Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAproxy with Vmware Remote Console (VMRC) forwarding multiple ports

    Scheduled Pinned Locked Moved Cache/Proxy
    1 Posts 1 Posters 2.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      blarg3891
      last edited by

      Vsphere 7.0 webclient over 443 works fine through haproxy. If a console session is initiated using VMRC gets an error "connection error: could not negotiate SSL." Going directly to vsphere host works fine. Based on reading other ports are required namely 902 TCP/UDP and 903 TCP. Someone revealed a working config using nginx proxy as seen below.

      I added port 902 and 903 w/o SSL offloading to the front end, and removed the 443 port designation on the backend. I read that leaving the port blank will forward w/e port from the front end. However the backend is still set to "encrypt" as vpshere is only open on SSL encrypted. I think this may be part of the issue but i'm not sure. Relevant haproxy config included. I cant figure out how to specify UDP or forward the ports properly like in the nginx file. Any help appreciated.

      frontend Internal_Cloud
      bind 192.168.2.151:443 name 192.168.2.151:443 no-sslv3 ssl crt-list /var/etc/haproxy/Internal_Cloud.crt_list
      bind 192.168.2.151:902 name 192.168.2.151:902
      bind 192.168.2.151:903 name 192.168.2.151:903
      mode http
      log global
      option http-server-close
      option forwardfor
      acl https ssl_fc
      http-request set-header X-Forwarded-Proto http if !https
      http-request set-header X-Forwarded-Proto https if https
      timeout client 30000
      acl yonxx-guac var(txn.txnhost) -m str -i yonxx-guac.beeron.net
      acl yonxx-nas var(txn.txnhost) -m str -i yonxx-nas.beeron.net
      acl yonxx-unifi var(txn.txnhost) -m str -i yonxx-unifi.beeron.net
      acl yonxx-docker var(txn.txnhost) -m str -i yonxx-docker.beeron.net
      acl yonxx-duplicati var(txn.txnhost) -m str -i yonxx-duplicati.beeron.net
      acl rcn-router var(txn.txnhost) -m str -i rcn-router.beeron.net
      acl yonxxpfsense var(txn.txnhost) -m str -i yonxxpfsense.beeron.net
      acl yonxx-vsphere var(txn.txnhost) -m str -i yonxx-vsphere.beeron.net
      http-request set-var(txn.txnhost) hdr(host)
      use_backend yonxx-guac_ipvANY if yonxx-guac
      use_backend yonxx-nas_ipvANY if yonxx-nas
      use_backend yonxx-unifi_ipvANY if yonxx-unifi
      use_backend yonxx-docker_ipvANY if yonxx-docker
      use_backend yonxx-duplicati_ipvANY if yonxx-duplicati
      use_backend rcn-router_ipvANY if rcn-router
      use_backend yonxxpfsense_ipvANY if yonxxpfsense
      use_backend yonxx-vsphere_ipvANY if yonxx-vsphere
      default_backend yonxx-nas_ipvANY

      backend yonxx-vsphere_ipvANY
      mode http
      id 132
      log global
      balance leastconn
      timeout connect 30000
      timeout server 30000
      retries 3
      server yonxx-vsphere 192.168.2.90 id 108 ssl verify none

      https://communities.vmware.com/thread/585684

      Redirect HTTP to HTTPS

      server {
      listen 80 default_server;
      listen [::]:80 default_server;
      return 301 https://$host$request_uri;
      }

      Main Server Configuration

      server {
      listen 443 ssl default_server;
      listen [::]:443 ssl default_server;

          # SSL Configuration
      ssl_certificate /etc/nginx/EXAMPLE.com-SSL/EXAMPLEcom.crt;
      ssl_certificate_key /etc/nginx/EXAMPLE.com-SSL/EXAMPLEcom.key;
      ssl_prefer_server_ciphers on;
      
          # Doesn't really matter - everything is proxied
          root /var/www/html;
          index index.html;
          server_name _;
      
          # By default, proxy over 443 to vsphere webclient
          location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_ssl_verify off; # No need on isolated LAN
                  proxy_pass https://192.168.2.41; # esxi IP Address
      	proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";
      	
      	proxy_buffering off;
      	client_max_body_size 0;
      	proxy_read_timeout 36000s;
      	proxy_redirect off;
      	proxy_ssl_session_reuse off;
          }
      
      # ESXi
      location /ui/ {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_pass https://192.168.2.41; # esxi IP Address
                  proxy_ssl_verify off; # No need on isolated LAN
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";
      
      	#ADD A password so that people don't see this is an ESXI server
                  #auth_basic "Restricted Content";
                  #auth_basic_user_file /etc/nginx/passwd;
      
                  proxy_buffering off;
                  client_max_body_size 0;
                  proxy_read_timeout 36000s;
                  proxy_redirect off;
                  proxy_ssl_session_reuse off;
          }
      

      }

      #nginx config
      user www-data;
      worker_processes auto;
      pid /run/nginx.pid;

      events {
      worker_connections 768;
      # multi_accept on;
      }

      http {

      ##
      # Basic Settings
      ##
      
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 120;
      types_hash_max_size 2048;
      # server_tokens off;
      
      # server_names_hash_bucket_size 64;
      # server_name_in_redirect off;
      
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      
      ##
      # SSL Settings
      ##
      
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_dhparam /etc/nginx/EXAMPLE.com-SSL/dhparam.pem;
      
      ##
      # Logging Settings
      ##
      
      access_log /var/log/nginx/access.log;
      error_log /var/log/nginx/error.log;
      
      ##
      # Gzip Settings
      ##
      
      gzip on;
      gzip_disable "msie6";
      
      # gzip_vary on;
      # gzip_proxied any;
      # gzip_comp_level 6;
      # gzip_buffers 16 8k;
      # gzip_http_version 1.1;
      # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
      
      ##
      # Virtual Host Configs
      ##
      
      include /etc/nginx/conf.d/*.conf;
      include /etc/nginx/sites-enabled/*;
      

      }

      stream {
      upstream bninetwo {
      server 192.168.2.41:902;
      }

      upstream bninethree {
          server 192.168.2.41:903;
      }
      
      upstream bfourtwoseven {
          server 192.168.2.41:427;
      }
      
      server {
          listen 902;
          proxy_pass bninetwo;
      }
      
      server {
          listen 902 udp;
          proxy_pass bninetwo;
      }
      
      server {
          listen 903;
          proxy_pass bninethree;
      }
      
      server {
      listen 427 udp;
      proxy_pass bfourtwoseven;
      }
      

      }

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.