Reverse Proxying
You can use OpenSSH to reverse proxy to HGKeeper's SSH server. There are several reasons you may want to do this: you don't want to expose HGKeeper directly to your network or the internet, you want to use your existing OpenSSH server so clients don't need to specify a different port, or maybe you have another reason we haven't thought of.
Once you have set up either a standalone or standalone container instance, you can proxy it through an OpenSSH server in a few steps.
Prerequisites
For this to work, you will need to specify the --external-hostname argument via the command line or its environment variable counterpart. If you're running on a port other than 22222, you'll need to do the same with --external-port. The OpenSSH server connects to HGKeeper using these values (that is what the known_hosts entry below is for), so they must resolve and be reachable from the machine running OpenSSH, not just from your workstation.
You will also need curl installed on the machine running the OpenSSH Server.
Create The hg User
You can name this user whatever you like, but for the sake of simplicity we will just be using hg here. We are also going to create an hg group to make sure file permissions remain tight. For most Linux/BSD distributions, you can create the hg user and group with the following commands:
sudo groupadd --system hg
sudo useradd --home-dir /var/lib/hg --create-home --system --gid hg --shell /bin/sh hg
This is the username that clients will specify when connecting to the OpenSSH Server, and it is the account whose Match block (below) tells the server how to serve Mercurial repositories.
NOTE: This user must have a valid and usable login shell; OpenSSH runs the command associated with a key through the account's shell, so /usr/sbin/nologin or /bin/false will not work. The --shell /bin/sh above makes this explicit. If the shell is not usable you will get mysterious and difficult-to-debug failures.
SSH Known Hosts
Before we update the OpenSSH Server to do the remote proxy, we need to store HGKeeper's public host keys in the hg user's known_hosts file. The easiest way to do this is to open a shell as the hg user and use ssh-keyscan to acquire the keys.
You can use the following commands to accomplish this. Make sure to swap in the proper values for <external-hostname> and <external-port> for your environment. The ~/.ssh directory does not exist yet for a freshly created user, so create it first.
sudo su hg
mkdir -p ~/.ssh && chmod 700 ~/.ssh
ssh-keyscan -H -p <external-port> <external-hostname> | tee -a ~/.ssh/known_hosts
ssh-keygen -lf ~/.ssh/known_hosts
ssh-keyscan trusts whatever answers on that port, so compare the fingerprints printed by the last command against the host keys on the HGKeeper machine before relying on them.
Configuring OpenSSH Server
Configuring OpenSSH Server is very straightforward. All we need to do is drop the following snippet into /etc/ssh/sshd_config. Everything after a Match line belongs to that block until the next Match line or the end of the file, so put the snippet at the end of the file, after any non-Match directives. Of course, if you customized the hg username you will have to adjust the snippet.
You may be able to use /etc/ssh/sshd_config.d/hgkeeper.conf, but in our testing on Debian unstable we were unable to get it working properly. If you have some pointers here, we'd love to hear them!
In the following snippet, be sure to replace <external-hostname>, <external-http-port>, and the hg user with the proper values for your environment.
Match User hg
    AuthorizedKeysCommand /usr/bin/curl -q --get --fail --silent --show-error --max-time 10 --data-urlencode "pubkey=%t %k" http://<external-hostname>:<external-http-port>/hgk/authorized_keys
    AuthorizedKeysCommandUser hg
    PasswordAuthentication no
A few things to keep in mind. sshd substitutes the key type and base64 key blob for %t and %k, and it requires the command to be an absolute path to a program owned by root that is not group- or world-writable, which /usr/bin/curl satisfies on a normal install. --fail keeps curl from handing an HTTP error page to sshd as if it were a key list, and --max-time stops an unreachable HGKeeper from stalling every login attempt. Finally, the endpoint is queried over plain HTTP on every authentication attempt; anyone who can tamper with that traffic can grant themselves access, so keep the path between the OpenSSH server and HGKeeper on a loopback or otherwise trusted network.
Once you've saved the file, check it with sudo sshd -t, and confirm the Match block applies to the account with sudo sshd -T -C user=hg (the output should include your AuthorizedKeysCommand). Then reload OpenSSH Server. This is usually done via sudo service ssh reload but will vary based on your operating system.
Testing
You should now be able to clone the hgkeeper administration repository through your existing OpenSSH Server. You can use the following command to verify that everything has been set up correctly, replacing example.com with the hostname of your OpenSSH Server:
hg clone ssh://hg@example.com/hgkeeper
If the repository cloned, you are good to go!
If that didn't work, check the logs from your OpenSSH Server (sshd reports a failing AuthorizedKeysCommand there) as well as your HGKeeper instance, run ssh -v hg@example.com from the client to see which key is offered and whether it is accepted, and double-check your configuration.
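When the clone fails, the quickest way to find out which half is broken is to repeat, by hand, the two lookups sshd performs for the hg account: that the account has a usable login shell, and that the authorized_keys endpoint returns the client's key when queried as the AuthorizedKeysCommandUser. The script below is an added example, not part of HGKeeper or of this page; it assumes the layout above (the proxy account is named hg, the endpoint is /hgk/authorized_keys on <external-hostname>:<external-http-port>), and the key and response it checks itself against are constructed strings, not real keys.

```shell
#!/bin/sh
# check_hgkeeper_proxy.sh: troubleshooting helpers for the OpenSSH -> HGKeeper
# proxy. Added example, not HGKeeper's own code. Assumes the setup from this
# page: the proxy account is "hg" and the endpoint path is /hgk/authorized_keys.

# Print "<type> <base64>", which is what sshd substitutes for %t and %k when it
# runs AuthorizedKeysCommand. $1 is a public key line (e.g. from id_ed25519.pub);
# only the first line is used and any trailing comment is dropped.
key_tokens() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1, $2 }'
}

# Succeed if the authorized_keys text in $2 lists the key in $1 ("<type> <base64>").
# An authorized_keys line may carry options (command="...", no-pty, ...) before
# the key type, and an option value may contain spaces, so look for the
# type/blob pair anywhere on the line rather than only in the first two fields.
response_grants_key() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^#/ || NF < 2 { next }
        {
            for (i = 1; i < NF; i++)
                if (($i " " $(i + 1)) == k) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Succeed if the login shell in a passwd entry ($1, "name:x:uid:gid:gecos:home:shell")
# is one sshd can use to run the command associated with the hg account's keys.
shell_is_usable() {
    shell="${1##*:}"
    case "$shell" in
        ""|*/nologin|*/false) return 1 ;;
    esac
    return 0
}

# Query the endpoint exactly as sshd will: as the AuthorizedKeysCommandUser,
# with the key's type and blob URL-encoded into the query string.
# Usage: fetch_authorized_keys <external-hostname> <external-http-port> <pubkey-file>
fetch_authorized_keys() {
    tokens="$(key_tokens "$(cat "$3")")"
    sudo -u hg /usr/bin/curl -q --get --fail --silent --show-error --max-time 10 \
        --data-urlencode "pubkey=$tokens" "http://$1:$2/hgk/authorized_keys"
}

# Constructed sample data (not real keys) for the offline self-check below.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey alice@laptop'
SAMPLE_RESPONSE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey alice@laptop'

if [ "$#" -eq 3 ]; then
    # Live run on the OpenSSH host:
    #   ./check_hgkeeper_proxy.sh <external-hostname> <external-http-port> /path/to/id_ed25519.pub
    shell_is_usable "$(getent passwd hg)" || echo "hg has no usable login shell" >&2
    resp="$(fetch_authorized_keys "$1" "$2" "$3")" || { echo "endpoint query failed" >&2; exit 1; }
    if response_grants_key "$(key_tokens "$(cat "$3")")" "$resp"; then
        echo "HGKeeper returned this key; sshd will accept it for user hg"
    else
        echo "HGKeeper did not return this key; register it with HGKeeper first" >&2
        exit 1
    fi
elif [ "$#" -eq 0 ]; then
    # Offline self-check against the constructed sample data.
    response_grants_key "$(key_tokens "$SAMPLE_PUB")" "$SAMPLE_RESPONSE" \
        && echo "self-check: sample key matched sample response"
fi
```

Run it as root on the OpenSSH host with the same <external-hostname> and <external-http-port> you put in sshd_config. If the endpoint returns nothing for the key, sshd rejects the login before HGKeeper ever sees an SSH connection, which the client reports as "Permission denied (publickey)"; if the key is returned but the clone still fails, the problem is on the HGKeeper side (the known_hosts entry, --external-hostname/--external-port, or the hg user's shell).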