[SOLVED] Proxmox VNC behind HAProxy

Zeash

Hi, I'm trying to set up HAProxy (v2.6.12) as a reverse proxy for 2 Proxmox VE servers (v8.1.3).

The web UI works fine, but connections to noVNC consoles break randomly, sometimes every ~15 seconds, sometimes every minute or so, sometimes 10 times over the course of 2 seconds. It's incredibly inconsistent.

The current HAProxy config looks like this:

Code:
global
  log stdout syslog
 
defaults
  log global
  timeout client 300s
  timeout server 300s
  timeout connect 5s
  timeout http-request 5s

frontend http_front
  bind :80
  mode http
  option httplog
  redirect scheme https code 301 if !{ ssl_fc }

frontend https_front
  bind 192.168.100.20:443 ssl crt /etc/haproxy/certs
  mode http
  option httplog
  http-request redirect location https://%[hdr(host)].local.domain.com%[pathq] if !{ hdr_sub(host) -i local.domain.com }
  ...
  use_backend pve if { hdr(host) -i pve.local.domain.com }

backend pve
  mode http
  balance roundrobin
  option http-server-close
  cookie SERVER insert indirect nocache
  option forwardfor
  timeout tunnel 1h
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  server pve-0 192.168.100.40:8006 ssl verify none check port 8006 inter 5s rise 2 fall 2 cookie pve-0
  server pve-1 192.168.100.41:8006 ssl verify none check port 8006 inter 5s rise 2 fall 2 cookie pve-1

...

If the backend section looks cluttered it's because I tried many different solutions, but to no avail. The cookies are definitely necessary, as everything breaks without them.

TIA. Any help is much appreciated. If you need any more info just ask.
 
It seems to have been a hardware fault of the HAProxy host's SSD. My bad for not realizing that!

For anyone reading this in the future, the cookie-related settings are the only important bits for making the web UI and noVNC work.
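
The backend from the first post reduced to the cookie persistence settings, with the `verify none` server lines shown beside a certificate-validating variant. This is an added example, not part of the original posts; the `ca-file` path, the `httponly`/`secure` cookie flags and the assumption that both nodes' certificates chain to the CA(s) in that file are not from the thread.

```haproxy
# Added example, not the original poster's configuration.
# Addresses and server names are from the thread; the ca-file path is an assumption.
backend pve
  mode http
  balance roundrobin

  # Cookie-based persistence: HAProxy sets a SERVER cookie naming the node
  # that answered the first request and sends later requests from the same
  # browser back to that node.
  #   insert   - HAProxy adds the cookie itself
  #   indirect - the cookie is removed before the request reaches the node
  #   nocache  - responses that carry the cookie are tagged non-cacheable
  #   httponly, secure - added hardening (assumption, not in the posted config)
  cookie SERVER insert indirect nocache httponly secure

  # Applies once a connection has been upgraded (the noVNC WebSocket).
  timeout tunnel 1h

  # As posted: traffic to the node is encrypted, but the node certificate is
  # not validated, so HAProxy would accept any certificate on that address.
  #   server pve-0 192.168.100.40:8006 ssl verify none check cookie pve-0
  #   server pve-1 192.168.100.41:8006 ssl verify none check cookie pve-1

  # Validating variant: the chain must lead to a CA in ca-file.
  # Assumption: the file holds the CA certificate(s) that issued the nodes'
  # certificates, copied to the HAProxy host (on a Proxmox node the cluster CA
  # is at /etc/pve/pve-root-ca.pem).
  server pve-0 192.168.100.40:8006 ssl verify required ca-file /etc/haproxy/pve-root-ca.pem check cookie pve-0
  server pve-1 192.168.100.41:8006 ssl verify required ca-file /etc/haproxy/pve-root-ca.pem check cookie pve-1
```

`haproxy -c -f <config file>` parses the configuration and reports errors without starting the proxy.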
 
Hey, I was wondering if you know a way to direct any traffic (SSH, MySQL, etc.) from a subdomain to a specific machine with HAProxy. The problem is I have multiple Proxmox machines under one public IP and I want to access every machine with its own subdomain remotely.
 
You'd be better off setting up a VPN like WireGuard or OpenVPN. SSH to Proxmox hosts and MySQL DBs shouldn't be plainly exposed publicly anyways.

Regarding the question though, HAProxy is primarily an HTTP proxy; TCP/UDP support is limited.
 
But when connecting to the machine I have to connect to the VPN, right? I gave MySQL as an example. I just want to be able to connect to the machines anywhere from the internet without any additional settings. The problem is that all machines are under one public IP and I want one domain to be routed to one machine and the other to another.
 
I'm sure an SSH proxy exists, haven't played with any. Again though, I'd rather not do this due to the security risk involved. A VPN is easy to set up and for me at least, 99% of the time I administer my lab from the same machines, so running a VPN client on them isn't an issue.