Spice viewer with reverse proxy

mbc
Oct 12, 2020
Hi there,


I recently set up a reverse proxy (using Nginx Proxy Manager) to access PVE from something.mydomain.com.
It works correctly except Spice.

Looking at the spice file I can see that there's a line:
proxy=http://something.mydomain.com:3128

From my limited knowledge this won't work, since something.mydomain.com is listening on port 443 and redirecting to 8006 (proxmox pve port)

I could create another subdomain called spice.mydomain.com that redirects to port 8123. So then on the spice config files I should introduce
proxy=https://spice.mydomain.com:443

But this doesn't work, am I missing something?
 
hi,

have you allowed inbound connections to port 3128 on the firewall?

So then on the spice config files I should introduce
proxy=https://spice.mydomain.com:443
no need, it should work when you allow the port
 
Hi,

Yes, port 3128 is open.


Three tested scenarios:
- Entering proxmox and downloading the spice file from 192.168.1.xxx (local network). This is the "Control test" --> it works
- Entering proxmox and downloading the spice file from something.mydomain.com (local network) --> doesn't work
- Entering proxmox and downloading the spice file from something.mydomain.com (outside network) --> doesn't work


More things (that might be useful). The domain something.mydomain.com is redirected through Cloudflare using CNAME.
 
Really no one has tried to access SPICE from outside the network?
 
Works for me.
No ports open? Apart from 3128

Accessing via SSL?

Maybe the problem is that I'm using a reverse proxy, but even if I change the port in the spice file I get errors.
 
I do have the same problem :( Firewall is disabled on all levels and I still can't access it via tunnel or VPN, but I can access it just fine from LAN.

Edit: I've written a mail to it asking if the port is filtered somehow :)
 
@mbc have you figured that out?
I have the same issue, trying to use SPICE through Nginx Proxy Manager (NPM).

Firewall Ports opened, stream configured in NPM for 3128 and also cloudflare with CNAME configuration for port 8006.

But I can't put it to work.
 
Same problem here. The proxy line in the .vv file shows http instead of https, the reverse proxy hostname and the port.
I wonder if I can configure SPICE in Proxmox somewhere so it uses the IP address instead of the reverse proxy hostname.

As a workaround I can just edit the .vv file in an editor. But still.
 
Has anybody been able to solve this? Here is an interesting post of the same problem in Traefik. I have been tinkering for a few days with NPM, but I'm realizing that maybe it's too poorly documented for more advanced setups.
 
Exact same problem here. Unable to connect to a VM with SPICE through my domain. Using nginx as reverse proxy.
 
As mentioned in Proxmox documentation here, Spice uses TCP port 3128. So, in your reverse proxy configuration you need to set the mode to TCP for spice to work. I don't know about nginx, but there is a solution here in this forum post which can be adapted to your use case.

For HAProxy, here is a simple solution:
Code:
frontend Proxmox-spice-access
    bind EnterLISTENIPHere:3128 name EnterLISTENIPHere:3128
    mode tcp
    default_backend proxmox-spice

backend proxmox-spice
    mode tcp
    balance source
    server proxmox-spice-server IPofProxmoxServer:3128

By the way, accessing VMs using the SPICE console is not a good idea as the connection is set to transmit over http, which is why the spice .vv file has http. Also, it's inconvenient to log in to Proxmox and then access the SPICE console each time. Instead, access using Apache Guacamole or Teleport or a similar option over TLS encryption.
 
I would use Apache Guacamole, which will simplify things.
How can you set up Guacamole... as it will connect directly to the Proxmox console, but you can't open SPICE from there? Or if you can explain how you can get access... thanks
 
Guacamole doesn't support SPICE, so with that option you have to use VNC or RDP. RDP is pretty good performance-wise, but in my experience SPICE gives better performance than VNC. If the VM is Linux based you can install xRDP.
 
I am able to make SPICE work behind traefik.

Added these 2 entry points in my traefik.yml:
YAML:
entryPoints:
  ...
  spice:
    address: ":3128"
  spice-tls:
    address: ":61000"
providers:
  file:
    directory: /etc/traefik/config
    watch: true

Created the file config/proxmox-spice.yml with the content below:

YAML:
tcp:
  routers:
    pve-spice:
      entryPoints:
        - spice
      service: pve-spice
      rule: HostSNI(`pve.homelab.xyz`)
      tls:
        passthrough: true
    pve-spice-tls:
      entryPoints:
        - spice-tls
      service: pve-spice-tls
      rule: HostSNI(`pve.homelab.xyz`)
      tls:
        passthrough: true

  services:
    pve-spice:
      loadBalancer:
        servers:
          - address: http://192.168.1.123:3128
    pve-spice-tls:
      loadBalancer:
        servers:
          - address: http://192.168.1.123:61000

If you are using docker to run traefik, make sure you add 3128 and 61000 to the ports.

The concept should also work on other reverse proxies but I haven't tried.

Hope this helps.
 
Sorry I retested the above config but it doesn't work.

I tried to dig some more and found this link:
https://github.com/traefik/traefik/issues/9708#issuecomment-1538143069

Got some hints and tried the below config:
YAML:
http:
  routers:
    pve-spice:
      entryPoints:
        - spice
      service: pve-spice
      # rule: HostRegexp(`pvespiceproxy{.*}`)
      rule: Method(`CONNECT`)
#     tls:
#       passthrough: true
  services:
    pve-spice:
      loadBalancer:
        servers:
          - url: http://192.168.1.250:3128

The above got me past the 404 error from traefik but I couldn't get the TLS to work.

I also tried TCP with the config below:

YAML:
tcp:
  routers:
    pve-spice:
      entryPoints:
        - spice
      service: pve-spice
      rule: HostSNIRegexp(`pvespiceproxy{.*}`)
      tls:
        passthrough: true

  services:
    pve-spice:
      loadBalancer:
        servers:
          - address: 192.168.50.250:3128

This one I could not get past the 404 error. Not sure how to match the rule.

BTW, from Wireshark, the request data being sent to traefik is:
Code:
CONNECT pvespiceproxy:64dcb2b6:107:pve::4bf434f0028afb6ef5dc85c6b5f2520c21cd532a:61000 HTTP/1.0\r\n

Hopefully someone could point us to the right direction.
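The CONNECT line captured above, together with the earlier point that the reverse proxy has to forward port 3128 in TCP mode, is the whole mechanism behind this thread: the SPICE client reads `proxy=` from the .vv file, opens a plain TCP connection to it and sends `CONNECT <host>:<tls-port> HTTP/1.0`, then expects a `200` before it starts TLS inside the tunnel. An HTTP(S)-only reverse proxy answers that CONNECT with its own error page instead. The following script is an added diagnostic example, not from this thread or from Proxmox: it parses a constructed `pve_spice.vv` sample (the ticket and fingerprint in it are placeholders), reproduces the client's first request, runs static checks on the proxy line, and classifies whatever the configured proxy replies with. The hostnames, the finding texts and the verdict labels are my own.

```python
"""Added diagnostic example (not from the thread): check a pve_spice.vv
proxy setting and classify how the proxy answers the client's CONNECT."""
import configparser
import re
import socket
from urllib.parse import urlsplit

# Constructed sample of the relevant .vv keys (a real file also carries the
# CA certificate and key bindings); ticket and fingerprint are placeholders.
SAMPLE_VV = """\
[virt-viewer]
type=spice
host=pvespiceproxy:65f0c0de:107:pve::0123456789abcdef0123456789abcdef01234567
tls-port=61000
proxy=http://something.mydomain.com:3128
title=VM 107 - demo
password=PLACEHOLDER-TICKET
delete-this-file=1
"""


def parse_vv(text):
    """Return the fields needed to reproduce the client's first request."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    sect = cp["virt-viewer"]
    proxy = urlsplit(sect["proxy"])
    return {
        "host": sect["host"],
        "tls_port": int(sect["tls-port"]),
        "proxy_scheme": proxy.scheme,
        "proxy_host": proxy.hostname,
        "proxy_port": proxy.port or 3128,
    }


def check_vv(fields):
    """Static checks on the parsed file; returns a list of findings."""
    findings = []
    if fields["proxy_scheme"] != "http":
        findings.append(
            "proxy scheme is %r: the client sends a plain HTTP CONNECT to the "
            "proxy and relies on TLS inside the tunnel, so the .vv file carries "
            "http://" % fields["proxy_scheme"])
    if not fields["host"].startswith("pvespiceproxy:"):
        findings.append("host is not a pveproxy SPICE ticket; was the file edited?")
    if fields["proxy_port"] != 3128:
        findings.append(
            "proxy port %d: the reverse proxy must forward this port in TCP "
            "mode to pveproxy port 3128" % fields["proxy_port"])
    return findings


def build_connect_request(fields):
    """The bytes a SPICE client sends first (same shape as the capture)."""
    target = "%s:%d" % (fields["host"], fields["tls_port"])
    return ("CONNECT %s HTTP/1.0\r\n\r\n" % target).encode()


STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})")


def classify_response(raw):
    """Map the proxy's first response to a verdict for the operator."""
    m = STATUS_RE.match(raw)
    if not m:
        return "no-http-reply"  # socket closed or a non-HTTP listener
    code = int(m.group(1))
    if code == 200:
        return "tunnel-established"  # TCP passthrough reached pveproxy
    if b"<html" in raw.lower():
        # An HTML error page means an HTTP reverse proxy (NPM, Traefik http
        # router, ...) answered the CONNECT itself instead of forwarding it.
        return "http-reverse-proxy-answered"
    return "error-%d" % code


def probe(fields, timeout=5.0):
    """Send the CONNECT through the configured proxy and classify the reply."""
    addr = (fields["proxy_host"], fields["proxy_port"])
    with socket.create_connection(addr, timeout) as s:
        s.sendall(build_connect_request(fields))
        return classify_response(s.recv(4096))


if __name__ == "__main__":
    f = parse_vv(SAMPLE_VV)
    for finding in check_vv(f):
        print("WARN:", finding)
    print(build_connect_request(f).decode().strip())
    # print(probe(f))  # run on a host that can reach the proxy
```

Point the script at a freshly downloaded .vv file (the ticket in it expires quickly) and a `http-reverse-proxy-answered` verdict tells you the CONNECT never reached pveproxy, which is the 404 the Traefik posts describe; `tunnel-established` means the TCP-mode forwarding works and any remaining failure is on the TLS leg to the `tls-port`.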
 
For those that still want to redirect the SPICE connection via a reverse proxy, I think I found a solution. I'm using Traefik as a reverse proxy, so the files that I will share are the static and dynamic configuration of Traefik.

Add to static file: PLEASE READ YOUR "pve_spice.vv" AND MAKE SURE OF YOUR tls-port.
YAML:
entryPoints:
  spice:
    address: ":3128"
  spice-tls:
    address: ":61001"

Add to the dynamic files:
YAML:
tcp:
  routers:
    spice:
      rule: HostSNI(`*`)
      entrypoints: spice
      tls: false
      service: spice
    spice-tls:
      entryPoints:
        - spice-tls
      service: spice-tls
      rule: HostSNI(`proxmox.domain.tld`)
      tls:
        passthrough: true

  services:
    spice:
      loadbalancer:
        servers:
          - address: "10.10.10.100:3128"
    spice-tls:
      loadBalancer:
        servers:
          - address: "10.10.10.100:61001"

This is the configuration that's working for me right now, I hope that it helps someone else to solve this problem.
 