HAproxy with Vmware Remote Console (VMRC) forwarding multiple ports



  • Vsphere 7.0 webclient over 443 works fine through haproxy. If a console session is initiated using VMRC gets an error "connection error: could not negotiate SSL." Going directly to vsphere host works fine. Based on reading other ports are required namely 902 TCP/UDP and 903 TCP. Someone revealed a working config using nginx proxy as seen below.

    I added port 902 and 903 w/o SSL offloading to the front end, and removed the 443 port designation on the backend. I read that leaving the port blank will forward w/e port from the front end. However the backend is still set to "encrypt" as vpshere is only open on SSL encrypted. I think this may be part of the issue but i'm not sure. Relevant haproxy config included. I cant figure out how to specify UDP or forward the ports properly like in the nginx file. Any help appreciated.

    frontend Internal_Cloud
    bind 192.168.2.151:443 name 192.168.2.151:443 no-sslv3 ssl crt-list /var/etc/haproxy/Internal_Cloud.crt_list
    bind 192.168.2.151:902 name 192.168.2.151:902
    bind 192.168.2.151:903 name 192.168.2.151:903
    mode http
    log global
    option http-server-close
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl yonxx-guac var(txn.txnhost) -m str -i yonxx-guac.beeron.net
    acl yonxx-nas var(txn.txnhost) -m str -i yonxx-nas.beeron.net
    acl yonxx-unifi var(txn.txnhost) -m str -i yonxx-unifi.beeron.net
    acl yonxx-docker var(txn.txnhost) -m str -i yonxx-docker.beeron.net
    acl yonxx-duplicati var(txn.txnhost) -m str -i yonxx-duplicati.beeron.net
    acl rcn-router var(txn.txnhost) -m str -i rcn-router.beeron.net
    acl yonxxpfsense var(txn.txnhost) -m str -i yonxxpfsense.beeron.net
    acl yonxx-vsphere var(txn.txnhost) -m str -i yonxx-vsphere.beeron.net
    http-request set-var(txn.txnhost) hdr(host)
    use_backend yonxx-guac_ipvANY if yonxx-guac
    use_backend yonxx-nas_ipvANY if yonxx-nas
    use_backend yonxx-unifi_ipvANY if yonxx-unifi
    use_backend yonxx-docker_ipvANY if yonxx-docker
    use_backend yonxx-duplicati_ipvANY if yonxx-duplicati
    use_backend rcn-router_ipvANY if rcn-router
    use_backend yonxxpfsense_ipvANY if yonxxpfsense
    use_backend yonxx-vsphere_ipvANY if yonxx-vsphere
    default_backend yonxx-nas_ipvANY

    backend yonxx-vsphere_ipvANY
    mode http
    id 132
    log global
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    server yonxx-vsphere 192.168.2.90 id 108 ssl verify none

    https://communities.vmware.com/thread/585684

    Redirect HTTP to HTTPS

    server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
    }

    Main Server Configuration

    server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

        # SSL Configuration
    ssl_certificate /etc/nginx/EXAMPLE.com-SSL/EXAMPLEcom.crt;
    ssl_certificate_key /etc/nginx/EXAMPLE.com-SSL/EXAMPLEcom.key;
    ssl_prefer_server_ciphers on;
    
        # Doesn't really matter - everything is proxied
        root /var/www/html;
        index index.html;
        server_name _;
    
        # By default, proxy over 443 to vsphere webclient
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_ssl_verify off; # No need on isolated LAN
                proxy_pass https://192.168.2.41; # esxi IP Address
    	proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
    	
    	proxy_buffering off;
    	client_max_body_size 0;
    	proxy_read_timeout 36000s;
    	proxy_redirect off;
    	proxy_ssl_session_reuse off;
        }
    
    # ESXi
    location /ui/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass https://192.168.2.41; # esxi IP Address
                proxy_ssl_verify off; # No need on isolated LAN
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
    
    	#ADD A password so that people don't see this is an ESXI server
                #auth_basic "Restricted Content";
                #auth_basic_user_file /etc/nginx/passwd;
    
                proxy_buffering off;
                client_max_body_size 0;
                proxy_read_timeout 36000s;
                proxy_redirect off;
                proxy_ssl_session_reuse off;
        }
    

    }

    #nginx config
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
    worker_connections 768;
    # multi_accept on;
    }

    http {

    ##
    # Basic Settings
    ##
    
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    types_hash_max_size 2048;
    # server_tokens off;
    
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    
    ##
    # SSL Settings
    ##
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/EXAMPLE.com-SSL/dhparam.pem;
    
    ##
    # Logging Settings
    ##
    
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    
    ##
    # Gzip Settings
    ##
    
    gzip on;
    gzip_disable "msie6";
    
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    
    ##
    # Virtual Host Configs
    ##
    
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    

    }

    stream {
    upstream bninetwo {
    server 192.168.2.41:902;
    }

    upstream bninethree {
        server 192.168.2.41:903;
    }
    
    upstream bfourtwoseven {
        server 192.168.2.41:427;
    }
    
    server {
        listen 902;
        proxy_pass bninetwo;
    }
    
    server {
        listen 902 udp;
        proxy_pass bninetwo;
    }
    
    server {
        listen 903;
        proxy_pass bninethree;
    }
    
    server {
    listen 427 udp;
    proxy_pass bfourtwoseven;
    }
    

    }


Log in to reply