Week Report
2008-04-22
- Let the Pootle Chinese translation site serve port 80 and port 8080 at the same time
- [Background] pootle is a web interface for PO translation written in Python. It can be forced onto port 80 by running it with --port=80 directly, but putting that option into POOTLE_OPTIONS in /etc/default/pootle runs into a permissions problem.
- [Reference]
- Install libapache2-mod-proxy-html
# apt-get install libapache2-mod-proxy-html
- Link proxy.conf, proxy.load and proxy_http.load into mods-enabled
# cd /etc/apache2/mods-enabled/
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.conf
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.load
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.load
- Edit /etc/apache2/mods-enabled/proxy.conf
proxy.conf
old new 4 4 5 5 ProxyRequests Off 6 6 7 <Proxy *> 8 AddDefaultCharset off 9 Order deny,allow 10 Deny from all 11 #Allow from .example.com 12 </Proxy> 7 #<Proxy *> 8 # AddDefaultCharset off 9 # Order deny,allow 10 # Deny from all 11 # #Allow from .example.com 12 #</Proxy> 13 14 # 2008-04-21: Jazz add this for pootle website 15 <Proxy localhost:8080> 16 Order Allow,Deny 17 Allow from localhost 18 </Proxy> 13 19 14 20 # Enable/disable the handling of HTTP/1.1 "Via:" headers. 15 21 # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
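Review bot: the commented-out `<Proxy *>` block (old lines 7-12) was the default deny-all for proxied URLs, and nothing in the new text says why it is safe to drop; because `ProxyRequests Off` stays in place at line 5, Apache is not acting as a forward proxy here, so the deny is not needed for that purpose, but the comment on new line 14 should record that reasoning, and the block must return if ProxyRequests is ever turned on. Also, inside a `<Proxy>` container Order/Allow restrict which clients may use the proxy for matching URLs, so `Allow from localhost` on new lines 16-17 admits only requests that originate on the server itself; confirm that this is the intended effect, since pootle.conf further down opens `proxy:http://localhost:8080/*` with `Allow from all`.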
- Edit /etc/apache2/sites-enabled/pootle.conf
<VirtualHost *:*>
    ServerName pootle.nchc.org.tw
    ProxyPass /images !
    ProxyPass /js !
    ProxyPass /pootle.css !
    ProxyPass /favicon.ico !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Directory proxy:http://localhost:8080/*>
        Order deny,allow
        Allow from all
    </Directory>
    ErrorLog /var/log/pootle-error_log
    CustomLog /var/log/pootle-access_log common
    # Fallback for static html content
    DocumentRoot "/usr/share/pootle/html"
    <Directory "/usr/share/pootle/html">
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
- SSH port forwarding
- [Background] Many machines cannot be reached on their SSH port directly because of their network situation (e.g. behind a firewall, or on a dynamic address). SSH port forwarding can be used to tunnel through.
- [Reference] man ssh(1)
-R [bind_address:]port:host:hostport
    By default, the listening socket on the server will be bound to the loopback interface only. This may be overriden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).
- [Network layout]
- HiddenPC = the host behind the firewall; its account is username_At_HiddenPC
- middleman = a host on the public network whose SSH port is reachable; its account is username_at_middleman
- notebook = the laptop used when working away from the office
- [Procedure]
- On HiddenPC, run ssh -R to bind localhost:22 to middleman:10000
HiddenPC:~$ nohup ssh -f -N -R 10000:localhost:22 username_at_middleman@middleman
- From middleman, an ssh connection to localhost port 10000 is equivalent to connecting to HiddenPC port 22
middleman:~$ ssh localhost -p 10000 -l username_At_HiddenPC
- [Drawbacks]
- With the approach above, only middleman itself can connect to localhost:10000; a third machine such as notebook cannot connect to middleman port 10000 directly. Admittedly this is the safer arrangement: you must log in to middleman first before you can reach HiddenPC, and if you have also placed HiddenPC's public key in middleman's authorized_keys so that a crontab job can keep the ssh connection alive, exposing middleman port 10000 directly to the outside is comparatively risky.
- [Scenario 2]
- What if I want to forward HiddenPC's port 80 to middleman's port 8080, and let notebook reach http://middleman:8080 directly as if it were http://HiddenPC ?
- [Solution] In that case GatewayPorts in /etc/ssh/sshd_config must be enabled, and a bind_address added to the ssh -R argument
/etc/ssh/sshd_config
old new 30 30 PermitRootLogin no 31 31 StrictModes yes 32 32 33 # SSH Port Forwarding 34 GatewayPorts yes 35 33 36 RSAAuthentication yes 34 37 PubkeyAuthentication yes 35 38
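Review bot: `GatewayPorts yes` (new line 34) forces every remote forwarding any client sets up on this sshd to bind the wildcard address, including the `-R 10000:localhost:22` tunnel to HiddenPC's SSH port described earlier, which the [Drawbacks] section says should stay reachable from middleman only. The man page excerpt quoted right after this diff also lists `clientspecified`, which keeps the loopback default unless the client passes a bind_address, as the `-R middleman_ip:8080:localhost:80` command does; that value achieves the stated goal without exposing the port 10000 forwarding as well.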
GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.
- [Procedure]
HiddenPC:~$ nohup ssh -f -N -R middleman_ip:8080:localhost:80 username_at_middleman@middleman
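As an added example (not part of the original report), a small POSIX sh check that applies the GatewayPorts rules quoted above to the two -R commands on this page and reports which address each forwarding will listen on; it assumes -R specs without IPv6 literals and ignores Match blocks in sshd_config.

```shell
#!/bin/sh
# Added example, not from the original report: predict where an "ssh -R" remote
# forwarding will listen on the SSH server, from the GatewayPorts value in
# sshd_config and the -R spec the client passes, per sshd_config(5) and ssh(1):
#   no              -> loopback only, whatever the client asked for (the default)
#   yes             -> wildcard (all interfaces), whatever the client asked for
#   clientspecified -> the client's bind_address if one was given, else loopback
# Assumptions: -R specs carry no IPv6 literals ([addr] brackets) and
# sshd_config Match blocks are ignored.

# gateway_ports_value CONFIG_FILE -> prints the effective value; sshd honours the
# first occurrence of a keyword; comments and "Keyword=value" spelling are handled
gateway_ports_value() {
    v=$(awk '{ sub(/#.*/, ""); gsub(/=/, " ") }
             tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-no}"
}

# forward_bind_address GATEWAYPORTS_VALUE RSPEC -> prints the listening address,
# "*" meaning all interfaces
forward_bind_address() {
    gw=$1 spec=$2
    case "$spec" in
        *:*:*:*) client_bind=${spec%%:*}; have_bind=1 ;;  # bind_address:port:host:hostport
        *:*:*)   client_bind=""; have_bind=0 ;;           # port:host:hostport
        *)       echo "bad -R spec: $spec" >&2; return 1 ;;
    esac
    case "$gw" in
        yes) printf '*\n' ;;
        clientspecified)
            if [ "$have_bind" -eq 0 ]; then printf '127.0.0.1\n'
            elif [ -z "$client_bind" ] || [ "$client_bind" = "*" ]; then printf '*\n'
            else printf '%s\n' "$client_bind"
            fi ;;
        *) printf '127.0.0.1\n' ;;   # "no" (the sshd default) or anything unrecognised
    esac
}

# Constructed sshd_config fragment mirroring the report's change, then both -R specs
demo() {
    cfg=$(mktemp) || return 1
    printf 'PermitRootLogin no\nStrictModes yes\n# SSH Port Forwarding\nGatewayPorts yes\n' >"$cfg"
    gw=$(gateway_ports_value "$cfg"); rm -f "$cfg"
    printf 'GatewayPorts %s: 10000:localhost:22 -> %s, middleman_ip:8080:localhost:80 -> %s\n' \
        "$gw" "$(forward_bind_address "$gw" 10000:localhost:22)" \
        "$(forward_bind_address "$gw" middleman_ip:8080:localhost:80)"
}
demo
```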
Last modified on Apr 22, 2008, 11:36:48 PM