Don't judge, I need this for my lab, I'll never put that in production… 😉
The following configuration was from another guy on the internet (pigsmud), so, unfortunately, I'm not understanding a lot of things here. Also, his website just vanished, so I won't be able to discuss the topic with him any further (which I did for 6.7).
That was my working 6.x config for vCenter 6.7:
server {
    listen 443 ssl http2;
    # ssl_certificate and ssl_certificate_key are required
    ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem;
    include /etc/nginx/snippets/ssl-params.conf;
    # removed DH params as my ssl-params.conf specifies to only use ECDHE key exchange.
    server_name fqdn.extern;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }

    location /websso/SAML2 {
        proxy_set_header Host fqdn.local; # your actual vCenter hostname
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_ssl_session_reuse on;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }
}
This was my previous (non-working) 7.0 configuration. The "location /ui/login" section was necessary to get to the login mask; otherwise, I was just getting an error. I then added /ui/saml/websso/sso, but it wasn't working:
# vCenter special configuration
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    server_name fqdn.extern;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }

    location /websso/SAML2 {
        proxy_set_header Host fqdn.local; # your actual vCenter hostname
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_ssl_session_reuse on;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }

    location /ui/login {
        proxy_set_header Host fqdn.local; # your actual vCenter hostname
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_ssl_session_reuse on;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }

    location /ui/saml/websso/sso {
        proxy_set_header Host $http_host;
        #proxy_set_header Host fqdn.local; # your actual vCenter hostname
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_ssl_session_reuse on;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }
}
Then I was able to simplify the config, but I still get the exact same result (with a WAAAYYY shorter config).
I've removed all the certificate parameters because I'm using a certificate with several names, so I could move that to the http section.
I've tried several combinations, so it is still very unclear which line is doing what…
server {
    listen 443 ssl http2;
    server_name fqdn.extern;

    location / {
        #proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        #proxy_ssl_verify off; # No need on isolated LAN
        proxy_pass https://fqdn.local/;
        #proxy_pass https://vcenter.ip; # vCenter IP address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        #client_max_body_size 0;
        #proxy_read_timeout 36000s;
        # replace fqdn.local with your actual vCenter hostname and fqdn.extern with your nginx server_name
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;
    }
}
I'm now trying to understand why I'm still getting redirected to the local server when I try to log in to the vCenter. What works so far:
https://fqdn.extern/ -> https://fqdn.extern/ui -> https://fqdn.extern/websso/SAML2/SSO/
But when I press the login button (on the websso/SAML2/SSO/ page), I get https://fqdn.local/ui/saml/websso/sso and, of course, I'm not getting any further. Right after, it is supposed to go back to /ui/ alone (this is what I see when logging in locally).
At this point, if I try to go back to the root of the external URL, it seems I'm logged in because it goes straight back to /ui/saml/websso/sso, so part of the proxying worked, but I still can't get access to the vCenter.
Any idea so far?
(and if I can get a small crash course, I'll be more than happy!!!) 😊
Best Answer
You just need to add two parameters: proxy_set_header Host "fqdn.local"; and sub_filter "fqdn.local" "fqdn.extern";
It works for vCenter 7.0.
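To show how the two directives from the answer fit into the simplified server block from the question, here is an added example (not the answerer's or the original poster's config). It keeps the thread's placeholders (fqdn.extern = nginx server_name, fqdn.local = vCenter's own hostname, vcenter.ip = vCenter's address) and adds the settings sub_filter needs in order to actually rewrite the SSO responses; the path of the vCenter CA file is an assumption.

```nginx
# Added example, not the thread's own config: simplified 7.0 server block
# plus the two directives from the answer and the supporting settings.
server {
    listen 443 ssl http2;
    server_name fqdn.extern;
    ssl_certificate     /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem;

    location / {
        proxy_pass https://vcenter.ip;
        proxy_http_version 1.1;

        # 1) Send vCenter the hostname it knows itself by, so the SAML/SSO
        #    URLs it generates all point at fqdn.local (which we rewrite below)
        #    instead of whatever Host the browser happened to send.
        proxy_set_header Host "fqdn.local";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # 2) Rewrite fqdn.local -> fqdn.extern inside response bodies (the SSO
        #    login form posts to an absolute https://fqdn.local/... URL) ...
        sub_filter "fqdn.local" "fqdn.extern";
        sub_filter_once off;                  # every occurrence, not just the first
        sub_filter_types text/html application/javascript application/json;
        proxy_set_header Accept-Encoding "";  # sub_filter cannot rewrite gzipped bodies
        # ... and in Location headers (sub_filter does not touch headers).
        proxy_redirect https://fqdn.local/ https://fqdn.extern/;

        # Upstream TLS: the thread turns verification off. Verifying against the
        # CA that signed vCenter's certificate costs nothing and stops nginx from
        # trusting a spoofed upstream. Assumes you exported that CA chain to
        # /etc/nginx/certs/vcenter-ca.pem (assumed path).
        proxy_ssl_verify on;
        proxy_ssl_server_name on;
        proxy_ssl_name fqdn.local;
        proxy_ssl_trusted_certificate /etc/nginx/certs/vcenter-ca.pem;

        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
    }
}
```

After reloading nginx, the login redirect chain should stay on https://fqdn.extern/ throughout; if the browser still lands on fqdn.local, check that the response you see is uncompressed and of a type listed in sub_filter_types.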