[[PageOutline]]
= Week Report =
== 2008-04-22 ==
* 讓 Pootle 中文翻譯網站可以同時支援 80 跟 8080 port
* [源起] 由於 pootle 是使用 Python 撰寫的 PO 翻譯網頁介面,雖然可以直接用 --port=80 的方式強制執行, 但如果加在 /etc/default/pootle 的 POOTLE_OPTIONS 中, 卻會遇到權限的問題.
* [參考]
* 安裝 libapache2-mod-proxy-html
{{{
# apt-get install libapache2-mod-proxy-html
}}}
* 鏈結 proxy.conf , proxy.load, proxy_http.load
{{{
# cd /etc/apache2/mods-enabled/
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.conf
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.load
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.load
}}}
* 修改 /etc/apache2/mods-enabled/proxy.conf
{{{
#!diff
--- proxy.conf.dpkg 2008-04-22 06:22:16.000000000 +0200
+++ proxy.conf 2008-04-22 05:48:46.000000000 +0200
@@ -4,12 +4,18 @@
ProxyRequests Off
-
- AddDefaultCharset off
- Order deny,allow
- Deny from all
- #Allow from .example.com
-
+ #
+ # AddDefaultCharset off
+ # Order deny,allow
+ # Deny from all
+ # #Allow from .example.com
+ #
+
+ # 2008-04-21: Jazz add this for pootle website
+
+ Order Allow,Deny
+ Allow from localhost
+
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
}}}
* 編輯 /etc/apache2/sites-enabled/pootle.conf
{{{
ServerName pootle.nchc.org.tw
ProxyPass /images !
ProxyPass /js !
ProxyPass /pootle.css !
ProxyPass /favicon.ico !
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
Order deny,allow
Allow from all
ErrorLog /var/log/pootle-error_log
CustomLog /var/log/pootle-access_log common
# Fallback for static html content
DocumentRoot "/usr/share/pootle/html"
Order deny,allow
Allow from all
}}}
* ssh port forwarding
* [源起] 許多機器往往因為網路環境的緣故(Ex: 在防火牆背後 或 浮動位址)而無法直接存取 SSH port. 此時可以採用 SSH port forwarding 來穿透.
* [參考] man ssh(1)
{{{
-R [bind_address:]port:host:hostport
By default, the listening socket on the server will be bound to
the loopback interface only. This may be overriden by specifying
a bind_address. An empty bind_address, or the address ‘*’,
indicates that the remote socket should listen on all interfaces.
Specifying a remote bind_address will only succeed if the
server’s GatewayPorts option is enabled (see sshd_config(5)).
}}}
* [網路架構]
* HiddenPC = 在防火牆後面的主機, 帳號是 username_At_HiddenPC
* middleman = 在公開網域/可存取得到 SSH port 的主機, 帳號是 username_at_middleman
* notebook = 行動辦公的電腦
* [作法]
* 從 HiddenPC 上執行 ssh -R 的指令把 localhost:22 綁到 middleman:10000
{{{
HiddenPC:~$ nohup ssh -f -N -R 10000:localhost:22 username_at_middleman@middleman
}}}
* 從 middleman 執行 ssh 連到 localhost 的 port 10000 就可以等同於連線到 HiddenPC 的 port 22
{{{
middleman:~$ ssh localhost -p 10000 -l username_At_HiddenPC
}}}
* [缺點] 以上的作法, 只能從 middleman 這台主機連 localhost, 無法從第三台機器 notebook 直接連 middleman 的 port 10000. 當然這樣做比較能夠確保系統安全, 因為你必須先連到 middleman 才能連到 HiddenPC, 且如果你把 HiddenPC 的 public_key 放到 middleman 的話, 相對是比較危險的.
* [情境二] 那萬一我想把 HiddenPC 的 80 port 轉送到 middleman 的 8080 port, 而且想讓 notebook 可以直接存取 http://middleman:8080 就等同於存取 http://HiddenPC ?
* [解法] 此時就需要把 /etc/ssh/sshd_config 的 GatewayPorts 設為 enable, 並在 ssh -R 的地方加上 bind_address
{{{
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client. By default, sshd binds remote port
forwardings to the loopback address. This prevents other remote
hosts from connecting to forwarded ports. GatewayPorts can be
used to specify that sshd should allow remote port forwardings to
bind to non-loopback addresses, thus allowing other hosts to con‐
nect. The argument may be “no” to force remote port forwardings
to be available to the local host only, “yes” to force remote
port forwardings to bind to the wildcard address, or
“clientspecified” to allow the client to select the address to
which the forwarding is bound. The default is “no”.
}}}
* [作法]
{{{
HiddenPC:~$ nohup ssh -f -N -R middleman_ip:8080:localhost:80 username_at_middleman@middleman
}}}