Proxmox behind Traefik

bluepuma77 · February 11, 2025, 5:45pm

knifesk:

      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"

You can simplify. You already got http-to-https redirect on entrypoint and also the X-Forwarded-Proto header is set automatically by Traefik.

Are you sure proxmox-spice-tls with tls: passthrough: true will work? You forward the request encrypted with a Traefik LetsEncrypt TLS cert, but your target service will need access to the TLS cert to decrypt the request.

knifesk · February 11, 2025, 6:01pm

Tbh I don't really know if that part is being used. I'm just getting started with Traefik so I don't have the complete picture. I just moved from Ngnix Proxy Manager and still getting the hang of it..

This config does work, I can click the "Console" button on my Proxmox instance (while accessing via my proxy subdomain) and it does connect with remote-viewer and I can work with my VM just fine (it's an ubuntu 24.04 install), but I don't really know if the resulting connection is encrypted.

ZombieLurker · November 26, 2025, 3:53am

After banging my head against this issue with ChatGPT and this forum thread, ChaptGPT has given me a working ‘config.yml’ section for making this work. Besides this you need the proper entry points in the ‘traefik.yml’ file as shown above in other comments.

Can’t guarantee it will work for everyone or if this is even the proper way to do it or not but it works for my Proxmox VE 9.1.1 cluster.

One thing I have run into is after adding multiple nodes, is that if you bring it up and it says connected but doesn’t list a display to enable, just reconnect with a new spice file and it works.
```

tcp:
  routers:
    proxmox-spice:
      rule: "HostSNI(`*`)"
      entrypoints: "spice"
      tls: false
      service: proxmox-spice

    proxmox-spice-tls-node1:
      rule: "HostSNI(`pve-node1.example.com`)"
      entrypoints: "spice-tls"
      tls:
        passthrough: true
      service: proxmox-spice-tls-node1

    proxmox-spice-tls-node2:
      rule: "HostSNI(`pve-node2.example.com`)"
      entrypoints: "spice-tls"
      tls:
        passthrough: true
      service: proxmox-spice-tls-node2

    proxmox-spice-tls-node3:
      rule: "HostSNI(`pve-node3.example.com`)"
      entrypoints: "spice-tls"
      tls:
        passthrough: true
      service: proxmox-spice-tls-node3

  services:
    proxmox-spice:
      loadbalancer:
        servers:
          - address: "192.168.1.11:3128"
          - address: "192.168.1.12:3128"
          - address: "192.168.1.13:3128"
          - address: "192.168.1.14:3128"

    proxmox-spice-tls-node1:
      loadbalancer:
        servers:
          - address: "192.168.1.11:61000"

    proxmox-spice-tls-node2:
      loadbalancer:
        servers:
          - address: "192.168.1.12:61000"

    proxmox-spice-tls-node3:
      loadbalancer:
        servers:
          - address: "192.168.1.13:61000"

Topic		Replies	Views
Traefik proxy primarily for internal use (unable to connect Proxmox webGUI) Traefik v2 file	1	3405	November 16, 2022
Proxmox behind Traefik on Kubernetes Traefik v2 kubernetes-ingress	0	746	December 13, 2023
Traefik and Proxmox Traefik v3 (latest) docker	2	3275	April 10, 2025
Proxmox with Traefik (Maybe someone can help me ) Traefik v2 file	0	1752	November 24, 2021
Traefik does not redirect to my Proxmox URL Traefik v3 (latest) docker , file	0	519	June 23, 2024

Proxmox behind Traefik

Related topics