wiki:jazz/08-04-25

Version 7 (modified by jazz, 17 years ago) (diff)

--

Week Report

2008-04-22

  • 讓 Pootle 中文翻譯網站可以同時支援 80 跟 8080 port
    • [源起] 由於 pootle 是使用 Python 撰寫的 PO 翻譯網頁介面,雖然可以直接用 --port=80 的方式強制執行, 但如果加在 /etc/default/pootle 的 POOTLE_OPTIONS 中, 卻會遇到權限的問題.
    • [參考]
    • 安裝 libapache2-mod-proxy-html
      # apt-get install libapache2-mod-proxy-html
      
    • 鏈結 proxy.conf , proxy.load, proxy_http.load
      # cd /etc/apache2/mods-enabled/
      /etc/apache2/mods-enabled# ln -s ../mods-available/proxy.conf
      /etc/apache2/mods-enabled# ln -s ../mods-available/proxy.load
      /etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.load
      
    • 修改 /etc/apache2/mods-enabled/proxy.conf
      • proxy.conf

        old new  
        44
        55        ProxyRequests Off
        66
        7         <Proxy *>
        8                 AddDefaultCharset off
        9                 Order deny,allow
        10                 Deny from all
        11                 #Allow from .example.com
        12         </Proxy>
         7        #<Proxy *>
         8        #        AddDefaultCharset off
         9        #        Order deny,allow
         10        #        Deny from all
         11        #        #Allow from .example.com
         12        #</Proxy>
         13
         14       # 2008-04-21: Jazz add this for pootle website
         15       <Proxy localhost:8080>
         16               Order Allow,Deny
         17               Allow from localhost
         18       </Proxy>
        1319
        1420        # Enable/disable the handling of HTTP/1.1 "Via:" headers.
        1521        # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    • 編輯 /etc/apache2/sites-enabled/pootle.conf
      <VirtualHost *:*>
       ServerName pootle.nchc.org.tw
       ProxyPass /images !
       ProxyPass /js !
       ProxyPass /pootle.css !
       ProxyPass /favicon.ico !
       ProxyPass / http://localhost:8080/
       ProxyPassReverse / http://localhost:8080/
       <Directory proxy:http://localhost:8080/*>
           Order deny,allow
           Allow from all
       </Directory>
       ErrorLog /var/log/pootle-error_log
       CustomLog /var/log/pootle-access_log common
       # Fallback for static html content
       DocumentRoot "/usr/share/pootle/html"
       <Directory "/usr/share/pootle/html">
         Order deny,allow
         Allow from all
       </Directory>
      </VirtualHost>
      
  • ssh port forwarding
    • [源起] 許多機器往往因為網路環境的緣故(Ex: 在防火牆背後 或 浮動位址)而無法直接存取 SSH port. 此時可以採用 SSH port forwarding 來穿透.
    • [參考] man ssh(1)
      -R [bind_address:]port:host:hostport
          By default, the listening socket on the server will be bound to
          the loopback interface only.  This may be overriden by specifying
          a bind_address.  An empty bind_address, or the address ‘*’, 
          indicates that the remote socket should listen on all interfaces.
          Specifying a remote bind_address will only succeed if the
          server’s GatewayPorts option is enabled (see sshd_config(5)).
      
    • [網路架構]
      • HiddenPC = 在防火牆後面的主機, 帳號是 username_At_HiddenPC
      • middleman = 在公開網域/可存取得到 SSH port 的主機, 帳號是 username_at_middleman
      • notebook = 行動辦公的電腦
    • [作法]
      • 從 HiddenPC 上執行 ssh -R 的指令把 localhost:22 綁到 middleman:10000
        HiddenPC:~$ nohup ssh -f -N -R 10000:localhost:22 username_at_middleman@middleman
        
      • 從 middleman 執行 ssh 連到 localhost 的 port 10000 就可以等同於連線到 HiddenPC 的 port 22
        middleman:~$ ssh localhost -p 10000 -l username_At_HiddenPC
        
    • [缺點]
      • 以上的作法, 只能從 middleman 這台主機連 localhost, 無法從第三台機器 notebook 直接連 middleman 的 port 10000. 當然這樣做比較能夠確保系統安全, 因為你必須先連到 middleman 才能連到 HiddenPC, 且如果你又有把 HiddenPC 的 public_key 放到 middleman 的 authorized_keys 好讓 crontab 可以定期確保 ssh 連線, 開放 middleman port 10000 直接對外服務, 相對是比較危險的.
    • [情境二]
    • [解法] 此時就需要把 /etc/ssh/sshd_config 的 GatewayPorts 設為 enable, 並在 ssh -R 的地方加上 bind_address
      GatewayPorts
          Specifies whether remote hosts are allowed to connect to ports
          forwarded for the client.  By default, sshd binds remote port
          forwardings to the loopback address.  This prevents other remote
          hosts from connecting to forwarded ports.  GatewayPorts can be
          used to specify that sshd should allow remote port forwardings to
          bind to non-loopback addresses, thus allowing other hosts to con‐
          nect.  The argument may be “no” to force remote port forwardings
          to be available to the local host only, “yes” to force remote
          port forwardings to bind to the wildcard address, or
          “clientspecified” to allow the client to select the address to
          which the forwarding is bound.  The default is “no”.
      
    • [作法]
      HiddenPC:~$ nohup ssh -f -N -R middleman_ip:8080:localhost:80 username_at_middleman@middleman