GLKVM Reverse Proxy
This is for configuring GLKVM behind an Apache reverse proxy.
There are some details online about this in their forum here, but they're for NGINX only. As this is based on PiKVM, there are some examples of this, but they are not 100% working. My setup also uses SSH to punch an outbound tunnel to my server.
SSH proxy
I wanted to use something like https://wiki.w9cr.net/index.php/Secure_Tunnel_Service on this, but they don't use systemd, and I can't modify the inittab as it's on an overlay filesystem.
What I did was run a program from crontab, not great, but it works.
- Make an SSH key using the dropbear utility.
- Make this script, /root/sshtunnel.sh
This will ssh to host.org as kvm, so you'll need to set up an account there and ensure SSH key login works. Also ensure ports 34505 and 34506 are not in use on the host.
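#!/bin/sh
# Keep a reverse SSH tunnel to host.org open; meant to be run from cron.
PIDFILE="/tmp/sshtunnelpid"
# Exit if the PID recorded by a previous run is still alive.
if [ -e "${PIDFILE}" ] && kill -0 "$(cat "${PIDFILE}")" 2> /dev/null; then
    echo "Already running."
    exit 99
fi
# dropbear client: -y accepts an unknown host key, -K 60 sends keepalives.
ssh -y -K 60 -NT kvm@host.org -i /root/.ssh/dropbear_id_ed25519 -R 34505:127.0.0.1:22 -R 34506:127.0.0.1:443 &
# Record the tunnel's PID so the next cron run can find it.
echo $! > "${PIDFILE}"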
As root, add this to your crontab (crontab -e):
* * * * * /root/sshtunnel.sh > /dev/null
Cron now runs the script every minute; if the tunnel is already running the script exits, otherwise it starts the tunnel again.
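An added example, not part of the original page: a check to run on host.org that the two reverse-forwarded ports are listening on loopback only, so the KVM's SSH and web UI are reachable only from the server itself (where Apache proxies to 127.0.0.1:34506). It assumes a Linux host with the iproute2 `ss` tool; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): run on host.org to audit the
# listeners created by the KVM's two -R forwards.
TUNNEL_PORTS="34505 34506"

# Reads `ss -ltn` output on stdin and prints one line per tunnel port:
#   "<port> loopback", "<port> exposed <addr>" or "<port> missing".
# Returns non-zero if any port is exposed or missing.
audit_listeners() {
    awk -v ports="$TUNNEL_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)             # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        for (i = 1; i <= n; i++) {
            if (port != want[i]) continue
            if (addr ~ /^127\./ || addr == "[::1]") {
                if (!(port in state)) state[port] = "loopback"
            } else {
                state[port] = "exposed " addr        # wildcard or routable bind
            }
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = want[i]
            if (!(p in state)) state[p] = "missing"
            if (state[p] != "loopback") bad = 1
            print p, state[p]
        }
        exit bad + 0
    }'
}

# Constructed sample: 34505 is loopback-only, 34506 is bound to all interfaces.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128        127.0.0.1:34505      0.0.0.0:*
LISTEN 0      128            [::1]:34505         [::]:*
LISTEN 0      128          0.0.0.0:34506      0.0.0.0:*
EOF
}

# Demo on the sample; on the real host use:  ss -ltn | audit_listeners
sample_ss_output | audit_listeners || echo "tunnel listeners need attention"
```

A port reported as exposed means the forwarded KVM service can be reached without going through Apache; a port reported as missing means the tunnel is down.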
Apache config
This is the config for your domain in Apache. Note that the KVM needs to be served from the root of the domain; you can't use a sub-path like domain.com/kvm, as the files are hard linked to /
<VirtualHost kvm.example.com:443>
    ServerName kvm.example.com
    ServerAdmin me@you.org
    RewriteEngine On
    ProxyPreserveHost On
    SSLProxyEngine On
    # Certificate checks on the backend are disabled; the backend is only
    # reached over the SSH tunnel on 127.0.0.1.
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Send WebSocket upgrade requests to the backend over wss.
    RewriteCond %{HTTP:Upgrade} ^WebSocket$ [NC]
    RewriteCond %{HTTP:Connection} ^Upgrade$ [NC]
    RewriteRule .* wss://127.0.0.1:34506%{REQUEST_URI} [P,L]
    # ProxyPass rules are matched in configuration order, so the longer
    # paths come before the catch-all for /.
    ProxyPass /extras/webterm/ttyd/ws wss://127.0.0.1:34506/extras/webterm/ttyd/ws
    ProxyPass /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
    ProxyPassReverse /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
    ProxyPass / https://127.0.0.1:34506/
    ProxyPassReverse / https://127.0.0.1:34506/
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
    <Location /api/ws>
        # Apache 2.4 form of the old "Order allow,deny" / "Allow from all" pair.
        Require all granted
        ProxyPass wss://127.0.0.1:34506/api/ws
        ProxyPassReverse wss://127.0.0.1:34506/api/ws
    </Location>
    <Location /janus/ws>
        Require all granted
        ProxyPass wss://127.0.0.1:34506/janus/ws
        ProxyPassReverse wss://127.0.0.1:34506/janus/ws
    </Location>
</VirtualHost>