WebAuthn setup for cluster

nicobos

New Member
Aug 8, 2024
Hi everyone,

I am setting up a Proxmox 8 cluster with nodes a.example.com, b.example.com and c.example.com.
As per the documentation, all nodes have a valid trusted Let's Encrypt certificate.
Next I would like to set up WebAuthn MFA but, as I understood, there are caveats when it is used in a cluster.
As I understood, situations can arise where WebAuthn will work on one node of the cluster, but not on the others.

I came across this thread stating that leaving the Origin field in Datacenter --> Options --> WebAuthn Settings blank should do the trick.
In my situation, after clicking the 'Auto-fill' button, the 'Name' and 'ID' fields are populated with the fully qualified hostname of my node A, for instance a.example.com.

Will these settings result in a situation where WebAuthn works on a.example.com, b.example.com and c.example.com? Or do I need other steps to get this result?

Nico
 
For me, filling in the options in WebAuthn solved the problem.

I just had to give it a name later in the WebAuthn configuration and it worked right away.

 
Since search brought me here while I was looking for some answers, I'm posting back here with more details as well.

The ID refers to the Relying Party ID and must be the specific domain of the node, or a parent domain for all nodes.
The Name is essentially just a comment.
Origin should only be set if you want to prevent the behavior of allowing subdomains to have access to signed passkey proofs (i.e. block foo.pve1.lab1.example.com from being able to request a passkey that would work for pve1.lab1.example.com).

So for a network like this:

Code:
     lab1.example.com  # parent domain, Relying Party ID
pve1.lab1.example.com
pve2.lab1.example.com
pve3.lab1.example.com

You'd want this configuration for a cluster:

Code:
Name: My Cluster
Origin: (unset)
ID: lab1.example.com

Or this configuration to lock down to a single node:

Code:
Name: My Node
Origin: https://pve1.lab1.example.com:8006
ID: pve1.lab1.example.com

We ran into some subtle issues that were challenging to debug, so I made a guide for this that covers the gotchas: https://forum.proxmox.com/threads/h...cluster-or-on-single-node.165331/#post-765465
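The Relying Party ID and Origin rules from the post above, as an added example that is not code from the thread or from Proxmox: it applies the WebAuthn rule that the RP ID must equal a node's hostname or be a parent domain of it (on a label boundary), and that a set Origin must match the node's scheme, host and port exactly. The node URLs are constructed sample values.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def rp_id_valid_for_host(rp_id: str, host: str) -> bool:
    """True if rp_id equals host or is a parent domain of host
    (suffix match on a '.' boundary, so ab1.example.com never
    matches pve1.lab1.example.com)."""
    rp_id, host = rp_id.lower().rstrip("."), host.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def _origin_tuple(url: str):
    """(scheme, host, port) as a browser compares origins; 443/80 default."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, (u.hostname or "").lower(), port)


def origin_matches_node(origin: Optional[str], node_url: str) -> bool:
    """An unset Origin accepts every node; a set Origin must match exactly."""
    if origin is None:
        return True
    return _origin_tuple(origin) == _origin_tuple(node_url)


def check_cluster(rp_id: str, origin: Optional[str],
                  node_urls: List[str]) -> Dict[str, bool]:
    """For each node URL, report whether a passkey registered under these
    Datacenter settings would also be accepted when logging in via that node."""
    result = {}
    for url in node_urls:
        host = urlsplit(url).hostname or ""
        result[url] = (rp_id_valid_for_host(rp_id, host)
                       and origin_matches_node(origin, url))
    return result


# Constructed sample cluster, matching the hostnames used in the post.
NODES = [f"https://pve{i}.lab1.example.com:8006" for i in (1, 2, 3)]

if __name__ == "__main__":
    # Cluster-wide setting: parent domain as ID, Origin unset -> all True.
    print(check_cluster("lab1.example.com", None, NODES))
    # What Auto-fill on pve1 produces: only pve1 would work.
    print(check_cluster("pve1.lab1.example.com", None, NODES))
    # Single-node lockdown with Origin set as well.
    print(check_cluster("pve1.lab1.example.com",
                        "https://pve1.lab1.example.com:8006", NODES))
```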
 
I simply ended up making a small container with HAProxy that has a ‘common’ name and set it up with HA - boots in a matter of milliseconds, checks the server is up before routing to a particular node. Passkeys for any system on the domain are dodgy and didn’t work (well) with my password manager. You should also make sure your ‘root’ account has other methods (e.g. Recovery Key or TOTP) or else you end up in a situation where nothing works (e.g. DNS is down). You could do something similar with a floating IP.
 