GitHub user daviftorres edited a comment on the discussion: Nginx or Apache as a reverse proxy in front of CloudStack (including VNC console support)
Hey @bradh352 and @weizhouapache, I ran into an issue with Reverse Proxy and CloudStack SysVMs that hasn’t been mentioned yet.

When using Copy Template to make templates available in other Zones, the SSVM in the destination zone downloads the ISO/Template from the source zone over HTTP(s) using the `/copy/***` path.

<img width="1532" height="435" alt="image" src="https://github.com/user-attachments/assets/bb7827f2-46f7-4ea1-908f-0ef4df57c9c9" />

CloudStack automatically allows the internal SSVM IPs in `/var/www/html/copy/.htaccess`, but when a Reverse Proxy sits between zones, it breaks the trust chain. Since our zones are geographically separated, the SSVMs reach each other over the public internet through this proxy.

## Workaround

Following Lucian’s advice, we worked around the issue by editing `/opt/cloud/bin/setup/secstorage.sh` to allow the proxy’s IP, then restricting access on the proxy itself. For example:

```
location /copy {
    allow 100.100.100.100; # Remote Zone A
    allow 200.200.200.200; # Remote Zone B
    # More as needed
    deny all;
}
```

Even with the usual proxy headers:

```
proxy_pass https://$backend_ip:443;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```

…the SSVM still thinks the proxy is the requester, not the real SSVM behind it.

## Proposed Fix

A simple fix would be to update the SSVM’s Apache config to trust the proxy’s forwarded IP:

```
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1
RemoteIPTrustedProxy <your-nginx-ip>
```

This requires enabling Apache’s Remote IP module:

```
a2enmod remoteip
```

## Additionally

Today, the logs inside the SSVM will only show the IP of the Proxy and not the real one, which makes it hard to investigate issues and spot (then block) abuse/threats.

Sorry for the long explanation. Happy to clarify anything or discuss!
GitHub link: https://github.com/apache/cloudstack/discussions/11562#discussioncomment-15039176
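An added example, not part of the original comment and not CloudStack or Apache code: a simplified Python model of the right-to-left `X-Forwarded-For` resolution that the proposed `RemoteIPHeader` / `RemoteIPTrustedProxy` setup relies on, showing why the header is only believed when the connecting peer is the listed proxy. The proxy address `198.51.100.10` (standing in for `<your-nginx-ip>`), the client `203.0.113.9` and all function names are constructed for illustration; mod_remoteip's extra handling of private addresses is not modelled.

```python
import ipaddress

# Constructed sample values: the allow-list reuses the addresses from the nginx
# example in the post; 198.51.100.10 stands in for <your-nginx-ip>.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "198.51.100.10/32")]
ALLOWED_SSVMS = [ipaddress.ip_network(n) for n in ("100.100.100.100/32", "200.200.200.200/32")]


def _in(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def resolve_client_ip(peer, xff_header):
    """Return the effective client IP for a TCP connection from `peer`.

    The header is walked right to left. A hop is believed only if the address
    that reported it is a trusted proxy, so values a client put into the
    header itself are never reached.
    """
    client = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and _in(client, TRUSTED_PROXIES):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed hop: keep the last address that could be verified
    return str(client)


def copy_allowed(peer, xff_header):
    """Apply the /copy allow-list to the resolved client address."""
    return _in(ipaddress.ip_address(resolve_client_ip(peer, xff_header)), ALLOWED_SSVMS)
```

With `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` the proxy appends the address it actually saw, so a header value supplied by the client ends up to the left of it and is not used for the access decision or the log entry.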
