Access teleport behind a reverse proxy

I have Teleport set up and working for direct connections, but I want to further customize my setup by placing Teleport behind a reverse proxy for load balancing reasons. Currently, I can log in and see my clusters/nodes, but when I try to connect to a node, I get ‘ssh connection dropped’ displayed in the session window. This only happens when connecting from the reverse proxy host.

I really appreciate any help you can provide.

Does your reverse proxy also proxy websockets? The Teleport web UI relies on these for its in-browser SSH sessions.

Bingo! That was it. Thank you very much for the pointer to the fix.

I’ll post the solution here for future parties. I hope that is okay. It assumes a modern version of NGINX (currently I am on 1.14.2 running on Debian 10) but the logic should translate to other server engines as long as web socket support is available.

This snippet needs to go in your nginx.conf:

        map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;

…and the following snippet needs to be added to the server {} definition within the location block of the config file that defines site configuration:

            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

One special note though: The ‘map’ stanza is only allowed within the base NGINX configuration. Should you try to add it to the site config it will error.

Thanks again.


1 Like

Glad to hear that sorted it! Thank you for posting details for others :slight_smile: