Archive for the ‘Server Diary’ Category

SSH disconnection problem

Sunday, April 20th, 2008

I recently moved to Slicehost, and one big problem is that SSH sessions drop on their own after sitting idle for a short while.
The Bluehost session in the window next to it has been left idle for two days without dropping, so why does Slicehost die after just half an hour?
After a little searching (actually I filed a ticket :$), it turns out you only need to tweak sshd a bit:
Edit /etc/ssh/sshd_config
KeepAlive yes
ClientAliveInterval 60

Also, since I connect from GTerm on Ubuntu, it can be changed on the client side as well:
Edit ~/.ssh/config
ServerAliveInterval 60

And, strangely enough, it no longer disconnects XD
Bye bye SSH disconnecting every so fu*ing often :)

PHP 5.2.1 on FC4 x86_64 compile note

Saturday, April 21st, 2007

Link the libraries from their default locations:

ln -s /usr/include /opt/include
ln -s /usr/lib64 /opt/lib

Now configure with the new locations:

./configure --prefix=/usr/local --enable-force-cgi-redirect --enable-fastcgi --with-libxml --with-zlib --with-bz2 --with-curl --with-gd --enable-mbstring --with-jpeg-dir=/opt --with-png-dir=/opt --with-mysql=/opt

Use Shared Host’s MySQL on VPS

Sunday, April 15th, 2007

My 1&1 VPS II server comes with only 256MB of dedicated memory, which is pathetic. If I run a separate mysqld, it is going to take 1xxMB away from this severely limited memory pool. It makes sense to me to use the MySQL databases on another shared hosting account instead. BlueHost and HostMonster both enable a firewall in front of their MySQL servers by default. Whitelisting the server's IP can be done by:

  1. Launching a remote Firefox session, which takes patience and the hassle of all that X Window configuration.
  2. Setting up a VPN on the server, and using the server's IP to whitelist itself.

But the connection between the VPS and the Shared Host's MySQL database would be insecure (plain TCP across the Internet). The natural conclusion is that the best option is an SSH tunnel.

This assumes you have shell access to both the VPS and the Shared Host, and that both are running OpenSSH.

Setup Public Key Authentication

  1. Log in to the VPS with the account you want to create the tunnel as
  2. cd ~/.ssh

    (create it if it does not exist)

  3. ssh-keygen -t dsa
  4. Securely transfer id_dsa.pub to the Shared Host's home directory, something like this:
    scp id_dsa.pub sharedhost:/home/username/.ssh/server_id_dsa.pub
  5. Log in to the Shared Host
  6. cd ~/.ssh
    cat server_id_dsa.pub >> authorized_keys
  7. Switch back to the VPS and try logging in to the Shared Host using public key authentication:
    ssh username@sharedhost

    If everything is set up properly, no password is prompted.

If in doubt, [this] is a good place to consult about public key authentication.

Setting up a host name

When the MySQL client connects to "localhost", it uses the Unix socket rather than TCP, no matter how hard you try to tell it that the service is not actually running locally but is reached through a tunnel to a remote host. To get around this, create an entry in /etc/hosts:

127.0.0.1 localhost mysqlhost

This points the host name 'mysqlhost' to 127.0.0.1, which is essentially localhost as well, but mysql is too dumb to understand that: it only special-cases the literal name "localhost", so any other name makes it use TCP and hit the tunnel.

Create the tunnel

  1. First, stop the local mysqld. As root:

    service mysqld stop
  2. Log in to the VPS as the user previously configured with public key authentication to the Shared Host
  3. Create the tunnel:
    ssh -f username@sharedhost -N -L 3306:localhost:3306

    This creates an SSH tunnel in the background and forwards connections to port 3306 on localhost to port 3306 on sharedhost.

  4. Change the PHP configuration files to reflect the database names, users and passwords on the Shared Host, and most importantly, use mysqlhost instead of localhost.

Automate the process

What if the SSH tunnel dies? What if the VPS restarts? How do you make sure the connection stays alive? The answer is autossh.

  1. As root:

    yum install autossh
  2. Edit /etc/rc.d/rc.local, add this line at the bottom:
    su VPSusername -c 'autossh -M 5307 -f SHAREDHOSTusername@sharedhost -N -L 3306:localhost:3306' &

    This tells the server to execute the command in ' ' as VPSusername and put the process in the background at startup. autossh uses port 5307 to monitor the SSH tunnel to sharedhost and reconnects if it drops. Also make sure the local MySQL daemon is disabled from starting automatically, or the tunnel cannot bind port 3306 and will not be created.

OpenVPN on FC4 note

Sunday, April 15th, 2007

Server

  1. yum install openvpn
  2. cp -R /usr/share/openvpn/easy-rsa /etc/openvpn
  3. cd /etc/openvpn/easy-rsa
  4. vim vars:
    # easy-rsa parameter settings
    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.
    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    
    export D=`pwd`
    
    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    
    export KEY_CONFIG=$D/openssl.cnf
    
    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    #
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    
    export KEY_DIR="/etc/openvpn/keys"
    
    # Issue rm -rf warning
    
    echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    
    export KEY_SIZE=1024
    
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    
    export KEY_COUNTRY=US
    export KEY_PROVINCE=CA
    export KEY_CITY=SANDIEGO
    export KEY_ORG="TAROTOAST.COM"
    export KEY_EMAIL="chang.peter@gmail.com"
  5. chmod 700 *
  6. mkdir /etc/openvpn/keys
  7. make sure you are in a Bash shell (still in the /etc/openvpn/easy-rsa directory)
  8. . ./vars
  9. ./clean-all
  10. ./build-ca
    Enter ROOTCA for common name
  11. ./build-key-server server
    Enter ROOT for common name
  12. ./build-key [computername] <- repeat for each computer you want to allow to connect
    Enter [computername] as common name
    EX: ./build-key AMD64
    EX: ./build-key X40
  13. ./build-dh
  14. vim /etc/openvpn/server.conf:
    port 1194
    proto tcp
    dev tun
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh1024.pem
    server 10.11.12.0 255.255.255.0
    client-config-dir ccd
    push "dhcp-option DNS SERVERIP"
    push "dhcp-option DNS SERVERDNS"
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status server-tcp.log
    verb 3
  15. Create log files: touch /etc/openvpn/server-tcp.log /etc/openvpn/ipp.txt
  16. vim /etc/init.d/openvpn:
    Uncomment line 114
    /sbin/modprobe tun >/dev/null 2>&1

    Insert after line 115

    iptables -t nat -A POSTROUTING -s 10.11.12.3 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.4 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.5 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.6 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.7 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.8 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.9 -j SNAT --to SERVERIP
    iptables -t nat -A POSTROUTING -s 10.11.12.10 -j SNAT --to SERVERIP
  17. service openvpn start
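
The per-client SNAT lines in step 16 above, reworked as an added example that is not from the original post: one SNAT rule scoped to the VPN subnet and the outbound interface covers every address the pool can hand out, and FORWARD rules restrict which direction connections may be opened. SERVERIP is the post's placeholder; VPN_NET matches the server line in server.conf; tun0 and eth0 are assumed device names.

```bash
#!/bin/bash
# Added example, not from the original post: generate the NAT and forwarding
# rules for the VPN subnet instead of one SNAT line per client address.
# SERVERIP is the post's placeholder; tun0/eth0 are assumed device names.

VPN_NET=${VPN_NET:-10.11.12.0/24}
VPN_DEV=${VPN_DEV:-tun0}
WAN_DEV=${WAN_DEV:-eth0}
SERVERIP=${SERVERIP:-SERVERIP}

# Prints one iptables command per line. The SNAT rule is limited to traffic
# leaving on the WAN device, so VPN-to-VPN traffic is not rewritten, and the
# FORWARD rules let only VPN clients initiate; the Internet side may only
# answer connections that already exist.
vpn_rules() {
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_DEV -j SNAT --to-source $SERVERIP"
    echo "iptables -A FORWARD -i $VPN_DEV -s $VPN_NET -o $WAN_DEV -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_DEV -o $VPN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $VPN_DEV -j DROP"
}

# Applies the rules; needs root. Forwarding must be switched on, or the
# kernel drops the packets before the FORWARD chain ever sees them.
apply_vpn_rules() {
    sysctl -w net.ipv4.ip_forward=1
    vpn_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Only act when invoked as: ./vpn-rules.sh apply   (e.g. from the init script)
if [ "${1:-}" = apply ]; then
    apply_vpn_rules
fi
```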

Client (Windows Vista with UAC on)

  1. Download and install OpenVPN GUI 1.0.3 with OpenVPN 2.0.9 [Here]
  2. Scary warning will pop up telling you the driver will not work, install it anyway. OpenVPN’s developers fixed it already.
  3. Make a shortcut on desktop to GUI executable “C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe”
  4. Use WinSCP to download these files onto the client computer:
    /etc/openvpn/keys/ca.crt
    /etc/openvpn/keys/AMD64.key
    /etc/openvpn/keys/AMD64.crt
  5. Put the above files along with this VPNServer.ovpn in C:\Program Files\OpenVPN\config
    VPNServer.ovpn
    client
    dev tun
    proto tcp
    remote SERVERIP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert AMD64.crt
    key AMD64.key
    ns-cert-type server
    push "dhcp-option DNS SERVERIP"
    push "dhcp-option DNS SERVERDNSIP"
    comp-lzo
    verb 3
    route-method exe
    route-delay 2
    
  6. Right-click the shortcut to openvpn-gui-1.0.3.exe and select Run As Administrator
  7. On the taskbar, right-click the OpenVPN GUI icon and select Connect

DONE

The above mostly follows [this thread] except some minor changes in client side config.

small update

Sunday, April 15th, 2007
  • byebye SK2, hello Akismet
  • byebye Counterize, hello Counterize II
  • byebye localhost mysqld, hello BH’s mysqld (via ssh tunnel)
  • byebye K2, hello other wp themes