HanSolo71
Contributor
Contributor

vCenter Behind NGINX

Currently, i'm working on a project to put as many of our systems as possible through our Duo Network Gateway (DNG from here forward).

The end goal is to put every administrative interface behind the DNG while we implement Zero Trust. (Being inside or outside the org doesn't mean I trust you, there is no inherently trusted device.) To reach a device you first need to use a MFA secured portal to verify your identity.

As part of this we are attempting to move our VMWare vSphere web interface behind our DNG, it appears natively this is not supported so we are first going through a NGINX reverse proxy to present a single supported web interface.

If you have kept up this far, great! The only thing we can't figure out is how to get the VMWare Remote Console either web based or the local .exe to work. Here is the config we have working for everything but VMRC.

If I manually make a VMRC link like so: vmrc://vsphere.company.dev/?moid=vm-1337 the VMRC opens and attempts to connect after I give it a username and password but then just gives me a "Error HTTP 200"

server {
   listen 443 ssl http2;
   server_name vsphere.company.dev;
   ssl_certificate /etc/nginx/ssl/vsphere-proxy-test.company.lan.cert;
   ssl_certificate_key /etc/nginx/ssl/vsphere-proxy-test.company.lan.key;

   location / {
      proxy_set_header Host "vsphere.company.lan";
      proxy_set_header Origin "vsphere.company.lan";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Authorization "";
      proxy_set_header Origin "";
      proxy_pass_header X-XSRF-TOKEN;
      proxy_ssl_verify off;
      proxy_pass https://vsphere.company.lan;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_buffering off;
      proxy_send_timeout      300;
      proxy_read_timeout      300;
      send_timeout            300;
      client_max_body_size    1000m;
      proxy_redirect https://vsphere.company.lan/ https://vsphere.company.dev/;
   }

   location /websso/SAML2 {
      sub_filter "vsphere.company.lan" "vsphere.company.dev";
      proxy_set_header Host vsphere.company.lan;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Authorization "";
      proxy_set_header Origin "";
      proxy_pass_header X-XSRF-TOKEN;
      proxy_ssl_verify off;
      proxy_pass https://vsphere.company.lan;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_buffering off;
      proxy_send_timeout      300;
      proxy_read_timeout      300;
      send_timeout            300;
      client_max_body_size    1000m;
      proxy_ssl_session_reuse on;
      proxy_redirect https://vsphere.company.lan/ https://vsphere.company.dev/;
  }
}
0 Kudos
1 Reply
scott28tt
VMware Employee
VMware Employee

Expect a moderator to move your thread to the vSphere area now that I’ve reported it.

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
0 Kudos