4:45 p.m.
Hi there,
Many open source projects provide access to their source code via
remote cvs (usually pserver). Unfortunately, many people are prevented
from using these facilities because they are behind firewalls which
prevent uncontrolled tcp access outside of their LAN. However, this is
also often the case for things like HTTPS and so Netscape have defined
a way of circumventing these restrictions by tunnelling connections
through HTTP. See
http://home.netscape.com/newsref/std/tunneling_ssl.html. This facility
can easily be added to cvs and the attached patch achieves this. To use the
proxy www on port 8080 to connect to the external machine there.somedomain
use:
cvs -d
:pserver;proxy=www;proxyport=8080:me@there.somedomain:/somerepository
The patch includes Jim Kingdon's port patch as many web servers
restrict the use of CONNECT to well known ports. A way of
circumventing this is to make a cvs server listen on one of these
ports - for instance 443 the HTTPS port. To access a server set up in this
way do:
cvs -d
:pserver;proxy=www;proxyport=8080;port=443:me@there.somedomain:/somerepository
The patch was inspired by ssh-tunnel.pl written by Urban Kaveus
<urban(a)statt.ericsson.se>. It adheres to HACKING so I hope it can be
incorporated in the main development tree.
andy
---------------------------------------------------------------------------
" .sigs are like your face - rarely seen by you and uglier than you think"
Dr Andy Piper, Technical Architect, Parallax Solutions Ltd
mail: andyp(a)parallax.co.uk web: www.parallax.co.uk/~andyp
8 a.m.
Hi
that would solve all our problems
Andy Piper wrote:
Hi there,
Many open source projects provide access to their source code via
remote cvs (usually pserver). Unfortunately, many people are prevented
from using these facilities because they are behind firewalls which
prevent uncontrolled tcp access outside of their LAN. However, this is
also often the case for things like HTTPS and so Netscape have defined
a way of circumventing these restrictions by tunnelling connections
through HTTP. See
http://home.netscape.com/newsref/std/tunneling_ssl.html. This facility
can easily be added to cvs and the attached patch achieves this. To use the
proxy www on port 8080 to connect to the external machine there.somedomain
use:
cvs -d
:pserver;proxy=www;proxyport=8080:me@there.somedomain:/somerepository
The patch includes Jim Kingdon's port patch as many web servers
restrict the use of CONNECT to well known ports. A way of
circumventing this is to make a cvs server listen on one of these
ports - for instance 443 the HTTPS port. To access a server set up in this
way do:
cvs -d
:pserver;proxy=www;proxyport=8080;port=443:me@there.somedomain:/somerepository
The patch was inspired by ssh-tunnel.pl written by Urban Kaveus
<urban(a)statt.ericsson.se>. It adheres to HACKING so I hope it can be
incorporated in the main development tree.
andy
------------------------------------------------------------------------
Name: tunnel.patch
tunnel.patch Type: Plain Text (text/plain)
Encoding: quoted-printable
------------------------------------------------------------------------
---------------------------------------------------------------------------
" .sigs are like your face - rarely seen by you and uglier than you think"
Dr Andy Piper, Technical Architect, Parallax Solutions Ltd
mail: andyp(a)parallax.co.uk web: www.parallax.co.uk/~andyp
--
ICQ=6445186
AOL IM= KaySG
=========
Everyone has a photographic memory. Some don't have film.
Kay Schulz
kay(a)ciemed.nus.edu.sg
Human Being
9:04 a.m.
I have to wonder, living behind a corporate firewall myself at
my day-job, how the person in charge of security would feel
about this clever tunneling. Why is asking the company security
guru to allow outbound connections to TCP port 443 not the right
solution to this problem? Wriggling under the firewall might
buy you some short term gain--- but it might also get you fired.
5:12 p.m.
At 01:04 05/01/99 -0800, Kyle Jones wrote:
I have to wonder, living behind a corporate firewall myself at
my day-job, how the person in charge of security would feel
about this clever tunneling. Why is asking the company security
guru to allow outbound connections to TCP port 443 not the right
solution to this problem? Wriggling under the firewall might
buy you some short term gain--- but it might also get you fired.
Well there are two answers to this:
1. They can't fire me becuse I have already resigned :)
2. It seems many sysadmins are unhappy to do this. I don't know why this is
but I know that setting up another proxy on our firewall is a pain because
it has to be a specific port for a specific location (so you need a plug
gateway for each cvs server you want to connect to). Allowing access via
the web-proxy is much easier to administer, but I couldn't comment on the
security implications. My sysadmin was happy to allow 2401 on the web proxy
- but then he was also happy to add a plug-gateway for cvs.xemacs.org.
YMMV. BillP might know more.
andy
---------------------------------------------------------------------------
" .sigs are like your face - rarely seen by you and uglier than you think"
Dr Andy Piper, Technical Architect, Parallax Solutions Ltd
mail: andyp(a)parallax.co.uk web: www.parallax.co.uk/~andyp
midnight
Netscape have defined a way of circumventing these restrictions by
tunnelling connections through HTTP. See
That makes a lot of sense (especially if the HTTP server does
authentication, which I don't see any support for in your patch).
I've added your patch to http://www.cyclic.com/cvs/dev-net.html
When I try to access this URL, I get "file not found".
It adheres to HACKING so I hope it can be incorporated in the main
development tree.
Well, there are lots of things to think about before then (for
example, whether there are other ways to interface this kind of
functionality to the CVS client, such as port forwarding). But
sending in the patch and getting it on our web page is a good first
step. I'd encourage people who need this to try out the patched CVS
and provide feedback.
5:24 p.m.
At 19:00 05/01/99 -0500, Jim Kingdon wrote:
> Netscape have defined a way of circumventing these restrictions
by
> tunnelling connections through HTTP. See
That makes a lot of sense (especially if the HTTP server does
authentication, which I don't see any support for in your patch).
No
I've added your patch to http://www.cyclic.com/cvs/dev-net.html
Thanks.
> http://home.netscape.com/newsref/std/tunneling_ssl.html.
When I try to access this URL, I get "file not found".
It appears to have been recently removed. It was there over christmas.
Well, there are lots of things to think about before then (for
example, whether there are other ways to interface this kind of
functionality to the CVS client, such as port forwarding). But
sending in the patch and getting it on our web page is a good first
step. I'd encourage people who need this to try out the patched CVS
and provide feedback.
Thanks
andy
---------------------------------------------------------------------------
" .sigs are like your face - rarely seen by you and uglier than you think"
Dr Andy Piper, Technical Architect, Parallax Solutions Ltd
mail: andyp(a)parallax.co.uk web: www.parallax.co.uk/~andyp
9251
days inactive
9253
days old
5 comments
4 participants
participants (4)
-
Andy Piper -
Jim Kingdon -
Kay Schulz -
Kyle Jones