Console not working with SSL and web sockets (non-secure), haproxy and letsencrypt

I spent months on this problem, so I thought I would document it for the community:

Sunstone 5.0.3 KVM Ubuntu 16.04

Behavior: Sunstone works well with SSL, but the VM consoles do not open.

Hint: I use Firefox, and the Firefox browser console screams:

Firefox can’t establish a connection to the server at ws://panel.example.com:29876/?token=m8pagdywnm9c178esz6t. main.js:59451:30

Setup is like this:

    Internet line
         |
    Firewall
         |
    haproxy VM
    (SSL termination with Let's Encrypt certificates)
         |
    one server with the HTTP and VNC proxy ports open

Haproxy config:
Normal HTTPS front-end:

    frontend https-in

    ####letsencrypt config
        bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
        reqadd X-Forwarded-Proto:\ https
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl

Websockets front-end:

    # Frontend 29876  VM Consoles  #############################################
    frontend consoles-in

    ####letsencrypt config
        bind *:29876 ssl crt /etc/haproxy/certs/example.com.pem
        reqadd X-Forwarded-Proto:\ https
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend example_backed
    ####end letsencrypt config

        acl host_panelconsoles hdr(host) -i panel.example.com
        use_backend be_panelconsoles if host_panelconsoles

    ###  Frontend *29876 ########################################## END

Back-ends of ONE:

    backend be_panel
        balance leastconn
        option httpclose
        option forwardfor
        compression algo gzip
        compression type text/css text/less text/plain text/xml application/xml application/json application/javascript
        compression offload
        no log
        cookie JSESSIONID prefix
        server panel 10.11.180.19:9869 cookie A check

    backend be_panelconsoles
        balance leastconn
        option httpclose
        option forwardfor
        compression algo gzip
        compression type text/css text/less text/plain text/xml application/xml application/json application/javascript
        compression offload
        no log
        cookie JSESSIONID prefix
        server panel 10.11.180.19:29876 cookie A check

In novnc.log there were some hints:

158.132.139.138: ignoring socket not ready
10.11.180.13: ignoring socket not ready
158.132.139.138: SSL connection but '/self.pem' not found
10.11.180.13: ignoring socket not ready
158.132.139.138: SSL connection but '/self.pem' not found

So, here is how I solved the issue:

The problem was that haproxy was receiving the websocket over SSL and passing it on to the back-end as SSL, while the back-end is not using wss (secure) but plain ws, as per the Sunstone config.

Here is my sunstone-server.conf:

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: no
:vnc_proxy_cert:
:vnc_proxy_key:
:vnc_proxy_ipv6: false
:vnc_request_password: false

The solution was to comment out this line in the haproxy config, which was wrongly indicating SSL to ONE's noVNC server:

    reqadd X-Forwarded-Proto:\ https

Websockets front-end (after the fix):

    # Frontend 29876  VM Consoles  #############################################
    frontend consoles-in

    ####letsencrypt config
        bind *:29876 ssl crt /etc/haproxy/certs/example.com.pem
    #   reqadd X-Forwarded-Proto:\ https      <== commented out
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend example_backed
    ####end letsencrypt config

        acl host_panelconsoles hdr(host) -i panel.example.com
        use_backend be_panelconsoles if host_panelconsoles

    ###  Frontend *29876 ########################################## END

After that, Sunstone saw the incoming websocket connection as not secure, as per its configuration, and that solved it!
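Two checks a practitioner would want before touching the proxy, written as an added Python example (editor's code, not from the post, OpenNebula or HAProxy). The first summarises, per HAProxy frontend, whether TLS is terminated at the proxy, whether X-Forwarded-Proto is forced to https, and whether the backend server line itself uses ssl; it flags the combination the post traced the console failure to (TLS terminated, header forced to https, plain backend). The second classifies the first bytes a listener receives as a TLS handshake or a plaintext HTTP request, which is the distinction behind the "SSL connection but '/self.pem' not found" lines in novnc.log: the proxy port received a TLS hello on a listener that had no certificate configured. The config text is a constructed copy of the post's frontends and backends with assumed default_backend names; the sample byte strings are constructed too.

```python
import re

# Constructed copy of the post's HAProxy config (backend names for the
# default_backend lines are assumptions; the post shows "example_backed").
HAPROXY_CFG_BEFORE = """\
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    reqadd X-Forwarded-Proto:\\ https
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend be_panel

frontend consoles-in
    bind *:29876 ssl crt /etc/haproxy/certs/example.com.pem
    reqadd X-Forwarded-Proto:\\ https
    acl host_panelconsoles hdr(host) -i panel.example.com
    use_backend be_panelconsoles if host_panelconsoles
    default_backend be_panelconsoles

backend be_panel
    server panel 10.11.180.19:9869 cookie A check

backend be_panelconsoles
    server panel 10.11.180.19:29876 cookie A check
"""

# Same config with the post's fix applied to the consoles frontend only.
_head, _tail = HAPROXY_CFG_BEFORE.split("frontend consoles-in", 1)
HAPROXY_CFG_AFTER = _head + "frontend consoles-in" + _tail.replace(
    "    reqadd X-Forwarded-Proto:\\ https",
    "    # reqadd X-Forwarded-Proto:\\ https   (commented out, as in the fix)", 1)

SECTION_RE = re.compile(r"^(frontend|backend|listen)\s+(\S+)")


def parse_haproxy(cfg):
    """Map (kind, name) -> list of tokenised directives; '#' starts a comment."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line.split())
    return sections


def forces_xfp_https(tokens):
    """True for the legacy 'reqadd X-Forwarded-Proto:\\ https' and for the
    HAProxy 2.x form 'http-request set-header X-Forwarded-Proto https'."""
    if tokens[0] == "reqadd" and len(tokens) >= 3:
        return tokens[1].lower().startswith("x-forwarded-proto") and tokens[-1].lower() == "https"
    if tokens[:2] == ["http-request", "set-header"] and len(tokens) >= 4:
        return tokens[2].lower() == "x-forwarded-proto" and tokens[3].lower() == "https"
    return False


def summarise(cfg):
    """Per frontend: TLS terminated at the bind, X-Forwarded-Proto forced to
    https, and for each referenced backend whether its server line uses ssl
    (None = backend not defined in this config)."""
    sections = parse_haproxy(cfg)
    backend_tls = {name: any(t[0] == "server" and "ssl" in t[1:] for t in lines)
                   for (kind, name), lines in sections.items() if kind in ("backend", "listen")}
    report = {}
    for (kind, name), lines in sections.items():
        if kind not in ("frontend", "listen"):
            continue
        targets = [t[1] for t in lines if t[0] in ("use_backend", "default_backend")]
        report[name] = {
            "client_tls": any(t[0] == "bind" and "ssl" in t[1:] for t in lines),
            "xfp_https": any(forces_xfp_https(t) for t in lines),
            "backends": {b: backend_tls.get(b) for b in targets},
        }
    return report


def header_mismatches(report):
    """(frontend, backend) pairs where TLS ends at the proxy, the request is
    labelled https via X-Forwarded-Proto, and the backend hop is plaintext."""
    return [(fe, be) for fe, info in report.items()
            if info["client_tls"] and info["xfp_https"]
            for be, tls in info["backends"].items() if tls is False]


def peek_protocol(first_bytes):
    """Classify a client's first bytes on a listener: a TLS record (content
    type 0x16 = handshake, version 0x03xx), an SSLv2-style hello (high bit of
    the first byte set), or a plaintext HTTP request line such as a websocket
    upgrade. A TLS hello arriving at a websockify listener that has no
    certificate is what the novnc.log '/self.pem' lines describe."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes and first_bytes[0] & 0x80:
        return "sslv2"
    if first_bytes.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        return "http"
    return "unknown"


if __name__ == "__main__":
    for label, cfg in (("before", HAPROXY_CFG_BEFORE), ("after", HAPROXY_CFG_AFTER)):
        print(label, header_mismatches(summarise(cfg)))
    # Constructed samples: a TLS 1.x ClientHello prefix and a plain ws upgrade.
    print(peek_protocol(b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03"))
    print(peek_protocol(b"GET /?token=m8pagdywnm9c178esz6t HTTP/1.1\r\nUpgrade: websocket\r\n"))
```

The report is deliberately descriptive: an https-terminating frontend forwarding X-Forwarded-Proto: https to a plain HTTP backend is the normal pattern for an ordinary web application, so compare the consoles frontend's row against Sunstone's vnc_proxy_support_wss setting rather than treating every flagged pair as a bug. Note that reqadd was removed in HAProxy 2.1; on current releases the header would be set with http-request set-header, which the checker also recognises. If peer addresses in novnc.log are public rather than the proxy's own, some clients are reaching the websockify port directly instead of through haproxy.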