Brucekomike (talk | contribs), no edit summary
Latest revision as of 08:48, 4 December 2024 (Wed)
On building a complete reverse proxy setup
Creating users
It is best to create this kind of unprivileged user on both ends.
sudo useradd -m -s /usr/sbin/nologin proxyuser   # you can of course start with the default bash shell and switch to nologin later
Reverse proxy command
Set this one up however suits you.
# -N: no remote command; -R: the remote host listens on 11451 and forwards to this machine's port 19198;
# -p 25565: the remote sshd's port; <ssh-key> and <IP> are placeholders
ssh -NR 11451:0.0.0.0:19198 -p 25565 -i <ssh-key> proxyuser@<IP>
systemd services
Single port
/etc/systemd/system/ssh-proxy.service
[Unit]
Description=Reverse SSH Tunnel for Reverse Proxy
After=network.target

[Service]
# -N: no remote shell (the remote account has nologin); the forward itself comes from the
# "proxy" entry in this user's ~/.ssh/config, so the unit's User must own that config
ExecStart=/usr/bin/ssh -N proxy
Restart=always
User=moteproxy
RestartSec=5

[Install]
WantedBy=multi-user.target
Port template
/etc/systemd/system/ssh-proxy@.service
[Unit]
Description=SFTP Tunnel %i
After=network.target

[Service]
User=yourusername
# %i is the instance name: "systemctl start ssh-proxy@8080" exposes remote port 8080 and forwards it
# to local 127.0.0.1:8080. Binding the remote side to 0.0.0.0 needs GatewayPorts yes in the server's sshd_config.
ExecStart=/usr/bin/ssh -N -R 0.0.0.0:%i:127.0.0.1:%i proxy
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
ssh configuration
Because the plain tunnel felt unstable, I eventually switched to the fancier SSH over SSL.
Host proxy
    # With a ProxyCommand, HostName is only used for the known_hosts lookup, not for connecting
    HostName 0.0.0.0
    User proxyuser
    IdentityFile ~/.ssh/proxy-key
    # Wrap SSH in TLS: openssl connects to the nginx stream listener (ip:port is a placeholder) and
    # sends the SNI name that the nginx map uses to choose the ssh upstream, so keep the two in sync.
    # openssl s_client does not fail on certificate errors by default; SSH host key checking still applies.
    ProxyCommand openssl s_client -quiet -servername o.ssh -connect ip:port
    ServerAliveInterval 60
    ServerAliveCountMax 2
    TCPKeepAlive yes
    # Binding the remote side to 0.0.0.0 requires GatewayPorts yes on the server's sshd
    RemoteForward 0.0.0.0:11451 127.0.0.1:25565
Heartbeat
# debian/ubuntu
sudo apt install netcat-openbsd
#!/bin/bash
# Probe the tunnel's public port from outside; if it is closed, restart the tunnel service
REMOTE_HOST="example.com"
REMOTE_PORT=9090
LOCAL_PORT=8080   # not used by this script
USER="user"       # not used by this script

# -z: only test whether the port accepts a connection; -w 5: give up after 5 seconds
if ! nc -z -w 5 "$REMOTE_HOST" "$REMOTE_PORT"; then
    echo "Tunnel is down, restart it"
    systemctl restart moteproxy
else
    echo "Tunnel is working fine"
fi
stream {
    upstream ssh { server 127.0.0.1:22; }
    upstream web { server 127.0.0.1:80; }

    # SSH and SSL on the same port: a client that does not start with a TLS ClientHello
    # (empty $ssl_preread_protocol) is treated as SSH, every TLS version goes to the web server
    map $ssl_preread_protocol $upstream {
        default web;
        "" ssh;
        "TLSv1.0" web;
        "TLSv1.1" web;
        "TLSv1.2" web;
        "TLSv1.3" web;
    }

    # Route by SNI: names ending in .aaac go to sshd, everything else to the web server
    map $ssl_server_name $srv_name {
        ~(.+)\.aaac ssh;
        default web;
    }

    # Variant 1 (disabled): no TLS termination, decide by peeking at the ClientHello
    #server {
    #    listen 8443;
    #    proxy_pass $upstream;
    #    ssl_preread on;
    #}

    # Variant 2 (active): terminate TLS here, then route the decrypted stream by $ssl_server_name
    server {
        listen 8443 ssl;
        proxy_pass $srv_name;
        ssl_preread on;   # only meaningful without TLS termination (variant 1); here nginx already sees the decrypted stream
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    }
}