EVE-ng reverse proxy

Before posting something, READ the changelog, WATCH the videos, howto and provide following:
Your install is: Bare metal, ESXi, what CPU model, RAM, HD, what EVE version you have, output of the uname -a and any other info that might help us faster.

Moderator: mike

Post Reply
User avatar
gpinero
Posts: 16
Joined: Wed Mar 06, 2019 10:18 pm

EVE-ng reverse proxy

Post by gpinero » Wed Jun 12, 2019 11:50 am

Hi, i'm trying to configure eve-ng throught nginx proxy but not work. Login page appear but when I click on login button hangs "Loading..."

New EVEPRO install 2.0.5.21 (https in the backend)
My config:


server{
listen 443;
server_name lab.lab.com

ssl_certificate /etc/letsencrypt/live/labxxxxxxxxm/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lab.xxxxxxxxom/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/lab.exxxxxx/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

include /etc/nginx/snippets/letsencrypt.conf;

location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass https://10.10.10.10/;
}
}

Same settings works in my old eve-ng community 2.0.3.95, in this version eve is configured as http, with new EVE version is https.

ecze
Posts: 533
Joined: Wed Mar 15, 2017 1:54 pm

Re: EVE-ng reverse proxy

Post by ecze » Wed Jun 12, 2019 6:09 pm

Hi,

It is out of scope for EVE-NG support.
Perhaps a forum member will help you.

Good luck,

Ecze

User avatar
gpinero
Posts: 16
Joined: Wed Mar 06, 2019 10:18 pm

Re: EVE-ng reverse proxy

Post by gpinero » Sat Jun 15, 2019 5:34 am

Config that works for me:

### NGINX Config

1 - Define upstream to EVE-NG machine

upstream websocket {
server 10.10.10.10:8080;
}

2 - Port 80 http --> redirect to https with HSTS (you need to config letsencrypt for provisioning certificates)

server{
listen 80;
server_name lab.test.com;
include /etc/nginx/snippets/letsencrypt.conf;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
return 301 https://$host$request_uri;
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
}

3 - Port 443 proxyied to EVE-NG

server{
listen 443;
server_name lab.test.com;
ssl_certificate /etc/letsencrypt/live/lab.test.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lab.test.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/lab.test.com/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
include /etc/nginx/snippets/letsencrypt.conf;
client_max_body_size 0;
location /html5/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://websocket/guacamole/;
}
location /html5/websocket-tunnel {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://websocket/guacamole/websocket-tunnel;
}
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://10.10.10.10/;
}
location ~ /\. {
deny all;
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
}

4 - Enable http in EVE-NG (change file /etc/apache2/sites-enabled/unetlab.conf)
<IfModule mod_rewrite.c>
# Logging disabled by default
# LogLevel mod_rewrite.c:trace2
</IfModule>

<Directory /opt/unetlab/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>

<Directory /opt/unetlab/data/Exports/>
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>

<Directory /opt/unetlab/data/Logs/>
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>

<VirtualHost *:80>
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ServerAdmin webmaster@test.com
DocumentRoot /opt/unetlab/html

ErrorLog /opt/unetlab/data/Logs/error.txt
CustomLog /opt/unetlab/data/Logs/access.txt combined

Alias /Exports /opt/unetlab/data/Exports
Alias /Logs /opt/unetlab/data/Logs

<Location /html5/>
Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse http://127.0.0.1:8080/guacamole/
</Location>

<Location /html5/websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
</Location>

</VirtualHost>

5 - Enable direct connection to Tomcat por 8080 (edit /var/lib/tomcat8/conf/server.xml)
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
address="0.0.0.0"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" />

Change address 127.0.0.1 to 0.0.0.0 to permit all conections

This config works for me.

Post Reply