I just watched Tom’s latest video on Kasm.
I was able to set it up thanks to his video. My installation is vanilla at the moment.
I have HAProxy set up thanks to his video about that with PFsense.
I am trying to get the two to work together but keep getting the 503 Service unavailable. Does anyone have this working that could provide some insight?
Thanks in advance.
503 means that haproxy cannot reach the IP and port of the destination.
I do have HAProxy working with my other services on other VMs so I think the problem probably lies with how I have Kasm configured for proxies.
Do you have HAProxy in use with Kasm? What is your config for Kasm here?
I have seen this documentation but I am not sure where to place this configuration file. Not within Pfsense correct?
Does this go somewhere within my Kasm VM?
That documentation shows an example of an haproxy.conf file and assumes that haproxy is running on the same host as Kasm. It shows a pretty a pretty typical haproxy config, so there may not be anything exotic missing from your setup.
One simple place where these 503 errors happen is with HAProxy’s health checks. Have a look at the proxy’s stats page and see what your backend is doing. It’s likely failing an L7 health check. Very often just disabling that check will bring the host online. In the config file you’d just eliminate the word check from the kasm backend, but in pfSense, I think there’s some drop-down menu to adjust (also under the kasm backend).
Not a silver bullet, but it’s a simple first step to try.
With it configured on Pfsense, I don’t have the health check marked:
Thank you for your suggestion but I don’t think that is the issue.
If your kasm instance in internal you would use the private IP, not the public IP.
I know I am a weirdo and it’s not proper networking.
That is the private.
You probably know this already, but that’s an actual public address assigned to AT&T. I doubt that’s what’s causing you problems here if you’ve set up your routing to never reach out to the public internet for this, but don’t be surprised if this causes issues someday.
Here’s a thought: 8443 is usually used for https connections, however, you have Encrypt (SSL) set to “no.” Change that to “yes” and see if it makes a difference. Leave SSL checks set to “no”; presumably Kasm would use a self-signed cert.
By the way, that SSL checks option isn’t the check I was talking about in my prior comment. There’s a healthcheck field somewhere below that table. But try the Encrypt field before worrying about that.
Tested, resulted in the same error 503. I was pretty sure Ecrypt needed to be off because Kasm provides its own cert.
I wonder if this is more of a Docker/Container issue with proxies…
If Kasm’s providing a cert, Encrypt definitely needs to be set to yes. As a sanity check, if you go to https://12.0.0.31:8443, you get to Kasm, right?
I’m realizing there’s a lot of assumptions I’m making about your setup that would be good to confirm. What are the addresses you’re dealing with (what is the IP of your client computer, pfSense, HAProxy, etc.) and what does your dns record for the domain look like? Does looking up (with dig or nslookup) kasm.example.com (or whatever you’re using) resolve correctly from the client? It should return the HAProxy address.
If you think there could be a docker problem, post the compose file you’re using.
Correct, if I go to the address itself with that port, it works.
Client that Kasm resides on: 12.0.0.31
My computer: 12.0.0.104
PFsense hosting HAProxy also DHCP server: 12.0.0.1
domain dns setup with cloudflare:
Using pihole for DNS
nslookup to kasm.domain.com proxy results in my public address.
I’m not sure what your entire setup is like. Out of curiosity I stood up a kasm instance on a VM locally on my network and I had no issues using HAproxy. Maybe you missed a step somewhere. I noticed you are using port 8443. When I did the install it is using 443. I think for further assistance it would be nice to see a diagram of the networking, configs, and so on. There wouldn’t be any reason this shouldn’t work.
Below is a rough drawing of the infrastructure:
I originally did the install without using the flag -L to specify the port to 8443. Just a standard normal install. Reading through the proxy documentation it seemed like they were saying HAProxy operated on 443 so I should use something like 8443 for Kasm to listen on.
Please let me know if you need more information/explanation.
Are you using HA Proxy within PFSense? Could I see your config for that?
I redid the install for Kasm and am still getting the same error. So default port 443.
I also tried putting port 443 in the port textbox. Got a bad request (400).
Having exactly same issue. Documentation config doesn’t work, and following method that works for other servers is also yielding a 503 error. I think the problem is that it has a self-signed certification and not sure it is being accepted by the RP ?
