Proxmox is behind a reverse proxy, so I want to turn off TLS. How?

Just want to find out how I can do this. My Nginx reverse proxy is already doing TLS for me with multiple domains.

Not possible. PVE uses TLS (with certificate pinning) for intra-cluster request proxying as well, and this is not optional/configurable.

Edit: also, there should be no harm except for a slight overhead if you reverse-proxy to a (cluster of) TLS-enabled host(s)? It's not like you are sending gigabytes of data to/from the PVE host via the API or web interface, and you probably don't have thousands of concurrent sessions either. And IMHO intra-datacenter traffic should be encrypted as much as possible as well, just like "public" traffic - you never know who might listen in on your supposedly "private" traffic.
 
Is spirit right that reverse-proxying will break websockets for the console?
 
Hey guys! Anyone who can describe how you did this with haproxy?
 
Hi,
I don't terminate TLS with haproxy.
This is a working haproxy config for me (with my own script to regenerate the Let's Encrypt certificate, all nodes in one certificate).
Code:
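# TLS passthrough: the encrypted stream is forwarded to the nodes unmodified
frontend pve_frontend
   bind *:8006
   mode tcp
   # httpclose and reqadd are HTTP-mode directives; they cannot act on
   # passed-through TLS traffic in mode tcp (reqadd was removed in HAProxy 2.1)
   option httpclose
   option tcplog
   reqadd X-Forwarded-Proto:\ https
   default_backend pve-server
   # timeout without a unit is in milliseconds
   timeout client  65000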

frontend http_frontend
   bind *:80
   mode http
   option httplog
   acl acl_pve   hdr(host) -i pve.domain.org
   acl acl_pve   hdr(host) -i pve-a.domain.org
   acl acl_pve   hdr(host) -i pve-b.domain.org
   acl acl_pve   hdr(host) -i pve-c.domain.org
   acl acl_letsencrypt url_beg /.well-known/acme-challenge/
   use_backend pve-http     if acl_pve
   # backend web-srv-http is not part of the posted excerpt
   use_backend web-srv-http if acl_letsencrypt !acl_pve

backend pve-http
   mode http
   server pve 192.168.200.11:8080

backend pve-a-http
   mode http
   server pve-a 192.168.200.11:80

backend pve-b-http
   mode http
   server pve-b 192.168.200.12:80

backend pve-c-http
   mode http
   server pve-c 192.168.200.13:80

backend pve-server
   mode tcp
   balance roundrobin
   timeout server  65000
   stick-table type ip size 200k expire 60m
   stick on src
   server pve-a 192.168.200.11:8006
   server pve-b 192.168.200.12:8006
   server pve-c 192.168.200.13:8006
Udo
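 
Added example, not part of any post in this thread and not Proxmox's or the poster's own configuration: the alternative to the TCP passthrough above, where HAProxy terminates the client's TLS and opens a new, verified TLS connection to each node, so the hop to PVE stays encrypted as the earlier answer recommends. The certificate and CA file paths are assumptions; the CA file is assumed to be a copy of the cluster CA (/etc/pve/pve-root-ca.pem on a node), with the nodes still serving their cluster-issued certificates. Node IPs and the host name are reused from the config above.

```haproxy
# Added example. File paths under /etc/haproxy are assumptions.
defaults
   mode http
   timeout connect 5s
   timeout client  65s
   timeout server  65s
   # Applies once a connection has been upgraded (websocket console sessions)
   timeout tunnel  1h

frontend pve_https
   # Client-facing certificate: certificate chain and private key in one PEM file
   bind *:443 ssl crt /etc/haproxy/certs/pve.domain.org.pem
   http-request set-header X-Forwarded-Proto https
   default_backend pve_tls

backend pve_tls
   # Same client IP is sent to the same node
   balance source
   # "ssl" re-encrypts the hop to the node. "verify required" refuses a node
   # whose certificate does not chain to the CA in ca-file, instead of
   # trusting whatever answers on the LAN address.
   default-server ssl verify required ca-file /etc/haproxy/pve-root-ca.pem check
   server pve-a 192.168.200.11:8006
   server pve-b 192.168.200.12:8006
   server pve-c 192.168.200.13:8006
```

"verify required" checks the certificate chain only; adding "verifyhost <name>" to each server line also checks the name in the node's certificate. If the nodes serve a publicly issued certificate instead, ca-file has to point at the CA bundle that issued it.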