console not working with private network

[Guest Less Fequa]

I have a problem about this thicket
I have a cluster
vcenter ip address is local : 192.168.0.150
and hosts ip addresses is 192.168.0.156 to 192.168.0.160
I can't install sign ssl on private ip address
how can I connect to console without ssl to solve ssl certificate problem ?

[Guest Евгений Romanoff]

I`ve managed to get console working via proxy, 

[Guest Less Fequa]

Can you please send me the steps to run it on private network? like how you make it working with private IP

[Guest Евгений Romanoff]

we have private dns zone storm-pro.net which points to private ip addresses and is available only through our vpn, but also same zone exists in public and all our esxi hostnames points to a single public ip which is on proxy and the proxy in turn direct requests to the particular esxi in our private network according to the Host header

can give you haproxy config we`re using if needed, but i have to obfuscate it a bit).

 

oh, and the proxy uses valid ssl certificate on the public ip

[Guest manvinder]

Can you send the detailed information if someone running the esxi in private network how they can fix Which proxy server are you using?and does the proxy forward the request with port 443 to the esx?so storm-pro.net is a dns service?

 

[Guest manvinder]

hello

Which proxy server are you using?
WHMCS Global Services, 01-11-2019
it`s haproxy

and does the proxy forward the request with port 443 to the esx?
WHMCS Global Services, 01-11-2019
that`s correct

so storm-pro.net is a dns service?
WHMCS Global Services, 01-11-2019
there two independent dns zones: private storm-pro.net and public storm-pro.net

[Guest Евгений Romanoff]

You should have haproxy.cfg file like this 

 

global
    nbproc      2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     65535
    user        haproxy
    group       haproxy
    log-tag     haproxy20
    log         /dev/log local7 info
    daemon
    #debug

    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCMSHA384
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  abortonclose
    option                  httplog clf
    option                  dontlognull
    option                  http-server-close
    option                  http-pretend-keepalive
    no option               redispatch
    retries                 3
    timeout http-request    45s
    timeout queue           60s
    timeout connect         45s
    timeout client          1m
    timeout server          1m
    timeout tunnel          1h
    timeout http-keep-alive 30s
    timeout check           10s
    timeout tarpit          60s
    maxconn                 65535

## FRONTS

listen stats
    bind <PRIVATE_IP>:81
    balance
    mode http
    stats enable
    #stats auth admin:admin
    stats hide-version
    stats uri /hastats

frontend main-https
    bind <PUBLIC_IP>:443 ssl crt /path/to/ssl.bundle alpn http/1.1
    #tcp-request inspect-delay 500ms
    tcp-request content accept if HTTP
    log global

    acl acl_requrl        path_beg       -i /ticket/
    http-request          deny           deny_status 403        if ! acl_requrl

    use_backend           be_dc1-hv1    if { hdr(host) -i dc1-hv1.storm-pro.net }
    use_backend           be_dc2-hv1    if { hdr(host) -i dc2-hv1.storm-pro.net }
    default_backend       be_dummy

## BACKS

backend be_dummy
    http-request         deny            deny_status 403

backend be_dc1-hv1
    log global
    server      dc1-hv1 dc1-hv1.storm-pro.net:443 ssl verify none

backend be_dc2-hv1
    log global
    server      dc2-hv1 dc2-hv1.storm-pro.net:443 ssl verify none

[Guest Guest Kwashi]

On 11/11/2019 at 1:10 AM, Guest Less Fequa said:

Can you please send me the steps to run it on private network? like how you make it working with private IP

were you able to fix it using the proxy? I can also provide you with what I did to make it work. 

[Guest Евгений Romanoff]

On 11/14/2019 at 7:10 PM, Guest Guest Kwashi said:

were you able to fix it using the proxy? I can also provide you with what I did to make it work. 

Yes please it will helpfull.