Turns out that if you run Proxmox behind a reverse proxy like nginx, you actually do need https. So if you get an error like “Connection error 401, Invalid Ticket”, then this is the reason.

There’s a good configuration on cipherli.st, just be careful to disable HSTS if that’s not your sorta thing.

For some reason, the ssl_session_tickets off; option that cipherli.st provides doesn’t break things.

Oh well, if it works, it works.