Week Report

2008-04-22

• 讓 Pootle 中文翻譯網站可以同時支援 80 跟 8080 port
  • [源起] 由於 pootle 是使用 Python 撰寫的 PO 翻譯網頁介面,雖然可以直接用 --port=80 的方式強制執行, 但如果加在 /etc/default/pootle 的 POOTLE_OPTIONS 中, 卻會遇到權限的問題.
  • [參考]
  • 安裝 libapache2-mod-proxy-html

    # apt-get install libapache2-mod-proxy-html
    

  • 鏈結 proxy.conf , proxy.load, proxy_http.load

    # cd /etc/apache2/mods-enabled/
    /etc/apache2/mods-enabled# ln -s ../mods-available/proxy.conf
    /etc/apache2/mods-enabled# ln -s ../mods-available/proxy.load
    /etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.load
    

  • 修改 /etc/apache2/mods-enabled/proxy.conf

    proxy.conf

    @@ -4 +4 @@
     
             ProxyRequests Off
     
    -        <Proxy *>
    -                AddDefaultCharset off
    -                Order deny,allow
    -                Deny from all
    -                #Allow from .example.com
    -        </Proxy>
    +        #<Proxy *>
    +        #        AddDefaultCharset off
    +        #        Order deny,allow
    +        #        Deny from all
    +        #        #Allow from .example.com
    +        #</Proxy>
    +
    +       # 2008-04-21: Jazz add this for pootle website
    +       <Proxy localhost:8080>
    +               Order Allow,Deny
    +               Allow from localhost
    +       </Proxy>
     
             # Enable/disable the handling of HTTP/1.1 "Via:" headers.
             # ("Full" adds the server version; "Block" removes all outgoing Via: headers)

  • 編輯 /etc/apache2/sites-enabled/pootle.conf

    <VirtualHost *:*>
     ServerName pootle.nchc.org.tw
     ProxyPass /images !
     ProxyPass /js !
     ProxyPass /pootle.css !
     ProxyPass /favicon.ico !
     ProxyPass / http://localhost:8080/
     ProxyPassReverse / http://localhost:8080/
     <Directory proxy:http://localhost:8080/*>
         Order deny,allow
         Allow from all
     </Directory>
     ErrorLog /var/log/pootle-error_log
     CustomLog /var/log/pootle-access_log common
     # Fallback for static html content
     DocumentRoot "/usr/share/pootle/html"
     <Directory "/usr/share/pootle/html">
       Order deny,allow
       Allow from all
     </Directory>
    </VirtualHost>
    

• ssh port forwarding
  • [源起] 許多機器往往因為網路環境的緣故(Ex: 在防火牆背後 或 浮動位址)而無法直接存取 SSH port. 此時可以採用 SSH port forwarding 來穿透.
  • [參考] man ssh(1)

    -R [bind_address:]port:host:hostport
        By default, the listening socket on the server will be bound to
        the loopback interface only.  This may be overriden by specifying
        a bind_address.  An empty bind_address, or the address ‘*’, 
        indicates that the remote socket should listen on all interfaces.
        Specifying a remote bind_address will only succeed if the
        server’s GatewayPorts option is enabled (see sshd_config(5)).
    

  • [網路架構]
    • HiddenPC = 在防火牆後面的主機, 帳號是 username_At_HiddenPC
    • middleman = 在公開網域/可存取得到 SSH port 的主機, 帳號是 username_at_middleman
    • notebook = 行動辦公的電腦
  • [作法]
    • 從 HiddenPC 上執行 ssh -R 的指令把 localhost:22 綁到 middleman:10000

      HiddenPC:~$ nohup ssh -f -N -R 10000:localhost:22 username_at_middleman@middleman
      

    • 從 middleman 執行 ssh 連到 localhost 的 port 10000 就可以等同於連線到 HiddenPC 的 port 22

      middleman:~$ ssh localhost -p 10000 -l username_At_HiddenPC
      

  • [缺點]
    • 以上的作法, 只能從 middleman 這台主機連 localhost, 無法從第三台機器 notebook 直接連 middleman 的 port 10000. 當然這樣做比較能夠確保系統安全, 因為你必須先連到 middleman 才能連到 HiddenPC, 且如果你又有把 HiddenPC 的 public_key 放到 middleman 的 authorized_keys 好讓 crontab 可以定期確保 ssh 連線, 開放 middleman port 10000 直接對外服務, 相對是比較危險的.
  • [情境二]
    • 那萬一我想把 HiddenPC 的 80 port 轉送到 middleman 的 8080 port, 而且想讓 notebook 可以直接存取 ​http://middleman:8080 就等同於存取 ​http://HiddenPC ?
  • [解法] 此時就需要把 /etc/ssh/sshd_config 的 GatewayPorts 設為 enable, 並在 ssh -R 的地方加上 bind_address

    /etc/ssh/sshd_config

    @@ -30 +30 @@
     PermitRootLogin no
     StrictModes yes
     
    +# SSH Port Forwarding
    +GatewayPorts yes
    +
     RSAAuthentication yes
     PubkeyAuthentication yes
     

    GatewayPorts
        Specifies whether remote hosts are allowed to connect to ports
        forwarded for the client.  By default, sshd binds remote port
        forwardings to the loopback address.  This prevents other remote
        hosts from connecting to forwarded ports.  GatewayPorts can be
        used to specify that sshd should allow remote port forwardings to
        bind to non-loopback addresses, thus allowing other hosts to con‐
        nect.  The argument may be “no” to force remote port forwardings
        to be available to the local host only, “yes” to force remote
        port forwardings to bind to the wildcard address, or
        “clientspecified” to allow the client to select the address to
        which the forwarding is bound.  The default is “no”.
    

  • [作法]

    HiddenPC:~$ nohup ssh -f -N -R middleman_ip:8080:localhost:80 username_at_middleman@middleman