GLKVM Reverse Proxy

From W9CR
Revision as of 13:35, 6 October 2025 by Bryan (talk | contribs)

This is for configuring GLKVM behind an Apache reverse proxy.

There are some details online about this in their forum here, but it's for NGINX only. As this is based on PiKVM, there are some examples of this, but they are not 100% working. My setup also uses SSH to punch an outbound tunnel to my server.

These are under 100 USD on Amazon now.

SSH proxy

I wanted to use something like https://wiki.w9cr.net/index.php/Secure_Tunnel_Service on this, but they don't use systemd, and I can't modify the inittab as it's on an overlay filesystem.

What I did was run a program from crontab, not great, but it works.

  1. Make an SSH key using the Dropbear utility.
  2. Make this script, /root/sshtunnel.sh:

This will ssh to host.org as kvm, so you'll need to set up an account there and ensure SSH key login works. Also ensure ports 34505 and 34506 are not in use on the host.

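#!/bin/sh
# Keep one reverse SSH tunnel to host.org alive; run from cron every minute.
PIDFILE="/tmp/sshtunnelpid"

# Exit if the PID recorded by the previous run is still alive.
if [ -e "${PIDFILE}" ] && kill -0 "$(cat "${PIDFILE}")" 2> /dev/null; then
  echo "Already running."
  exit 99
fi
# -y: accept an unknown host key without prompting; -K 60: keepalive every 60 s.
# Remote port 34505 -> local SSH (22), remote port 34506 -> local HTTPS (443).
ssh -y -K 60 -NT kvm@host.org -i /root/.ssh/dropbear_id_ed25519 -R 34505:127.0.0.1:22 -R 34506:127.0.0.1:443 &
# Record the PID so the next cron run can tell that the tunnel is still up.
echo $! > "${PIDFILE}"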


  3. As root, add this to your crontab (crontab -e):
* * * * * /root/sshtunnel.sh > /dev/null

Cron now runs the script every minute; if the tunnel is already running, the script exits.
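
The kvm account on host.org only has to accept the two reverse forwards, so its authorized_keys entry can be restricted to exactly that. The script below is an added example, not part of the original page: it audits such an entry, assuming host.org runs OpenSSH 7.8 or later; audit_entry, the placeholder key blob and /bin/false as the forced command are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the authorized_keys entry
# of the kvm account on host.org. Assumes OpenSSH sshd 7.8+ (permitlisten) and
# option values without spaces or commas. audit_entry is a hypothetical helper.
ALLOWED_PORTS="34505 34506"   # the two -R listen ports used by sshtunnel.sh

# Print one finding per line; print nothing when the entry is locked down.
audit_entry() {
  entry=$1
  case $entry in
    ssh-*|ecdsa-*|sk-*) echo "no options: unrestricted login"; return 0 ;;
  esac
  opts=${entry%% *}   # option field: everything before the first space
  case ",$opts," in *,restrict,*) ;; *) echo "missing restrict" ;; esac
  case ",$opts," in *,port-forwarding,*) ;; *) echo "missing port-forwarding" ;; esac
  case ",$opts," in *,command=*) ;; *) echo "missing command=" ;; esac
  for p in $ALLOWED_PORTS; do
    case ",$opts," in
      *",permitlisten=\"$p\","*) ;;
      *) echo "missing permitlisten=\"$p\"" ;;
    esac
  done
  old_ifs=$IFS; IFS=,
  for o in $opts; do
    case $o in
      permitlisten=*)   # any other listen port widens what the KVM may bind
        port=${o#permitlisten=\"}; port=${port%\"}; port=${port##*:}
        case " $ALLOWED_PORTS " in
          *" $port "*) ;;
          *) echo "unexpected listen port $port" ;;
        esac ;;
      pty|agent-forwarding|X11-forwarding|user-rc) echo "re-enables $o" ;;
    esac
  done
  IFS=$old_ifs
}

# Constructed sample entries; the key blob is a placeholder, not a real key.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER kvm@glkvm'
WEAK=$KEY
TIGHT="restrict,port-forwarding,command=\"/bin/false\",permitlisten=\"34505\",permitlisten=\"34506\" $KEY"

if [ "${1:-}" = "demo" ]; then
  echo "weak entry:";  audit_entry "$WEAK"
  echo "tight entry:"; audit_entry "$TIGHT"
fi
```

Run it with demo as the first argument to audit the two sample entries; the tunnel script uses -N, so the forced command never runs during normal operation.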

Apache config

This is the config for your domain in Apache. Note that the KVM needs to be served from the root of the host name; you can't use something like domain.com/kvm, as the files are hard linked to /.

<VirtualHost kvm.example.com:443>
        ServerName kvm.example.com
        ServerAdmin me@you.org
        RewriteEngine On
        ProxyPreserveHost On
        SSLProxyEngine On
        # Certificate checks for the backend are disabled; the backend is the KVM's
        # own HTTPS port, reached through the SSH tunnel on 127.0.0.1:34506.
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
        RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

        # Send WebSocket upgrade requests to the backend over wss://.
        RewriteCond %{HTTP:Upgrade} ^WebSocket$ [NC]
        RewriteCond %{HTTP:Connection} Upgrade [NC]
        RewriteRule .* wss://127.0.0.1:34506%{REQUEST_URI} [P,L]

        # ProxyPass rules are checked in order and the first match wins,
        # so the more specific paths come before the catch-all "/".
        ProxyPass /extras/webterm/ttyd/ws wss://127.0.0.1:34506/extras/webterm/ttyd/ws
        ProxyPass /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
        ProxyPassReverse /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
        ProxyPass / https://127.0.0.1:34506/
        ProxyPassReverse / https://127.0.0.1:34506/

        <Location /api/ws>
                Require all granted
                ProxyPass wss://127.0.0.1:34506/api/ws
                ProxyPassReverse wss://127.0.0.1:34506/api/ws
        </Location>
        <Location /janus/ws>
                Require all granted
                ProxyPass wss://127.0.0.1:34506/janus/ws
                ProxyPassReverse wss://127.0.0.1:34506/janus/ws
        </Location>
</VirtualHost>