Sometimes we need to reach a server with ssh/scp through a gateway host, like this:
Host_C --[ssh/scp]--> Host_G (gateway) --[ssh/scp]--> Host_S
First, make sure you can ssh with a key from Host_C to Host_G and from Host_G to Host_S.
- ssh is simple
ssh to Host_S via Host_G:
ssh -t sonic@Host_G ssh Host_S
- scp is more complex
1. On Host_C, edit the file ~/.ssh/config and add the following lines:
host Host_S
hostname Host_G
2. On Host_G, edit the file ~/.ssh/authorized_keys and prepend a command= option to Host_C's key:
command="sh -c 'ssh Host_S ${SSH_ORIGINAL_COMMAND:-}'" ...ssh-key...
There is a problem here: you can no longer ssh to Host_G itself, because every ssh to Host_G is forwarded on to Host_S.
But there is another way:
1. On Host_C, set up an ssh key for localhost, then edit the file ~/.ssh/config and add the following lines:
host Host_S
hostname localhost
2. On Host_C, edit the file ~/.ssh/authorized_keys and prepend a command= option to the localhost key:
command="sh -c 'ssh -t Host_G ssh Host_S ${SSH_ORIGINAL_COMMAND:-}'" ...ssh-key...
Now give it a try. Enjoy!
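Since both approaches rely on a command= option in authorized_keys, the check a practitioner wants is a quick inventory of such keys. The script below is an added example, not part of the original post: it reads an authorized_keys file (path given as the first argument), reports each key's forced command, whether that command hands the client's SSH_ORIGINAL_COMMAND to a shell, and whether any restricting option is set. The sample file it reads is constructed, with fake key material.

```shell
#!/bin/sh
# Added example, not from the original post: audit an authorized_keys file
# for forced commands like the gateway hop above. For each key it reports
# the forced command (if any), whether that command hands the client's
# SSH_ORIGINAL_COMMAND to a shell, and whether a restricting option is set.
audit_authorized_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks/comments
        n=$((n + 1))
        # Options are whatever precedes the key-type token (empty if none).
        opts=$(printf '%s\n' "$line" | sed -E \
            's/^((.*[[:space:],])?)(sk-)?(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) .*$/\1/')
        cmd=$(printf '%s\n' "$opts" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
        if [ -n "$cmd" ]; then
            case "$cmd" in *SSH_ORIGINAL_COMMAND*) pass=yes ;; *) pass=no ;; esac
            forced="forced=[$cmd] passes_original=$pass"
        else
            forced="forced=none"
        fi
        # restrict turns everything off; the no-* options each restrict one feature
        case ",$opts" in
            *,restrict*|*,no-pty*|*,no-port-forwarding*|*,no-agent-forwarding*|*,no-X11-forwarding*)
                restr=yes ;;
            *) restr=no ;;
        esac
        printf 'key %d: %s restricting_option=%s\n' "$n" "$forced" "$restr"
    done < "$1"
}

# Constructed sample file (fake key material): the post's gateway hop key,
# a backup key restricted to one command, and a plain unrestricted key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# keys accepted on Host_G
command="sh -c 'ssh Host_S ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa AAAAB3NzaC1yc2EFAKE sonic@Host_C
restrict,command="/usr/bin/rrsync /backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE backup@Host_C
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE2 admin@laptop
EOF
audit_authorized_keys "$sample"
rm -f "$sample"
```

A key whose forced command interpolates SSH_ORIGINAL_COMMAND into sh -c, as in the post, gives the key holder whatever the hop command allows, so it is worth knowing which keys do that and whether they also carry restrict or no-* options.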
reference:
http://physics.usc.edu/~bzhang/notes/ssh.html
tags: gateway, scp, ssh
posted in Unix Linux by Sonic | No Comments
Install phpCAS into lib/plugins/CAS-1.2.1
Create inc/auth/cas.class.php:
<?php
require_once(DOKU_INC.'inc/auth/plain.class.php');
// This is the path to your phpCAS library. In my test it is installed in the auth folder,
// but this could also be an absolute path on the server, or it could be in the php include path.
include_once(DOKU_INC.'lib/plugins/CAS-1.2.1/CAS.php');

// Set your CAS server info (server: www.sonitech.org, port: 80, path: cas)
phpCAS::client(CAS_VERSION_2_0, 'www.sonitech.org', 80, 'cas', false);

class auth_cas extends auth_plain {

    function auth_cas() {
        global $conf;
        $this->cando['external'] = true;
        $this->auth_plain();
    }

    function trustExternal($user, $pass, $sticky = false) {
        global $USERINFO;
        global $conf;
        $sticky = $sticky ? true : false; // sanity check
        $session = isset($_SESSION[$conf['title']]['auth']) ? $_SESSION[$conf['title']]['auth'] : null;
        // I had to set this to avoid an error on authentication.
        // Note: this disables validation of the CAS server's certificate;
        // phpCAS::setCasServerCACert() is the validating alternative.
        phpCAS::setNoCasServerValidation();
        if (phpCAS::isAuthenticated()) {
            $user = phpCAS::getUser();
            if (isset($session)) {
                // existing DokuWiki session: refresh it with the CAS user
                $_SERVER['REMOTE_USER'] = $user;
                $USERINFO = $session['info'];
                $_SESSION[$conf['title']]['auth']['user'] = $user;
                $_SESSION[$conf['title']]['auth']['pass'] = $session['pass'];
                $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
                $_SESSION[$conf['title']]['auth']['buid'] = $session['buid'];
            } else {
                // first visit: load user data from the plain auth backend
                $USERINFO = $this->getUserData($user);
                $_SERVER['REMOTE_USER'] = $user;
                $_SESSION[$conf['title']]['auth']['user'] = $user;
                $_SESSION[$conf['title']]['auth']['pass'] = $pass;
                $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
                $_SESSION[$conf['title']]['auth']['buid'] = auth_browseruid();
            }
            return true;
        } else {
            // not authenticated with CAS yet: redirect to the CAS login
            phpCAS::forceAuthentication();
        }
        return false;
    }
}
?>
Edit the file inc/actions.php and replace:
function act_auth($act){
    global $ID;
    global $INFO;
with:
function act_auth($act){
    global $ID;
    global $INFO;
    global $auth;
    if($auth->cando['login'] && $act == 'login') {
        $auth->logIn();
    }
Hack to fix logout (modify doku.php):
.......
//send 404 for missing pages if configured or ID has special meaning to bots
if(!$INFO['exists'] &&
   ($conf['send404'] || preg_match('/^(robots\.txt|sitemap\.xml(\.gz)?|favicon\.ico|crossdomain\.xml)$/',$ID)) &&
   ($ACT == 'show' || substr($ACT,0,7) == 'export_') ){
    header('HTTP/1.0 404 Not Found');
}

// also log out of CAS when DokuWiki's logout action is requested
if($ACT == 'logout') {
    phpCAS::logout();
}

//prepare breadcrumbs (initialize a static var)
breadcrumbs();

// check upstream
checkUpdateMessages();
......
Configuration:
Add to your conf/local.php
$conf['authtype'] = 'cas';
tags: cas
posted in Develop by Sonic | No Comments
In Ruby, when you need to request an https resource, for example:
require 'net/https'
https = Net::HTTP.new('mail.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')
If the following error appears, it means the machine has no CA certificates and cannot set up an encrypted connection to the SSL-protected resource:
/usr/local/lib/ruby/1.9.1/net/http.rb:678:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
In that case we need to install CA certificates on the machine; on Ubuntu, for example:
apt-get install ca-certificates
Once installed, all the certificates are placed under /etc/ssl/certs, and running the code above again now works.
If the certificates are not in the default path, you need to specify the path in code, for example:
require 'net/https'
https = Net::HTTP.new('mail.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
# ca_path must be a directory of CA certificates in OpenSSL's hashed layout
# (as produced by c_rehash); only use the custom path if it actually exists
https.ca_path = '/home/app/ssl/certs' if File.directory?('/home/app/ssl/certs')
https.request_get('/')
tags: openssl, ruby
posted in Ruby on Rails by Sonic | 1 Comment
In Nginx it is easy to use rewrite for URL redirection, but sometimes there are too many conditions, and Nginx's if does not support nesting (is that for performance reasons?). What then?
An example is the best way to describe it. Say I want to redirect every request to http://www.a.com to http://www.a.com/app1, and every request to http://www.b.com to http://www.b.com/app2. How do I do that?
Two conditions are needed here:
1. the host name the user requested (www.a.com or www.b.com)
2. the requested URI ("/" or something else)
Although Nginx's if does not support nesting, we can set some variables as flags and then test the flags. A bit clumsy, but it solves the problem.
# rewrite
set $my_a "no";
set $my_b "no";
if ($host = "www.a.com") {
set $my_a "yes";
}
if ($host = "www.b.com") {
set $my_b "yes";
}
if ($uri != "/") {
set $my_a "no";
set $my_b "no";
}
if ($my_a = "yes") {
rewrite ^(.*) http://www.a.com/app1;
break;
}
if ($my_b = "yes") {
rewrite ^(.*) http://www.b.com/app2;
break;
}
tags: nginx, rewrite
posted in Web Server by Sonic | No Comments
A few days ago I happened to see on Google Reader that a China Mobile CMWAP data SIM can actually get onto the TD network, and realised I had been out of the loop far too long and knew nothing about it. I happen to have one (20 yuan a month, unlimited data), and I have put up with the worst broadband in Beijing, Kuandaitong, at home for long enough, so after reading a few articles I immediately bought a Huawei ET128-2 3G dual-mode modem on Taobao.
On Windows, following most of the articles gets this done quickly, and there would be no need for this post; here I mainly describe the approach on a Mac.
As soon as the 3G modem arrived I plugged it into the Mac for a quick test, and it could not find my SIM card. Was this a disaster, a broken unit? What was going on? I immediately tested it on Windows, and there it worked fine, so it had to be a driver problem.
The ET128-2 spec sheet says it supports Mac, but does not say whether it supports the latest 64-bit Snow Leopard. I went to Huawei's site, downloaded the latest firmware, found an XP machine (Huawei's firmware updater only supports XP), updated, went back to the Mac to test, and everything worked.
Now to the real topic:
My SIM only supports the CMWAP access point (APN), but China Mobile's "Mobile Partner" dialer connects to CMNET by default, with nowhere to change it. How do you change the APN on a Mac?
Go to the application's config data directory:
$ cd "/Applications/Mobile Partner.app/Contents/Resources/config/data"
Edit the two files SysProfile.prof and ProfileLib.prof and change CMNET to CMWAP in them.
You can find some interesting things in these configuration files, for example the dial-up number is actually "*99***1#":
<Profile name="CMCC" type="" readonly="true" device="" user="" password="" phonenumber="*99***1#" autoapn="false" apn="CMWAP" chap="true" pap="false" ip="" dns="" dnsalt="" wins="" winsalt="" imsi="" popusername="" Remember="" langId="" Style="" />
After modifying these two files you can connect, but there is still a problem. As we know, China Mobile's CMWAP monthly plans can only reach non-WAP sites through the proxy (10.0.0.172:80), so to browse the web you just set Firefox's HTTP proxy to 10.0.0.172:80. But what about software that does not support a proxy? On Windows you can use tools like "Donggan Danuoyi" to get around the restriction, but on a Mac?
Rather than going to all that trouble, let's do something thorough and use OpenVPN to get through completely. There are preconditions though:
- an OpenVPN server
- the OpenVPN server port must be 443 (because China Mobile only opens 80 and 443)
There are many places online offering free OpenVPN accounts; I could not be bothered and set up my own OpenVPN server. I won't describe that process here; a search turns up plenty.
Tunnelblick is an open-source OpenVPN client for the Mac. Prepare the certificate and key your OpenVPN client needs (mine are ca.crt, sonitech-client.crt and sonitech-client.key), place them in Tunnelblick's configuration directory as prompted, then create a configuration file sonitech-client.ovpn:
client
dev tun
proto tcp
remote 202.x.x.x 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca sonitech/ca.crt
cert sonitech/sonitech-client.crt
key sonitech/sonitech-client.key
ns-cert-type server
comp-lzo
verb 3
http-proxy 10.0.0.172 80
You can comment out the last line (the proxy) first and test the connection. If it works, uncomment the last line, connect to China Mobile's network with "Mobile Partner" first, then connect OpenVPN. If all goes well, you can go anywhere unobstructed.
Measurements I took by the window; not bad.

tags: cmwap, mac, openvpn
posted in Mobile by Sonic | 1 Comment
A while ago I built a storage server with five disks in a RAID1 + RAID5 configuration, giving 2T of storage space, and used Samba to turn it into a share server, so for now I no longer need to worry about space or data safety.
The annoying part came afterwards, though. Once Samba was configured it worked well from Windows, but Finder on the Mac simply would not connect: I entered the Samba server address (smb://192.168.1.7), entered the username and password, and got an error. I wasted two days fretting over this before, damn it, finally solving it.
First I suspected a password-encryption issue and switched from the previous tdb password store to the smbpasswd file, to no avail.
Then I looked at the Samba logs and found no telling error messages.
Later I remembered that Samba uses NMB to interoperate with Windows workgroups, so I looked at the NMB log:
[2011/05/03 21:23:55, 0] nmbd/nmbd_nameregister.c:register_name(484)
register_name: NetBIOS name SoniTech PUBLIC SHARE SERVER is too long. Truncating to SONITECH PUBLIC
That hardly seemed like anything, but I figured I would shorten the name anyway, and with that one change the Mac side started working. What kind of silly problem is that!
tags: mac, samba
posted in Unix Linux by Sonic | 2 Comments
If a running Xen Dom0 loses power unexpectedly, the DomU disk image files may be damaged. If the DomU runs Unix/Linux, fsck will try to repair the file system at the next boot; if the damage is severe it can only come up with a read-only file system. I ran into this recently; here is my repair process:
First, attach the DomU disk image as a loop device (the modified kernel supports 64 loop devices)
# losetup /dev/loop63 disk.img
Use kpartx to map the partitions (including LVM logical volumes) to device files
If LVM is in use, read the LVM metadata (I am not using LVM here):
Use e2fsck to repair the partition (with LVM, change the path to the LVM volume obtained in the previous step)
# e2fsck /dev/loop63
e2fsck 1.39 (29-May-2006)
/dev/loop63 contains a file system with errors, check forced.
Pass 1: Checking inodes, blocks, and sizes
Inodes that were part of a corrupted orphan linked list found. Fix<y>? yes
Inode 984167 was part of the orphaned inode list. FIXED.
Deleted inode 984169 has zero dtime. Fix<y>? yes
Inode 984170 was part of the orphaned inode list. FIXED.
Inode 984176 was part of the orphaned inode list. FIXED.
Inode 984177 was part of the orphaned inode list. FIXED.
Inode 984178 was part of the orphaned inode list. FIXED.
Inode 984192 was part of the orphaned inode list. FIXED.
Inode 984195 was part of the orphaned inode list. FIXED.
Inode 984196 was part of the orphaned inode list. FIXED.
Inode 984197 was part of the orphaned inode list. FIXED.
Inode 984198 was part of the orphaned inode list. FIXED.
Inode 984199 was part of the orphaned inode list. FIXED.
Inode 984201 was part of the orphaned inode list. FIXED.
Inode 984202 was part of the orphaned inode list. FIXED.
Inode 1968728, i_size is 102337, should be 106496. Fix<y>? yes
Inode 1968728, i_blocks is 208, should be 216. Fix<y>? yes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Block bitmap differences: +7895540
Fix<y>? yes
Free blocks count wrong for group #240 (55, counted=54).
Fix<y>? yes
Free blocks count wrong (2339653, counted=2339652).
Fix<y>? yes
Inode bitmap differences: -984167 -(984169--984170) -(984176--984178) -984192 -(984195--984199) -(984201--984202)
Fix<y>? yes
Free inodes count wrong for group #120 (3664, counted=3678).
Fix<y>? yes
Free inodes count wrong (1523761, counted=1523775).
Fix<y>? yes
/dev/loop63: ***** FILE SYSTEM WAS MODIFIED *****
/dev/loop63: 1097665/2621440 files (1.8% non-contiguous), 8146108/10485760 blocks
tags: img, xen
posted in Virtualization by Sonic | No Comments
Requirements:
- ssh account (not in china)
- chrome browser
Step by step:
- make a bash script for the ssh tunnel
$ mkdir bin
$ cd bin
$ touch ssh_tunnel.sh
$ chmod +x ssh_tunnel.sh
$ open .
- open ssh_tunnel.sh with TextEdit

- type in the following and save it:
#!/bin/bash
ssh -qTfnN -D 8888 username@hostname
- generate an ssh key (empty passphrase)
$ ssh-keygen -t dsa
$ ls ~/.ssh
id_dsa id_dsa.pub
- copy the ssh public key to the remote host
$ cat ~/.ssh/id_dsa.pub | ssh username@hostname 'cat >> ~/.ssh/authorized_keys'
- connect the ssh tunnel
- install google chrome
download link: http://www.google.com/chrome
- install Proxy Switchy! extension
Proxy Switchy! link: https://chrome.google.com/webstore/detail/caehdcpeofiiigpdhbabniblemipncjj
- configure Proxy Switchy! with ssh tunnel
- Proxy Switchy! -> Options

- new profile

- add online gfwlist
http://autoproxy-gfwlist.googlecode.com/svn/trunk/gfwlist.txt

save.
OK, done! Click the Proxy Switchy! icon and change to Auto Switch Mode; then you can try to access youtube.com
- auto start on boot
If you want the ssh tunnel to connect automatically at login, just add ssh_tunnel.sh to your Login Items.
tags: gfw, mac, tunnel
posted in Mac by Sonic | 2 Comments
Mac:
sudo dscacheutil -flushcache
Linux:
rndc flush
or
/etc/init.d/nscd restart
Windows:
posted in Develop by Sonic | No Comments
Sonic recently ran into a problem where a Xen DomU hangs before the login prompt on boot. It does not affect the Linux boot itself, and logging in over SSH works, but connecting to the DomU console from Dom0 gets stuck at:
......
* Starting OpenBSD Secure Shell server sshd [ OK ]
* Running local boot scripts (/etc/rc.local) [ OK ]
It should be a permissions issue with the virtual console. Solution:
Add extra = 'console=hvc0' to the DomU configuration file
In the DomU, modify /etc/event.d/hvc0
# hvc0 - getty
#
# This service maintains a getty on hvc0 from the point the system is
# started until it is shut down again.
start on stopped rc2
start on stopped rc3
start on stopped rc4
start on stopped rc5
stop on runlevel 0
stop on runlevel 1
stop on runlevel 6
respawn
script
if [ ! -c /dev/hvc0 ]; then
mknod --mode=600 /dev/hvc0 c 204 191;
fi
exec /sbin/getty 38400 hvc0
end script
posted in Virtualization by Sonic | No Comments