vCenter

  • 1.  Reverse Proxy for vCenter issues

    Posted Aug 23, 2021 09:55 PM

    Has anyone gotten a working Apache or NGINX reverse proxy for vCenter 7.0?

    I am having the hardest time ever getting the SSO portion of the login working.

    I am able to use Apache to make public.vcenter.com/ui/ as internal.vcenter.com/ui/, which loads internal.vcenter.com/websso/SAML2/.../.... Once I log in with the SSO, it spits me back out to public.vcenter.com/ui/.../...

    The issue with this is I want to put a firewall on vCenter so that only the public.vcenter.com host is able to load internal.vcenter.com. So with the above workflow, when it redirects to websso, it would 404.

    Ideally I want this workflow:
    public.vcenter.com/ui/ -> public.vcenter.com/websso/SAML2/.../.... -> public.vcenter.com/ui/.../...


    Any ideas? Is there a way to pass the SSO logins in the URL maybe?

    Any help will be appreciated.
    I have this simple config for making it almost work in Apache:


    Listen 443
    <VirtualHost *:443>
        ServerName public.vcenter.com
        SSLEngine on
        SSLCertificateFile /usr/local/etc/apache24/certificate.pem
        SSLCertificateKeyFile /usr/local/etc/apache24/certificate.pem
        SSLCACertificateFile /usr/local/etc/apache24/certificate.pem

        # TLS towards the vCenter backend. Verification is disabled here, so the
        # proxy accepts any certificate presented as internal.vcenter.com; import
        # the vCenter CA and set SSLProxyVerify require once the flow works.
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        ProxyVia Full
        ProxyPreserveHost on
        # ProxyRequests must stay off: ProxyPass does not need it, and "on" turns
        # this vhost into an open forward proxy for anyone who can reach port 443.
        ProxyRequests off

        # The UI is plain HTTPS (wss:// is only for WebSocket upgrades), and the
        # Location block has to sit inside the VirtualHost to apply to it.
        <Location /ui>
            ProxyPass https://internal.vcenter.com/ui
            ProxyPassReverse https://internal.vcenter.com/ui
        </Location>
    </VirtualHost>



  • 2.  RE: Reverse Proxy for vCenter issues

    Posted Aug 24, 2021 06:32 AM

    Hello, hope you are doing fine.

    Why would you need to publish your vCenter over the internet?



  • 3.  RE: Reverse Proxy for vCenter issues

    Posted Aug 24, 2021 07:11 PM

    This is not for the open internet, but an open lab network. I want to expose various private network portals on a single web server. For example, I want the ESXi host portals on various private networks exposed alongside other tools like ELK, Splunk, etc. on my lab network, and secure it via Okta authentication so the correct people can use my tools.

    Regardless, even if it was to the open internet, it's my responsibility and choice.



  • 4.  RE: Reverse Proxy for vCenter issues

    Posted Aug 25, 2021 07:05 AM

    It's okay, I just wanted to understand.
    Exposing vCenter directly to the internet is not a good idea. 

    Up to my understanding:
    vCenter is designed to run as an internal service, so you always have one FQDN for the vCenter (let's say internal.vcenter.com).
    Internal API calls within the vCenter and its sub-components will use the internal.vcenter.com FQDN.

    What you can try is putting an HTTP redirect on the reverse proxy so that everything pointing to public.vcenter.com is redirected to internal.vcenter.com.

    That being said, I don't remember the exact setting

    Hope that works.



  • 5.  RE: Reverse Proxy for vCenter issues

    Posted Aug 25, 2021 06:42 PM

    Thanks for the reply. Yes, I am able to redirect internal.vcenter.com; my issue is I am unable to redirect internal.vcenter.com/websso/SAML, which handles the username/password to SAML token exchange. I need help from someone who knows how to modify the config I shared to also take everything after internal.vcenter.com and append it to public.vcenter.com/websso/SAML so that the reverse proxy works.



  • 6.  RE: Reverse Proxy for vCenter issues

    Posted Aug 26, 2021 05:36 PM

    I tried NGINX and I end up with the same result, where the SSO page is handled by the internal vCenter FQDN:

    public.vcenter.com/ui -> <WRONG> internal.vcenter.com/websso/SAML2/…/… -> public.vcenter.com/ui/…/…


    server {
        listen 9011 ssl http2;
        server_name public.vcenter.net;
        ssl_certificate /usr/home/user/certificate.pem;
        ssl_certificate_key /usr/home/user/certificate.pem;
        #rewrite ^/$ /ui permanent;

        location / {
            proxy_set_header Host "internal.vcenter.net";
            proxy_set_header X-Real-IP $remote_addr;
            # The backend certificate is not checked here; point
            # proxy_ssl_trusted_certificate at the vCenter CA and turn
            # verification on once the flow works.
            proxy_ssl_verify off;
            proxy_pass https://internal.vcenter.net;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_set_header Origin "https://internal.vcenter.net";
            # Rewrites the Location header of 3xx responses back to the public name.
            proxy_redirect https://internal.vcenter.net/ https://public.vcenter.net/;
        }

        location /websso/SAML2 {
            # sub_filter only sees uncompressed bodies, only text/html by default,
            # and replaces only the first match per response; widen all three so
            # the SAML form and its scripts are rewritten too.
            proxy_set_header Accept-Encoding "";
            sub_filter_types *;
            sub_filter_once off;
            sub_filter "internal.vcenter.net" "public.vcenter.net";
            proxy_set_header Host "internal.vcenter.net";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_verify off;
            proxy_pass https://internal.vcenter.net;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_ssl_session_reuse on;
            proxy_redirect https://internal.vcenter.net/ https://public.vcenter.net/;
        }
    }
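As an added example (not code from the thread), here is a small Python model of what the proxy's proxy_redirect and sub_filter rules have to achieve on the /ui -> websso/SAML2 -> /ui exchange, plus a check that no hop would still send the browser to the internal FQDN that the firewall rule is meant to block. The captured responses and the SAML path "example" are constructed, and the Content-Encoding check mirrors the fact that sub_filter cannot rewrite a gzipped body.

```python
import re
from urllib.parse import urlsplit

INTERNAL = "internal.vcenter.net"   # upstream FQDN as in the nginx config
PUBLIC = "public.vcenter.net"       # FQDN the proxy publishes

def rewrite_response(status, headers, body):
    """Model one proxied hop: proxy_redirect rewrites the Location header,
    sub_filter rewrites the body. Raises if the body arrived compressed,
    since sub_filter cannot see inside gzip (hence Accept-Encoding "")."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = out["Location"].replace(INTERNAL, PUBLIC)
    if out.get("Content-Encoding", "identity") != "identity":
        raise ValueError("compressed body cannot be rewritten by sub_filter")
    return status, out, body.replace(INTERNAL, PUBLIC)

def hosts_in_exchange(responses):
    """Every host the browser would be sent to across the exchange:
    redirect targets plus absolute URLs in form actions and links."""
    hosts = set()
    for _status, headers, body in responses:
        if "Location" in headers:
            hosts.add(urlsplit(headers["Location"]).hostname)
        for url in re.findall(r'(?:action|href)="(https?://[^"]+)"', body):
            hosts.add(urlsplit(url).hostname)
    return hosts

def leaks_internal_host(responses):
    """True if any hop would make the browser contact the internal FQDN,
    which the firewall rule described in the thread would turn into a 404."""
    return INTERNAL in hosts_in_exchange(responses)

# Constructed capture of the thread's workflow (/ui -> websso/SAML2 -> /ui)
# as the unproxied vCenter answers it: every hop names the internal FQDN.
CAPTURED = [
    (302, {"Location": f"https://{INTERNAL}/websso/SAML2/SSO/example?SAMLRequest=..."}, ""),
    (200, {"Content-Type": "text/html", "Content-Encoding": "identity"},
     f'<form method="post" action="https://{INTERNAL}/websso/SAML2/SSO/example">'
     f'<a href="https://{INTERNAL}/ui/">back</a></form>'),
    (302, {"Location": f"https://{INTERNAL}/ui/"}, ""),
]

def proxied_exchange(captured=CAPTURED):
    """The same exchange after the proxy's rewriting rules are applied."""
    return [rewrite_response(*hop) for hop in captured]

if __name__ == "__main__":
    print("unproxied leaks internal host:", leaks_internal_host(CAPTURED))
    print("hosts after proxy rewriting:", hosts_in_exchange(proxied_exchange()))
```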