LXD behind a nginx reverse proxy (how?)


I’m trying following setup:

LXC CLIENT -----> nginx (reverse proxy) ------> lxd (either unix-socket or rest api)

Is there a way to set this up and if so, how?

Current state:

server {
        ssl on;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name some-test-host;

        ssl_certificate /etc/ssl/some-test-host/fullchain.pem;
        ssl_certificate_key /etc/ssl/some-test-host/privkey.pem;

        //some snippets configuring ssl + client certificate handling/validation (it's there and working, trust me)

        location / {
                proxy_pass https://some-intenral-lxd:8443;
                proxy_ssl_certificate /var/www/.config/lxc/client.crt;
                proxy_ssl_certificate_key /var/www/.config/lxc/client.key;
                # neither this nor http:://unix:/ socket is working...
                proxy_set_header Host $host;


#client: lxc remote add test some-test-host:443
#client: Certificate fingerprint: some-finger-print
#client: ok (y/n)? y
#client: Error: Failed to fetch https://some-test-host:443/1.0: 400 Bad Request

Or is this simply impossible, since the client only knows the protocols lxd/simplestream?

I think you need to search around Nginx reverse proxy RESTful API.
It can be done.

I notice that you set up http2. Are you sure that LXD supports that?

Also, you can use HAProxy for a TCP proxy.

you might try it with the stream module off nginx? They use that as well for openvpn behind nginx and seems to work. See : https://forum.nginx.org/read.php?11,260587

Hi simos

The rest api of lxd itself is working great using nginx as a reverse proxy. Didn’t played around much with it, but, this is trivia.

Here is the documentation for the http2 directive of nginx: http://nginx.org/en/docs/http/ngx_http_v2_module.html

HAProxy won’t help, since the question was specific about nginx.

Hi idef1x

The stream module of nginx sadly doesn’t support if-conditions based on ssl_*_ variables, which is essential to verify the client’s certificate based on the certs informations.

finally found the root problem… the daemon also allows connections without a client certificate, which some other components of the infrastructure don’t like…