HAProxy in front of web interface

Feb 8, 2023
Is it possible to put HAProxy (or another load balancer) in front of the web interface (port 8006) so that the web interface will be reachable from a common domain name (even when one of the nodes is rebooting)?
 
Yes. We have done it. HAProxy runs in a small VM that is made HA through Proxmox itself.

The configuration looks like this:

Code:
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log    global
    mode    http
    option    httplog
    option    dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend web
    bind *:443
    mode tcp
    option tcplog
    default_backend pveweb

backend pveweb
    mode tcp
    balance source
    server pve55 192.0.2.5:8006 check
    server pve56 192.0.2.6:8006 check
    server pve57 192.0.2.7:8006 check
    server pve58 192.0.2.8:8006 check
    server pve59 192.0.2.9:8006 check
    server pve60 192.0.2.10:8006 check
    server pve61 192.0.2.11:8006 check
    server pve62 192.0.2.12:8006 check

frontend spice
    bind *:3128
    mode tcp
    option tcplog
    default_backend pvespice

backend pvespice
    mode tcp
    balance source
    server pve55 192.0.2.5:3128 check
    server pve56 192.0.2.6:3128 check
    server pve57 192.0.2.7:3128 check
    server pve58 192.0.2.8:3128 check
    server pve59 192.0.2.9:3128 check
    server pve60 192.0.2.10:3128 check
    server pve61 192.0.2.11:3128 check
    server pve62 192.0.2.12:3128 check
 
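An added example, not part of the original posts or of HAProxy itself: a Python sketch that reads a configuration laid out like the one above and reports, per frontend, which addresses it binds, which nodes it forwards to, and whether the frontend and backend modes still agree once the `mode http` inherited from `defaults` is taken into account. The names `parse`, `audit` and `SAMPLE_CFG` are hypothetical, and the sample input is constructed.

```python
import re
# Constructed sample cut down from the posted config; spice drops "mode tcp" and "check" on purpose.
SAMPLE_CFG = """\
defaults
    mode http
frontend web
    bind *:443
    mode tcp
    default_backend pveweb
backend pveweb
    mode tcp
    server pve55 192.0.2.5:8006 check
frontend spice
    bind *:3128
    default_backend pvespice
backend pvespice
    mode tcp
    server pve55 192.0.2.5:3128
"""
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse(cfg):
    """Map (section kind, name) to its directives, each split into words."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := SECTION.match(line):
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif line and current is not None:
            current.append(line.split())
    return sections

def audit(cfg):
    """Per frontend: bind addresses, backend targets and findings."""
    sections = parse(cfg)
    def first(key, kind, name, default=None):
        return next((d[1] for d in sections.get((kind, name), []) if d[0] == key and len(d) > 1), default)
    inherited = first("mode", "defaults", "", "tcp")  # an unset mode means tcp in HAProxy
    report = []
    for name in [n for (k, n) in sections if k == "frontend"]:
        binds = [d[1] for d in sections[("frontend", name)] if d[0] == "bind" and len(d) > 1]
        backend = first("default_backend", "frontend", name)
        fe, be = (first("mode", k, n, inherited) for k, n in (("frontend", name), ("backend", backend)))
        servers = [d for d in sections.get(("backend", backend), []) if d[0] == "server" and len(d) > 2]
        findings = [f"{b} listens on all interfaces" for b in binds if b.startswith(("*:", ":", "0.0.0.0:"))]
        findings += [f"mode mismatch: frontend {fe}, backend {be}"] if fe != be else []
        findings += [f"server {s[1]} has no health check" for s in servers if "check" not in s[3:]]
        report.append({"frontend": name, "binds": binds, "targets": [s[2] for s in servers], "findings": findings})
    return report
```

This only reads the structure of the file; `haproxy -c -f <file>` remains the syntax check.
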
Hi @gurubert, I need your help :) on something similar.

I have copied your haproxy config to mine and it looks like this:
Code:
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend web
        bind *:443
        mode tcp
        option tcplog
        default_backend pveweb

backend pveweb
        mode tcp
        balance source
        server pve007 192.168.1.99:8006 check

frontend spice
        bind *:3128
        mode tcp
        option tcplog
        default_backend pvespice

backend pvespice
        mode tcp
        balance source
        server pve007 192.168.1.99:3128 check

My haproxy is version 2.4.25.
The web interface is working but Spice is not.
I have the router pointing 443 and 80 to haproxy. I have also tested port 3128 from the router to the Proxmox server and to the haproxy server, but none of these tests worked.

Could you give me some help on what could be wrong here? (By the way, this is for accessing SPICE machines from the internet; locally it works.)
 
