internal FQDN in their body: rewrite it too
      sub_filter "your_vCenter_fqdn" "my_internet_vcenter_fqdn";
      proxy_set_header Host your_vCenter_fqdn;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_ssl_verify off;
      proxy_pass https://your_vCenter_fqdn;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      proxy_ssl_session_reuse on;
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }
}

Hope this will help you and of course, if you have some suggestions, be my guest!
(and no: whether vCenter should be reverse-proxied at all is still not up for debate!!!)

7 comments

  • S Rob 27th January 2021

    Does this still work for you with the latest vCenter? It almost works for me, but I get a 403 on the websocket connection …
    WebSocket connection to 'wss://_MY_internet_vcenter_FQDN/ui/app-fabric/fabric' failed: Error during WebSocket handshake: Unexpected response code: 403

    • Just a geek 5th February 2021

      Hi,

      I just tried with the very latest update (build 7.0.1.00300) and it still works for me, so the problem should be somewhere else.
      Do you see anything in the NGINX logs? Did it work before?

      PS: might be important: I run NGINX 1.18.0 (on a Fedora 33 server)

  • A 5th May 2021

    Fab thank you 🙂

  • Bjorn 8th June 2021

    Good info, but I also get a 403 from vCenter for the web console. It used to work, but not after the upgrade to 7.0.2.00200. Not sure if it ever worked with version 7.

    Nginx log:
    request="GET /ui/webconsole/authd?host=xxxxxxxx&port=902&cfgFile=%2Fvmfs%2Fvolumes%2F5dbac1a0-038ef105-3f82-f403435862b8%2Fxxxxx%2Fxxxxx.vmx&thumbprint=1C:B7:D6:D6:3B:F6:FA:2D:DD:12:FC:5F:2D:7E:B2:CE:AC:13:8A:43&ticket=52792b00-3d9f-9867-b269-cd1696a9879a&vmId=vm-25679&encoding=UTF-8 HTTP/1.1" status="403"

    On Nginx 1.16.1, since that is what CentOS 7 comes with.

    • Just a geek 2nd July 2021

      Hi Bjorn,

      It did work before 7U2, but I can also confirm that it is not working anymore. I didn't notice it since I've been working almost 100% from home since COVID, so I don't use my reverse proxy that much… Thanks for sharing.

      Can you post your / location configuration, so I can test it too and update the article?
      Thanks in advance! 😉

      PS: I'm now running NGINX 1.21 on CentOS 8 (with a plan to migrate to Alma Linux or another distribution)

  • Bjorn 8th June 2021

    vCenter logs this for the HTML5 remote console (websocket):

    ui-runtime – – – Request with origin:https:// and URL: https:///ui/webconsole/authd blocked!

  • Bjorn Frostberg 9th June 2021

    I needed:

    proxy_set_header Origin "https://your_vCenter_fqdn";

    under the / location to get the HTML5 web console to work. Otherwise vCenter blocks it.
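A small audit script, added here as an example and not part of the original post or of the comment thread, that checks an nginx server block for the points established above: proxy_redirect in location /, sub_filter in /websso/SAML2, the Origin header Bjorn needed for the web console, and proxy_ssl_verify off as a finding. The two configurations it runs against are constructed inline using the post's placeholder hostnames; the CA bundle path /etc/nginx/vcenter-ca.pem in the hardened variant is a placeholder. It assumes one directive per line and no nested blocks inside a location.

```shell
#!/bin/sh
# Added example: audit an nginx server block for the vCenter-specific
# directives discussed in the post. Sample configs below are constructed.

# Constructed: the post's configuration, reduced to the directives we check.
AS_POSTED='server {
   listen 443 ssl http2;
   server_name my_internet_vcenter_fqdn;

   location / {
      proxy_set_header Host "your_vCenter_fqdn";
      proxy_ssl_verify off;
      proxy_pass https://your_vCenter_fqdn;
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }

   location /websso/SAML2 {
      sub_filter "your_vCenter_fqdn" "my_internet_vcenter_fqdn";
      proxy_pass https://your_vCenter_fqdn;
   }
}'

# Constructed: same block with the Origin header from the comments and with
# upstream certificate verification enabled (CA path is a placeholder).
HARDENED='server {
   listen 443 ssl http2;
   server_name my_internet_vcenter_fqdn;

   location / {
      proxy_set_header Host "your_vCenter_fqdn";
      proxy_set_header Origin "https://your_vCenter_fqdn";
      proxy_ssl_verify on;
      proxy_ssl_trusted_certificate /etc/nginx/vcenter-ca.pem;
      proxy_ssl_name your_vCenter_fqdn;
      proxy_pass https://your_vCenter_fqdn;
      proxy_redirect https://your_vCenter_fqdn/ https://my_internet_vcenter_fqdn/;
   }

   location /websso/SAML2 {
      sub_filter "your_vCenter_fqdn" "my_internet_vcenter_fqdn";
      proxy_pass https://your_vCenter_fqdn;
   }
}'

# location_block PATH CONF: print the directives inside "location PATH { ... }".
# Assumes no nested blocks inside a location (true for the post's config).
location_block() {
    printf '%s\n' "$2" | awk -v loc="$1" '
        $1 == "location" && $2 == loc { inblock = 1; next }
        inblock && $1 == "}"          { inblock = 0 }
        inblock                       { print }'
}

# has_directive PATH REGEX CONF: succeed if the location contains a matching line.
has_directive() {
    location_block "$1" "$3" | grep -Eq "$2"
}

# audit CONF: print one finding per line; exit status is the number of findings.
audit() {
    conf=$1; n=0
    if ! has_directive / 'proxy_redirect[[:space:]]+https://' "$conf"; then
        echo "location /: no proxy_redirect, Location headers will expose the internal FQDN"
        n=$((n + 1))
    fi
    if ! has_directive / 'proxy_set_header[[:space:]]+Origin[[:space:]]' "$conf"; then
        echo "location /: no Origin header, vCenter 7U2+ answers 403 on the HTML5 web console"
        n=$((n + 1))
    fi
    if ! has_directive /websso/SAML2 'sub_filter[[:space:]]' "$conf"; then
        echo "location /websso/SAML2: no sub_filter, SSO responses keep the internal FQDN"
        n=$((n + 1))
    fi
    if has_directive / 'proxy_ssl_verify[[:space:]]+off' "$conf"; then
        echo "location /: proxy_ssl_verify off, upstream certificate is never checked"
        n=$((n + 1))
    fi
    return "$n"
}

# audit_count CONF: number of findings on stdout (handy for scripting).
audit_count() {
    audit "$1" | awk 'END { print NR }'
}

echo "as posted:"; audit "$AS_POSTED" || echo "  findings: $?"
echo "hardened:";  audit "$HARDENED"  && echo "  findings: 0"
```

Two points the script surfaces. With proxy_ssl_verify off, nginx accepts whatever certificate the host it proxies to presents; proxy_ssl_verify on together with proxy_ssl_trusted_certificate and proxy_ssl_name pins the upstream to the vCenter CA. The Origin override that makes the web console work also means every request vCenter sees claims to come from its own origin, so the check that produced the "blocked!" log line above can no longer tell a cross-site request apart from a legitimate one; that is a reason to expose the proxy only where the vCenter UI itself should be reachable.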
