Install Teleport behind HAProxy

[damienbutt]

Hi all,

I have installed Teleport on an Ubuntu Server 20.04 LTS.

Following the docs, I have gotten as far as running the teleport configure command to generate a default config.

I run HAProxy on my network that does all my SSL terminations using Let's Encrypt.

Is it possible to generate a self-signed cert with Teleport, or even use it without a cert? And then proxy through to it using HAProxy and the Let's Encrypt cert? This is how I run all my other internal/external services.

Thanks,

D

[webvictim]

If you start Teleport without providing a certificate (either via https_keypairs in the config file, or using acme), its default behaviour is to generate a self-signed certificate and use that when serving the proxy's web UI. As long as haproxy doesn't attempt to validate the self-signed certificate presented by the Teleport backend, it should work fine.

You can use it without a cert if you really want by using teleport start --insecure-no-tls, but I don't recommend this.

[damienbutt]

I can't seem to get the web UI up on port 443.

Teleport is running. I have opened the necessary ports. Teleport doesn't seem to be listening on any IPv4 ports. Any ideas?

[webvictim]

Set this in your config file and restart Teleport.

proxy_service:
  web_listen_addr: 0.0.0.0:443

[webvictim]

For your use case it sounds more like you want to have haproxy listen on 443 and redirect to the Teleport backend on port 3080.

[damienbutt]

Yes, HAProxy does my SSL termination. So having an HTTP backend or self-signed HTTPS backend is fine as HAProxy will take care of that. Although I would prefer to run the backend on HTTPS with a self-signed cert if possible.

HAProxy listens on ports 443 and 80.

I have two internal DNS CNAME entries set up.

teleport.domain.com and *.teleport.domain.com, which both point to haproxy.internal.domain.com.

In HAProxy, I have a front end set up to look for teleport.domain.com and proxy that traffic to the IP address of my teleport instance on port 3080. This is currently working. The login page is loading with SSL via HAProxy. I haven't done any more than that yet.

Do I need to proxy traffic from *.teleport.domain.com through to anything?

Again, I would prefer to run with a self-signed cert on the backend but I couldn't seem to get that working.

[webvictim]

If you don’t specify https_keypairs or acme, it should generate and use a self-signed cert.

If you want to use Teleport’s application access, you’ll need to proxy the wildcard domain through so you can use subdomains for applications. If you’re not using that, you don’t need to.

[damienbutt]

I have only been able to get this working without using a cert. Unless I did something wrong.

I think the documentation could be a bit better. It doesn't seem to cover the self-cert/no-cert options...

[damienbutt]

Also found that without a cert the service listens on port 3080, which isn't mentioned in the docs. Unless I missed that too.