Apache reverse proxy for an SSH tunnel


I want to set up an Apache reverse proxy for a Home-Assistant (hass) instance running on my local network.

I use ssh -N [email protected] -R 8123:localhost:8123 to tunnel the traffic of the local hass instance to the remote server.

Now I am trying to set up a simple reverse proxy in Apache:

<VirtualHost *:443>
    ServerName hass.example.com

    SSLEngine On

    # If you manage SSL certificates by yourself, these paths will differ.
    SSLCertificateFile fullchain.pem
    SSLCertificateKeyFile privkey.pem

    SSLProxyEngine on
    SSLProxyProtocol +TLSv1.2 +TLSv1.3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia On
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    
            
    # Proxy all traffic to hass
    ProxyPass / http://localhost:8123/ nocanon
    ProxyPassReverse / http://localhost/
    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
    <IfModule security2_module>
        SecRuleEngine off
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName hass.example.com

    Redirect permanent / "https://hass.example.com"

    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
</VirtualHost>

Unfortunately, if I try to open hass.example.com, the browser responds with 400: Bad Request

Answer 1

In the end it comes down to this: Home-Assistant blocks reverse proxies, and you have to proxy websocket requests.

Adjust the hass config (config/configuration.yaml):

http:
  use_x_forwarded_for: true
  trusted_proxies:
  - ::1
  - 127.0.0.1
  ip_ban_enabled: true
  login_attempts_threshold: 5

Apache configuration:

<VirtualHost *:443>
    ServerName hass.example.com

    SSLEngine On

    # If you manage SSL certificates by yourself, these paths will differ.
    SSLCertificateFile fullchain.pem
    SSLCertificateKeyFile privkey.pem

    SSLProxyEngine on
    SSLProxyProtocol +TLSv1.2 +TLSv1.3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia On
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    
            
    # Proxy all traffic to hass
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket
    RewriteRule /(.*) ws://localhost:8123/$1 [P]
    RewriteCond %{HTTP:Upgrade} !=websocket
    RewriteRule /(.*) http://localhost:8123/$1 [P]
    ProxyPassReverse / http://localhost:8123


    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
    <IfModule security2_module>
        SecRuleEngine off
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName hass.example.com

    Redirect permanent / "https://hass.example.com"

    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
</VirtualHost>
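
The trusted-proxy check that the answer's http: settings turn on, as an added example (not part of the original answer and not Home-Assistant's own code): a simplified model of how a backend decides whether to accept X-Forwarded-For and which address it then treats as the client. It assumes that a forwarded request is answered with 400 unless use_x_forwarded_for is on and the connecting peer is listed in trusted_proxies; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# The trusted_proxies entries from the answer's configuration.yaml.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("::1", "127.0.0.1")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client(peer, xff, use_x_forwarded_for=True, trusted=TRUSTED_PROXIES):
    """Return (http_status, client_ip) for one request (hypothetical helper).

    peer: source address of the TCP connection as the backend sees it.
          Behind `ssh -R 8123:localhost:8123` this is the loopback
          address of the hass host, not the address of the Apache server.
    xff:  value of the X-Forwarded-For header, or None if absent.
    """
    if xff is None:
        return 200, peer                 # direct request, no proxy involved
    if not use_x_forwarded_for or not is_trusted(peer, trusted):
        return 400, None                 # forwarded request from an unapproved source
    hops = [h.strip() for h in xff.split(",")]
    try:
        for hop in hops:
            ipaddress.ip_address(hop)    # reject malformed header values
    except ValueError:
        return 400, None
    # Walk right to left: the rightmost entries were appended by our own
    # proxies. The first untrusted address is the client; anything to its
    # left was supplied by the client itself and is ignored.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return 200, hop
    return 200, hops[0]


if __name__ == "__main__":
    # Constructed requests: (peer, X-Forwarded-For, use_x_forwarded_for)
    samples = [
        ("127.0.0.1", "203.0.113.7", False),          # forwarding not enabled -> 400
        ("127.0.0.1", "203.0.113.7", True),           # enabled, peer is trusted
        ("::1", "10.0.0.1, 203.0.113.7", True),       # client-supplied first hop
        ("192.168.1.50", "203.0.113.7", True),        # header from an untrusted peer
    ]
    for peer, xff, enabled in samples:
        print(peer, repr(xff), enabled, "->", resolve_client(peer, xff, enabled))
```

Because the tunnel ends on loopback, any process that can connect to localhost:8123 on the hass host is treated as a trusted proxy under these settings, so ip_ban_enabled is only as reliable as the header those local peers send.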
