Best‑practice for exposing PMG GUI + Quarantine via HAProxy (TLS termination or passthrough)?

Feb 21, 2023
Hi everyone,

I’m trying to correctly expose the Proxmox Mail Gateway (PMG) 9.0.2 web GUI and the end‑user quarantine interface via HAProxy on port 443, but I’m struggling to find a clean, recommended way to do this.

My setup:

  • PMG runs internally at: 192.168.1.3:8006 (I understand 8006 is hard‑coded for the GUI).
  • HAProxy sits in my DMZ as a reverse proxy.
  • Public hostname: example-gateway.example.com → HAProxy.
  • Goal: Users should access the quarantine at:
    https://example-gateway.example.com
Issues I'm running into:

  1. HAProxy warns that my HTTP rules are ignored:

    [WARNING] : 'http-request' rules ignored for backend 'pmg_gui' as they require HTTP mode.
    I’m unsure whether the backend for PMG should run in HTTP mode (for TLS termination) or TCP mode (for TLS passthrough).
  2. I also get:

    missing timeouts for backend 'pmg_gui'
    even when I try to set them in the UI.
  3. I’d like to support either:
    • TLS termination in HAProxy (with Let's Encrypt on the edge), or
    • TLS passthrough, where PMG presents its own certificate.
    • But I can’t find clear PMG‑specific guidance on which method is recommended for the GUI + quarantine.
  4. I’m also unsure whether the following lines should be placed in the backend, and whether they are even correct for PMG behind HAProxy:

    server pmg1 192.168.1.3:8006 ssl verify none
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host example-gateway.example.com
My questions to the PMG team/community:

  1. What is the recommended mode for exposing PMG behind HAProxy?
    • TLS termination (mode http)
    • TLS passthrough (mode tcp)
    • or does PMG work equally well with both?
  2. Does anyone have a known‑good HAProxy configuration example for publishing the PMG GUI and quarantine on port 443?
  3. How should the quarantine host and port be configured in PMG when it’s accessed externally through 443 instead of 8006?
    (I’m aware that host/port can be adjusted in /etc/pmg/pmg.cfg → [spamquar], but I’d like to confirm the correct method.)
  4. Is there an official recommendation or best‑practice from Proxmox for placing PMG behind a reverse proxy?
Thanks in advance for any advice or working examples!
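
The two HAProxy warnings quoted above come from the proxy mode and from unset timeouts. The following haproxy.cfg sketch is an added example, not part of the original post and not an official Proxmox configuration; it shows both modes side by side. The certificate path, the CA file path and the section names other than `pmg_gui` are assumptions.

```haproxy
# Added example. Paths marked "assumed" are placeholders, not values from the post.
defaults
    # Setting client/connect/server timeouts removes the "missing timeouts" warning.
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# ---- Option A: TLS termination at HAProxy (mode http) ----
frontend pmg_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example-gateway.example.com.pem   # assumed path
    default_backend pmg_gui

backend pmg_gui
    # http-request rules are only evaluated in HTTP mode; in "mode tcp" HAProxy
    # ignores them and prints the 'http-request' rules ignored warning.
    mode http
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host example-gateway.example.com

    # Weak: re-encrypts the DMZ-to-PMG hop but accepts any certificate,
    # so an on-path host between HAProxy and PMG is not detected.
    # server pmg1 192.168.1.3:8006 ssl verify none

    # Stricter: validate PMG's certificate chain against a CA file
    # that contains the issuer of the certificate PMG presents.
    server pmg1 192.168.1.3:8006 ssl verify required ca-file /etc/haproxy/pmg-ca.pem   # assumed path

# ---- Option B: TLS passthrough (mode tcp) ----
# Enable only one option: both frontends bind :443.
# HAProxy forwards the encrypted stream untouched, so PMG presents its own
# certificate to the browser and no http-request rules or X-Forwarded-*
# headers are possible in this mode.
frontend pmg_tls_passthrough
    mode tcp
    bind :443
    default_backend pmg_gui_tcp

backend pmg_gui_tcp
    mode tcp
    server pmg1 192.168.1.3:8006 check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file and reports any remaining mode or timeout warnings before a reload.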