Proxmox behind Traefik

Hello together!

Maybe someone can help me with the following case: I would like to include my proxmox behind my Traefik reverse proxy.

To do this, I tried to follow the instructions in the Proxmox wiki, which describes instructions for a Proxmox behind an nginx reverse proxy.

This is my current configuration at the moment:

http:
  routers:
    proxmox-https-router:
      rule: "Host(`proxmox.home.xxxxx.yyy`)"
      service: my-proxmox
      entryPoints:
        - https
      tls:
        certResolver: http
      middlewares:
        - basicAuth

    proxmox-http-router:
      rule: "Host(`proxmox.home.xxxxx.yyy`)"
      service: my-proxmox
      entryPoints:
        - http
      middlewares:
        - redirect

  services:
    my-proxmox:
      loadBalancer:
        servers:
          - url: https://192.168.1.97:8006

  middlewares:
    https_redirect:
      redirectScheme:
        scheme: https
        permanent: true

I've gotten as far as being able to access the web interface, but VNC or SPICE don't work at all.
And I also see many settings in the sample nginx configuration that are certainly missing here.
Unfortunately I am not that experienced in the field of reverse proxies. Can someone help me here maybe?

TIA

Hello @candoom,

Thank you for your interest in Traefik!

Can you format your configuration file to make it more readable?

Regarding SPICE, the proxmox documentation says:

This daemon listens on TCP port 3128, and implements an HTTP proxy to forward CONNECT request from the SPICE client to the correct Proxmox VE VM. It runs as user www-data and has very limited permissions.

Regarding VNC it seems to be listening on TCP port 5900.

Your current configuration is routing all requests matching the Host matcher "proxmox.home.xxxxx.yyy" to "https://192.168.1.97:8006/", so you only set up a route to reach the web interface.

For SPICE, as I understand it expects CONNECT request, you'll need to add a new router with a rule with the previous host matcher plus a method matcher: Method(`CONNECT`). You'll also have to create the appropriate service to reach the correct port on proxmox.

For VNC, you'll probably have to set up a TCP router and service.

Hello @rtribotte,

Thank you very much for your answer. I have adjusted my configuration according to your suggestions. It makes sense what you said. I think it should be right now?

http:
  routers:
    proxmox-https-router:
      rule: "Host(`proxmox.home.xxxxx.yyy`)"
      service: my-proxmox
      entryPoints:
        - https
      tls:
        certResolver: http
#      middlewares:
#        - basicAuth

    proxmox-http-router:
      rule: "Host(`proxmox.home.xxxxx.yyy`)"
      service: my-proxmox
      entryPoints:
        - http
      middlewares:
        - redirect

    proxmox-spice-router:
      rule: "Host(`proxmox.home.xxxxx.yyy`) &&  Method(`CONNECT`)"
      service: spice-proxmox
      entryPoints:
        - http
      middlewares:
        - redirect

  services:
    my-proxmox:
      loadBalancer:
        servers:
          - url: https://192.168.1.97:8006

  middlewares:
    https_redirect:
      redirectScheme:
        scheme: https
        permanent: true
tcp:
  services:
    spice-proxmox:
      loadbalancer:
        servers:
          - address: 192.168.1.97:3128

Hello @candoom,

Sorry for the delay, the proxmox-spice-router cannot reference a TCP service, it should be an HTTP service.

Hello @candoom

I have Traefik running on my server and it's routing traffic to my Bitwarden; I want to use Traefik to route traffic to Proxmox. What you have above is the config file; can you please share your Traefik docker-compose file to see how the config file is called?

Thanks

I was able to get this working.
However, this will only work with 1 proxmox host/cluster.
I have not yet found a way to redirect via SNI.

In my traefik.yml

entryPoints:
# SPICE Proxmox Proxy
  spice:
    address: ":3128"

In my Spice file config

tcp:
  routers:
    spice:
      rule: HostSNI(`*`)
      entrypoints: spice
      tls: false
      service: spice
  services:
    spice:
      loadbalancer:
        servers:
          - address: "proxmox.host.tld:3128"

Hi @djarbz

I tried this same solution but cannot get it working.

The error I get from remote-viewer is: Cannot determine the connection type from URI

The generated pve-spice.vv file is:

[virt-viewer]
host-subject=OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=pve.home.papasmurf.nl
title=VM 101 - ubuntu-test
delete-this-file=1
tls-port=61000
type=spice
proxy=http://proxmox.home.papasmurf.nl:3128
ca=-----BEGIN CERTIFICATE-----xxxxx-the certificate is left out-xxxxx\n-----END CERTIFICATE-----\n
password=xxxxxx-the-password-xxxxxx
release-cursor=Ctrl+Alt+R
secure-attention=Ctrl+Alt+Ins
toggle-fullscreen=Shift+F11
host=pvespiceproxy:626525b4:101:pve::dc88a7f15a905e5d8fb50bd34f15a50b582e9988

In my traefik.yml:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
          permanent: true
  web-secure:
    address: ":443"
  spice:
    address: ":3128"

config.yml:

tcp:
  routers:
    spice:
      rule: HostSNI(`*`)
      entrypoints: spice
      tls: false
      service: spice
  services:
    spice:
      loadBalancer:
        servers:
          - address: "192.168.144.10:3128"

http:
  routers:
(here follows my http router config)

Part of the http config is a router for the Proxmox web interface

...
proxmox:
  rule: "Host(`proxmox.home.papasmurf.nl`) "
  service: proxmox
...
services:
  proxmox:
    loadBalancer:
      servers:
        - url: "https://192.168.144.10:8006"

By the way: the hostname of the proxmox server is 'pve'.
When I do nothing in the Traefik config, and I quickly change the url in the pve-spice file to 'pve.home.papasmurf.nl', then I can connect successfully.

It looks like you are from the Netherlands, does your pve-spice.vv file contain any non-ASCII characters?
Here is an issue where a Cyrillic file name was causing this issue.

Other than that, your configuration looks correct.
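
A small checker for the two things raised in the last posts: non-ASCII characters in the .vv file or its name, and whether `proxy=` is a well-formed `http://host:port` URI. This is an added example, not code from anyone in the thread; the sample file is constructed with placeholder values, and the list of required keys is an assumption based on the file quoted above.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample modelled on the pve-spice.vv quoted in the thread;
# hostnames, certificate, password and ticket are placeholders.
SAMPLE_VV = """[virt-viewer]
host-subject=OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=pve.example.test
title=VM 101 - ubuntu-test
delete-this-file=1
tls-port=61000
type=spice
proxy=http://proxmox.example.test:3128
ca=-----BEGIN CERTIFICATE-----PLACEHOLDER\\n-----END CERTIFICATE-----\\n
password=PLACEHOLDER
host=pvespiceproxy:PLACEHOLDER
"""

# Assumption: keys treated as required are the ones present in the quoted file.
REQUIRED = ("type", "host", "tls-port", "proxy")


def check_vv(text, filename="pve-spice.vv"):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if not filename.isascii():
        findings.append(f"file name has non-ASCII characters: {filename!r}")
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.isascii():
            key = line.split("=", 1)[0]
            findings.append(f"line {lineno} ({key}) has non-ASCII characters")
    parser = configparser.RawConfigParser(delimiters=("=",))
    try:
        parser.read_string(text)
        vv = parser["virt-viewer"]
    except (configparser.Error, KeyError) as exc:
        return findings + [f"no usable [virt-viewer] section: {exc}"]
    findings += [f"missing key: {k}" for k in REQUIRED if not vv.get(k)]
    if vv.get("type") not in (None, "spice"):
        findings.append(f"type is {vv.get('type')!r}, expected 'spice'")
    if vv.get("proxy"):
        url = urlsplit(vv["proxy"])
        try:
            port = url.port
        except ValueError:  # non-numeric or out-of-range port
            port = None
        if url.scheme != "http" or not url.hostname or port is None:
            findings.append(f"proxy is not http://host:port: {vv['proxy']!r}")
    return findings


if __name__ == "__main__":
    for finding in check_vv(SAMPLE_VV) or ["no findings"]:
        print(finding)
```

To check a real download, read it with `open(path, encoding="utf-8").read()` and pass the file's base name as `filename`.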