[Savannah-cvs] [CvsFromBehindFirewall] (edit) convert to rst + fix typos
From: Beuc
Subject: [Savannah-cvs] [CvsFromBehindFirewall] (edit) convert to rst + fix typos
Date: Wed, 08 Jul 2009 23:42:06 +0000
??changed:
-
- CVS member access can be done on cvs.sv.gnu.org:22 and download.sv.gnu.org:443
- (without long-term warranty for the latter).
-
- Anonymous CVS can be done on cvs.sv.gnu.org:2401. As long as you have
'CONNECT'
- privileges on the proxy, it should work, even if the
- connection is not TLS (eg. cvs pserver is not crypted).
=========
CVS member access can be done on cvs.sv.gnu.org:22 and download.sv.gnu.org:443
(without long-term warranty for the latter).
Anonymous CVS can be done on cvs.sv.gnu.org:2401. As long as you have 'CONNECT'
privileges on the proxy, it should work, even if the
connection is not TLS (eg. cvs pserver is not crypted).
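Review bot: the last line of this hunk still carries the typos the edit set out to fix: "eg." should be "e.g." and "crypted" should be "encrypted" ("e.g. cvs pserver is not encrypted"). The sentence also needs a qualifier on substance: whether CONNECT to cvs.sv.gnu.org:2401 works depends on the proxy's policy, and many HTTP proxies (Squid's default ACLs, for instance) only permit CONNECT to port 443, so "as long as you have 'CONNECT' privileges" should read "CONNECT privileges for port 2401". Because pserver sends the password only trivially scrambled and the rest of the session in the clear, the text is right to offer it for anonymous access only; it is worth saying explicitly that it must not be used for member access.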
??changed:
-
- First, this documentation is *complainware*. It means that you
==============
First, this documentation is *complainware*. It means that you
??changed:
- 1. First, systems like Tor (http://tor.eff.org/) can be used,
- at the price of a decreased connection speed, to redirect your traffic
- to any public computer, and any port, provided you have outgoing
- access to port 80 (http) and 443 (https) - which anybody should have
- whatever their setup. Unlike what we stated in a previous version of this
document, Tor now does work from behind either a firewall or a proxy.
-
- Therefore, limiting outgoing traffic with per-protocol rules cannot
- be effectively done. Moreover, a lot of websites now use HTTPs, a
- secure, encrypted protocol that encapsulates HTTP. That means it is
- not possible for the firewall to tell anything more than the fact it
- is SSL-encrypted traffic, and cannot try to analyse the packers to
- discover what the user is actually doing. Preventing HTTPs traffic is
- not an option, unless the system administrator wants to prevent access
- to all e-commerce websites, as well as websites that only use HTTPs
- such as Gna! (https://gna.org/).
-
-
- 1. The other way to bypass a restrictive setup requires a bit of
- work from the remote host administrators. Basically he opens the same
-[7 more lines...]
1. First, systems like Tor (http://tor.eff.org/) can be used,
at the price of a decreased connection speed, to redirect your traffic
to any public computer, and any port, provided you have outgoing
access to port 80 (http) and 443 (https) - which anybody should have
whatever their setup. Unlike what we stated in a previous version of this
document,
Tor now does work from behind either a firewall or a proxy.
Therefore, limiting outgoing traffic with per-protocol rules cannot
be effectively done. Moreover, a lot of websites now use HTTPs, a
secure, encrypted protocol that encapsulates HTTP. That means it is
not possible for the firewall to tell anything more than the fact it
is SSL-encrypted traffic, and cannot try to analyse the packers to
discover what the user is actually doing. Preventing HTTPs traffic is
not an option, unless the system administrator wants to prevent access
to all e-commerce websites, as well as websites that only use HTTPs
such as Gna! (https://gna.org/).
2. The other way to bypass a restrictive setup requires a bit of
work from the remote host administrators. Basically he opens the same
service but on port 443 (https). This removes the proxy and speed
limitation from the above. This is used, for example, by OVH (see
http://help.ovh.com/EmailConfigurationAOLouTELE2/) so that people can
send mail even if their ISP block port 25 (smtp). We also setup CVS
over SSH on port 443 (https) in addition to port 22 (ssh) to allow
people to access our CVS repositories.
Note: we implemented that method, without warranty, for project member SSH
access only - not anonymous access. Anonymous access is available via *pserver*
which ought to be available to you, just like HTTP.
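Review bot: "analyse the packers" should be "analyse the packets" (the typo survived the typo-fix pass), "HTTPs" should be "HTTPS", and "Basically he opens" should be "the administrator opens" since no person has been introduced. The claim that a firewall "cannot tell anything more than the fact it is SSL-encrypted traffic" is also too strong and should be narrowed to URLs and content: an HTTP proxy sees the destination host and port in every CONNECT request, the TLS handshake exposes the server name (SNI) and, in TLS versions up to 1.2, the server certificate in the clear, and a corporate proxy that installs its own CA on client machines can decrypt HTTPS outright. Suggested wording: "cannot see which URLs are requested or what the session contains, although the destination host remains visible".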
??changed:
-
- (check http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#SSHtorify
===
(check http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#SSHtorify
??changed:
-FascistFirewall 1
-FirewallPorts 80,443
-##If you use a proxy:
-#HttpProxy yourproxyhost
-#HttpsProxy yourproxyhost
-EOF
#FascistFirewall 1
ReachableAddresses *:80,*:443
FirewallPorts 80,443
##If you use a proxy:
#HttpProxy yourproxyhost:port
#HttpsProxy yourproxyhost:port
EOF
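Review bot: with `#FascistFirewall 1` commented out, the `FirewallPorts 80,443` line that follows is dead configuration, because Tor only consults FirewallPorts when FascistFirewall is set, and the option is deprecated in favour of ReachableAddresses in any case; `ReachableAddresses *:80,*:443` alone expresses the intent, so drop the FirewallPorts line rather than ship a torrc with a no-op in it. The proxy lines are correct in `host:port` form; it would help readers to add a comment that HttpProxy/HttpsProxy only route Tor's own outbound connections through the proxy, while the SOCKS port Tor exposes stays on localhost.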
??changed:
-Host cvs.savannah.gnu.org
- ProxyCommand connect -S localhost:9050 %h %p
-EOF
Host cvs.savannah.gnu.org
ProxyCommand connect -S localhost:9050 %h %p
EOF
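Review bot: `ProxyCommand connect -S localhost:9050 %h %p` is the right shape for Tor, but the page should say how the hostname is resolved: if `connect` looks up cvs.savannah.gnu.org locally before handing the address to the SOCKS proxy, that DNS query leaks the destination to the monitored network and defeats the purpose of using Tor; `connect` accepts `-R remote` to force resolution on the SOCKS side (SOCKS5 carries hostnames), and the page should state it. Since the session is now relayed by third parties, the page should also tell readers to compare the SSH host key fingerprint shown on first connection with the one Savannah publishes instead of accepting it blindly.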
??changed:
- cvs -d:ext:<i>username</i>@cvs.savannah.gnu.org/cvsroot/<i>project</i> co
<i>module</i>
- ...
cvs -d:ext:address@hidden/cvsroot/PROJECT co MODULE
...
??changed:
-
- ***Note***: this was cvs.sv.gnu.org, but we needed that port for https, so
it's currently moved to another IP.
=============================
??changed:
- ProxyCommand connect -H <i>proxyhost</i>:<i>proxyport</i> %h %p
- EOF
ProxyCommand connect -H PROXYHOST:PROXYPORT %h %p
EOF
??changed:
-#!/bin/sh
-exec ssh -p 443 $*
-EOF
#!/bin/sh
exec ssh -p 443 $*
EOF
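Review bot: `exec ssh -p 443 $*` should be `exec ssh -p 443 "$@"`; unquoted `$*` re-splits every argument on whitespace, so any argument CVS passes that contains a space (a path, or a remote command with options) arrives at ssh as several arguments. A one-line comment stating what the wrapper is for (presumably to be named in CVS_RSH in place of plain ssh) would also help, since the script appears with no explanation.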
++added:
===============
??changed:
-
- It is pretty easy to make any redirection by your own means. Buy a minimal
virtual server for you and you collegues (as cheap as 9 USD per month), so you
control an external IP, and use the 'redir' (or 'stunnel') tool to redirect
port 443 to any plain or crypted port you want. To redirect traffic from
you.somehosting.net (port 443) to cvs.savannah.gnu.org (22)::
=====================
It is pretty easy to make any redirection by your own means. Buy a minimal
virtual server for you and you collegues (as cheap as 9 USD per month), so you
control an external IP, and use the 'redir' (or 'stunnel') tool to redirect
port 443 to any plain or crypted port you want. To redirect traffic from
you.somehosting.net (port 443) to cvs.savannah.gnu.org (22)::
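Review bot: "collegues" should be "colleagues". On substance, the two tools named are not interchangeable and "'redir' (or 'stunnel')" needs a sentence of explanation: `redir` forwards raw TCP, so port 443 on the server simply carries the SSH stream on to cvs.savannah.gnu.org:22 and end-to-end SSH encryption still protects it (the relay host sees only that a connection was made, unless the client skips host-key checking, in which case it could impersonate the CVS server); `stunnel` wraps the stream in TLS, which only makes sense with a matching stunnel client on the user's side, so either describe that setup or drop the mention. It is also worth stating that whoever runs the virtual server sees every connection and must be trusted accordingly.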
??changed:
-
- All those methods are based on a single feature: when https access is
allowed, there's no way to analyse the (encrypted) traffic. In particular,
URL-based filtering doesn't work with https. So you can do whatever you want on
remote port 443.
-
- However, I've already seen networks where https was simply disallowed,
probably for that reason. Only port 80 was available and thus the only choice
available to you was: talk the network administrator into allowing outgoing CVS
access.
-
- So don't believe those tricks can work in the long term. Some admins are
already blocking Tor nodes, disabling port 443 is just the next step. The only
real work around is talking with your system administrator.
==============
All those methods are based on a single feature: when https access is allowed,
there's no way to analyse the (encrypted) traffic. In particular, URL-based
filtering doesn't work with https. So you can do whatever you want on remote
port 443.
However, I've already seen networks where https was simply disallowed, probably
for that reason. Only port 80 was available and thus the only choice available
to you was: talk the network administrator into allowing outgoing CVS access.
So don't believe those tricks can work in the long term. Some admins are
already blocking Tor nodes, disabling port 443 is just the next step. The only
real work around is talking with your system administrator.
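Review bot: "there's no way to analyse the (encrypted) traffic" overstates the case and the conclusion should say so: SSH on port 443 is not HTTPS, the first bytes of the session are the clear-text `SSH-2.0-` banner, so a protocol-aware firewall or proxy can tell it from a TLS handshake without decrypting anything and block it while leaving real HTTPS alone; likewise a corporate proxy that installs its own CA can inspect HTTPS itself. Both points support, rather than undercut, the page's own conclusion that talking to the administrator is the only durable option, so they belong here. Also, "work around" as a noun should be "workaround".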
++added:
====
--
forwarded from
https://savannah.gnu.org/maintenance/address@hidden://savannah.gnu.org/maintenance