
Proxmox - Nginx Reverse Proxy to Apache Container running Streamlit on Port for subdomain

# Proxmox Container Setup with Nginx Reverse Proxy, Apache, and Stunnel

This guide configures a Proxmox environment in which a container running Apache (with stunnel terminating SSL on a custom port) is reached through an Nginx reverse proxy on the Proxmox host and iptables NAT rules.

---

## Overview

- **Proxmox Host:**
  - Public IP: `74.91.24.10` on `vmbr0`.
  - Runs Nginx as a reverse proxy for HTTP (port 80).
  - Uses iptables NAT rules to forward traffic on custom ports (e.g. 31001) to containers.
- **Private Network (vmbr1):**
  - A dedicated internal bridge with IP `192.168.100.1/24`.
  - Containers attached to this bridge use private IPs.
- **Container:**
  - Assigned IP: `192.168.100.10/24` (with gateway `192.168.100.1`).
  - Runs Apache to serve web content.
  - Runs stunnel to handle SSL on port `31001`, forwarding to a local service (e.g., port `30000`).
  - Uses Certbot (via Apache or stunnel) for Let's Encrypt certificates.

---

## 1. Create a Private Bridge on Proxmox

1. **Log into the Proxmox Web UI** and navigate to **Datacenter > Node > System > Network**.
2. **Add a New Linux Bridge (`vmbr1`):**
   - **Name:** `vmbr1`
   - **IPv4/CIDR:** `192.168.100.1/24`
   - **Bridge Ports:** Leave empty (not attached to a physical NIC).
   - **Autostart:** Enabled

---

## 2. Configure the Container

In the container's network configuration (accessible via the Proxmox web interface or by editing `/etc/pve/lxc/<CTID>.conf`):

- **Network Interface (`net0`):**

  ```ini
  net0: name=eth0,bridge=vmbr1,firewall=1,gw=192.168.100.1,ip=192.168.100.10/24,hwaddr=XX:XX:XX:XX:XX:XX
  ```

---

## 3. Set Up NAT on the Proxmox Host

### 3.1 Enable IP Forwarding

Edit `/etc/sysctl.conf` and add or ensure:

```ini
net.ipv4.ip_forward=1
```

Then apply the changes:

```bash
sudo sysctl -p
```

### 3.2 Add iptables NAT Rules

Forward external traffic on port 31001 to the container:

```bash
sudo iptables -t nat -A PREROUTING -p tcp -i vmbr0 --dport 31001 -j DNAT --to-destination 192.168.100.10:31001
sudo iptables -A FORWARD -p tcp -d 192.168.100.10 --dport 31001 -j ACCEPT
```

### 3.3 Persist the iptables Rules

Install the `iptables-persistent` package:

```bash
sudo apt-get update
sudo apt-get install iptables-persistent
```

During installation, choose "Yes" to save the current IPv4/IPv6 rules.

Or manually save the rules:

```bash
sudo netfilter-persistent save
```

Rules will be stored in `/etc/iptables/rules.v4` (IPv4) and `/etc/iptables/rules.v6` (IPv6) and loaded on boot.
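The `iptables -A` commands in section 3.2 append a rule every time they are run, so re-running the procedure (or a boot script that repeats it) leaves duplicate DNAT and FORWARD entries in `rules.v4`. The script below is an added example, not part of the guide: it uses `iptables -C` to add each rule only when it is missing, and it audits an `iptables-save` file for duplicates without needing root. It assumes the guide's values (`vmbr0`, `192.168.100.10`, port `31001`), which can be overridden through environment variables; the embedded `rules.v4` text is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the guide): idempotent NAT rule management for the
# Proxmox host. Assumes the guide's values: external bridge vmbr0, container
# 192.168.100.10, forwarded port 31001. Override via environment variables.
EXT_IF="${EXT_IF:-vmbr0}"
CT_IP="${CT_IP:-192.168.100.10}"
PORT="${PORT:-31001}"

# Append an iptables rule only if it is not already present. "-C" asks the
# kernel whether an identical rule exists; "-A" is run only when it does not.
# $1 = table, $2 = chain, remaining arguments = match and target.
ensure_rule() {
  table="$1"; chain="$2"; shift 2
  if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    echo "present: -t $table $chain $*"
  else
    iptables -t "$table" -A "$chain" "$@"
    echo "added:   -t $table $chain $*"
  fi
}

# Install the DNAT and FORWARD rules from section 3.2 idempotently (needs root).
apply_port_forward() {
  ensure_rule nat PREROUTING -p tcp -i "$EXT_IF" --dport "$PORT" \
    -j DNAT --to-destination "$CT_IP:$PORT"
  ensure_rule filter FORWARD -p tcp -d "$CT_IP" --dport "$PORT" -j ACCEPT
}

# Audit helpers that read iptables-save text from stdin, so they can be run
# against /etc/iptables/rules.v4 without root. iptables-save writes "-m tcp"
# before "--dport", which is why the DNAT match starts at --dport.
# $1 = port, $2 = container IP. Prints how often the DNAT rule occurs.
count_dnat_rules() {
  grep -c -- "--dport $1 -j DNAT --to-destination $2:$1" || true
}
# Prints how often the FORWARD accept rule occurs (iptables-save writes the
# destination host as a /32 network).
count_forward_rules() {
  grep -c -- "^-A FORWARD -d $2/32 -p tcp -m tcp --dport $1 -j ACCEPT" || true
}
# Returns 0 when exactly one copy of each rule is present, 1 otherwise.
# $1 = port, $2 = container IP, $3 = path to an iptables-save file.
audit_rules_file() {
  d=$(count_dnat_rules "$1" "$2" < "$3")
  f=$(count_forward_rules "$1" "$2" < "$3")
  echo "dnat=$d forward=$f"
  [ "$d" -eq 1 ] && [ "$f" -eq 1 ]
}

# Constructed sample of a rules.v4 file in which the DNAT line was appended
# twice (the section 3.2 commands run on two occasions).
SAMPLE_RULES_V4='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 31001 -j DNAT --to-destination 192.168.100.10:31001
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 31001 -j DNAT --to-destination 192.168.100.10:31001
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.100.10/32 -p tcp -m tcp --dport 31001 -j ACCEPT
COMMIT'

case "${1:-audit}" in
  apply) apply_port_forward ;;
  audit) # Audit the live file when present, otherwise the constructed sample.
         if [ -r /etc/iptables/rules.v4 ]; then
           audit_rules_file "$PORT" "$CT_IP" /etc/iptables/rules.v4 || echo "duplicate or missing rules; fix with iptables -D / apply"
         else
           tmp=$(mktemp); printf '%s\n' "$SAMPLE_RULES_V4" > "$tmp"
           audit_rules_file "$PORT" "$CT_IP" "$tmp" || echo "sample has duplicate rules (expected for the demo)"
           rm -f "$tmp"
         fi ;;
esac
```

Run it as `sh nat_rules.sh audit` on the host to inspect the saved rules (it reports `dnat=2` on the sample), and as `sudo sh nat_rules.sh apply` to install the rules; a second `apply` reports both rules as `present` instead of appending them again.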

## 4. Configure Nginx Reverse Proxy on the Proxmox Host

Create a server block file for your domain:

1. Create the file:

   ```bash
   sudo nano /etc/nginx/sites-available/marina.flast.com.au
   ```

2. Insert the following configuration:

   ```nginx
   server {
       listen 80;
       server_name marina.flast.com.au;

       # Increase timeouts for larger responses (optional)
       proxy_connect_timeout 60s;
       proxy_send_timeout 60s;
       proxy_read_timeout 60s;

       location / {
           proxy_pass http://192.168.100.10;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       }
   }
   ```

3. Enable the site:

   ```bash
   sudo ln -s /etc/nginx/sites-available/marina.flast.com.au /etc/nginx/sites-enabled/
   sudo nginx -t && sudo systemctl reload nginx
   ```

**Note:** Traffic on port 31001 is handled by the NAT rules and bypasses Nginx entirely. No extra Nginx block is needed for that port unless you prefer central SSL termination on the host.

## 5. Configure Stunnel in the Container

In the container, edit your stunnel configuration file (e.g., `/etc/stunnel/streamlit.conf`):

```ini
[Engine-Flast]
accept = 0.0.0.0:31001
# Ensure this matches the destination service port in Apache or your application
connect = 30000
cert = /etc/letsencrypt/live/marina.flast.com.au/fullchain.pem
key = /etc/letsencrypt/live/marina.flast.com.au/privkey.pem
```

stunnel must be able to read `privkey.pem`; if it drops privileges with `setuid`/`setgid`, grant that user read access to the key rather than loosening permissions on the whole `/etc/letsencrypt` tree.

Restart stunnel to apply the changes (on Debian/Ubuntu the service unit is named `stunnel4`):

```bash
sudo systemctl restart stunnel
```

Verify that stunnel is listening (`ss -tulpn` works where `netstat` is not installed):

```bash
sudo netstat -tulpn | grep 31001
```

## 6. Configure Apache in the Container

Your Apache SSL configuration (e.g., `/etc/apache2/sites-available/000-default-le-ssl.conf`) should include your certificate paths and proxy settings. For example:

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/flast

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Proxy settings for API and Engine
    ProxyPass /api/generate_answers/ http://localhost:31000/generate_answers/
    ProxyPassReverse /api/generate_answers/ http://localhost:31000/generate_answers/
    ProxyPass /engine http://localhost:31000
    ProxyPassReverse /engine http://localhost:31000

    ServerName marina.flast.com.au
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/marina.flast.com.au/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/marina.flast.com.au/privkey.pem
</VirtualHost>
</IfModule>
```

Ensure the ports in your Apache config match the stunnel `connect` port (adjust 30000 vs. 31000 as necessary).
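The mismatch the previous sentence warns about (stunnel connecting to 30000 while Apache proxies to 31000) is easy to miss by eye. The script below is an added example, not part of the guide: it extracts the `connect` port from the stunnel section and the `localhost:<port>` targets from the Apache `ProxyPass` directives and reports whether they agree. The file paths are the ones the guide uses; the embedded configuration snippets are constructed copies of sections 5 and 6 so the script runs stand-alone when those files are absent.

```shell
#!/bin/sh
# Added example (not from the guide): check that the stunnel "connect" port
# and the backend ports in the Apache vhost agree.

# Print the port from the first "connect = ..." line of a stunnel config on
# stdin. Accepts both "connect = 30000" and "connect = 127.0.0.1:30000".
stunnel_connect_port() {
  sed -n 's/^[[:space:]]*connect[[:space:]]*=[[:space:]]*//p' | sed 's/.*://' | head -n 1
}

# Print the distinct localhost ports that ProxyPass directives on stdin forward
# to. ProxyPassReverse lines are skipped because "ProxyPass" must be followed
# by whitespace.
apache_backend_ports() {
  sed -n 's/^[[:space:]]*ProxyPass[[:space:]].*http:\/\/localhost:\([0-9][0-9]*\).*/\1/p' | sort -u
}

# Returns 0 when every Apache backend port equals the stunnel connect port.
# $1 = stunnel port, $2 = whitespace-separated Apache ports.
ports_consistent() {
  [ -n "$1" ] && [ -n "$2" ] || return 1
  for p in $2; do
    [ "$p" = "$1" ] || return 1
  done
  return 0
}

# Compare two files and print a verdict. $1 = stunnel conf, $2 = Apache vhost.
check_files() {
  s=$(stunnel_connect_port < "$1")
  a=$(apache_backend_ports < "$2" | tr '\n' ' ')
  if ports_consistent "$s" "$a"; then
    echo "OK: stunnel connect=$s matches Apache backend(s) $a"
  else
    echo "MISMATCH: stunnel connect=$s, Apache backend(s) $a"
    return 1
  fi
}

# Constructed snippets reproducing the guide's sections 5 and 6 (30000 vs 31000).
STUNNEL_CONF='[Engine-Flast]
accept = 0.0.0.0:31001
connect = 30000
cert = /etc/letsencrypt/live/marina.flast.com.au/fullchain.pem
key = /etc/letsencrypt/live/marina.flast.com.au/privkey.pem'
APACHE_CONF='<VirtualHost *:443>
    ProxyPass /api/generate_answers/ http://localhost:31000/generate_answers/
    ProxyPassReverse /api/generate_answers/ http://localhost:31000/generate_answers/
    ProxyPass /engine http://localhost:31000
    ProxyPassReverse /engine http://localhost:31000
</VirtualHost>'

# Use the real files inside the container when present, else the constructed sample.
if [ -r /etc/stunnel/streamlit.conf ] && [ -r /etc/apache2/sites-available/000-default-le-ssl.conf ]; then
  check_files /etc/stunnel/streamlit.conf /etc/apache2/sites-available/000-default-le-ssl.conf || true
else
  tmp_s=$(mktemp); tmp_a=$(mktemp)
  printf '%s\n' "$STUNNEL_CONF" > "$tmp_s"; printf '%s\n' "$APACHE_CONF" > "$tmp_a"
  check_files "$tmp_s" "$tmp_a" || true
  rm -f "$tmp_s" "$tmp_a"
fi
```

On the constructed sample the script prints `MISMATCH: stunnel connect=30000, Apache backend(s) 31000`, which is exactly the 30000-versus-31000 discrepancy in the guide's own snippets; after aligning the two ports it reports `OK`.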

## 7. Testing and Verification

- Test the SSL endpoint from inside the container. The certificate is issued for `marina.flast.com.au`, not `localhost`, so pin that name to the loopback address with `--resolve` (or add `-k` to skip verification for this local test only):

  ```bash
  curl -I --resolve marina.flast.com.au:31001:127.0.0.1 https://marina.flast.com.au:31001
  ```

- Verify Apache logs for proxied requests.
- Verify the NAT rules on Proxmox:

  ```bash
  sudo iptables -t nat -L -n -v
  ```

## 8. Certificates with Certbot (Optional)

If needed, use Certbot to obtain or renew certificates. For Apache in the container:

```bash
sudo certbot --apache -d marina.flast.com.au
```

Or, if you prefer to handle certificates on the Proxmox host using Nginx:

```bash
sudo certbot --nginx -d marina.flast.com.au
```

Ensure your domain's DNS points to `74.91.24.10`.

## Conclusion

This setup ensures:

- A dedicated private network (`vmbr1`) for container communication.
- The container uses a static private IP (`192.168.100.10`) with `192.168.100.1` as the gateway.
- NAT rules on the Proxmox host forward custom port traffic (e.g., 31001) to the container.
- Nginx on the Proxmox host handles domain-based routing for HTTP traffic.
- The container runs stunnel to manage SSL connections on port 31001 and Apache to serve content.
- iptables rules are made persistent using the `iptables-persistent` package.

Adjust any configuration parameters to match your specific environment and requirements. Happy hosting!
