查看“SSH/反向代理”的源代码

论如何创建一套完整的反向代理
== 创建用户 ==
最好两边都搞上这种没权限的用户
 sudo useradd -m -s /usr/sbin/nologin proxyuser
 # 当然可以先默认使用bash,之后再调整

== 反代命令 ==
这个自己整好就行
 ssh -NR 11451:0.0.0.0:19198 -p 25565 -i <ssh-key> proxyuser@<IP>

== 系统服务 ==
=== 单个端口 ===
/etc/systemd/systemd/ssh-proxy
 [Unit]
 Description=Reverse SSH Tunnel for Reverse Proxy
 After=network.target
 
 [Service]
 ExecStart=/usr/bin/ssh proxy
 Restart=always
 User=moteproxy
 RestartSec=5
 
 [Install]
 WantedBy=multi-user.target

=== 端口模板 ===
/etc/systemd/system/ssh-proxy@
 [Unit]
 Description=SFTP Tunnel %i
 After=network.target
 
 [Service]
 User=yourusername
 ExecStart=/usr/bin/ssh -N -R 0.0.0.0:%i:127.0.0.1:%i proxy
 Restart=always
 RestartSec=5
 
 [Install]
 WantedBy=multi-user.target

== ssh 配置 ==
因为感觉不稳定,最后换上了高级的ssh over ssl
 Host proxy
  HostName 0.0.0.0
  User proxyuser
  IdentityFile ~/.ssh/proxy-key
  ProxyCommand openssl s_client -quiet -servername o.ssh -connect ip:port
  ServerAliveInterval 60
  ServerAliveCountMax 2
  TCPKeepAlive yes
  RemoteForward 0.0.0.0:11451 127.0.0.1:25565

== 心跳 ==
 # debian/ubuntu
 sudo apt install netcat-openbsd

<pre>
#!/bin/bash

# Define the remote host and port
REMOTE_HOST="example.com"
REMOTE_PORT=9090
LOCAL_PORT=8080
USER="user"

# Check if the remote port is open
nc -z $REMOTE_HOST $REMOTE_PORT
if [ $? -ne 0 ]; then
  echo "Tunnel is down, restart it"
  systemctl restart moteproxy
else
  echo "Tunnel is working fine"
fi
</pre>

<pre>
stream{
    upstream ssh {
        server 127.0.0.1:22;
    }

    upstream web {
        server 127.0.0.1:80;
    }


    # SSH and SSL on the same port
    map $ssl_preread_protocol $upstream {
        default web;
        "" ssh;
        "TLSv1.0" web;  
        "TLSv1.1" web;
        "TLSv1.2" web;
        "TLSv1.3" web;

    }
    map $ssl_server_name $srv_name {
        ~(.+)\.aaac ssh;
        default web;
    }
    #server {
    #    listen 8443;
    #    proxy_pass $upstream;
    #    ssl_preread on;
    #}
    server {
        listen 8443 ssl;
        proxy_pass $srv_name;
        ssl_preread on;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certb>
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Cer>
    }
}

</pre>