0

I want to set up an Apache reverse proxy for my Home-Assistant (hass) instance running in my local network.

I tunnelled the traffic of the local hass instance to a remote server with `ssh -N proxy@example.com -R 8123:localhost:8123`.

Now I tried to set up a plain reverse proxy in Apache:

```apache
<VirtualHost *:443>
    ServerName hass.example.com

    SSLEngine On

    # If you manage SSL certificates by yourself, these paths will differ.
    SSLCertificateFile fullchain.pem
    SSLCertificateKeyFile privkey.pem

    SSLProxyEngine on
    SSLProxyProtocol +TLSv1.2 +TLSv1.3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia On
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

    # Proxy all traffic to hass
    ProxyPass / http://localhost:8123/ nocanon
    ProxyPassReverse / http://localhost/
    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
    <IfModule security2_module>
        SecRuleEngine off
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName hass.example.com

    # Trailing slash on the target: Redirect appends the rest of the request path to it.
    Redirect permanent / "https://hass.example.com/"

    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
</VirtualHost>
```

Sadly, if I try to open hass.example.com, the browser responds with 400: Bad Request.

Toorero
  • You want Guacamole; Apache can't handle SSH by itself – djdomi Jan 07 '22 at 07:47
  • Is your `hass` configured to run at domain name `hass.example.com`? – Tero Kilkanen Jan 07 '22 at 07:51
  • @Tero Kilkanen No. It's just a vanilla Docker container listening on localhost. – Toorero Jan 07 '22 at 10:51
  • @djdomi I don't use SSH with Apache. I just use the (via SSH) local port `8123` and just want to proxy it. – Toorero Jan 07 '22 at 10:53
  • The `hass` should have configuration for its root domain name. You need to check that. – Tero Kilkanen Jan 07 '22 at 11:01
  • I actually don't get why this should be a problem because it's a transparent proxy. The proxy only requests `localhost:8123`. I should add: If I do something along the lines of `ssh -L 8123:localhost:8123 -N proxy@example.com` I can easily access `localhost:8123` on the machine I executed the command. So the SSH tunnel itself is working. – Toorero Jan 07 '22 at 13:22
  • @TeroKilkanen I also tried to open the port 8123 to the public and I'm able to access my hass instance via example.com:8123 but that's not really what I want, since I want to route my traffic through the Apache proxy. I don't think the root domain name is in any way configurable and doesn't matter. – Toorero Feb 19 '22 at 17:15

1 Answer

0

It all boils down to Home-Assistant blocking reverse-proxy attempts and that you have to proxy websocket requests as well.

Adjusted hass-config (config/configuration.yaml):

```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
  - ::1
  - 127.0.0.1
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Apache config:

```apache
<VirtualHost *:443>
    ServerName hass.example.com

    SSLEngine On

    # If you manage SSL certificates by yourself, these paths will differ.
    SSLCertificateFile fullchain.pem
    SSLCertificateKeyFile privkey.pem

    SSLProxyEngine on
    SSLProxyProtocol +TLSv1.2 +TLSv1.3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia On
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

    # Proxy all traffic to hass
    # (needs mod_rewrite, mod_proxy, mod_proxy_http and mod_proxy_wstunnel)
    RewriteEngine On
    # Requests asking for a websocket upgrade go to the ws:// backend
    RewriteCond %{HTTP:Upgrade} =websocket
    RewriteRule /(.*) ws://localhost:8123/$1 [P]
    # Everything else is plain HTTP
    RewriteCond %{HTTP:Upgrade} !=websocket
    RewriteRule /(.*) http://localhost:8123/$1 [P]
    ProxyPassReverse / http://localhost:8123/

    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
    <IfModule security2_module>
        SecRuleEngine off
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName hass.example.com

    # Trailing slash on the target: Redirect appends the rest of the request path to it.
    Redirect permanent / "https://hass.example.com/"

    ErrorLog ${APACHE_LOG_DIR}/hass.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/hass.example.com-access.log combined
</VirtualHost>
```
Toorero
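To show what the `http:` settings in the answer above decide, here is an added example (not part of the original post and not Home Assistant's own code): a simplified model of a backend that accepts `X-Forwarded-For` only from peers listed in `trusted_proxies`. The function names, the status codes and the right-to-left hop selection are assumptions of this model, and the client addresses are constructed documentation addresses.

```python
import ipaddress

# Values taken from the answer's configuration.yaml
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("::1", "127.0.0.1")]


def is_trusted(addr, trusted):
    """True if addr falls inside any trusted network (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client(peer, xff, use_xff, trusted):
    """Model of the proxy check: return (http_status, effective_client_ip).

    peer    -- TCP peer the backend sees (the SSH tunnel endpoint / Apache)
    xff     -- raw X-Forwarded-For header value, or None if absent
    use_xff -- the use_x_forwarded_for setting
    """
    if xff is None:
        return 200, peer              # direct request, nothing to interpret
    if not use_xff:
        return 400, None              # proxy header present, proxy support off
    if not is_trusted(peer, trusted):
        return 400, None              # header sent by a peer outside trusted_proxies
    try:
        hops = [str(ipaddress.ip_address(h.strip())) for h in xff.split(",")]
    except ValueError:
        return 400, None              # malformed header
    # Walk right to left: the proxy appends the address it saw, so the first
    # untrusted hop from the right is the client; values further left are
    # client-supplied and must not be used for banning or logging.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return 200, hop
    return 200, hops[0]               # every hop is trusted: use the left-most


if __name__ == "__main__":
    # Constructed requests: the question's setup, the answer's setup, and a
    # request where the client supplied its own X-Forwarded-For value.
    print(resolve_client("127.0.0.1", "203.0.113.7", False, TRUSTED_PROXIES))
    print(resolve_client("127.0.0.1", "203.0.113.7", True, TRUSTED_PROXIES))
    print(resolve_client("::1", "198.51.100.9, 203.0.113.7", True, TRUSTED_PROXIES))
```

Because `ip_ban_enabled` acts on the resolved client address, keeping `trusted_proxies` limited to the loopback addresses of the tunnel endpoint is what stops a client-supplied header value from being banned or logged in place of the real source.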