proxmox UI, Caddy and reverse proxy

A

ayo91

New Member
Jan 23, 2021
10
2
3
33
I use Caddy Server as reverse proxy in my local network for avoid use specify ports in each of my applications. I have the solution working for all my network except for promox. When open the UI using https://proxmox.lan it shows me an error 502. Any idea? I have several other apps with the same setup and everything works well. It has to be something related to Proxmox...

Caddy config:

proxmox.lan:443 {
reverse_proxy {
to 192.168.1.200:8006
}
}

Any idea?
 
ayo91 said:
I use Caddy Server as reverse proxy in my local network for avoid use specify ports in each of my applications. I have the solution working for all my network except for promox. When open the UI using https://proxmox.lan it shows me an error 502. Any idea? I have several other apps with the same setup and everything works well. It has to be something related to Proxmox...

Caddy config:

proxmox.lan:443 {
reverse_proxy {
to 192.168.1.200:8006
}
}

Any idea?
Click to expand...
Hi! Have you been able to configure caddy to work with proxmox? I don't get any errors at all, the page with proxmox is just blank.
 
Hi,

I have only registered in order to post my solution to the problem. The working entry in my Caddy config file is as follows:

proxmox.lan {
reverse_proxy 192.168.1.200:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
 
  • Like
Reactions: ayo91
oherold said:
Hi,

I have only registered in order to post my solution to the problem. The working entry in my Caddy config file is as follows:

proxmox.lan {
reverse_proxy 192.168.1.200:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
Click to expand...

Thnx! This did it!
 
oherold said:
Hi,

I have only registered in order to post my solution to the problem. The working entry in my Caddy config file is as follows:

proxmox.lan {
reverse_proxy 192.168.1.200:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
Click to expand...
Amazing! It worked like a charm. Without user Nginx_Proxy. Only caddy configuration
 
stuif1982 said:
Thnx! This did it!
Click to expand...
I noticed this is not completely working in a cluster:

The node which my domain is proxying to is working. But on the others nodes added to the cluster (and so also have other IP-addresses) the consoles stay blank.
 
  • Like
Reactions: eivamu
stuif1982 said:
I noticed this is not completely working in a cluster:

The node which my domain is proxying to is working. But on the others nodes added to the cluster (and so also have other IP-addresses) the consoles stay blank.
Click to expand...

I ran into problems with Proxmox clusters on Caddy too. This was especially apparent when trying to connect to consoles via noVNC. I think I fixed it by selecting a correct load balancing rule to make sure that the client stays on the same backend server.

Here's my working config extracted from my Caddyfile:

Code: 
proxmox.domain.com {
    reverse_proxy * {
        to server01:8006
        to server02:8006
        to server03:8006

        lb_policy ip_hash     # Makes backend sticky based on client ip
        lb_try_duration 1s
        lb_try_interval 250ms

        health_uri /          # Backend health check path
        # health_port 80      # Default same as backend port
        health_interval 10s
        health_timeout 2s
        health_status 200

        transport http {
            tls_insecure_skip_verify
        }
    }
}

Caddy 2.6.2 on Ubuntu 22.04 LTS.
Proxmox GUI 7.2-11.
 
Last edited:
  • Like
Reactions: Denham and billthe4th
Is using tls_insecure_skip_verify advised from a security standpoint? If not, does anyone know another workaround to this problem?
 
kimmer2k said:
Is using tls_insecure_skip_verify advised from a security standpoint? If not, does anyone know another workaround to this problem?
Click to expand...
It does enable a man-in-the-middle attack as the Caddy server will accept any certificate from the backend server(s), but assuming Caddy and Proxmox are on the same LAN, or even the same machine, I'd say the risk is minimal.

If you want to avoid using that option, you've got to make Caddy trust the certificate that Proxmox is providing, either by adding your PVE root cert to the Caddy server's trusted root store, or by adding it to the config something like this (stealing eivamu's example):

Code: 
proxmox.domain.com {
    reverse_proxy * {
        to server01:8006
        to server02:8006
        to server03:8006

        lb_policy ip_hash     # Makes backend sticky based on client ip
        lb_try_duration 1s
        lb_try_interval 250ms

        health_uri /          # Backend health check path
        # health_port 80      # Default same as backend port
        health_interval 10s
        health_timeout 2s
        health_status 200

        transport http {
            tls_trusted_ca_certs /etc/pve/pve-root-ca.pem # Path to PVE root cert
        }
    }
}

Or you could make PVE use a publicly trusted CA signed cert through the ACME challenge options available in Node -> System -> Certificates.
 
  • Like
Reactions: Denham
billthe4th said:
It does enable a man-in-the-middle attack as the Caddy server will accept any certificate from the backend server(s), but assuming Caddy and Proxmox are on the same LAN, or even the same machine, I'd say the risk is minimal.

If you want to avoid using that option, you've got to make Caddy trust the certificate that Proxmox is providing, either by adding your PVE root cert to the Caddy server's trusted root store, or by adding it to the config something like this (stealing eivamu's example):

Code: 
proxmox.domain.com {
    reverse_proxy * {
        to server01:8006
        to server02:8006
        to server03:8006

        lb_policy ip_hash     # Makes backend sticky based on client ip
        lb_try_duration 1s
        lb_try_interval 250ms

        health_uri /          # Backend health check path
        # health_port 80      # Default same as backend port
        health_interval 10s
        health_timeout 2s
        health_status 200

        transport http {
            tls_trusted_ca_certs /etc/pve/pve-root-ca.pem # Path to PVE root cert
        }
    }
}

Or you could make PVE use a publicly trusted CA signed cert through the ACME challenge options available in Node -> System -> Certificates.
Click to expand...

Thanks for this, I was able to figure out adding the pve cert, but didn't think of making it a public trusted CA as an even simpler way!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back