Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F14347555
D16894.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
4 KB
Referenced Files
None
Subscribers
None
D16894.diff
View Options
diff --git a/src/docs/user/userguide/diffusion_hosting.diviner b/src/docs/user/userguide/diffusion_hosting.diviner
--- a/src/docs/user/userguide/diffusion_hosting.diviner
+++ b/src/docs/user/userguide/diffusion_hosting.diviner
@@ -222,23 +222,92 @@
NOTE: The Phabricator `sshd` service **MUST** be 6.2 or newer, because
Phabricator relies on the `AuthorizedKeysCommand` option.
-**Choose a Port**: These instructions will configure the alternate `sshd` on
+Before continuing, you must choose a strategy for which port each copy of
+`sshd` will run on. The next section lays out various approaches.
+
+
+SSHD Port Assignment
+====================
+
+The normal `sshd` that lets you administrate the host and the special `sshd`
+which serves repositories can't run on the same port. In particular, only one
+of them can run on port `22`, which will make it a bit inconvenient to access
+the other one.
+
+These instructions will walk you through configuring the alternate `sshd` on
port `2222`. This is easy to configure, but if you run the service on this port
-users will clone and push to URIs like `ssh://git@host.com:2222/`, which is
-a little ugly.
+users will clone and push to URIs like `ssh://git@host.com:2222/`, which is a
+little ugly.
+
+There are several different approaches you can use to mitigate or eliminate
+this problem.
+
+**Run on Port 2222**: You can do nothing, and just run the repository `sshd` on
+port `2222` and accept the explicit port in the URIs. This is the simplest
+approach, and you can always start here and clean things up later if you grow
+tired of dealing with the port number.
+
+**Use a Load Balancer**: You can configure a load balancer in front of the host
+and have it forward TCP traffic on port `22` to port `2222`. Then users can
+clone from `ssh://git@host.com/` without an explicit port number and you don't
+need to do anything else.
+
+This may be very easy to set up, particularly if you are hosted in AWS, and
+is often the simplest and cleanest approach.
+
+**Swap Ports**: You can move the administrative `sshd` to a new port, then run
+Phabricator `sshd` on port 22. This is somewhat complicated and can be a bit
+risky if you make a mistake. See "Moving the sshd Port" below for help.
+
+**Change Client Config**: You can run on a nonstandard port, but configure SSH
+on the client side so that `ssh` automatically defaults to the correct port
+when connecting to the host. To do this, add a section like this to your
+`~/.ssh/config`:
+
+```
+Host phabricator.corporation.com
+ Port 2222
+```
+
+(If you want, you can also add a default `User`.)
+
+Command line tools like `ssh`, `git` and `hg` will now default to port
+`2222` when connecting to this host.
+
+A downside to this approach is that your users will each need to set up their
+`~/.ssh/config` files individually.
+
+This file also allows you to define short names for hosts using the `Host` and
+`HostName` options. If you choose to do this, be aware that Phabricator uses
+remote/clone URIs to figure out which repository it is operating in, but can
+not resolve host aliases defined in your `ssh` config. If you create host
+aliases they may break some features related to repository identification.
-The easiest way to fix this is to put a load balancer in front of the host and
-have it forward TCP traffic on port `22` to port `2222`. Then users can clone
-from `ssh://git@host.com/` without an explicit port number and you don't need
-to do anything else.
+If you use this approach, you will also need to specify a port explicitly when
+connecting to administrate the host. Any unit tests or other build automation
+will also need to be configured or use explicit port numbers.
-Alternatively, you can move the administrative `sshd` to a new port, then run
-Phabricator `sshd` on port 22. This is complicated and risky. See "Moving the
-sshd Port" below for help.
+**Port Multiplexing**: If you have hardware access, you can power down the host
+and find the network I/O pins on the motherboard (for onboard networking) or
+network card.
+
+Carefully strip and solder a short piece of copper wire between the pins for
+the external interface `22` and internal `2222`, so the external interface can
+receive traffic for both services.
+
+(Make sure not to desolder the existing connection between external `22` and
+internal `22` or you won't be able to connect normally to administrate the
+host.)
+
+The obvious downside to this approach is that it requires physical access to
+the machine, so it won't work if you're hosted on a cloud provider.
+
+
+SSHD Setup
+==========
-Finally, you can just run on port `2222` and accept the explicit port in the
-URIs. This is the simplest approach, and you can start here and clean things
-up later.
+Now that you've decided how you'll handle port assignment, you're ready to
+continue `sshd` setup.
If you plan to connect to a port other than `22`, you should set this port
as `diffusion.ssh-port` in your Phabricator config:
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Fri, Dec 20, 3:03 AM (19 h, 5 m)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6909314
Default Alt Text
D16894.diff (4 KB)
Attached To
Mode
D16894: Document even more ways to manage `sshd` ports
Attached
Detach File
Event Timeline
Log In to Comment