HAproxy with Vmware Remote Console (VMRC) forwarding multiple ports
-
Vsphere 7.0 webclient over 443 works fine through haproxy. If a console session is initiated using VMRC gets an error "connection error: could not negotiate SSL." Going directly to vsphere host works fine. Based on reading other ports are required namely 902 TCP/UDP and 903 TCP. Someone revealed a working config using nginx proxy as seen below.
I added port 902 and 903 w/o SSL offloading to the front end, and removed the 443 port designation on the backend. I read that leaving the port blank will forward w/e port from the front end. However the backend is still set to "encrypt" as vpshere is only open on SSL encrypted. I think this may be part of the issue but i'm not sure. Relevant haproxy config included. I cant figure out how to specify UDP or forward the ports properly like in the nginx file. Any help appreciated.
frontend Internal_Cloud
bind 192.168.2.151:443 name 192.168.2.151:443 no-sslv3 ssl crt-list /var/etc/haproxy/Internal_Cloud.crt_list
bind 192.168.2.151:902 name 192.168.2.151:902
bind 192.168.2.151:903 name 192.168.2.151:903
mode http
log global
option http-server-close
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl yonxx-guac var(txn.txnhost) -m str -i yonxx-guac.beeron.net
acl yonxx-nas var(txn.txnhost) -m str -i yonxx-nas.beeron.net
acl yonxx-unifi var(txn.txnhost) -m str -i yonxx-unifi.beeron.net
acl yonxx-docker var(txn.txnhost) -m str -i yonxx-docker.beeron.net
acl yonxx-duplicati var(txn.txnhost) -m str -i yonxx-duplicati.beeron.net
acl rcn-router var(txn.txnhost) -m str -i rcn-router.beeron.net
acl yonxxpfsense var(txn.txnhost) -m str -i yonxxpfsense.beeron.net
acl yonxx-vsphere var(txn.txnhost) -m str -i yonxx-vsphere.beeron.net
http-request set-var(txn.txnhost) hdr(host)
use_backend yonxx-guac_ipvANY if yonxx-guac
use_backend yonxx-nas_ipvANY if yonxx-nas
use_backend yonxx-unifi_ipvANY if yonxx-unifi
use_backend yonxx-docker_ipvANY if yonxx-docker
use_backend yonxx-duplicati_ipvANY if yonxx-duplicati
use_backend rcn-router_ipvANY if rcn-router
use_backend yonxxpfsense_ipvANY if yonxxpfsense
use_backend yonxx-vsphere_ipvANY if yonxx-vsphere
default_backend yonxx-nas_ipvANYbackend yonxx-vsphere_ipvANY
mode http
id 132
log global
balance leastconn
timeout connect 30000
timeout server 30000
retries 3
server yonxx-vsphere 192.168.2.90 id 108 ssl verify nonehttps://communities.vmware.com/thread/585684
Redirect HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}Main Server Configuration
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;# SSL Configuration ssl_certificate /etc/nginx/EXAMPLE.com-SSL/EXAMPLEcom.crt; ssl_certificate_key /etc/nginx/EXAMPLE.com-SSL/EXAMPLEcom.key; ssl_prefer_server_ciphers on; # Doesn't really matter - everything is proxied root /var/www/html; index index.html; server_name _; # By default, proxy over 443 to vsphere webclient location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_ssl_verify off; # No need on isolated LAN proxy_pass https://192.168.2.41; # esxi IP Address proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_redirect off; proxy_ssl_session_reuse off; } # ESXi location /ui/ { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass https://192.168.2.41; # esxi IP Address proxy_ssl_verify off; # No need on isolated LAN proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; #ADD A password so that people don't see this is an ESXI server #auth_basic "Restricted Content"; #auth_basic_user_file /etc/nginx/passwd; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_redirect off; proxy_ssl_session_reuse off; }}
#nginx config
user www-data;
worker_processes auto;
pid /run/nginx.pid;events {
worker_connections 768;
# multi_accept on;
}http {
## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 120; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/nginx/EXAMPLE.com-SSL/dhparam.pem; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; gzip_disable "msie6"; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*;}
stream {
upstream bninetwo {
server 192.168.2.41:902;
}upstream bninethree { server 192.168.2.41:903; } upstream bfourtwoseven { server 192.168.2.41:427; } server { listen 902; proxy_pass bninetwo; } server { listen 902 udp; proxy_pass bninetwo; } server { listen 903; proxy_pass bninethree; } server { listen 427 udp; proxy_pass bfourtwoseven; }}