Setting up Proxmox behind HAProxy

Mattias Hedman

Well-Known Member
Jan 19, 2019
For days now I have been struggling to get Proxmox to sit behind HAProxy as my reverse proxy; so far I have failed.
Using dig I get the right IP; using openssl I see that it gets the right valid certificate.
Still I can't use the internal URL.

I discovered that Proxmox has created a self-signed certificate. Can it be that one that hinders me?

I get a page that says that it is not an HTTPS site. Yesterday I got a Cloudflare 522 error.
 
I configured HAProxy based on this post, but simplified it and adjusted it for my environment. So far, it works and looks like this:

Code:
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log    global
    mode    http
    option    httplog
    option    dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000

frontend web
    bind *:443
    mode tcp
    option tcplog
    default_backend pveweb

backend pveweb
    mode tcp
    balance source
    server bert 192.168.30.7:8006 check
    server ernie 192.168.30.8:8006 check

frontend spice
    bind *:3128
    mode tcp
    option tcplog
    default_backend pvespice

backend pvespice
    mode tcp
    balance source
    server bert 192.168.30.7:3128 check
    server ernie 192.168.30.8:3128 check

As you can see, I have a 2-node cluster ("ernie" and "bert").
 
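Added example (not part of the original post, and not HAProxy or Proxmox tooling): a small Python check that reads a config like the one above and reports, per frontend, whether HAProxy terminates TLS or only forwards the bytes. The sample is a constructed excerpt of the posted config plus a hypothetical `terminated` frontend with a placeholder certificate path; with `mode tcp` and no `ssl` on the `bind` line, clients see the certificate served by the Proxmox node itself, and the `ssl-default-bind-*` settings in `global` are not used.

```python
# Added example: who terminates TLS for each HAProxy frontend?
# SAMPLE_CFG is constructed: an excerpt of the posted config plus a
# hypothetical "terminated" frontend with a placeholder certificate path.
SAMPLE_CFG = """\
defaults
    mode http
frontend web
    bind *:443
    mode tcp
    default_backend pveweb
backend pveweb
    mode tcp
    server bert 192.168.30.7:8006 check
frontend terminated
    bind *:8443 ssl crt /path/to/placeholder.pem
    default_backend pveweb
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def parse(cfg):
    """Split a config into (kind, name, [tokenised directive lines])."""
    sections = []
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections

def tls_handling(cfg):
    """Return {frontend name: {"mode": ..., "tls": ...}} in file order."""
    default_mode, report = "tcp", {}  # "tcp" is HAProxy's built-in default
    for kind, name, lines in parse(cfg):
        mode = next((t[1] for t in lines if t[0] == "mode" and len(t) > 1), None)
        if kind == "defaults":
            default_mode = mode or "tcp"  # a new defaults section starts fresh
        elif kind in ("frontend", "listen"):
            mode = mode or default_mode
            if any("ssl" in t[2:] for t in lines if t[0] == "bind"):
                tls = "terminated"   # HAProxy presents its own certificate
            elif mode == "tcp":
                tls = "passthrough"  # bytes forwarded; client sees backend cert
            else:
                tls = "plain-http"   # HAProxy expects cleartext HTTP here
            report[name] = {"mode": mode, "tls": tls}
    return report

if __name__ == "__main__":
    for name, info in tls_handling(SAMPLE_CFG).items():
        print(f"{name}: mode={info['mode']} tls={info['tls']}")
```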
backend.png

Since I cannot export just the HAProxy config from pfSense, I got screenshots.
This is the backend config. I've added more screenshots. This setup gets me a "Warning only https-mode" "Secure web not available".
 

Attachments

  • frontend3.png
  • frontend2.png
  • frontend1.png
  • certificate.png
