Hey all, first post so bear with me. In theory this should be an easy issue to fix, but I’ve been wracking my brain for a few days with no progress.
In case you’re not familiar, Guacamole is a web-based client that allows RDP, SSH, and VNC connections through your browser. In my particular case, I’m running Guac 0.9.12 on a CentOS 7 install. On that server is an Nginx reverse proxy to rewrite the native URL path from “/guacamole” to just “/” and to handle SSL encryption. On the local network, everything works as expected - “https://guac.domain.com” works as you’d expect.
On the HAProxy side, it is running on a pfSense VM and is version 1.7.4. It is currently configured as a shared frontend for three other backends. pfSense has one public IP, so it routes to those backends based on the requested URL, i.e. “https://sonarr.domain.com” redirects to the backend Sonarr server.
I made a new frontend and backend set up exactly like the others for Guacamole, but when attempting to access the site from the internet, Chrome spins around saying “Establishing secure connection…” and eventually times out.
I’ll spare you the details on what I’ve tried thus far since nothing has worked. I’d prefer to start fresh with the troubleshooting haha. I’m almost 100% sure it’s possible since I’ve read topics elsewhere that they have Guac running behind HAProxy, but I’m completely lost. Any help would be appreciated!
You cannot have multiple frontends or bind lines for a single IP:port. Noreuseport will make a mess out of this.
You need a single frontend, with a single bind line to port 443.
Thanks for the response! It’s possible the terminology that pfSense uses is different since it is a GUI wrapper for HAProxy.
It allows shared frontends to avoid issues like what you mentioned.
Example:
frontend freenas_frontend-merged
    bind [SNIPPED IP]:443 name [SNIPPED IP]:443 ssl crt /var/etc/haproxy/freenas_frontend.pem crt /var/etc/haproxy/sonarr_frontend.pem crt /var/etc/haproxy/radarr_frontend.pem
    mode http
    log global
    option dontlog-normal
    option log-separate-errors
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl freenas-acl hdr(host) -i freenas.domain.com
    acl aclcrt_freenas_frontend hdr_reg(host) -i ^freenas\.domain\.com(:([0-9]){1,5})?$
    acl sonarr-acl hdr(host) -i sonarr.domain.com
    acl aclcrt_sonarr_frontend hdr_reg(host) -i ^sonarr\.domain\.com(:([0-9]){1,5})?$
    acl radarr-acl hdr(host) -i radarr.domain.com
    acl aclcrt_radarr_frontend hdr_reg(host) -i ^radarr\.domain\.com(:([0-9]){1,5})?$
    use_backend Freenas_backend_http_ipvANY if freenas-acl aclcrt_freenas_frontend
    use_backend Sonarr_backend_http_ipvANY if sonarr-acl aclcrt_sonarr_frontend
    use_backend Radarr_backend_http_ipvANY if radarr-acl aclcrt_radarr_frontend
In my situation, HAProxy is bound to my public IP on 443 and routes requests to the backends based on what subdomain is requested.
This setup is working completely as expected for the three sites above, but Guacamole (which works via port forwarding) does not.
Thanks again!
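As an added example (not the poster's configuration and not pfSense-generated output), this is how the host-based routing pattern of the merged frontend above would be extended with a Guacamole entry and its backend. The certificate path, CA file and the 192.0.2.10 backend address are assumptions; the backend is assumed to be the Nginx reverse proxy on the Guacamole host described in the first post, which terminates TLS itself.

```haproxy
# Added example, not from the thread. Extends the merged frontend above with
# a Guacamole entry. Paths and addresses are placeholders.
frontend freenas_frontend-merged
    # Each name routed here needs its own certificate in the crt list;
    # a name with no matching SNI certificate is otherwise served the
    # first certificate loaded, which fails browser validation.
    bind [PUBLIC IP]:443 ssl crt /var/etc/haproxy/freenas_frontend.pem crt /var/etc/haproxy/guac_frontend.pem
    mode http
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000

    # Same host-header pair as the existing entries, for guac.domain.com
    acl guac-acl hdr(host) -i guac.domain.com
    acl aclcrt_guac_frontend hdr_reg(host) -i ^guac\.domain\.com(:([0-9]){1,5})?$
    use_backend Guac_backend_http_ipvANY if guac-acl aclcrt_guac_frontend

backend Guac_backend_http_ipvANY
    mode http
    # Guacamole carries the remote-desktop session over a long-lived
    # WebSocket. After the upgrade "timeout tunnel" governs the connection;
    # without it the 30 s client/server timeouts cut the session off.
    timeout tunnel 1h
    timeout server 30000
    # Re-encrypt to the Nginx reverse proxy on the Guacamole host and verify
    # its certificate against an internal CA instead of "verify none".
    # 192.0.2.10 and the CA path are constructed placeholders.
    server guac 192.0.2.10:443 ssl verify required ca-file /var/etc/haproxy/internal-ca.pem check
```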
Post the guacamole part of the haproxy configuration as well and share logs please.