Cervol

Using Local Proxy on the Server to Achieve Scientific Internet Access — SSH Reverse Forwarding

On the server, modify ~/.zshrc (or ~/.bashrc) to set the network proxy:

# set reverse forward port, connect to local proxy port
export http_proxy=http://127.0.0.1:<port_remote>
export https_proxy=http://127.0.0.1:<port_remote>

In the local SSH configuration file ~/.ssh/config, add the following line under the Host entry for the server:

RemoteForward localhost:<port_remote> localhost:<port_local>

Replace <port_remote> with the port you want the proxy to use on the server, and <port_local> with the port your local proxy software listens on. When the SSH connection is established, port <port_remote> on the server is forwarded to port <port_local> on the local machine.

The "Allow LAN" option needs to be enabled in the local proxy software.

The reason for enabling "Allow LAN" is that the local proxy service must be able to accept connection requests initiated from the local area network, including the traffic forwarded through the SSH reverse proxy.

  1. By default, the proxy only listens on the local loopback interface:

    • When the "Allow LAN" option is turned off, Clash or other proxy services only listen on 127.0.0.1 (i.e., the local loopback interface). This means that only connections initiated from the local machine (via localhost or 127.0.0.1) can be received by the proxy service.
    • In the reverse proxy scenario, the remote server forwards traffic to the local proxy port through the SSH tunnel, but these requests are not initiated directly from the local machine; they are transmitted through the local area network interface. Therefore, the local proxy service cannot accept these requests from the local area network or external interfaces, causing the proxy to fail to work properly.

  2. After enabling Allow LAN, the proxy can accept external requests:

    • After enabling "Allow LAN," Clash listens on 0.0.0.0, i.e. on all network interfaces rather than only 127.0.0.1. The local proxy service can then accept connection requests from other network interfaces, including:
        • requests from other devices within the local area network;
        • requests forwarded from the remote server through the SSH tunnel (because these requests appear to come from another device within the local area network).

  3. Reverse proxy and local area network requests:

    • When you use SSH reverse proxy, you are effectively opening a port (e.g., 8000) on the remote server and forwarding requests from that port to the local proxy port (e.g., 7890). These requests enter the local network from the remote server through the SSH tunnel, so for the local proxy, these requests are considered "external requests" or "local area network requests."
    • If Clash does not listen on the local area network (i.e., "Allow LAN" is not enabled), it cannot accept the traffic coming through the tunnel, resulting in failed proxy requests.

Therefore, enabling "Allow LAN" is key to allowing your local proxy to handle traffic forwarded from the remote server.
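A server-side check for the setup above, added here and not part of the original post: it verifies that the reverse-forwarded port (8000, as in the example) is bound only on the server's loopback addresses, so the proxy is not reachable from the server's network, and then sends one request through it. It assumes a Linux server with `ss` and `curl`; the check URL is an assumption and can be replaced.

```shell
#!/bin/sh
# Added example (not from the original post). Run on the server after the
# SSH session with RemoteForward is up:  sh check_tunnel.sh 8000

# check_listen PORT SS_OUTPUT
# Parses `ss -ltn` output (field 4 is "Local Address:Port").
# Returns 0 if PORT listens only on 127.0.0.1 / [::1],
#         1 if it listens on a wildcard or LAN address,
#         2 if nothing listens on PORT at all.
check_listen() {
    port="$1"; ss_output="$2"; found=0
    for addr in $(printf '%s\n' "$ss_output" |
                  awk -v p="$port" 'NR>1 && $4 ~ (":" p "$") { print $4 }'); do
        found=1
        case "$addr" in
            127.0.0.1:*|"[::1]:"*) ;;     # loopback only: what RemoteForward localhost:... should give
            *) return 1 ;;                # 0.0.0.0 / * / LAN address: exposed beyond the server
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# check_tunnel PORT [URL]: live check of the forwarded proxy port.
check_tunnel() {
    port="$1"; url="${2:-https://example.com}"   # assumed check URL
    rc=0; check_listen "$port" "$(ss -ltn)" || rc=$?
    case "$rc" in
        1) echo "port $port is bound on a non-loopback address; check the RemoteForward bind address and sshd GatewayPorts" >&2; return 1 ;;
        2) echo "nothing listens on 127.0.0.1:$port; is the SSH session with RemoteForward up?" >&2; return 2 ;;
    esac
    # -x sends this single request through the forwarded port, independent of http_proxy/https_proxy.
    code=$(curl -sS -o /dev/null -w '%{http_code}' -x "http://127.0.0.1:$port" "$url") || return 3
    [ "$code" = "200" ]
}

# Only run the live check when a port is given on the command line.
if [ -n "${1:-}" ]; then
    check_tunnel "$1" && echo "proxy via 127.0.0.1:$1 works"
fi
```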
