[[PageOutline]]

= Week Report =
== 2008-04-22 ==
 * 讓 Pootle 中文翻譯網站可以同時支援 80 跟 8080 port
   * [源起] 由於 pootle 是使用 Python 撰寫的 PO 翻譯網頁介面,雖然可以直接用 --port=80 的方式強制執行, 但如果加在 /etc/default/pootle 的 POOTLE_OPTIONS 中, 卻會遇到權限的問題.
   * [參考] 
   * 安裝 libapache2-mod-proxy-html
{{{
# apt-get install libapache2-mod-proxy-html
}}}
   * 鏈結 proxy.conf , proxy.load, proxy_http.load
{{{
# cd /etc/apache2/mods-enabled/
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.conf
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.load
/etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.load
}}}
   * 修改 /etc/apache2/mods-enabled/proxy.conf
{{{
#!diff
--- proxy.conf.dpkg     2008-04-22 06:22:16.000000000 +0200
+++ proxy.conf  2008-04-22 05:48:46.000000000 +0200
@@ -4,12 +4,18 @@

         ProxyRequests Off

-        <Proxy *>
-                AddDefaultCharset off
-                Order deny,allow
-                Deny from all
-                #Allow from .example.com
-        </Proxy>
+        #<Proxy *>
+        #        AddDefaultCharset off
+        #        Order deny,allow
+        #        Deny from all
+        #        #Allow from .example.com
+        #</Proxy>
+
+       # 2008-04-21: Jazz add this for pootle website
+       <Proxy localhost:8080>
+               Order Allow,Deny
+               Allow from localhost
+       </Proxy>

         # Enable/disable the handling of HTTP/1.1 "Via:" headers.
         # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
}}}
   * 編輯 /etc/apache2/sites-enabled/pootle.conf
{{{
<VirtualHost *:*>
 ServerName pootle.nchc.org.tw
 ProxyPass /images !
 ProxyPass /js !
 ProxyPass /pootle.css !
 ProxyPass /favicon.ico !
 ProxyPass / http://localhost:8080/
 ProxyPassReverse / http://localhost:8080/
 <Directory proxy:http://localhost:8080/*>
     Order deny,allow
     Allow from all
 </Directory>
 ErrorLog /var/log/pootle-error_log
 CustomLog /var/log/pootle-access_log common
 # Fallback for static html content
 DocumentRoot "/usr/share/pootle/html"
 <Directory "/usr/share/pootle/html">
   Order deny,allow
   Allow from all
 </Directory>
</VirtualHost>
}}}
 * ssh port forwarding
   * [源起] 許多機器往往因為網路環境的緣故(Ex: 在防火牆背後 或 浮動位址)而無法直接存取 SSH port. 此時可以採用 SSH port forwarding 來穿透.
   * [參考] man ssh(1)
{{{
-R [bind_address:]port:host:hostport
    By default, the listening socket on the server will be bound to
    the loopback interface only.  This may be overriden by specifying
    a bind_address.  An empty bind_address, or the address ‘*’, 
    indicates that the remote socket should listen on all interfaces.
    Specifying a remote bind_address will only succeed if the
    server’s GatewayPorts option is enabled (see sshd_config(5)).
}}}
   * [網路架構]
     * HiddenPC = 在防火牆後面的主機, 帳號是 username_At_HiddenPC
     * middleman = 在公開網域/可存取得到 SSH port 的主機, 帳號是 username_at_middleman
     * notebook = 行動辦公的電腦
   * [作法]
     * 從 HiddenPC 上執行 ssh -R 的指令把 localhost:22 綁到 middleman:10000
{{{
HiddenPC:~$ nohup ssh -f -N -R 10000:localhost:22 username_at_middleman@middleman
}}}
     * 從 middleman 執行 ssh 連到 localhost 的 port 10000 就可以等同於連線到 HiddenPC 的 port 22
{{{
middleman:~$ ssh localhost -p 10000 -l username_At_HiddenPC
}}}
   * [缺點]
     * 以上的作法, 只能從 middleman 這台主機連 localhost, 無法從第三台機器 notebook 直接連 middleman 的 port 10000. 當然這樣做比較能夠確保系統安全, 因為你必須先連到 middleman 才能連到 HiddenPC, 且如果你又有把 HiddenPC 的 public_key 放到 middleman 的 authorized_keys 好讓 crontab 可以定期確保 ssh 連線, 開放 middleman port 10000 直接對外服務, 相對是比較危險的.
   * [情境二] 
     * 那萬一我想把 HiddenPC 的 80 port 轉送到 middleman 的 8080 port, 而且想讓 notebook 可以直接存取 http://middleman:8080 就等同於存取 http://HiddenPC ?
   * [解法] 此時就需要把 /etc/ssh/sshd_config 的 !GatewayPorts 設為 enable, 並在 ssh -R 的地方加上 bind_address
{{{
#!diff
--- /etc/ssh/sshd_config.org    2008-04-22 23:11:40.000000000 +0800
+++ /etc/ssh/sshd_config        2008-04-22 23:11:56.000000000 +0800
@@ -30,6 +30,9 @@
 PermitRootLogin no
 StrictModes yes

+# SSH Port Forwarding
+GatewayPorts yes
+
 RSAAuthentication yes
 PubkeyAuthentication yes

}}}
{{{
GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports
    forwarded for the client.  By default, sshd binds remote port
    forwardings to the loopback address.  This prevents other remote
    hosts from connecting to forwarded ports.  GatewayPorts can be
    used to specify that sshd should allow remote port forwardings to
    bind to non-loopback addresses, thus allowing other hosts to con‐
    nect.  The argument may be “no” to force remote port forwardings
    to be available to the local host only, “yes” to force remote
    port forwardings to bind to the wildcard address, or
    “clientspecified” to allow the client to select the address to
    which the forwarding is bound.  The default is “no”.
}}}
   * [作法]
{{{
HiddenPC:~$ nohup ssh -f -N -R middleman_ip:8080:localhost:80 username_at_middleman@middleman
}}}