Ross Boylan wrote:
> On Mon, 2009-10-19 at 16:57 -0500, Ryan Schmidt wrote:
>
>> On Oct 19, 2009, at 15:20, Ross Boylan wrote:
>>
>>
>>> My subversion server is running under Apache, and I have clients from
>>> several machines connecting to it simultaneously via ssh.
>>>
>>> Currently I have Apache listen on multiple ports, and each client
>>> accesses the server through a different port. Is that necessary?
>>>
>>> I did this partly because forward only maps (from the client) do not
>>> seem reliable. That is, in addition to saying that client port 8000
>>> should tunnel to port 80 on the server, I seem to need to say that
>>> remote port 80 needs to be forwarded to local 8000. In my ssh config
>>> file on the client that means I give the server options
>>> LocalForward 8000 localhost:80
>>> RemoteForward 8000 localhost:80
>>>
>>> Is there a simpler way?
>>>
>> Can't all users just access the same URL on the Apache server?
>>
> That was my question. As I said, the apparent need for a reverse tunnel
> was one factor in doing things separately. I'm not sure if a single
> port would work even with forward tunneling only.
>
>> Why
>> have you set up separate Apache port numbers for each user?
>>
> See above.
>
>> Why are
>> users ssh'ing in to the server and then using the Apache URL, instead
>> of using the Apache URL directly from their own computers?
>>
> Firewall and security issues.
>
>> If
>> encryption is the concern, wouldn't using https be the more natural
>> fit than trying to tunnel over ssh?
>>
> The machine is not directly accessible from outside the firewall, so
> https is not an option.
>
>
>> I have no experience with ssh
>> tunneling, but it sounds like it introduces unnecessary complexity.
>>
>
> BTW, on client machines the server appears to be running on the client,
> accessible by, e.g., http://localhost:8000/svn/....
>
>
> Ross
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409150
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
>
In general, you are on the right track - making people SSH is an easy
way to only expose one port & encrypt the traffic. However, you only
need one SSH port for everyone, as I mentioned in my previous email
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409173
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-10-20 02:16:10 CEST