< SSH
Brucekomike(讨论 | 贡献) (→心跳) |
Brucekomike(讨论 | 贡献) 无编辑摘要 |
||
| 第73行: | 第73行: | ||
echo "Tunnel is working fine" | echo "Tunnel is working fine" | ||
fi | fi | ||
</pre> | |||
<pre> | |||
stream{ | |||
upstream ssh { | |||
server 127.0.0.1:22; | |||
} | |||
upstream web { | |||
server 127.0.0.1:80; | |||
} | |||
# SSH and SSL on the same port | |||
map $ssl_preread_protocol $upstream { | |||
default web; | |||
"" ssh; | |||
"TLSv1.0" web; | |||
"TLSv1.1" web; | |||
"TLSv1.2" web; | |||
"TLSv1.3" web; | |||
} | |||
map $ssl_server_name $srv_name { | |||
~(.+)\.ssh ssh; | |||
default web; | |||
} | |||
#server { | |||
# listen 8443; | |||
# proxy_pass $upstream; | |||
# ssl_preread on; | |||
#} | |||
server { | |||
listen 8443 ssl; | |||
proxy_pass $srv_name; | |||
ssl_preread on; | |||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certb> | |||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Cer> | |||
} | |||
} | |||
</pre> | </pre> | ||
2024年12月4日 (三) 08:48的版本
论如何创建一套完整的反向代理
创建用户
最好两边都搞上这种没权限的用户
sudo useradd -m -s /usr/sbin/nologin proxyuser # 当然可以先默认使用bash,之后再调整
反代命令
这个自己整好就行
ssh -NR 11451:0.0.0.0:19198 -p 25565 -i <ssh-key> proxyuser@<IP>
系统服务
单个端口
/etc/systemd/systemd/ssh-proxy
[Unit] Description=Reverse SSH Tunnel for Reverse Proxy After=network.target [Service] ExecStart=/usr/bin/ssh proxy Restart=always User=moteproxy RestartSec=5 [Install] WantedBy=multi-user.target
端口模板
/etc/systemd/system/ssh-proxy@
[Unit] Description=SFTP Tunnel %i After=network.target [Service] User=yourusername ExecStart=/usr/bin/ssh -N -R 0.0.0.0:%i:127.0.0.1:%i proxy Restart=always RestartSec=5 [Install] WantedBy=multi-user.target
ssh 配置
因为感觉不稳定,最后换上了高级的ssh over ssl
Host proxy HostName 0.0.0.0 User proxyuser IdentityFile ~/.ssh/proxy-key ProxyCommand openssl s_client -quiet -servername o.ssh -connect ip:port ServerAliveInterval 60 ServerAliveCountMax 2 TCPKeepAlive yes RemoteForward 0.0.0.0:11451 127.0.0.1:25565
心跳
# debian/ubuntu sudo apt install netcat-openbsd
#!/bin/bash # Define the remote host and port REMOTE_HOST="example.com" REMOTE_PORT=9090 LOCAL_PORT=8080 USER="user" # Check if the remote port is open nc -z $REMOTE_HOST $REMOTE_PORT if [ $? -ne 0 ]; then echo "Tunnel is down, restart it" systemctl restart moteproxy else echo "Tunnel is working fine" fi
stream{
upstream ssh {
server 127.0.0.1:22;
}
upstream web {
server 127.0.0.1:80;
}
# SSH and SSL on the same port
map $ssl_preread_protocol $upstream {
default web;
"" ssh;
"TLSv1.0" web;
"TLSv1.1" web;
"TLSv1.2" web;
"TLSv1.3" web;
}
map $ssl_server_name $srv_name {
~(.+)\.ssh ssh;
default web;
}
#server {
# listen 8443;
# proxy_pass $upstream;
# ssl_preread on;
#}
server {
listen 8443 ssl;
proxy_pass $srv_name;
ssl_preread on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certb>
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Cer>
}
}