Turns out that if you run Proxmox behind a reverse proxy like nginx, you actually do need https. So if you get an error like “Connection error 401, Invalid Ticket”, then this is the reason.
There’s a good configuration on cipherli.st, just be careful to disable HSTS if that’s not your sorta thing.
For some reason, the
ssl_session_tickets off; option that cipherli.st provides doesn’t break things.
Oh well, if it works, it works.