On Thursday 07 May 2009, Steve wrote:
> Anthony Metcalf wrote:
> > *That* depends on the exact specifics of what he is/isn't allowed to
> > be showing....."They" may not even want the service to show as
> > existing at that address for whatever reason.
>
> Thanks for all your discussion... I'll try to clarify - the PPP over
> SSH approach does seem to offer the best compromise.
>
> I've a development site which hosts https and http services for existing
> applications both remotely and locally. I'm developing an entirely new
> https service under Apache and want to be absolutely sure that I get no
> unexpected interactions between configurations for "live" services and
> the experimental in-development service - and I definitely don't want a
> random member of the public stumbling across the in-development site -
> which might expose unacceptable vulnerabilities as rough-cuts of code
> are trialled.

Have your development https service set up as a virtual host on a webroot of your choice, listening to a random port and also set up user authentication for the webroot fs. In this way, whether accessed via the Internet or LAN, visitors will need to know the port to connect to and will also have to provide suitable credentials.

You can even control access to parts of the development https fs using tags to define them and setting different user defined access to them. If you use AuthDigest you can also set separate realms if the fs is extensive and access requirements complex.

> It is entirely acceptable for any host on my LAN to access the
> in-development service. I want to allow collaborators to access the
> in-development service remotely over a SSH tunnel from their LAN, too
> (where I'm also not concerned about abuse...)

For collaboration setting DAV on is probably a better option as it uses lockfiles and won't have one developer overwriting (un)wittingly changes made by others.

> The snag I'm finding at the moment I'm sure I'll overcome... and relates
> to access from my LAN. While I can sort-of see how to establish a new
> device with a new IP address on the remote LAN (with SSH and pppd) I'm
> not sure how to establish a second IP address for my single Ethernet
> adaptor to make this work on my LAN (though I'm sure it is do-able...)

An adaptor can have more than one public IP address (multi-homing) and you can use something like:

    ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0 up

to set them up (increment eth0:1, eth0:2, etc accordingly).

However, if your SSL vhost is listening on a random port you don't need binding of many addresses to one NIC. You can use the same IP address.

> I'm also curious to discover if there is a neat Gentooish way to
> establish my two instances of Apache. I'm broadly familiar to doing
> this a hackish way - but I'd prefer it plays nicely with any emerge
> updates.

Other than vhost I guess you can run a second instance by reading section 5 here (but I'm not sure you need to do that anyway):

http://www.gentoo.org/proj/en/php/php4-php5-configuration.xml

-- 
Regards,
Mick
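
The vhost layout suggested in the reply above, written out as an added example that is not part of the original message: an SSL virtual host on its own port with digest authentication and a second realm for one sub-tree. The port 8443, the hostname, all file paths, the realm names and the user "alice" are assumptions, as is the use of `<Directory>` sections to mark off the parts of the tree.

```apache
# Added example; port, hostname, paths, realm names and users are assumptions.
# Requires mod_ssl and mod_auth_digest to be loaded.
Listen 8443

<VirtualHost *:8443>
    ServerName dev.example.org
    DocumentRoot "/var/www/dev/htdocs"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/apache2/dev.crt"
    SSLCertificateKeyFile "/etc/ssl/apache2/dev.key"

    # Whole development tree: any account defined for the "dev-site" realm.
    <Directory "/var/www/dev/htdocs">
        AuthType Digest
        AuthName "dev-site"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/dev.htdigest"
        Require valid-user
    </Directory>

    # Sub-tree with its own realm and a narrower user list.
    <Directory "/var/www/dev/htdocs/admin">
        AuthType Digest
        AuthName "dev-admin"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/dev.htdigest"
        Require user alice
    </Directory>
</VirtualHost>
```

Accounts are created per realm with `htdigest /etc/apache2/dev.htdigest dev-site alice` (add `-c` the first time to create the file), so a user who needs both areas gets one entry for each realm.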