使用Apache作为反向代理访问子域下的Plex
[英]Using Apache as reverse proxy to access Plex under subdomain
问题描述
我有一个在website.com:32400/web运行的 Plex 服务器。 我希望能够使用 Apache 的反向代理功能在plex.website.com上访问它。 以下是我的/etc/apache2/sites-available/plex.website.com.conf文件(的相关部分):
<VirtualHost *:80>
ServerName plex.website.com
ProxyRequests off
ProxyPass / http://website.com:32400/web/
ProxyPassReverse / http://website.com:32400/web/
ProxyHTMLURLMap http://website.com:32400/web http://plex.website.com
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
此设置部分有效; 也就是说,如果我去plex.website.com/index.html然后我得到的 HTML 和我去website.com:32400/web/index.html时完全一样。 然而,除此之外,其他一切似乎都是 404(即 CSS 和 JavaScript)。 例如, http://website.com:32400/web/img/desktop/ios/icon-iphone.png http://plex.website.com/web/img/desktop/ios/icon-iphone.png加载正常,但http://plex.website.com/web/img/desktop/ios/icon-iphone.png产生 404 错误。
不过,似乎我可以直接访问web目录中的任何内容,例如加载良好的plex.website.com/favicon.ico 。 很明显,这是映射子域的问题。
所有必需的 Apache 模块都已启用。
我不太确定我会如何开始尝试解决这个问题。
编辑:我刚刚意识到它是 404'ing 的原因是它仍然包含不应该包含的 URL 的web部分。 在我给出的例子中, http://plex.website.com/web/img/desktop/ios/icon-iphone.png是它试图访问的位置 - 但这应该是http://plex.website.com/img/desktop/ios/icon-iphone.png代替。 所以我怀疑这是ProxyHTMLURLMap的问题。
1 个解决方案
解决方案1
5 2019-04-17 21:12:18
你非常接近。 我正在为那些正在搜索和偶然发现这篇文章的人发布我的答案。 你需要使用 Apache2 >= 2.4.17 来使用这个和几个启用的 mods(proxy、ssl、proxy_wstunnel、http、dir、defalte、env、headers、proxy_balancer、proxy_http、rewrite 我认为都是):
2019 年 8 月编辑
添加了一些新信息,现在以下配置使您可以观看预告片并听到电视节目主题音乐。
2021 年 2 月编辑
- 更新的内容安全政策
- 添加权限策略
- 删除重写
- 添加了
<Location>部分 - 通用文件(javascript、xml 等)的 gzip defalte
- 更新密码
使用 SSL(2021 年 2 月新增)
DEFINE plex_url 192.168.1.9
DEFINE plex_port 32400
DEFINE serv_name plex.domain.com
ServerTokens Prod
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
### If you have Google's Mod PageSpeed, disable it ###
<IfModule mod_pagespeed_ap24.c>
ModPagespeed Off
</IfModule>
<VirtualHost *:80>
ServerName ${serv_name}
Redirect / https://plex.domain.com
ErrorLog ${APACHE_LOG_DIR}/plex.error.log
CustomLog ${APACHE_LOG_DIR}/plex.access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName ${serv_name}
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/plex.error.log
CustomLog ${APACHE_LOG_DIR}/plex.access.log combined
### Let's Encrypt Section ###
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
### Deny http1.0 requests ###
Protocols h2 http/1.1
### Harden Security ###
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ServerSignature Off
SSLCompression Off
SSLUseStapling On
SSLStaplingResponderTimeout 20
SSLStaplingReturnResponderErrors Off
SSLSessionTickets Off
### Add headers ###
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000;"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self)"
### Content Security Policy for the overly paranoid - may break with Plex server updates (works with server version 1.21.3.4046 and 1.21.3.4021) ###
Header always set Content-Security-Policy "default-src 'none'; base-uri 'self' ${serv_name}; font-src 'self' data: ${serv_name}; media-src 'self' data: blob: ${serv_name} https://*.plex.direct:32400 https://video.internetvideoarchive.net https://*.cloudfront.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' domain.com ${serv_name}; style-src 'self' 'unsafe-inline' ${serv_name}; img-src 'self' data: blob: https: ${serv_name}; worker-src * blob:; frame-src 'self'; connect-src 'self' https: domain.com ${serv_name} wss://*.plex.direct:32400 wss://pubsub.plex.tv; object-src 'self' ${serv_name}; frame-ancestors 'self' domain.com ${serv_name}; form-action 'self' ${serv_name}; manifest-src 'self' ${serv_name}; script-src-elem 'self' 'unsafe-inline' domain.com ${serv_name} www.gstatic.com"
### Add secure ciphers ###
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
### Only enable TLSv1.2 and TLSv1.3 ###
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Tell clients to use server defined ciphers and orders ###
SSLHonorCipherOrder On
### If path is for Let's Encrypt, don't proxy ###
ProxyPassMatch ^/.well-known !
### Plex Specific Section ###
## Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices, disable this section
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE text/xml
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
## Proxy all web traffic here ##
<Location />
ProxyPass http://${plex_url}:${plex_port}/
ProxyPassReverse http://${plex_url}:${plex_port}/
</Location>
## Proxy all websocket requests here ##
<Location /:/>
ProxyPass wss://${plex_url}:${plex_port}/:/
ProxyPassReverse wss://${plex_url}:${plex_port}/:/
</Location>
### Don't know if we still need this ###
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#RewriteEngine on
#RewriteCond %{REQUEST_URI} !^/web
#RewriteCond %{HTTP:X-Plex-Device} ^$
#RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
#RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
#RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
#RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
使用 SSL(旧 2019 年 8 月)
DEFINE plex_url 127.0.0.1
DEFINE plex_port 32400
DEFINE public_url subdomain.plex.tv
DEFINE email admin@subdomain.plex.tv
ServerTokens Prod
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
### If you have Google's Mod PageSpeed, disable it
#ModPagespeed Off
<VirtualHost *:80>
ServerName ${public_url}
DocumentRoot /var/www/offline
ServerAdmin ${email}
RewriteEngine on
RewriteCond %{SERVER_NAME} =${public_url}
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName ${public_url}
DocumentRoot /var/www/offline
ServerAdmin ${email}
ErrorLog ${APACHE_LOG_DIR}/${public_url}.error.log
CustomLog ${APACHE_LOG_DIR}/${public_url}.access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/${public_url}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${public_url}/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
### Forbid the http1.0 protocol ###
Protocols h2 http/1.1
#Options -Includes -ExecCGI
#LimitRequestBody 512000
#FileETag None
#TraceEnable off
Timeout 360
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600
ProxyReceiveBufferSize 4096
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ServerSignature Off
SSLCompression Off
SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
SSLSessionTickets Off
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
## If you want to be safer, remove the 'unsafe-inline' 'unsafe-eval' from above and use Chrome to get the sha-256 sums and input below (below was for Server version: 1.16.5.1488; Web version: 3.108.2)
#Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'sha256-8yKKbip2qr14RHV8H1qDEbRAm9Mmf5ePeQh+wB5pMCw=' 'sha256-pKO/nNgeauDINvYfxdygP3mGssdVQRpRNxaF7uPRoGM=' 'sha256-mrLkgfrqAhdxc2TvIODT0I7QtvuQLMS9AgtfLL9eMXo=' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'self'; fullscreen 'self'; payment 'self'"
### Use next two for very secure connections ###
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Use next two for secure connections and supports more endpoints ###
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Actually proxy the traffic and really the only important part ###
ProxyPass / http://${plex_url}:${plex_port}/
ProxyPassReverse / http://${plex_url}:${plex_port}/
ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
LimitRequestBody 512000
FileETag None
TraceEnable off
#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
Timeout 60
<Location /:/websockets/notifications>
ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
</Location>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
没有 SSL
DEFINE plex_url 192.168.1.22
DEFINE plex_port 32400
DEFINE serv_name plex.domain.com
ServerTokens Prod
<VirtualHost *:80>
ServerName ${serv_name}
DocumentRoot /var/www/html
ServerAdmin aw@hell.no
ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
Options -Includes -ExecCGI
### Deny http1.0 requests ###
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
#RewriteCond %{REQUEST_URI} !^/404/$
RewriteRule ^ - [F]
### Plex Specific Section ###
ProxyPass / http://${plex_url}:${plex_port}/
ProxyPassReverse / http://${plex_url}:${plex_port}/
ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
LimitRequestBody 512000
FileETag None
TraceEnable off
#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
Timeout 60
<Location /:/websockets/notifications>
ProxyPass ws://${plex_url}:${plex_port}/:/websockets/notifications
ProxyPassReverse ws://${plex_url}:${plex_port}/:/websockets/notifications
</Location>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
需要这个设置但对于nginx吗?
使用带有子域的apache做反向代理的问题
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.