Difference between revisions of "GLKVM Reverse Proxy"
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
This is for configuring GLKVM behind an Apache reverse proxy. | This is for configuring GLKVM behind an Apache reverse proxy. | ||
| − | There are some details online about this in their [https://forum.gl-inet.com/t/kvm-behind-a-reverse-proxy/61373/7 forum here], but it's for NGINX only. As this is based on the pikvm, there's some examples of this, but not 100% working. My setup also uses SSH to punch an outbound to my server | + | There are some details online about this in their [https://forum.gl-inet.com/t/kvm-behind-a-reverse-proxy/61373/7 forum here], but it's for NGINX only. As this is based on the pikvm, there's some examples of this, but not 100% working. My setup also uses SSH to punch an outbound to my server. |
| + | |||
| + | [https://www.amazon.com/dp/B0F21SQ4S8 These are under 100 USD on amazon now.] | ||
= SSH proxy = | = SSH proxy = | ||
| Line 11: | Line 13: | ||
# '''make a ssh key using the drop bear utility.''' | # '''make a ssh key using the drop bear utility.''' | ||
| − | #2 '''Make this script /root/sshtunnel.sh''' | + | #<li value="2"> '''Make this script /root/sshtunnel.sh'''</li> |
This will ssh to host.org as kvm, so you'll need to setup an account there and ensure ssh key login works. Also ensure 34505 and 34506 ports are not in use on the host. | This will ssh to host.org as kvm, so you'll need to setup an account there and ensure ssh key login works. Also ensure 34505 and 34506 ports are not in use on the host. | ||
| Line 28: | Line 30: | ||
| − | as root add this in your crontab (crontab -e) | + | #<li value="3"> '''as root add this in your crontab (crontab -e)'''</li> |
<pre> | <pre> | ||
* * * * * /root/sshtunnel.sh > /dev/null | * * * * * /root/sshtunnel.sh > /dev/null | ||
</pre> | </pre> | ||
| − | This will now restart this every min and if it's running, exit. | + | This will now restart this every min and if it's running, exit. |
| − | |||
= Apache config = | = Apache config = | ||
| Line 40: | Line 41: | ||
This is the config for your domain in apache. Note that this needs to be a root, you can't use like domain.com/kvm as the files are hard linked to / | This is the config for your domain in apache. Note that this needs to be a root, you can't use like domain.com/kvm as the files are hard linked to / | ||
| − | < | + | <pre> |
<VirtualHost kvm.example.com:443> | <VirtualHost kvm.example.com:443> | ||
ServerName kvm.example.com | ServerName kvm.example.com | ||
Latest revision as of 13:35, 6 October 2025
This is for configuring GLKVM behind an Apache reverse proxy.
There are some details online about this in their forum here (https://forum.gl-inet.com/t/kvm-behind-a-reverse-proxy/61373/7), but they are for NGINX only. As this is based on the PiKVM, there are some examples of this, but they are not 100% working. My setup also uses SSH to punch an outbound tunnel to my server.
These are under 100 USD on Amazon now (https://www.amazon.com/dp/B0F21SQ4S8).
SSH proxy
I wanted to use something like https://wiki.w9cr.net/index.php/Secure_Tunnel_Service on this, but they don't use systemd, and I can't modify the inittab as it's on an overlay filesystem.
What I did was run a program from crontab, not great, but it works.
- Make an SSH key using the Dropbear utility.
- Make this script /root/sshtunnel.sh
This will SSH to host.org as kvm, so you'll need to set up an account there and ensure SSH key login works. Also ensure ports 34505 and 34506 are not in use on the host.
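<pre>
#!/bin/sh
# Keep one reverse SSH tunnel from the KVM to host.org; run from cron every minute.
PIDFILE="/tmp/sshtunnelpid"
# Exit if the PID recorded by the previous run still belongs to a live process of this user.
if [ -e "${PIDFILE}" ] && (ps -u "$(whoami)" -opid= |
                           grep "^\s*$(cat "${PIDFILE}")$" > /dev/null 2>&1); then
  echo "Already running."
  exit 99
fi
# Dropbear client options: -y accepts an unknown host key without prompting, -K 60 sends keepalives, -NT runs no command and allocates no pty.
# On host.org, port 34505 forwards to the KVM's SSH (22) and port 34506 to its HTTPS (443).
ssh -y -K 60 -NT kvm@host.org -i /root/.ssh/dropbear_id_ed25519 -R 34505:127.0.0.1:22 -R 34506:127.0.0.1:443 &
# Record the tunnel's PID so the next cron run can find it.
echo $! > "${PIDFILE}"
</pre>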
- As root, add this to your crontab (crontab -e)
<pre>
* * * * * /root/sshtunnel.sh > /dev/null
</pre>
Cron now runs the script every minute; if the tunnel is already running, the script exits.
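A check to run on host.org before and after the tunnel comes up, as an added example that is not part of the original page: it reads `ss -ltn` output and reports whether ports 34505 and 34506 are free, bound to loopback only, or listening on a non-loopback address. The last case would put the KVM's SSH and web UI on the network without going through Apache; it is assumed here that the server runs OpenSSH, where this happens when GatewayPorts is enabled. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.

# classify_listener PORT
# Reads `ss -ltn` output on stdin and prints one word:
#   free      nothing listens on PORT
#   loopback  only 127.0.0.1 / [::1] listen on PORT
#   exposed   a wildcard or other non-loopback address listens on PORT
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # $4 is Local Address:Port
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]") loopback = 1
            else exposed = 1
        }
        END {
            if (exposed)       print "exposed"
            else if (loopback) print "loopback"
            else               print "free"
        }'
}

# check_tunnel_ports EXPECTED
# Reads the listing on stdin and compares both forwarded ports with EXPECTED
# ("free" before the tunnel starts, "loopback" once it is up).
# Prints one line per port; returns 1 if any port differs.
check_tunnel_ports() {
    listing=$(cat)
    rc=0
    for port in 34505 34506; do
        state=$(printf '%s\n' "$listing" | classify_listener "$port")
        echo "port $port: $state"
        [ "$state" = "$1" ] || rc=1
    done
    return $rc
}

# Constructed sample of `ss -ltn` output: 34505 is loopback-only, 34506 is on the wildcard.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:34505      0.0.0.0:*
LISTEN 0      128            [::1]:34505         [::]:*
LISTEN 0      128          0.0.0.0:34506      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

# On the server: ss -ltn | check_tunnel_ports loopback
```

Run it with `free` before step 3 to confirm the ports are unused, and with `loopback` once the tunnel is up.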
Apache config
This is the config for your domain in Apache. Note that this needs to be served from the root of the domain; you can't use something like domain.com/kvm, as the file paths are hard-coded to /.
<pre>
<VirtualHost kvm.example.com:443>
    ServerName kvm.example.com
    ServerAdmin me@you.org
    RewriteEngine On
    ProxyPreserveHost On

    # TLS to the backend. Verification of the KVM's certificate (chain, name and
    # expiry) is switched off, so this hop relies on the SSH tunnel alone.
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

    # Send WebSocket upgrade requests to the backend over wss://.
    # The Connection header may carry several tokens (e.g. "keep-alive, Upgrade"),
    # and %{REQUEST_URI} already starts with "/".
    RewriteCond %{HTTP:Upgrade} ^WebSocket$ [NC]
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteRule .* wss://127.0.0.1:34506%{REQUEST_URI} [P,L]

    # ProxyPass rules are matched in order, so the specific paths come before "/".
    ProxyPass /extras/webterm/ttyd/ws wss://127.0.0.1:34506/extras/webterm/ttyd/ws
    ProxyPass /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
    ProxyPassReverse /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/

    <Location /api/ws>
        Require all granted
        ProxyPass wss://127.0.0.1:34506/api/ws
        ProxyPassReverse wss://127.0.0.1:34506/api/ws
    </Location>
    <Location /janus/ws>
        Require all granted
        ProxyPass wss://127.0.0.1:34506/janus/ws
        ProxyPassReverse wss://127.0.0.1:34506/janus/ws
    </Location>

    # Everything else goes to the KVM web UI.
    ProxyPass / https://127.0.0.1:34506/
    ProxyPassReverse / https://127.0.0.1:34506/
</VirtualHost>
</pre>