HAProxy & Guacamole


#1

Hey all, first post so bear with me. In theory this should be an easy issue to fix, but I’ve been wracking my brain for a few days with no progress.

In case you’re not familiar, Guacamole is a web-based client that allows RDP, SSH, and VNC connections through your browser. In my particular case, I’m running Guac 0.9.12 on a CentOS 7 install. On that server is an Nginx reverse proxy to rewrite the native URL path from “/guacamole” to just “/” and to handle SSL encryption. On the local network, everything works as expected - “https://guac.domain.com” works as you’d expect.

On the HAProxy side, it is running on a pfSense VM and is version 1.7.4. It is currently configured as a shared frontend for three other backends. pfSense has one public IP, so it routes to those backends based on the requested URL, i.e. “https://sonarr.domain.com” redirects to the backend Sonarr server.

I made a new frontend and backend set up exactly like the others for Guacamole, but when attempting to access the site from the internet, Chrome spins around saying “Establishing secure connection…” and eventually times out.

I’ll spare you the details on what I’ve tried thus far since nothing has worked. I’d prefer to start fresh with the troubleshooting haha. I’m almost 100% sure its possible since I’ve read topics elsewhere that they have Guac running behind HAProxy, but I’m completely lost. Any help would be appreciated!


#2

You cannot have multiple frontends or bind lines for a single IP:port. Noreuseport will make a mess out of this.

You need a single frontend, with a single bind line to port 443.


#3

Thanks for the response! It’s possible the terminology that pfSense uses is different since it is a GUI wrapper for HAProxy.
It allows shared frontends to avoid issues like what you mentioned.

Example:

frontend freenas_frontend-merged
bind			[SNIPPED IP]:443 name [SNIPPED IP]:443 ssl  crt /var/etc/haproxy/freenas_frontend.pem crt /var/etc/haproxy/sonarr_frontend.pem crt /var/etc/haproxy/radarr_frontend.pem  
mode			http
log			    global
option			dontlog-normal
option			log-separate-errors
option			http-keep-alive
option			forwardfor
acl https ssl_fc
http-request set-header		X-Forwarded-Proto http if !https
http-request set-header		X-Forwarded-Proto https if https
timeout client		30000
acl			freenas-acl	hdr(host) -i freenas.domain.com
acl			aclcrt_freenas_frontend	hdr_reg(host) -i ^freenas\.domain\.com(:([0-9]){1,5})?$
acl			sonarr-acl	hdr(host) -i sonarr.domain.com
acl			aclcrt_sonarr_frontend	hdr_reg(host) -i ^sonarr\.domain\.com(:([0-9]){1,5})?$
acl			radarr-acl	hdr(host) -i radarr.domain.com
acl			aclcrt_radarr_frontend	hdr_reg(host) -i ^radarr\.domain\.com(:([0-9]){1,5})?$
use_backend Freenas_backend_http_ipvANY  if  freenas-acl aclcrt_freenas_frontend
use_backend Sonarr_backend_http_ipvANY  if  sonarr-acl aclcrt_sonarr_frontend
use_backend Radarr_backend_http_ipvANY  if  radarr-acl aclcrt_radarr_frontend

In my situation, HAProxy is bound to my public IP on 443 and routes requests to the backends based on what subdomain is requested.

This setup is working completely as expected for the three sites above, but Guacamole (which works via port forwarding) does not.

Thanks again!


#4

Post the guacamole part of the haproxy configuration as well and share logs please.