[Savannah-cvs] administration/content/gnu-content/faq CVS_-_Ho...


From: Sylvain Beucler
Subject: [Savannah-cvs] administration/content/gnu-content/faq CVS_-_Ho...
Date: Fri, 03 Feb 2006 00:18:17 +0000

CVSROOT:        /cvsroot/administration
Module name:    administration
Branch:         
Changes by:     Sylvain Beucler <address@hidden>        06/02/03 00:18:17

Modified files:
        content/gnu-content/faq: 
                                 
CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt 

Log message:
        moved FAQ to the Wiki

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/administration/administration/content/gnu-content/faq/CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt.diff?tr1=1.6&tr2=1.7&r1=text&r2=text

Patches:
Index: 
administration/content/gnu-content/faq/CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt
diff -u 
administration/content/gnu-content/faq/CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt:1.6
 
administration/content/gnu-content/faq/CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt:1.7
--- 
administration/content/gnu-content/faq/CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt:1.6
  Sat Dec 17 11:01:37 2005
+++ 
administration/content/gnu-content/faq/CVS_-_How_can_I_access_a_repository_from_behind_a_firewall_or_proxy.txt
      Fri Feb  3 00:18:17 2006
@@ -1,193 +1 @@
-<p>Note: for anonymous access, we re-activated the pserver access
-method fall of 2005. The following is for project member access.</p>
-
-<p>First, this documentation is <i>complainware</i>. It means that you
-can freely use it provided you complain to your local system
-administrator, or to your Internet Service Provider (ISP), if you are
-using a restrictive Internet environment as described below.</p>
-
-<p>This FAQ is about a system we had to setup so that people behind
-restrictive firewalls, or proxies, or ISP that blocks some ports, can
-access our CVS services. More precisely, those people experience
-outgoing traffic filtering. Please read the following attentively.</p>
-
-<p>There is no security issue in allowing people to access a remote
-CVS repository, or more generaly a remote SSH server. It is rather a
-matter of policy, when administrators decide what kind of action they
-allow their users to perform. For example, some ISPs decided to block
-outgoing traffic to port 25 (smtp) so as to keep people from sending
-mail using any other service than their SMTP smarthost, and think they
-can fight spam (and control their users) that way.</p>
-
-<p>You should know, however, that it is possible to bypass such a
-setup by two ways:</p>
-
-<ul><li><p>First, systems like Tor (http://tor.eff.org) can be used,
-at the price of a decreased connection speed, to redirect your traffic
-to any public computer, and any port, provided you have outgoing
-access to port 80 (http) and 443 (https) - which anybody should have
-whatever their setup. As of 2005-03-27, it does not work from behind a
-proxy, but it is a matter of development, not a technology
-limitation.</p>
-
-<p>Therefore, limiting outgoing traffic with per-protocol rules cannot
-be effectively done. Moreover, a lot of websites now use HTTPs, a
-secure, encrypted protocol that encapsulates HTTP. That means it is
-not possible for the firewall to tell anything more than the fact it
-is SSL-encrypted traffic, and cannot try to analyse the packers to
-discover what the user is actually doing. Preventing HTTPs traffic is
-not an option, unless the system administrator wants to prevent access
-to all e-commerce websites, as well as websites that only use HTTPs
-such as Gna! (https://gna.org).</p></li>
-
-<li><p>The other way to bypass a restrictive setup requires a bit of
-work from the remote host administrators. Basically he opens the same
-service but on port 443 (https). This removes the proxy and speed
-limitation from the above. This is used, for example, by OVH (see
-http://help.ovh.com/EmailConfigurationAOLouTELE2/) so that people can
-send mail even if their ISP block port 25 (smtp). We also setup CVS
-over SSH on port 443 (https) in addition to port 22 (ssh) to allow
-people to access our CVS repositories.</p></li> </ul>
-
-<p>In conclusion, remote outgoing traffic is a burden for us (the
-Savannah hackers) and does not bring any real value.</p>
-
-<p>That's what it is important that you tell your local system
-administrator or your ISP about it. You can for example refer them to
-this page. I mean it: that's the only clean and reliable solution to
-access Savannah and other services on the Internet. You need to
-mention it to your local sysadmin so he realizes that opening outgoing
-traffic is needed, and that trying to control is ineffective and just
-a burden to his/her users.</p>
-
-<p>Now let's see how to access our CVS services using any of those
-methods.</p>
-
-<ul><li><p>Tor (check
-http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#head-0ae888b56f2f45ecda014dfc163a0dc0502b664d
-for more information). This method can be used to access any remote
-CVS repository. Here are instructions for a Debian GNU/Linux-based
-distribution:</p>
-
-<pre>
-# Install Tor. Check http://tor.eff.org/download.html for more information
-aptitude install tor
-# Configure Tor
-cat &lt;&lt;'EOF' &gt;&gt; /etc/tor/torrc
-
-FascistFirewall 1
-FirewallPorts 80,443
-EOF
-# Restart Tor
-invoke-rc.d tor restart
-</pre>
-
-Now you should be able to use tor the easy way:
-<pre>
-export CVS_RSH=ssh
-torify cvs -d:ext:<i>username</i>@cvs.savannah.gnu.org/cvsroot/<i>project</i> 
co <i>module</i>
-</pre>
-
-<p>If you don't like typing 'torify', you may want to have a look at
-http://shellscripts.org/project/toraliases</p>
-
-<p>If for some reason that doesn't work (notify us!), you can try the
-difficult way:</p>
-
-<pre>
-# Get connect
-wget http://www.taiyo.co.jp/~gotoh/ssh/connect.c
-# Compile it
-gcc connect.c -o connect
-# Install it somewhere in your path
-install -m 755 connect ~/bin/
-# Configure SSH
-cat &lt;&lt;'EOF' &gt;&gt; ~/.ssh/config
-
-Host cvs.savannah.gnu.org
-       ProxyCommand connect -S localhost:9050 %h %p
-EOF
-
-# You now can use SSH normally
-export CVS_RSH=ssh
-cvs -d:ext:<i>username</i>@cvs.savannah.gnu.org/cvsroot/<i>project</i> co 
<i>module</i>
-...
-</pre>
-
-<p>If you are not root on your machine, you will need to compile Tor
-by hand, but that should not be a problem.</p>
-
-<p>We heard that some ISPs block most of the Tor nodes. If that's the
-case, the fist move is to explain your system administrator that this
-is blocking your legitimate work, and ask him/her the reason of this
-filtering (we would be pleased to know that reason as well). Last time
-a Savannah user had this kind of issue, he didn't contact the sysadmin
-and didn't even know why Tor nodes were blocked - we don't think
-that's the way to go.</p></li>
-
-<li><p>Using cvs.savannah.gnu.org:443. Please note again that this is
-a burden for us to offer this method and is not garanteed in the long
-run, nor will we necessarily apply it consistently to other
-services. Here are generic instructions for the GNU/Linux OS:</p>
-
-<p>If you are connecting through a proxy, you first need to do
-this:</p>
-
-<pre>
-# Get connect
-wget http://www.taiyo.co.jp/~gotoh/ssh/connect.c
-# Compile it
-gcc connect.c -o connect
-# Install it somewhere in your path
-install -m 755 connect ~/bin/
-# Configure SSH
-cat &lt;&lt;'EOF' &gt;&gt; ~/.ssh/config
-
-Host cvs.savannah.gnu.org
-       ProxyCommand connect -H <i>proxyhost</i>:<i>proxyport</i> %h %p
-EOF
-</pre>
-
-<p>Replace <i>proxyhost</i> by your proxy host name, and
-<i>proxyport</i> by your proxy port (3128 if you use Squid).</p>
-
-<p>Now, proxy or not, you need to tell SSH to use a different port:</p>
-
-<pre>
-# Create a wrapper, in your path
-cat &lt;&lt;'EOF' &gt; ~/bin/sshwrapper
-#!/bin/sh
-exec ssh -p 443 $*
-EOF
-# Give it executable permissions
-chmod 755 ~/bin/sshwrapper
-
-# You now can use SSH with sshwrapper
-export CVS_RSH=~/bin/sshwrapper
-cvs -d:ext:<i>username</i>@cvs.savannah.gnu.org/cvsroot/<i>project</i> co 
<i>module</i>
-...
-</pre>
-</li></ul>
-
-<p>If that doesn't work, try typing:</p>
-
-<pre>
-# Tor
-$ <b>~/bin/connect -S localhost:9050 cvs.savannah.gnu.org 443</b>
-SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
-<b><i>&lt;Ctrl+d to exit&gt;</i></b>
-</pre>
-
-<pre>
-# HTTPs Proxy
-$ <b>~/bin/connect -H <i>proxyhost</i>:<i>proxyport</i> cvs.savannah.gnu.org 
443</b>
-SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
-<b><i>&lt;Ctrl+d to exit&gt;</i></b>
-</pre>
-
-<p>If you don't see the the remote SSH version after a few seconds, then
-there's a problem; please note any error message and contact us if you
-can't fix your configuration.</p>
-
-
-<p style="font-size: smaller">Update $Date: 2005/12/17 11:01:37 $</p>
+FAQ moved here: https://savannah.gnu.org/maintenance/CvsFromBehindFirewall
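Review bot: The single added line is bare text with an unlinked URL, while every line it replaces was HTML (`<p>`, `<ul>`, `<pre>`), so if this file is still rendered as HTML the pointer will not be clickable. Wrapping it as `<p>FAQ moved here: <a href="https://savannah.gnu.org/maintenance/CvsFromBehindFirewall">https://savannah.gnu.org/maintenance/CvsFromBehindFirewall</a></p>` would keep the stub consistent with the old markup. The `$Date$` footer is dropped as well, so the stub no longer shows when it last changed. Since the instructions are being carried over to the wiki, two things in the removed text are worth fixing there rather than copying verbatim: `wget http://www.taiyo.co.jp/~gotoh/ssh/connect.c` followed by `gcc connect.c -o connect` builds the ProxyCommand helper from a source file fetched over plain HTTP with no checksum or signature check, and the wrapper's `exec ssh -p 443 $*` re-splits its arguments on whitespace where `exec ssh -p 443 "$@"` would pass them through intact.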



