@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Document even more ways to manage `sshd` ports

Summary: Fixes T11882. Document using `~/.ssh/config` to mitigate the inconvenience of port 2222.

Test Plan: Read document.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11882

Differential Revision: https://secure.phabricator.com/D16894

+82 -13
src/docs/user/userguide/diffusion_hosting.diviner
··· 222 222 NOTE: The Phabricator `sshd` service **MUST** be 6.2 or newer, because 223 223 Phabricator relies on the `AuthorizedKeysCommand` option. 224 224 225 - **Choose a Port**: These instructions will configure the alternate `sshd` on 225 + Before continuing, you must choose a strategy for which port each copy of 226 + `sshd` will run on. The next section lays out various approaches. 227 + 228 + 229 + SSHD Port Assignment 230 + ==================== 231 + 232 + The normal `sshd` that lets you administrate the host and the special `sshd` 233 + which serves repositories can't run on the same port. In particular, only one 234 + of them can run on port `22`, which will make it a bit inconvenient to access 235 + the other one. 236 + 237 + These instructions will walk you through configuring the alternate `sshd` on 226 238 port `2222`. This is easy to configure, but if you run the service on this port 227 - users will clone and push to URIs like `ssh://git@host.com:2222/`, which is 228 - a little ugly. 239 + users will clone and push to URIs like `ssh://git@host.com:2222/`, which is a 240 + little ugly. 241 + 242 + There are several different approaches you can use to mitigate or eliminate 243 + this problem. 244 + 245 + **Run on Port 2222**: You can do nothing, and just run the repository `sshd` on 246 + port `2222` and accept the explicit port in the URIs. This is the simplest 247 + approach, and you can always start here and clean things up later if you grow 248 + tired of dealing with the port number. 249 + 250 + **Use a Load Balancer**: You can configure a load balancer in front of the host 251 + and have it forward TCP traffic on port `22` to port `2222`. Then users can 252 + clone from `ssh://git@host.com/` without an explicit port number and you don't 253 + need to do anything else. 254 + 255 + This may be very easy to set up, particularly if you are hosted in AWS, and 256 + is often the simplest and cleanest approach. 
257 + 258 + **Swap Ports**: You can move the administrative `sshd` to a new port, then run 259 + Phabricator `sshd` on port 22. This is somewhat complicated and can be a bit 260 + risky if you make a mistake. See "Moving the sshd Port" below for help. 261 + 262 + **Change Client Config**: You can run on a nonstandard port, but configure SSH 263 + on the client side so that `ssh` automatically defaults to the correct port 264 + when connecting to the host. To do this, add a section like this to your 265 + `~/.ssh/config`: 266 + 267 + ``` 268 + Host phabricator.corporation.com 269 + Port 2222 270 + ``` 271 + 272 + (If you want, you can also add a default `User`.) 273 + 274 + Command line tools like `ssh`, `git` and `hg` will now default to port 275 + `2222` when connecting to this host. 276 + 277 + A downside to this approach is that your users will each need to set up their 278 + `~/.ssh/config` files individually. 279 + 280 + This file also allows you to define short names for hosts using the `Host` and 281 + `HostName` options. If you choose to do this, be aware that Phabricator uses 282 + remote/clone URIs to figure out which repository it is operating in, but can 283 + not resolve host aliases defined in your `ssh` config. If you create host 284 + aliases they may break some features related to repository identification. 285 + 286 + If you use this approach, you will also need to specify a port explicitly when 287 + connecting to administrate the host. Any unit tests or other build automation 288 + will also need to be configured or use explicit port numbers. 289 + 290 + **Port Multiplexing**: If you have hardware access, you can power down the host 291 + and find the network I/O pins on the motherboard (for onboard networking) or 292 + network card. 293 + 294 + Carefully strip and solder a short piece of copper wire between the pins for 295 + the external interface `22` and internal `2222`, so the external interface can 296 + receive traffic for both services. 
229 297 230 - The easiest way to fix this is to put a load balancer in front of the host and 231 - have it forward TCP traffic on port `22` to port `2222`. Then users can clone 232 - from `ssh://git@host.com/` without an explicit port number and you don't need 233 - to do anything else. 298 + (Make sure not to desolder the existing connection between external `22` and 299 + internal `22` or you won't be able to connect normally to administrate the 300 + host.) 301 + 302 + The obvious downside to this approach is that it requires physical access to 303 + the machine, so it won't work if you're hosted on a cloud provider. 304 + 234 305 235 - Alternatively, you can move the administrative `sshd` to a new port, then run 236 - Phabricator `sshd` on port 22. This is complicated and risky. See "Moving the 237 - sshd Port" below for help. 306 + SSHD Setup 307 + ========== 238 308 239 - Finally, you can just run on port `2222` and accept the explicit port in the 240 - URIs. This is the simplest approach, and you can start here and clean things 241 - up later. 309 + Now that you've decided how you'll handle port assignment, you're ready to 310 + continue `sshd` setup. 242 311 243 312 If you plan to connect to a port other than `22`, you should set this port 244 313 as `diffusion.ssh-port` in your Phabricator config:
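Review bot: The "Port Multiplexing" option (new lines 290-304) is laid out exactly like the four real strategies, but soldering a wire between "pins" for `22` and `2222` cannot work, because TCP ports are not physical pins, and nothing in the section tells a skimming reader it is a joke. Either drop it or mark it explicitly as humor so it is not read as a supported configuration next to "Use a Load Balancer" and "Change Client Config". Separately, "Swap Ports" (new lines 258-260) softens the old "complicated and risky" to "somewhat complicated and can be a bit risky"; since that option moves the administrative `sshd`, consider keeping the stronger wording and stating what the risk is.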