[SOLVED] Sunstone / noVNC behind nginx reverse proxy

(em) #1


I have a nginx running as reverse proxy doing ssl termination. I configured it to forward request to the sunstone port and this is working fine.
Problem is when I try to use the noVNC window. It seems like the request is actually going to the nginx server: wss://nginx_server:29876/?token=xxxx

How do I tell novnc or sunstone that it is behind a reverse proxy?

Here is my sunstone-server config:

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/ssl/certs/domain.crt
:vnc_proxy_key: /etc/ssl/private/domain.key
:vnc_proxy_ipv6: false
:vnc_request_password: false

(Kirk Macdonald) #3

ok this is the nginx config for opennebula on a reverse proxy

THIS ONE IS FOR opennebula on same host as reverse proxy make a new vhost file called opennebular and paste the following into it

i have added folder locations as this is easier too obtain lets say letsencrypt for ssl for opennebula

if you need the config and template for opennbula on different machine then nginx reverse proxy post here and i will post it its fairly tricky on a different machine as there is a few bits of tweaking to do

make a new vhost file called opennebular and paste the following thee whole code below into it

server {

listen 80;

    # Server name and allias
server_name  your server name here or or localhost ip opennebula is on please dont for get at the end ----> ; # SO IT SHOULD  LOOK LIKE ABOVE server_name or www.yourwebsite.co.uk;

    # Folder location
    root / you need to add your website folder location here dont foget ----> ;   CREATE A FOLDER CALLED OPENNEBULA AND ADD IT LOCATION NEXT TO THIS SO IT LOOKS LIKE  root /var/www/opennebula OR WHAT EVER YOUR WEB LOCATION IS

    index index.php index.html index.htm;



# OpenNebula Sunstone upstream
    upstream sunstone  {


    server {

    listen 443;

    # Server name and allias
    server_name  your server name here or or localhost ip opennebula is on please dont forget at the end ---->;

    # Folder location 
    root   /your folder location for opennebula DONT FORGET --->;

    # Logging
    access_log /var/log/nginx/opennebula_access_log;
    error_log /var/log/nginx/opennebula_error_log;  # PLEASE MANUALLY CREATE THE ABOVE LOG FILES

    ### Proxy requests to upstream
    location / {
             proxy_pass http://sunstone;



(em) #4

Hi Kirk,

Thanks for the info… Our setup actually has nginx running on a different host.

Could you please share that config?

(Kirk Macdonald) #5

ok i have a lot of other code in my vhost and lots of bits
this is a tricky process to get reverse proxy running i need some other info so i can replicate all the steps as i have different code and a lot of added extra code in my vhost template.

right i need a bit of info from you as it is vital for the vhost config i will make for you.

  1. will you be running your opennebula in ssl mode this tricky process but i will add it and give you the extra files to add to other files to add to get a A+ rating on ssl labs

  2. will you be using other ssl configs like strict ssl transport i suggest you do

  3. how fresh is your installs have you been playing with them its really important cos other configs can interfere with the vhost file

  4. do you already have php installed if so what version no and will you be running fast cgi

  5. do you want me to upload a full nginx config with nginx bad bots files full ssl support, geo blocker just so i know how much code i have to trim from my vhost template.

  6. how much experience do you have with computing and coding basically are you a noob or do you no a bit i aske this as it will help when im writing the code and the forum post so i know if i have to explain things in detail or i can just write the code and post and you will understand it

  7. What Operating system are you using

if you give me this info i should get this done for you by the end of the day

(em) #6

Hi Kirk,

Actually this nginx is internal and we don’t need any extra configuration (geoip, bad bots, etc). It also doesn’t need to be A+.
We are just looking for nginx to do the ssl termination. We could also use haproxy if needed.

So, the “design” is:

  • VM running nginx for ssl termination
  • OpenNebula frontend running on another server


(Kirk Macdonald) #7

right ok i get the drift i will get sorted today for you

(Kirk Macdonald) #8

right im gonna replicate all the steps for you and will take some time
im gonna install opennebula inside a opennebula setup lmao

(em) #9

Hi Kirk,

Actually I was able to get it to work. I had to make nginx listen on the 29876 port and configure it as websocket proxy.

Thanks for the help.

(Kirk Macdonald) #10

ok cool, glad you got it to work

(Haydn Solomon) #11

Would you mind sharing your nginx configuration?


Can someone remove the SOLVED title tag?
This thread is a collection of “works for me” and “doesn’t work - please share the config” - it does not provide complete instructions. What about creating a detailed section, based on with working and continuously tested setup just before http://docs.opennebula.org/5.4/deployment/sunstone_setup/sunstone.html?highlight=vnc#troubleshooting

(Erik Nagy) #13

Could you please share the NGINX configuration for the benefit of new comers?