Setting up Proxmox behind HAProxy

Mattias Hedman

Jan 19, 2019
For days now I have been struggling to get Proxmox to sit behind HAProxy as my reverse proxy; so far I have failed.
Using dig I get the right IP; using openssl I see that it gets the right valid certificate.
Still, I can't use the internal URL.

I discovered that Proxmox has created a self-signed certificate; can it be that one that hinders me?

I get a page that says that it is not an https site. Yesterday I got a Cloudflare 522 error.
 
I configured HAProxy based on this post, but simplified it and adjusted it for my environment. So far, it works and looks like this:

Code:
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log    global
    mode    http
    option    httplog
    option    dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend web
    bind *:443
    mode tcp
    option tcplog
    default_backend pveweb

backend pveweb
    mode tcp
    balance source
    server bert 192.168.30.7:8006 check
    server ernie 192.168.30.8:8006 check

frontend spice
    bind *:3128
    mode tcp
    option tcplog
    default_backend pvespice

backend pvespice
    mode tcp
    balance source
    server bert 192.168.30.7:3128 check
    server ernie 192.168.30.8:3128 check

As you can see, I have a 2-node cluster ("ernie" and "bert").
 
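For comparison with the TCP pass-through config above, here is an added example (not from any poster in this thread) of the other common layout, where HAProxy terminates TLS itself and re-encrypts to the nodes. In pass-through mode the browser sees whatever certificate the Proxmox node presents; in this layout it sees the certificate named on the bind line. The file names pve.example.pem and pve-cluster-ca.pem are placeholders, resolved against crt-base and ca-base from the global section.

```haproxy
# Replaces the "web" frontend and "pveweb" backend above;
# two frontends cannot both bind *:443.
frontend web_tls
    # Placeholder file: certificate chain plus private key in one PEM.
    bind *:443 ssl crt pve.example.pem
    mode http
    option httplog
    default_backend pveweb_tls

backend pveweb_tls
    mode http
    balance source
    # Keep long-lived console (WebSocket) sessions from hitting "timeout server".
    timeout tunnel 1h
    # Port 8006 on the nodes serves HTTPS, so each server line needs "ssl".
    # Without it HAProxy sends plain HTTP to a TLS listener.
    # "verify required" checks the node certificate against the CA file
    # (placeholder: the CA that signed the nodes' certificates).
    server bert  192.168.30.7:8006 check ssl verify required ca-file pve-cluster-ca.pem
    server ernie 192.168.30.8:8006 check ssl verify required ca-file pve-cluster-ca.pem
```

Using "verify none" on the server lines would also connect, but then HAProxy accepts any certificate on the backend hop.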
backend.png

Since I cannot export just the HAProxy config from pfSense, I got screenshots.
This is the backend config. I've added more screenshots. This setup gets me a "Warning only https-mode" "Secure web not avaiable".
 

Attachments

  • frontend3.png
  • frontend2.png
  • frontend1.png
  • certificate.png