Server upgrade: Debian 9

The author selected the Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.

Introduction

Private networks generally provide internet access to the hosts using NAT (network address translation), sharing a single public IP address with all hosts inside the private network. In NAT systems, the hosts inside the private network are not visible from outside the network. To expose services running on these hosts to the public internet, you would usually create NAT rules in the gateway, commonly called port forwarding rules. In several situations, though, you wouldn’t have access to the gateway to configure these rules. For situations such as this, tunneling solutions like PageKite come in handy.

PageKite is a fast and secure tunneling solution that can expose a service inside a private network to the public internet without the need for port forwarding. To do this, it relies on an external server, called the front-end server, to which the server behind NAT and the clients connect to allow communication between them. By default, PageKite uses its own commercial pagekite.net service, but as it is a completely open-source project, it allows you to set up a private frontend on a publicly accessible host, such as a DigitalOcean Droplet. With this setup, you can create a vendor-independent solution for remote access to hosts behind NAT. By configuring the remote hosts with the PageKite client to connect to the frontend and exposing the SSH port, it is possible to access them via the command line interface shell using SSH. It’s also possible to access a graphical user interface using a desktop sharing system such as VNC or RDP running over an SSH connection.

In this tutorial, you will install and set up a PageKite front-end service on a server running Debian 9. You will also set up two more Debian 9 servers to simulate a local and a remote environment. When you’re finished, you will have set up a server for multiple clients, and tested it with a practical solution for remote access using SSH and VNC.

Prerequisites

Before following this guide you’ll need the following:

  • A DigitalOcean account to set up the Droplets that will be used in the tutorial.

  • A server running Debian 9 with a public IP address to act as the front-end server, set up according to the Initial Server Setup with Debian 9 guide. A standard DigitalOcean Droplet with 1GB of memory is enough for testing purposes or for applications with a few connections. We’ll refer to this server by the host name front-end-server and its public IP address by Front_End_Public_IP.

  • Two hosts running Debian 9, which will play the role of a remote and local host that will connect using the PageKite service, set up according to the Initial Server Setup with Debian 9 guide. The remote host, with internet access through NAT, will be accessed by the local host using a PageKite tunnel. Remote and local hosts will be referred to by the host names remote-host and local-host and their public IP addresses by Remote_Host_Public_IP and Local_Host_Public_IP respectively. This tutorial will use two standard DigitalOcean Droplets with 1GB of memory to represent them. Alternatively, two local or virtual machines could be used to represent these hosts.

  • A fully registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.

  • Both of the following DNS records set up for your server. You can follow this introduction to DigitalOcean DNS for details on how to add them.

    • An A record with pagekite.your_domain pointing to the IP address of the front-end-server.

    • We also need to set up DNS so that every domain ending with pagekite.your_domain also points to our front-end-server. This can be set up using wildcard DNS entries. In this case, create an A record for the wildcard DNS entry *.pagekite.your_domain pointing to the same IP address, Front_End_Public_IP. This will be used to distinguish the clients that connect to our server by domain name (client-1.pagekite.your_domain and client-2.pagekite.your_domain, for example) and tunnel the requests appropriately.

  • A VNC client installed on your local machine.

    • On Windows, you can use TightVNC, RealVNC, or UltraVNC.

    • On macOS, you can use the built-in Screen Sharing program, or can use a cross-platform app like RealVNC.

    • On Linux, you can choose from many options, including vinagre, krdc, RealVNC, or TightVNC.

Step 1 — Setting Up the Servers

In this tutorial, we are going to use three DigitalOcean Droplets to play the role of front-end-server, local-host, and remote-host. To do this, we will first set the local-host and remote-host up to have access to the graphical environment and to mimic the behavior of a remote-host under NAT, so that PageKite can be used as a solution to access its services. Besides that, we also need to configure the front-end-server Droplet firewall rules to allow it to work with PageKite and intermediate the connection between local-host and remote-host.

As we are going to work with multiple servers, we’re going to use different colors in the command listings to identify which server we are using, as follows:

  • # Commands and outputs in the front-end-server Droplet
  • # Commands and outputs in the remote-host Droplet
  • # Commands and outputs in the local-host Droplet
  • # Commands and outputs in both the remote-host and local-host Droplets

Let’s first go through the steps for both remote-host and local-host Droplets, to install the dependencies and set up access to the graphical environment using VNC. After that, we will cover the firewall configuration in each of the three Droplets to allow the front-end-server to run PageKite and mimic a connection using NAT on remote-host.

Installing Dependencies

We will need access to the graphical interface on both local-host and remote-host hosts to run through this demonstration. On local-host, we will use a VNC session to access its graphical interface and test our setup using the browser. On remote-host, we will set up a VNC session that we will access from local-host.

To set up VNC, first we need to install some dependencies on local-host and remote-host. But before installing any package, we need to update the package list of the repositories, by running the following on both servers:

  • sudo apt-get update

Next, we install the VNC server and a graphical user environment, which is needed to start a VNC session. We will use the Tight VNC server and the Xfce desktop environment, which can be installed by running:

  • sudo apt-get install xfce4 xfce4-goodies tightvncserver

In the middle of the graphical environment installation, we’ll be asked about the keyboard layout we wish to use. For a QWERTY US keyboard, select English (US).

In addition to these, on local-host we’re going to need a VNC viewer and an internet browser to be able to perform the connection to remote-host. This tutorial will install the Firefox web browser and the xtightvncviewer. To install them, run:

  • sudo apt-get install firefox-esr xtightvncviewer

When a graphical environment is installed, the system initializes in graphical mode by default. By using the DigitalOcean console, it is possible to visualize the graphical login manager, but it is not possible to log in or to use the command line interface. In our setup, we are mimicking the network behavior as if we were using NAT. To do this, we will need to use the DigitalOcean console, since we won’t be able to connect using SSH. Therefore, we need to disable the graphical user interface from automatically starting on boot. This can be done by disabling the login manager on both servers:

  • sudo systemctl disable lightdm.service

After disabling the login manager, we can restart the Droplets and test if we can log in using the DigitalOcean console. To do that, run the following:

  • sudo shutdown -r now

Next, access the DigitalOcean console by navigating to the Droplet page in the DigitalOcean Control Panel, selecting your local-host Droplet, and clicking on the word Console in the top right corner, near the switch to turn the Droplet on and off:

Once you press enter in the console, you will be prompted for your username and password. Enter these credentials to bring up the command line prompt:

Once you have done this for the local-host, repeat for the remote-host.

With the console up for both Droplets, we can now set up the VNC.

Setting Up VNC

Here, we will put together a basic VNC setup. If you would like a more in-depth guide on how to set this up, check out our How to Install and Configure VNC on Debian 9 tutorial.

To start a VNC session, run the following on both local-host and remote-host Droplets:

  • vncserver

On the first run, the system will create the configuration files and ask for the main password. Input your desired password, then verify it. The VNC server will also ask for a view-only password, used for viewing another user’s VNC session. As we won’t need a view-only VNC session, type n for this prompt.

The output will look similar to this:

Output
sammy@remote-host:/home/sammy$ vncserver

You will require a password to access your desktops.

Password:
Verify:
Would you like to enter a view-only password (y/n)? n
xauth:  file /home/sammy/.Xauthority does not exist

New 'X' desktop is remote-host:1

Creating default startup script /home/sammy/.vnc/xstartup
Starting applications specified in /home/sammy/.vnc/xstartup
Log file is /home/sammy/.vnc/remote-host:1.log

The :1 after the host name represents the number of the VNC session. By default, the session number 1 is run on port 5901, session number 2 on port 5902, and so on. Following the previous output, we can access remote-host by using a VNC client to connect to Remote_Host_Public_IP on port 5901.

One problem of the previous configuration is that it is not persistent, which means it won’t be started by default when the Droplet is restarted. To make it persistent, we can create a Systemd service and enable it. To do that, we will create the vncserver@.service file under /etc/systemd/system, which can be done using nano:

  • sudo nano /etc/systemd/system/vncserver@.service

Place the following contents in the file, replacing sammy with your username:

/etc/systemd/system/vncserver@.service
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=sammy
PAMName=login
PIDFile=/home/sammy/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target

This file creates a vncserver Systemd unit, which can be configured as a system service using the systemctl tool. In this case, when the service is started, it kills the VNC session if it is already running (line ExecStartPre) and starts a new session using the resolution set to 1280x800 (line ExecStart). When the service is stopped, it kills the VNC session (line ExecStop).

Save the file and quit nano. Next, we’ll make the system aware of the new unit file by running:

  • sudo systemctl daemon-reload

Then, enable the service to be automatically started when the server is initialized by running:

  • sudo systemctl enable vncserver@1.service

When we use the enable command with systemctl, symlinks are created so that the service is started automatically when the system is initialized, as informed by the output of the previous command:

Output
Created symlink /etc/systemd/system/multi-user.target.wants/vncserver@1.service → /etc/systemd/system/vncserver@.service.

With the VNC server properly configured, we may restart the Droplets to test if the service is automatically started:

  • sudo shutdown -r now

After the system initializes, log in using SSH and check if VNC is running with:

  • sudo systemctl status vncserver@1.service

The output will indicate the service is running:

Output
● vncserver@1.service - Start TightVNC server at startup
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-29 19:21:12 UTC; 1h 22min ago
  Process: 848 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
  Process: 760 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
 Main PID: 874 (Xtightvnc)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
           ‣ 874 Xtightvnc :1 -desktop X -auth /home/sammy/.Xauthority -geometry 1280x800 -depth 24 -rfbwait

Aug 29 19:21:10 remote-host systemd[1]: Starting Start TightVNC server at startup...
Aug 29 19:21:10 remote-host systemd[760]: pam_unix(login:session): session opened for user sammy by (uid=0)
Aug 29 19:21:11 remote-host systemd[848]: pam_unix(login:session): session opened for user sammy by (uid=0)
Aug 29 19:21:12 remote-host systemd[1]: Started Start TightVNC server at startup.

This finishes the VNC configuration. Remember to follow the previous steps on both remote-host and local-host. Now let’s cover the firewall configurations for each host.

Configuring the Firewall

Starting with the remote-host, we will configure the firewall to deny external connections to the Droplets’ services to mimic the behavior from behind NAT. In this tutorial, we are going to use port 8000 for HTTP connections, 22 for SSH, and 5901 for VNC, so we will configure the firewall to deny external connections to these ports.

By following the initial setup for Debian 9, remote-host will have a firewall rule to allow connections to SSH. We can review this rule by running:

  • sudo ufw status verbose

The output will be the following:

Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

Remove these SSH rules to mimic the behavior behind NAT.

Warning: Closing port 22 means you will no longer be able to use SSH to remotely log in to your server. For Droplets, this is not a problem because you can access the server’s console via the DigitalOcean Control Panel, as we did at the end of the Installing Dependencies section of this step. However, if you are not using a Droplet, be careful: closing off port 22 could lock you out of your server if you have no other means of accessing it.

To deny SSH access, use ufw and run:

  • sudo ufw delete allow OpenSSH

We can verify the SSH rules were removed by checking the status of the firewall again:

  • sudo ufw status verbose

The output will show no firewall rules, as in the following:

Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

Although the firewall is configured, the new configuration is not running until we enable it with:

  • sudo ufw enable

After enabling it, note that we won’t be able to access remote-host via SSH anymore, as mentioned in the output of the command:

Output
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Log out of the remote-host, then test the configuration by trying to establish an SSH or a VNC connection. It will not be possible. From now on, we may access remote-host exclusively by the DigitalOcean console.

On local-host, we will leave the SSH ports open. We only need one firewall rule to allow access to the VNC session:

  • sudo ufw allow 5901

After modifying the firewall rules, enable it by running:

  • sudo ufw enable

Now we may test the VNC connection using the prerequisite VNC client on your local machine to connect to local-host on port 5901 using the VNC password you’ve set up.

To do this, open up your VNC client and connect to Local_Host_Public_IP:5901. Once you enter the password, you will connect to the VNC session.

Note: If you have trouble connecting to the VNC session, restart the VNC service on local-host with sudo systemctl restart vncserver@1 and try to connect again.

On its first start, Xfce will ask about the initial setup of the environment:

For this tutorial, select the Use default config option.

Finally, we need to allow connections to port 80 on the front-end-server, which will be used by PageKite. Open up a terminal on front-end-server and use the following command:

  • sudo ufw allow 80

Additionally, allow traffic on port 443 for HTTPS:

  • sudo ufw allow 443

To enable the new firewall configuration, run the following:

  • sudo ufw enable

Now that we’ve set up the Droplets, let’s configure the PageKite front-end server.

Step 2 — Installing PageKite on the Front-End Server

Although it is possible to run PageKite using a Python script to set up the front-end server, it is more reliable to run it using a system service. To do so, we will need to install PageKite on the server.

The recommended way to install a service on a Debian server is to use a distribution package. This way, it is possible to obtain automated updates and configure the service to start up on boot.

First, we will configure the repository to install PageKite. To do that, update the package list of the repositories:

  • sudo apt-get update

Once the update is done, install the package dirmngr, which is necessary to support the key-ring import from the PageKite repository to ensure a secure installation:

  • sudo apt-get install dirmngr

Next, add the repository to the /etc/apt/sources.list file, by running:

  • echo deb http://pagekite.net/pk/deb/ pagekite main | sudo tee -a /etc/apt/sources.list

After setting up the repository, import the PageKite packaging key to our trusted set of keys, so that we can install packages from this repository. Packaging key management is done with the apt-key utility. In this case, we have to import the key AED248B1C7B2CAC3 from the key server keys.gnupg.net, which can be done by running:

  • sudo apt-key adv --recv-keys --keyserver keys.gnupg.net AED248B1C7B2CAC3

Next, update the package lists of the repositories again, so that the pagekite package gets indexed:

  • sudo apt-get update

Finally, install it with:

  • sudo apt-get install pagekite

Now that we have PageKite installed, let’s set up the front-end server and configure the service to run on boot.

Step 3 — Configuring the Front-End Server

The PageKite package we have just installed can be used to configure a connection to a PageKite front-end server. It can also be used to set up a front-end service to receive PageKite connections, which is what we want to do here. In order to do so, we have to edit PageKite’s configuration files.

PageKite stores its configuration files in the directory /etc/pagekite.d. The first change we have to do is disable all lines in the /etc/pagekite.d/10_account.rc file, since this file is only used when PageKite is set up as a client to connect to a front-end server. We can edit the file using nano:

  • sudo nano /etc/pagekite.d/10_account.rc

To disable the lines, add a # to disable the active lines of the file:

/etc/pagekite.d/10_account.rc
#################################[ This file is placed in the Public Domain. ]#
# Replace the following with your account details.
# kitename   = NAME.pagekite.me
# kitesecret = YOURSECRET

# Delete this line!
# abort_not_configured

After making the changes, save them and quit nano. Next, edit the file /etc/pagekite.d/20_frontends.rc:

  • sudo nano /etc/pagekite.d/20_frontends.rc

Add the following highlighted lines to the file and comment out the defaults line, making sure to replace your_domain with the domain name you are using and examplepassword with a password of your choice:

/etc/pagekite.d/20_frontends.rc
#################################[ This file is placed in the Public Domain. ]#
# Front-end selection
#
# Front-ends accept incoming requests on your behalf and forward them to
# your PageKite, which in turn forwards them to the actual server.  You
# probably need at least one, the service defaults will choose one for you.

# Use the pagekite.net service defaults.
# defaults

# If you want to use your own, use something like:
#     frontend = hostname:port
# or:
#     frontends = COUNT:dnsname:port

isfrontend
ports=80,443
protos=http,https,raw
domain=http,https,raw:*.pagekite.your_domain:examplepassword
rawports=virtual

Let’s explain these lines one by one. First, to configure PageKite as a front-end server, we added the line isfrontend. To configure the ports on which the server will be listening, we added ports=80,443. We also configured the protocols PageKite is going to proxy. To use HTTP, HTTPS, and RAW (which is used by SSH connections), we add the line protos=http,https,raw. We also disable the defaults settings so that there are no conflicting configurations for the server.

Besides that, we configured the domain we are going to use for the front-end-server. For each client, a subdomain will be used, which is why we needed the DNS configurations in the Prerequisites section. We also set up a password that will be used to authenticate the clients. Using the placeholder password examplepassword, these configurations were done by adding the line domain=http,https,raw:*.pagekite.your_domain:examplepassword. Finally, we added an extra line in order to connect using SSH (which is not documented, as discussed here): rawports=virtual.

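The secret on the domain= line is the only thing that authenticates every client under *.pagekite.your_domain, so it should not stay as the examplepassword placeholder. As an added example (not code from the tutorial or from the PageKite project), the POSIX shell functions below generate a random secret, render a 20_frontends.rc containing the directives explained above, and check an existing file for the mistakes this section warns about: a missing directive, an active defaults line, or the placeholder secret left in place. The function names, the file layout and the use of od over /dev/urandom are this example's own assumptions.

```shell
#!/bin/sh
# Added example: render and validate a PageKite front-end configuration.
# Not part of the tutorial or of PageKite; function names are ours.

# Generate a client secret to use in place of "examplepassword". The secret is
# shared by every kite under the wildcard domain, so make it long and random.
gen_kite_secret() {
    # 24 random bytes, hex-encoded: 48 characters, safe for the rc syntax
    # (no colons, which separate the fields of the domain= directive).
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# Print a front-end rc file for DOMAIN and SECRET to stdout, with the
# pagekite.net "defaults" line commented out as the tutorial requires.
render_frontends_rc() {
    domain="$1"
    secret="$2"
    cat <<EOF
#################################[ This file is placed in the Public Domain. ]#
# Use the pagekite.net service defaults.
# defaults

isfrontend
ports=80,443
protos=http,https,raw
domain=http,https,raw:*.pagekite.${domain}:${secret}
rawports=virtual
EOF
}

# Return 0 when FILE holds every directive the front-end needs, the
# conflicting "defaults" line is commented out, and the placeholder secret
# is gone; otherwise report the first problem on stderr and return 1.
validate_frontends_rc() {
    file="$1"
    for directive in '^isfrontend$' '^ports=80,443$' '^protos=http,https,raw$' \
                     '^domain=http,https,raw:\*\.pagekite\.[^:]*:[^:]*$' \
                     '^rawports=virtual$'; do
        if ! grep -Eq "$directive" "$file"; then
            echo "missing directive matching $directive" >&2
            return 1
        fi
    done
    if grep -Eq '^[[:space:]]*defaults[[:space:]]*$' "$file"; then
        echo "'defaults' is still active; comment it out" >&2
        return 1
    fi
    if grep -q ':examplepassword$' "$file"; then
        echo "placeholder secret examplepassword still present" >&2
        return 1
    fi
    return 0
}
```

Usage on front-end-server: `render_frontends_rc your_domain "$(gen_kite_secret)" | sudo tee /etc/pagekite.d/20_frontends.rc`, then `validate_frontends_rc /etc/pagekite.d/20_frontends.rc` before restarting the service. Because the file now carries the shared secret, keep it from being world-readable, and record the generated secret somewhere safe: every client in Step 4 will need it.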

Save the file and quit nano. Restart the PageKite service, by running:

  • sudo systemctl restart pagekite.service

Then enable it to start on boot with:

  • sudo systemctl enable pagekite.service

Now that we have front-end-server running, let’s test it by exposing an HTTP port on remote-host and connecting to it from local-host.

Step 4 — Connecting to the Host Behind NAT

To test the front-end-server, let’s start an HTTP service on remote-host and expose it to the internet using PageKite, so that we can connect to it from local-host. Remember, we have to connect to remote-host using the DigitalOcean console, since we have configured the firewall to deny incoming SSH connections.

To start up an HTTP server for testing, we can use the Python 3 http.server module. Since Python is already installed even on the minimal Debian installation and http.server is part of the standard Python library, to start the HTTP server using port 8000 on remote-host we’ll run:

  • python3 -m http.server 8000 &

As Debian 9 still uses Python 2 by default, it is necessary to invoke Python by running python3 to start the server. The ending & character indicates for the command to run in the background, so that we can still use the shell terminal. The output will indicate that the server is running:

Output
sammy@remote-host:~$ python3 -m http.server 8000 &
[1] 1782
sammy@remote-host:~$ Serving HTTP on 0.0.0.0 port 8000 ...

Note: The number 1782 that appears in this output refers to the ID that was assigned to the process started with this command and may be different depending on the run. Since it is running in the background, we can use this ID to terminate (kill) the process by issuing kill -9 1782.


With the HTTP server running, we may establish the PageKite tunnel. A quick way to do this is by using the pagekite.py script. We can download it to remote-host running:


  • wget https://pagekite.net/pk/pagekite.py

After downloading it, mark it as executable by running:


  • chmod a+x pagekite.py

Note: Since PageKite is written in Python 2 and this is the current default version of Python in Debian 9, the preceding command works without errors. However, since the default Python is being progressively migrated to Python 3 in several Linux distributions, it may be necessary to alter the first line of the pagekite.py script so that it runs with Python 2 (setting it to #!/usr/bin/python2).


With pagekite.py available in the current directory, we can connect to front-end-server and expose the HTTP server on the domain remote-host.pagekite.your_domain by running the following, substituting your_domain and examplepassword with your own credentials:


  • ./pagekite.py --clean --frontend=pagekite.your_domain:80 --service_on=http:remote-host.pagekite.your_domain:localhost:8000:examplepassword


Let’s take a look at the arguments in this command:


  • --clean is used to ignore the default configuration.


  • --frontend=pagekite.your_domain:80 specifies the address of our frontend. Note we are using port 80, since we have set the front end to run on this port in Step 3.


  • In the last argument, --service_on=http:remote-host.pagekite.your_domain:localhost:8000:examplepassword, we set up the service we are going to expose (http), the domain we are going to use (remote-host.pagekite.your_domain), the local address and port where the service is running (localhost:8000 since we are exposing a service on the same host we are using to connect to PageKite), and the password to connect to the frontend (examplepassword).


Once this command is run, we will see the message Kites are flying and all is well displayed in the console. After that, we may open a browser window in the local-host VNC session and use it to access the HTTP server on remote-host by accessing the address http://remote-host.pagekite.your_domain. This will display the file system for remote-host:


To stop PageKite’s connection on remote-host, hit CTRL+C in the remote-host console.


Now that we have tested front-end-server, let’s configure remote-host to make the connection with PageKite persistent and to start on boot.


Step 5 — Making the Host Configuration Persistent

The connection between the remote-host and the front-end-server we set up in Step 4 is not persistent, which means that the connection will not be re-established when the server is restarted. This will be a problem if you would like to use this solution long-term, so let’s make this setup persistent.


It is possible to set up PageKite to run as a service on remote-host, so that it is started on boot. To do this, we can use the same distribution packages we used for the front-end-server in Step 3. In the remote-host console accessed through the DigitalOcean control panel, run the following command to install dirmngr:


  • sudo apt-get install dirmngr

Then to add the PageKite repository and import the GPG key, run:


  • echo deb http://pagekite.net/pk/deb/ pagekite main | sudo tee -a /etc/apt/sources.list
  • sudo apt-key adv --recv-keys --keyserver keys.gnupg.net AED248B1C7B2CAC3

To update the package list and install PageKite, run:


  • sudo apt-get update
  • sudo apt-get install pagekite

To set up PageKite as a client, we will configure the front-end-server address and port in the file /etc/pagekite.d/20_frontends.rc. We can edit it using nano:


  • sudo nano /etc/pagekite.d/20_frontends.rc

In this file, comment the line with defaults to avoid using pagekite.net service defaults. Also, configure the front-end-server address and port by using the parameter frontend, adding the line frontend = pagekite.your_domain:80 to the end of the file. Be sure to replace your_domain with the domain you are using.


Here is the full file with the edited lines highlighted:


/etc/pagekite.d/20_frontends.rc
#################################[ This file is placed in the Public Domain. ]#
# Front-end selection
#
# Front-ends accept incoming requests on your behalf and forward them to
# your PageKite, which in turn forwards them to the actual server.  You
# probably need at least one, the service defaults will choose one for you.

# Use the pagekite.net service defaults.
# defaults

# If you want to use your own, use something like:
frontend = pagekite.your_domain:80
# or:
#     frontends = COUNT:dnsname:port

After saving the modifications and quitting nano, continue the configuration by editing the file /etc/pagekite.d/10_account.rc and setting the credentials to connect to front-end-server. First, open up the file by running:


  • sudo nano /etc/pagekite.d/10_account.rc

To set up the domain we are going to use the domain name and the password to connect to our front-end-server, editing the parameters kitename and kitesecret respectively. We also have to comment out the last line of the file to enable the configuration, as highlighted next:


/etc/pagekite.d/10_account.rc
#################################[ This file is placed in the Public Domain. ]#
# Replace the following with your account details.
kitename   = remote-host.pagekite.your_domain
kitesecret = examplepassword

# Delete this line!
# abort_not_configured

Save and quit from the text editor.


We will now configure our services that will be exposed to the internet. For HTTP and SSH services, PageKite includes sample configuration files with extensions ending in .sample in its configuration directory /etc/pagekite.d. Let’s start by copying the sample configuration file into a valid one for HTTP:


  • cd /etc/pagekite.d
  • sudo cp 80_httpd.rc.sample 80_httpd.rc

The HTTP configuration file is almost set up. We only have to adjust the HTTP port, which we can do by editing the file we just copied:


  • sudo nano /etc/pagekite.d/80_httpd.rc

The parameter service_on defines the address and port of the service we wish to expose. By default, it exposes localhost:80. As our HTTP server will be running on port 8000, we just have to change the port number, as highlighted next:


/etc/pagekite.d/80_httpd.rc
#################################[ This file is placed in the Public Domain. ]#
# Expose the local HTTPD
service_on = http:@kitename : localhost:8000 : @kitesecret

# If you have TLS/SSL configured locally, uncomment this to enable end-to-end
# TLS encryption instead of relying on the wild-card certificate at the relay.
#service_on = https:@kitename : localhost:443 : @kitesecret
#
# Uncomment the following to globally DISABLE the request firewall.  Do this
# if you are sure you know what you are doing, for more details please see
#                <http://pagekite.net/support/security/>
#
#insecure
#
# To disable the firewall for one kite at a time, use lines like this::
#
#service_cfg = KITENAME.pagekite.me/80 : insecure : True

Note: The service_on parameter syntax is similar to the one used with the pagekite.py script. However, the domain name we are going to use and the password are obtained from the /etc/pagekite.d/10_account.rc file and inserted by the markers @kitename and @kitesecret respectively.


After saving the modifications to this configuration file, we have to restart the service so that the changes take effect:


  • sudo systemctl restart pagekite.service

To start the service on boot, enable the service with:


  • sudo systemctl enable pagekite.service

Just as we have done before, use the http.server Python module to emulate our HTTP server. It will be already running since we started it to run in the background in Step 4. However, if for some reason it is not running, we may start it again with:


  • python3 -m http.server 8000 &

Now that we have the HTTP server and the PageKite service running, open a browser window in the local-host VNC session and use it to access remote-host by using the address http://remote-host.pagekite.your_domain. This will display the file system of remote-host in the browser.


We have seen how to configure a PageKite front-end server and a client to expose a local HTTP server. Next, we’ll set up remote-host to expose SSH and allow remote connections.


Step 6 — Exposing SSH with PageKite

Besides HTTP, PageKite can be used to proxy other services, such as SSH, which is useful to access hosts remotely behind NAT in environments where it is not possible to modify networking and a router’s configurations.


In this section, we are going to configure remote-host to expose its SSH service using PageKite, then open an SSH session from local-host.


Just like we have done to configure HTTP with PageKite, for SSH we will copy the sample configuration file into a valid one to expose the SSH service on remote-host:


  • cd /etc/pagekite.d
  • sudo cp 80_sshd.rc.sample 80_sshd.rc

This file is pre-configured to expose the SSH service running on port 22, which is the default configuration. Let’s take a look at its contents:


  • nano 80_sshd.rc

This will show you the file:


/etc/pagekite.d/80_sshd.rc
#################################[ This file is placed in the Public Domain. ]#
# Expose the local SSH daemon
service_on = raw/22:@kitename : localhost:22 : @kitesecret

This file is very similar to the one used to expose HTTP. The only differences are the port number, which is 22 for SSH, and the protocol, which must be set to raw when exposing SSH.


Since we do not need to make any changes here, exit from the file.


Restart the PageKite service:


  • sudo systemctl restart pagekite.service

Note: We could also expose SSH using the pagekite.py script if the PageKite service weren't installed. We would just have to use the --service_on argument, setting the protocol to raw with the proper domain name and password. For example, to expose it using the same parameters we have configured in the PageKite service, we would use the command ./pagekite.py --clean --frontend=pagekite.your_domain:80 --service_on=raw:remote-host.pagekite.your_domain:localhost:22:examplepassword.


On local-host, we will use the SSH client to connect to remote-host. PageKite tunnels the connections over HTTP, so to use SSH over PageKite we need an HTTP proxy. There are several HTTP proxies available from the Debian repositories, such as Netcat (nc) and corkscrew. For this tutorial, we will use corkscrew, since it requires fewer arguments than nc.


To install corkscrew on local-host, use apt-get install with the package of the same name:


  • sudo apt-get install corkscrew

Next, generate an SSH key on local-host and append the public key to the .ssh/authorized_keys file of remote-host. To do this, follow the How to Set Up SSH Keys on Debian 9 guide, including the Copying Public Key Manually section in Step 2.


To connect to an SSH server using a proxy, we will use ssh with the -o argument to pass in ProxyCommand and specify corkscrew as the HTTP proxy. This way, on local-host, we will run the following command to connect to remote-host through the PageKite tunnel:


  • ssh sammy@remote-host.pagekite.your_domain -i ~/id_rsa -o "ProxyCommand corkscrew %h 80 %h %p"


Notice we provided some arguments to corkscrew. The %h and %p are tokens that the SSH client replaces by the remote host name (remote-host.pagekite.your_domain) and remote port (22, implicitly used by ssh) when it runs corkscrew. The 80 refers to the port on which PageKite is running. This port refers to the communication between the PageKite client and the front-end server.


Once you run this command on local-host, the command line prompt for remote-host will appear.


With our SSH connection working via PageKite, let's next set up a VNC session on remote-host and access it from local-host using VNC over SSH.


Step 7 — Using VNC Over SSH

Now we can access a remote host using a shell, which solves a lot of the problems that arise from servers hidden behind NAT. However, in some situations, we require access to the graphical user interface. SSH provides a way of tunneling any service in its connection, such as VNC, which can be used for graphical remote access.


With remote-host configured to expose SSH using our front-end server, let’s use an SSH connection to tunnel VNC and have access to the remote-host graphical interface.


Since we have already configured a VNC session to start automatically on remote-host, we will use local-host to connect to remote-host using ssh with the -L argument:


  • ssh sammy@remote-host.pagekite.your_domain -i ~/id_rsa -o "ProxyCommand corkscrew %h 80 %h %p" -L5902:localhost:5901


The -L argument specifies that connections to a given local port should be forwarded to a remote host and port. Together with this argument, we provided a port number followed by a colon, then an IP address, domain, or host name, followed by another colon and a port number. Let’s take a look at this information in detail:


  • The first port number refers to the one we are going to use on the host that is starting the SSH connection (in this case local-host), to receive the tunneled connection from the remote host. In this case, from the point of view of local-host, the VNC session from remote-host will be available locally, on port 5902. We could not use port 5901 since it is already in use on local-host for its own VNC session.


  • After the first colon, we provide the host name (or IP address) of the device that is serving the VNC session we wish to tunnel. If we provide a host name, it will be resolved into an IP address by the host that is serving SSH. In this case, since remote-host is serving the SSH connection and the VNC session is also served by this same host, we can use localhost.


  • After the second colon, we provide the port in which the service to be tunneled is served. We use port 5901, since VNC is running on this port on the remote-host.


After the connection is established, we will be presented with a remote shell on remote-host.


Now we can reach the remote-host VNC session from local-host by connecting to port 5902 itself. To do so, open a shell from the local-host GUI in your VNC client, then run:


  • vncviewer localhost:5902

Upon providing the remote-host VNC password, we will be able to access its graphical environment.


Note: If the VNC session has been running for too long, you may encounter an error in which the GUI on remote-host is replaced by a gray screen with an X for a cursor. If this happens, try restarting the VNC session on remote-host with sudo systemctl restart vncserver@1. Once the service is running, try connecting again.


This setup can be useful for support teams using remote access. It is possible to use SSH to tunnel any service that can be reached by remote-host. This way, we could set up remote-host as a gateway to a local attached network with many hosts, including some running Windows or another OS. As long as the hosts have a VNC server with a VNC session set up, it would be possible to access them with a graphical user interface through SSH tunneled by our PageKite front-end-server.


In the final step, we will configure the PageKite frontend to support more clients with different passwords.


Step 8 — Configuring the Front-End Server for Many Clients (Optional)

Suppose we are going to use our front-end-server to offer remote access to many clients. In this multi-user setup, it would be a best practice to isolate them, using a different domain name and password for each one to connect to our server. One way of doing this is by running several PageKite services on our server on different ports, each one configured with its own subdomain and password, but this can be difficult to keep organized.


Fortunately, the PageKite frontend supports the configuration of multiple clients itself, so that we can use the same service on a single port. To do this, we would configure the front end with the domain names and passwords.


As we have configured the wildcard DNS entry *.pagekite.your_domain pointing to our front-end-server, DNS entries in subdomains like remote-host.client-1.pagekite.your_domain also resolve to our server, so we can use domains ending in client-1.pagekite.your_domain and client-2.pagekite.your_domain to identify hosts of different clients with different passwords.


To do this on the front-end-server, open the /etc/pagekite.d/20_frontends.rc file:


  • sudo nano /etc/pagekite.d/20_frontends.rc

Add the domains using the domain keyword and set different passwords for each one. To set up the domains we’ve mentioned, add:


/etc/pagekite.d/20_frontends.rc
#################################[ This file is placed in the Public Domain. ]#
# Front-end selection
#
# Front-ends accept incoming requests on your behalf and forward them to
# your PageKite, which in turn forwards them to the actual server.  You
# probably need at least one, the service defaults will choose one for you.

# Use the pagekite.net service defaults.
# defaults

# If you want to use your own, use something like:
#     frontend = hostname:port
# or:
#     frontends = COUNT:dnsname:port

isfrontend
ports=80,443
protos=http,https,raw
domain=http,https,raw:*.pagekite.your_domain:examplepassword
domain=http,https,raw:*.client-1.pagekite.your_domain:examplepassword2
domain=http,https,raw:*.client-2.pagekite.your_domain:examplepassword3
rawports=virtual

Save and exit the file.


After modifying the configuration files, restart PageKite:


  • sudo systemctl restart pagekite.service

On the remote hosts, let’s configure the PageKite client to connect according to the new domains and passwords. For example, in remote-host, to connect using client-1.pagekite.your_domain, modify the file /etc/pagekite.d/10_account.rc, where the credentials to connect to front-end-server are stored:


  • sudo nano /etc/pagekite.d/10_account.rc

Change kitename and kitesecret to the appropriate credentials. For the domain remote-host.client-1.pagekite.your_domain, the configuration would be:


/etc/pagekite.d/10_account.rc
#################################[ This file is placed in the Public Domain. ]#
# Replace the following with your account details.
kitename   = remote-host.client-1.pagekite.your_domain
kitesecret = examplepassword2

# Delete this line!

Save and exit the file.


After modifying the file, restart the PageKite service:


  • sudo systemctl restart pagekite.service

Now, on local-host, we can connect to remote-host via SSH with:


  • ssh sammy@remote-host.client-1.pagekite.your_domain -i ~/id_rsa -o "ProxyCommand corkscrew %h 80 %h %p"


We could use the domain client-2.pagekite.your_domain for another client. This way, we can administer the services in an isolated way, with the possibility of changing the password of one client or even disabling one of them without affecting the other.

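As an added check that is not part of the tutorial or of PageKite, the following POSIX shell script audits the client files edited in Step 5 and the multi-client front-end file of Step 8 for the mistakes those steps call out: an abort_not_configured or defaults line left active, a missing frontend, no exposed service, and two clients sharing one secret. File names and keys are the ones shown above; the script name audit_pagekite.sh is assumed.

```shell
#!/bin/sh
# audit_pagekite.sh: added audit for the PageKite .rc fragments edited in
# Step 5 (client) and Step 8 (multi-client front end). Example code written
# for this page, not part of the tutorial or of PageKite; file names and
# keys are the ones shown in those steps.
set -eu

# rc_has_active FILE KEY: succeed if FILE has an uncommented line whose first
# token is KEY, written as "KEY", "KEY=" or "KEY = value".
rc_has_active() {
    [ -f "$1" ] || return 1
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' |
        grep -Eq "^$2([[:space:]]*=|[[:space:]]*\$)"
}

# audit_client DIR: checks for a client /etc/pagekite.d as set up in Step 5.
# Prints one finding per line; the return value is the number of findings.
audit_client() {
    dir=$1
    n=0
    # 10_account.rc: the guard line must be commented out and both credentials
    # set, otherwise the service refuses to start or cannot authenticate.
    if rc_has_active "$dir/10_account.rc" abort_not_configured; then
        echo "10_account.rc: abort_not_configured is still active"; n=$((n + 1))
    fi
    for key in kitename kitesecret; do
        if ! rc_has_active "$dir/10_account.rc" "$key"; then
            echo "10_account.rc: $key is not set"; n=$((n + 1))
        fi
    done
    # 20_frontends.rc: an active "defaults" would send the tunnel to pagekite.net
    # instead of the private front end; a frontend= (or frontends=) line is required.
    if rc_has_active "$dir/20_frontends.rc" defaults; then
        echo "20_frontends.rc: pagekite.net service defaults are still active"; n=$((n + 1))
    fi
    if ! rc_has_active "$dir/20_frontends.rc" frontend &&
       ! rc_has_active "$dir/20_frontends.rc" frontends; then
        echo "20_frontends.rc: no private frontend configured"; n=$((n + 1))
    fi
    # Something must actually be exposed (80_httpd.rc, 80_sshd.rc, ...).
    if ! cat "$dir"/*.rc 2>/dev/null | sed 's/^[[:space:]]*//' | grep -v '^#' |
         grep -Eq '^service_on[[:space:]]*='; then
        echo "no active service_on line in $dir"; n=$((n + 1))
    fi
    return "$n"
}

# audit_frontend FILE: checks the Step 8 front-end 20_frontends.rc. Each
# "domain=protos:pattern:secret" line must carry a secret no other pattern
# uses, or the per-client isolation the step aims for is lost. Prints every
# reused secret and returns 1 if any was found, 0 otherwise.
audit_frontend() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep -E '^domain[[:space:]]*=' |
    awk -F: '{
        pattern = $2; gsub(/[[:space:]]/, "", pattern)
        secret = $NF; gsub(/[[:space:]]/, "", secret)
        if (secret in seen) {
            print "20_frontends.rc: " pattern " reuses the secret of " seen[secret]
            dup++
        } else {
            seen[secret] = pattern
        }
    } END { exit (dup > 0) }'
}

# Stand-alone use:
#   sh audit_pagekite.sh client /etc/pagekite.d
#   sh audit_pagekite.sh frontend /etc/pagekite.d/20_frontends.rc
case "${1:-}" in
    client)   audit_client "$2" ;;
    frontend) audit_frontend "$2" ;;
esac
```

Run it on remote-host after Step 5 and on front-end-server after Step 8; a non-zero exit status means at least one finding was printed.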

Conclusion

In this article, we set up a private PageKite front-end server on a Debian 9 Droplet and used it to expose HTTP and SSH services on a remote host behind NAT. We then connected to these services from a local-host server and verified the PageKite functionality. As we have mentioned, this could be an effective setup for remote access applications, since we can tunnel other services in the SSH connection, such as VNC.


If you’d like to learn more about PageKite, check out the PageKite Support Info. If you would like to dive deeper into networking with Droplets, take a look through DigitalOcean’s Networking Documentation.


Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-pagekite-front-end-server-on-debian-9
