Page MenuHomePhabricator

D16894.diff
No OneTemporary

D16894.diff

diff --git a/src/docs/user/userguide/diffusion_hosting.diviner b/src/docs/user/userguide/diffusion_hosting.diviner
--- a/src/docs/user/userguide/diffusion_hosting.diviner
+++ b/src/docs/user/userguide/diffusion_hosting.diviner
@@ -222,23 +222,92 @@
NOTE: The Phabricator `sshd` service **MUST** be 6.2 or newer, because
Phabricator relies on the `AuthorizedKeysCommand` option.
-**Choose a Port**: These instructions will configure the alternate `sshd` on
+Before continuing, you must choose a strategy for which port each copy of
+`sshd` will run on. The next section lays out various approaches.
+
+
+SSHD Port Assignment
+====================
+
+The normal `sshd` that lets you administrate the host and the special `sshd`
+which serves repositories can't run on the same port. In particular, only one
+of them can run on port `22`, which will make it a bit inconvenient to access
+the other one.
+
+These instructions will walk you through configuring the alternate `sshd` on
port `2222`. This is easy to configure, but if you run the service on this port
-users will clone and push to URIs like `ssh://git@host.com:2222/`, which is
-a little ugly.
+users will clone and push to URIs like `ssh://git@host.com:2222/`, which is a
+little ugly.
+
+There are several different approaches you can use to mitigate or eliminate
+this problem.
+
+**Run on Port 2222**: You can do nothing, and just run the repository `sshd` on
+port `2222` and accept the explicit port in the URIs. This is the simplest
+approach, and you can always start here and clean things up later if you grow
+tired of dealing with the port number.
+
+**Use a Load Balancer**: You can configure a load balancer in front of the host
+and have it forward TCP traffic on port `22` to port `2222`. Then users can
+clone from `ssh://git@host.com/` without an explicit port number and you don't
+need to do anything else.
+
+This may be very easy to set up, particularly if you are hosted in AWS, and
+is often the simplest and cleanest approach.
+
+**Swap Ports**: You can move the administrative `sshd` to a new port, then run
+Phabricator `sshd` on port 22. This is somewhat complicated and can be a bit
+risky if you make a mistake. See "Moving the sshd Port" below for help.
+
+**Change Client Config**: You can run on a nonstandard port, but configure SSH
+on the client side so that `ssh` automatically defaults to the correct port
+when connecting to the host. To do this, add a section like this to your
+`~/.ssh/config`:
+
+```
+Host phabricator.corporation.com
+ Port 2222
+```
+
+(If you want, you can also add a default `User`.)
+
+Command line tools like `ssh`, `git` and `hg` will now default to port
+`2222` when connecting to this host.
+
+A downside to this approach is that your users will each need to set up their
+`~/.ssh/config` files individually.
+
+This file also allows you to define short names for hosts using the `Host` and
+`HostName` options. If you choose to do this, be aware that Phabricator uses
+remote/clone URIs to figure out which repository it is operating in, but can
+not resolve host aliases defined in your `ssh` config. If you create host
+aliases they may break some features related to repository identification.
-The easiest way to fix this is to put a load balancer in front of the host and
-have it forward TCP traffic on port `22` to port `2222`. Then users can clone
-from `ssh://git@host.com/` without an explicit port number and you don't need
-to do anything else.
+If you use this approach, you will also need to specify a port explicitly when
+connecting to administrate the host. Any unit tests or other build automation
+will also need to be configured or use explicit port numbers.
-Alternatively, you can move the administrative `sshd` to a new port, then run
-Phabricator `sshd` on port 22. This is complicated and risky. See "Moving the
-sshd Port" below for help.
+**Port Multiplexing**: If you have hardware access, you can power down the host
+and find the network I/O pins on the motherboard (for onboard networking) or
+network card.
+
+Carefully strip and solder a short piece of copper wire between the pins for
+the external interface `22` and internal `2222`, so the external interface can
+receive traffic for both services.
+
+(Make sure not to desolder the existing connection between external `22` and
+internal `22` or you won't be able to connect normally to administrate the
+host.)
+
+The obvious downside to this approach is that it requires physical access to
+the machine, so it won't work if you're hosted on a cloud provider.
+
+
+SSHD Setup
+==========
-Finally, you can just run on port `2222` and accept the explicit port in the
-URIs. This is the simplest approach, and you can start here and clean things
-up later.
+Now that you've decided how you'll handle port assignment, you're ready to
+continue `sshd` setup.
If you plan to connect to a port other than `22`, you should set this port
as `diffusion.ssh-port` in your Phabricator config:

File Metadata

Mime Type
text/plain
Expires
Fri, Dec 20, 3:03 AM (19 h, 5 m)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6909314
Default Alt Text
D16894.diff (4 KB)

Event Timeline