Proxmox VE nginx反代

1.使用lnmp申请的Let’s Encrypt免费证书
cat /usr/local/nginx/conf/vhost/pve.conf

# Upstream group named "proxmox" with a single member.
# NOTE(review): the server block in this file proxies to https://localhost:8006
# directly, so nothing shown here references this group. Confirm it is still
# needed before keeping it.
upstream proxmox {
    server "your-domain.com";
}

#server {
#    listen 80 default_server;
#    rewrite ^(.*) https://$host$1 permanent;
#}

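# HTTPS reverse proxy in front of the Proxmox VE web UI (pveproxy, port 8006).
# Terminates TLS on port 48006 with the certificate issued for your-domain.com
# and forwards every request, including WebSocket upgrades, to the local pveproxy.
server {
    listen 48006 ssl http2;
    # "_" is a placeholder name that matches no real host. If no other server
    # block listens on 48006, this one answers whatever Host header is sent.
    server_name _;
    ssl_certificate /usr/local/nginx/conf/ssl/your-domain.com/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/your-domain.com/your-domain.com.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). A hypervisor management
    # interface should only negotiate TLS 1.2 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Same list as before, minus the 3DES suites (64-bit block cipher) and the
    # static-RSA key exchange suites (no forward secrecy).
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256:!MD5";
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    proxy_redirect off;
    location / {
        # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket
        # connections pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # pveproxy is bound to 127.0.0.1 via LISTEN_IP in /etc/default/pveproxy.
        # The literal address stops nginx from also trying ::1, which
        # "localhost" may resolve to. nginx does not verify the upstream
        # certificate by default; this hop stays on the loopback interface.
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;
        # 0 disables nginx's request body size check, so the backend alone
        # decides what it accepts.
        client_max_body_size 0;
        # One-hour timeouts, presumably so long-lived console sessions and
        # large transfers are not cut off by the proxy.
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}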

重新加载nginx配置(可先执行 nginx -t 检查配置语法)
lnmp nginx reload

2.修改PVE监听地址,让外部不能直接访问8006端口(注意:集群环境下其他节点需要访问pveproxy,官方文档不建议在集群节点上设置LISTEN_IP)
nano /etc/default/pveproxy

LISTEN_IP=127.0.0.1

再重启服务
systemctl restart pveproxy

3.访问新地址
https://your-domain.com:48006
