Changing the default HTTP(s) Reverse Proxy Ports on ESXi 8.0

03.22.2023 by William Lam // 7 Comments

The process of changing the default ports for the ESXi Reverse Proxy service has always been pretty straightforward, which I had also shared back in 2015 HERE. While most customers stick with the default configuration (80 for HTTP and 443 for HTTPS), we do have some customers that need to change these ports to meet certain organizational security and/or compliance requirements.

Disclaimer: VMware does not officially support modifying the default HTTP/HTTPS ports on an ESXi host.

I recently came across a customer report where the previous method for changing the ESXi Reverse Proxy ports on an 8.0 host no longer worked, and the only thing that was shared was that the user could no longer run ESXCLI directly within the ESXi Shell, which I thought was a strange observation.

I deployed the latest ESXi 8.0b as a Nested ESXi VM and went through the instructions I had outlined in my blog post HERE, changing the HTTPS port from 443 to 4444, which was the setup the user was looking to do, and I ran into the exact same issue. At first, I thought maybe we actually no longer support this capability and decided to quickly test by using the remote version of ESXCLI, which allows you to specify a port as part of the connection, and it failed with the same error.

UPDATE (07/31/23) - For ESXi 8.0 Update 1 instructions, please refer to this blog post HERE.

I first took a look at the ESXi VMkernel log (/var/log/vmkernel.log) and immediately I saw that there was an issue with the configuration change and that it was being blocked by the VMkernel with the following error message:

rhttpproxy: running in rhttpproxyDom(68): ipAddr = ::, port = 4444: Access denied by vmkernel access control policy

While I thought the ESXi Reverse Proxy service had successfully restarted, it had in fact failed to bind to the new port and thus never started. This would explain why the local ESXCLI command was unable to connect: the reverse proxy service was actually down.
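To confirm this failure mode from the log rather than from ESXCLI's connection error, the following added example (not code from the original post) pulls the domain, address and port out of each denial line. The sample input is constructed around the message quoted above; the timestamp prefixes and the two unrelated lines are invented.

```shell
#!/bin/sh
# Added example, not from the original post.
DENY_MSG='Access denied by vmkernel access control policy'

# Constructed sample input: the denial line quoted in the post plus two
# made-up neighbours. The timestamp prefixes are invented for illustration.
sample_log() {
    cat <<'EOF'
2023-03-22T10:00:01Z example: unrelated constructed line
2023-03-22T10:00:02Z rhttpproxy: running in rhttpproxyDom(68): ipAddr = ::, port = 4444: Access denied by vmkernel access control policy
2023-03-22T10:00:03Z example: another unrelated constructed line
EOF
}

# Read log text on stdin; print "domain address port" for every bind
# that the VMkernel access control policy refused.
find_denied_binds() {
    grep -F "$DENY_MSG" | sed -n \
        's/.*running in \([A-Za-z0-9_]*\)([0-9]*): ipAddr = \([^,]*\), port = \([0-9]*\): Access denied.*/\1 \2 \3/p'
}

# Exit 0 when the named security domain was refused at least one bind.
domain_was_denied() {
    find_denied_binds | awk -v d="$1" '$1 == d { hit = 1 } END { exit !hit }'
}

# Stand-alone run against the constructed sample.
# On a host: find_denied_binds < /var/log/vmkernel.log
sample_log | find_denied_binds
```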


The error message jogged my memory a bit, or at least gave me a hint, as I vaguely recall seeing some security policy commands within ESXCLI. Long story short, since this was not a default configuration, the new ESXi Security Domain Enforcement policy had prevented the binding of the new port. The workaround was straightforward after a quick test.

Step 1 - If you already made the change, you can use localcli (which bypasses hostd) to disable the enforcement policy for the reverse proxy service, or you can use ESXCLI to do that before making any changes to the reverse proxy configuration file:

esxcli system secpolicy domain set -n rhttpproxyDom -l disabled

Step 2 - Edit the reverse proxy configuration file (/etc/vmware/rhttpproxy/config.xml), if you have not already, and then start the service by running the following command:

/etc/init.d/rhttpproxy start

Confirm that the reverse proxy service is now running with the new port by checking its status:

/etc/init.d/rhttpproxy status

Step 3 - Finally, re-enable the default security policy for the reverse proxy service by setting it back to the enforcing value with the following command:

esxcli system secpolicy domain set -n rhttpproxyDom -l enforcing
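Steps 1 to 3 combined into one function, so that enforcement is restored even when the service fails to start. This is an added example, not code from the original post; the overridable ESXCLI and RHTTPPROXY_INIT variables, the function names and the return codes are assumptions of the example, and it assumes the init script's exit status reflects the result.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1-3 as one function.
# ESXCLI and RHTTPPROXY_INIT are overridable (an assumption of this example).
# Set ESXCLI=localcli when the reverse proxy is already down, since the post
# notes that localcli bypasses hostd.
ESXCLI="${ESXCLI:-esxcli}"
RHTTPPROXY_INIT="${RHTTPPROXY_INIT:-/etc/init.d/rhttpproxy}"
DOMAIN="rhttpproxyDom"

set_domain_level() {
    $ESXCLI system secpolicy domain set -n "$DOMAIN" -l "$1"
}

# Return codes (hypothetical, chosen for this example):
#   0 ok, 1 could not disable, 2 start failed,
#   3 status check failed, 4 could not restore enforcing.
start_proxy_then_enforce() {
    # Step 1: relax the policy for this one domain only.
    set_domain_level disabled || return 1

    # Step 2: config.xml must already carry the new port.
    rc=0
    if ! $RHTTPPROXY_INIT start; then
        rc=2
    elif ! $RHTTPPROXY_INIT status; then
        rc=3
    fi

    # Step 3: runs on every path, so a failed start never leaves
    # the domain disabled.
    if ! set_domain_level enforcing; then
        echo "WARNING: $DOMAIN is still disabled" >&2
        return 4
    fi
    return "$rc"
}

# Only touch the host when asked to explicitly.
if [ "${1:-}" = "--run" ]; then
    start_proxy_then_enforce
fi
```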


Categories // Automation, ESXi, vSphere 8.0 Tags // ESXi 8.0, reverse proxy

Comments

  1. Gbmaryland says

    03/22/2023 at 9:56 am

    Out of curiosity William, are there any special ports that need to be open when attempting to use the remote client to connect to a guest as opposed to the web client?

    What are the things I noticed recently was that we have a VPN into the environment we only pass 80/443, and we run into connection issues when trying to use the standalone client…

    • Will says

      03/22/2023 at 10:47 am

      902 is typically required

  2. Mayank Kailash Phirke says

    03/22/2023 at 8:06 pm

    Why do we use proxy?

  3. Florin Petrescu says

    03/23/2023 at 12:30 pm

    Where is the article:
    https://williamlam.com/2023/03/nfs-multi-connections-in-vsphere-8-0-update-1.html

    • William Lam says

      03/24/2023 at 5:40 am

      There was some confusion w/PM, so it was un-published. I have just re-published it, same content.

  4. lclancey says

    04/18/2023 at 12:27 am

    However, after rebooting ESXi 8.0, rhttpproxy still cannot work; I have to do steps 1-3 over again.
    Is it OK to just leave rhttpproxyDom disabled?

  5. SilentT says

    07/18/2023 at 1:32 am

    Not working in 8U1; the config file doesn't exist, and when I created it the config is not taken into account, same with secpolicy before or after.
