d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
3f76bc950779f8c1a4403abddb952cdbce5fa420
proxmox/docs/04-configuration/NPMPLUS_CUSTOM_NGINX_CONFIG.md
defiQUG e4c9dda0fd
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
chore: update submodule references and documentation 
- Marked submodules ai-mcp-pmm-controller, explorer-monorepo, and smom-dbis-138 as dirty to reflect recent changes.
- Updated documentation to clarify operator script usage, including dotenv loading and task execution instructions.
- Enhanced the README and various index files to provide clearer navigation and task completion guidance.

Made-with: Cursor
2026-03-04 02:03:08 -08:00

2.8 KiB
Raw Blame History

NPMplus custom Nginx configuration

Purpose: Reference for editing proxy hosts in NPMplus when adding security headers or custom directives.
Important: Adding location '/' in custom config overwrites the proxy; use headers only or a custom '/' location as needed.

Proxy details as Nginx variables

In Custom Nginx Configuration for a proxy host, these variables are available:

Variable Meaning
$server Backend domain or IP (e.g. 192.168.11.140)
$port Backend port (e.g. 80)
$forward_scheme Scheme to backend: http or https
$forward_path Optional path forwarded to backend

Use them if you need to reference the proxy target in custom blocks.

Safe custom config (headers only)

To add security headers (including CSP with 'unsafe-eval' for ethers.js v5) without replacing the proxy, paste the following in Custom Nginx Configuration. Do not add a location '/' block here, or it will overwrite the proxy to the backend.

# Security Headers (unsafe-eval for ethers.js v5)
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'self' 'unsafe-inline' https: data:; font-src 'self' https: data:; img-src 'self' data: https: blob:; connect-src 'self' https: wss: ws:; media-src 'self' https: data:; object-src 'none'; base-uri 'self'; form-action 'self' https:; frame-ancestors 'none'; upgrade-insecure-requests" always;

These directives apply in the context where NPMplus injects them (typically the proxy location). If your NPMplus version supports more_set_headers (from the headers-more module), you can use that instead of add_header for more control.

Caveats (from NPMplus)

  • Adding location '/' in custom config overwrites the proxy configuration for that host. The request will no longer be forwarded to $server:$port.
  • If you need directives inside the '/' location, create a custom location for '/' in the UI (e.g. “Custom locations” → add location path /) instead of putting location / { ... } in the custom Nginx snippet.
  • For headers only, prefer the snippet above (or more_set_headers if available); no location block is needed.

Example use

  • Explorer (explorer.d-bis.org): Proxy target http://192.168.11.140:80. Pasting the security-headers block above into “Custom Nginx Configuration” adds CSP and other headers without changing the proxy. Backend (VMID 5000) still serves the custom frontend and APIs.
Reference in New Issue View Git Blame Copy Permalink