PROXMOX Cluster GUI behind HA Layer 4 Loadbalancer and Reverse Proxy

[stefan felder]

Hi,

I'm new to the PROXMOX system, coming from VMware, XCP-ng and Harvester, trying to get my feet wet with some HA fun.
I've set up a PROXMOX Cluster with 3 Nodes and CEPH, working great.
Now I'm trying to access the GUI loadbalanced of all nodes via a single URL.

I have 2 NGINX webservers installed as layer-4 loadbalancers (config below) with a keepalieved vIP accessed internally by a NGINX Proxy Manager and externally by a Cloudflare Tunnel.

If I hit the vIP of the loadbalancers I can access the PROXMOX GUI and the loadbalancing does work.
If I setup the NGINX Proxy Manager to redirect to a single node IP i can access the PROXMOX GUI.
If I setup the NGINX Proxy Manager to redirect to the loadbalancers vIP, i cannot access the GUI, getting a ERR_CONNECTION_RESET.

Has anyone else encountered the same issue, trying to get the GUI working behind a proxy and loadbalancer and has a fix for me?

Thanks in advance.
Stefan

NGINX.conf

load_module /usr/lib/nginx/modules/ngx_stream_module.so;
worker_processes 4;
worker_rlimit_nofile 40000;

events {
        worker_connections 8192;
}

stream {
    upstream proxmox_servers_https {
        least_conn;
        server 192.168.178.151:8006 max_fails=3 fail_timeout=5s;
        server 192.168.178.152:8006 max_fails=3 fail_timeout=5s;
        server 192.168.178.153:8006 max_fails=3 fail_timeout=5s;
    }
    server {
        listen 8006;
        proxy_pass proxmox_servers_https;
    }
}

 

[Robert.H]

Probably the same answer as here: https://forum.proxmox.com/threads/proxmox-ui-caddy-and-reverse-proxy.83198/
You need to deal with the self-signed certificate proxmox generated or add a valide certificate.
And you most likely will need ip_hash instead of least_conn for the load balancing algorythm or will have issues with re-authentication and console/vnc sessions.
https://nginx.org/en/docs/http/ngx_...6396.1691382376-1220408361.1691382376#ip_hash
Cheers