
Saturday, 31 March 2012

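How to integrate Nginx with Tomcat

nginx is a high-performance HTTP and reverse-proxy server, and many large portal sites now use it to serve web traffic. If your site gets a lot of traffic, consider using it in place of Apache or IIS. You can download it from the official website or from this site's software download section.
Because nginx is server software that runs on Unix-like/Linux systems, this article covers only Linux; Windows users can download the Windows port and follow along to install and configure it.
Installation commands: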
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_flv_module --with-http_addition_module --with-http_ssl_module
make
make install
make clean
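After installation, if you have multiple sites, define virtual hosts in both tomcat and nginx and tie them together.
The configuration below is an example with two virtual hosts: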
 server {
        listen       80;
        server_name  www.mysite1.com;
        root   /home/mysite1/public_html;
        location / {
            index  index.html index.htm  index.jsp;
        }
        # The block below hands .jsp requests to tomcat
        location ~ \.jsp$
        {
                index index.jsp;
                proxy_pass http://www.mysite1.com:8080;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
   }
server {
        listen       80;
        server_name  www.mysite2.com;
        root   /home/mysite2/public_html;
        location / {
            index  index.html index.htm  index.jsp;
        }
        location ~ \.jsp$
        {
                index index.jsp;
                proxy_pass http://www.mysite2.com:8080;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
}
After editing, test the configuration:
/usr/local/nginx/sbin/nginx -t
If the test reports success, you can start nginx:
/usr/local/nginx/sbin/nginx
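Finally, note that this integration method requires port 8080 on the server to be open; otherwise the jsp files may not be reachable.
Tomcat configuration reference:
<Host name="www.mysite1.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
</Host>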




Establish an SSH connection through a proxy with NTLM authentication

Open an SSH connection through a proxy with NTLM authentication

This explains how to pass an SSH connection through a proxy that uses the NTLM authentication protocol (cryptographic authentication) instead of plain login/password authentication.

First follow the steps described here:
http://blog.mansonthomas.com/2008/01/open-ssh-connection-through-http-proxy.html

Next we have to deal with NTLM authentication.

PuTTY does not know how to talk to a proxy that uses NTLM authentication, so we need a program that handles the authentication and encapsulates the network packets.

To do that we'll use cntlm, which is a port of a Unix program built with Cygwin (no need to install Cygwin, though).

Once you unzip the files, edit the configuration file cntlm.ini.

You have to change 4 values :

login: Your Windows login name
domain: Your domain name

You can get this information by pressing CTRL+ALT+DEL: a window appears, and in the first fieldset you can see something like "Thomas Manson has opened a session as DOMAIN\LOGIN".

proxy url and port: see the previous post for how to get this information
cntlm port: the local port on which cntlm will listen (local meaning on your computer). The port should be above 1024 (ports below that are reserved for specific uses) and not already in use (run netstat -a > c:\netstat.log and check that the port you chose is not in the file). Take 5865, for example.



Example :
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username __LOGIN__
Domain  __DOMAIN__
#Password password  # Use hashes instead (-H)
#Workstation netbios_hostname # Should be auto-guessed

Proxy  __PROXY-URL__:__PROXY-PORT__
#Proxy  10.217.112.42:8080

#
# This is the port number where Cntlm will listen
#
Listen  __CNTLM_PORT_NUMBER__
#Listen  5865

#
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option, SOCKS5. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy 8010
#SOCKS5User dave:password

#
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
Auth  LM
#Flags  0x06820000

#
# Enable to allow access from other computers
#
#Gateway yes

#
# Useful in Gateway mode to allow/restrict certain IPs
#
#Allow  127.0.0.1
#Deny  0/0

#
# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize 1024
#ISAScannerAgent Wget/
#ISAScannerAgent APT-HTTP/
#ISAScannerAgent Yum/

#
# Headers which should be replaced if present in the request
#
#Header  User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Header  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

#
# Tunnels mapping local port to a machine behind the proxy
#
#Tunnel  11443:remote.com:443
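
An added example (not part of the original post or of cntlm): a small shell check that flags the settings the sample configuration's own comments warn about, namely a plaintext Password line, Auth LM, Gateway mode without Allow/Deny, and SOCKS5Proxy without SOCKS5User. The finding names and the constructed sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Finding names are made up here.

# audit_cntlm_conf FILE
# Prints one finding per line; only uncommented directives are considered.
audit_cntlm_conf() {
    conf=$1
    awk '
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*$/ { next }                       # blank line
        { key = tolower($1); val = tolower($2) }
        key == "password"                { print "plaintext-password" }
        key == "auth" && val == "lm"     { print "weak-auth-lm" }
        key == "gateway" && val == "yes" { gateway = 1 }
        key == "allow" || key == "deny"  { acl = 1 }
        key == "socks5proxy"             { socks = 1 }
        key == "socks5user"              { socksauth = 1 }
        END {
            if (gateway && !acl)     print "gateway-without-allow-deny"
            if (socks && !socksauth) print "socks5-without-user"
        }
    ' "$conf"

    # The file header asks for 0600 perms when a plaintext password is used.
    # Characters 5-10 of the ls -l mode string are the group/other bits.
    if grep -Eiq '^[[:space:]]*password[[:space:]]' "$conf"; then
        bits=$(ls -l "$conf" | cut -c5-10)
        [ "$bits" = "------" ] || echo "password-file-group-or-world-accessible"
    fi
}

# Constructed sample: the post's example with the risky lines left enabled.
sample_conf() {
    cat <<'EOF'
Username __LOGIN__
Domain  __DOMAIN__
Password example-only
Proxy  __PROXY-URL__:__PROXY-PORT__
Listen  5865
SOCKS5Proxy 8010
Auth  LM
Gateway yes
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
chmod 644 "$tmp"
audit_cntlm_conf "$tmp"
rm -f "$tmp"
```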

Next we need to configure PuTTY to use cntlm.

Go to Connection->Proxy settings.
In the Proxy hostname field, type "localhost"; in the port field, type the port number you chose for cntlm (e.g. 5865).

In the username field: your Windows login.
In the password field: your Windows password.

Save these inputs in a session (so you don't have to type them each time).

Run cntlm, open your connection with PuTTY, and you should be able to log in on your box.

Note that each time your Windows password changes, you have to change it in PuTTY too.

from http://blog.mansonthomas.com/2008/04/open-ssh-connection-through-proxy-with.html
------------------------------------------------------------------------

Open a SSH connection through an http proxy and dig tunnels :)

I work for an IT Services & Software Engineering company, and I often spend some time (3 months to a year) working at a client company's office...

And often, I'm behind a ****ing proxy that filters HTTP requests, provides antivirus analysis, etc. Useful for the company's security and efficiency, but really boring for me.

Those proxies allow http (tcp/80) and https (tcp/443) connections and nothing else...

So no tcp/22 for SSH, and I miss it very much for many reasons.

So here is what to do to get an SSH connection to a Linux box.

But beware that doing this will certainly break the security contract you signed when you joined the company. It allows you to bypass the content filtering and security, and you could be fired for it...

This blog post shows how to bypass an http proxy with basic authentication.

The following post shows a way to bypass a proxy with the NTLM authentication mechanism.

Server configuration



You're a geek like me, so you have a Linux box somewhere running 24 hours a day with an ssh server on it.

The ssh server usually listens on port tcp/22, but this port is filtered by the proxy. The proxy allows tcp/80 and tcp/443.

As tcp/80 is probably used by your web server, we'll focus on tcp/443, the https port, which you probably don't need. But you can do the same with port tcp/80.

What we need is for your Linux box to accept an ssh connection on port tcp/443.

We can either change the ssh server settings to listen on port 443, or redirect connections established on port 443 to port 22.

I prefer the second option, which leaves the ssh server configuration untouched and lets your Linux box still be accessed through ssh on its standard port.

You can redirect your port 443 to port 22 using iptables or other tools.
You may even have a graphical interface that lets you do that easily.

With the SME Server, I have such a tool (a web interface reachable only through my local network).

You can find information on how to do that here :

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

If this helps, here are the lines of my iptables-save output that involve port 443:

-A PortForwarding_22383 -p tcp -m tcp --dport 443 -j DNAT --to-destination 80.1.1.1:22
-A InboundTCP_22383 -d 80.1.1.1 -p tcp -m tcp --dport 443 -j ACCEPT


where 80.1.1.1 is my external public ip address.

Once this is done, you can test it by trying to open an ssh connection on port 443, or by using telnet (telnet yourBoxIp 443); you should see your OpenSSH server version: SSH-2.0-OpenSSH_3.9p1.


Configure your ssh client



Putty is a marvelous ssh client for windows, I couldn't live without it.

You can get it here : http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


All the settings described below can be changed on the fly while the ssh connection is open (except for the proxy settings, of course) by right-clicking the window title->Change Settings.

Basic settings





In the hostname field, enter the IP or domain name of your Linux box.
In the port field, enter 443 (or 80 if you use port 80).

In Saved Sessions, enter a string that reminds you of your truly loved Linux box ;o)

Putty's number of lines of scrollback



This is not really a mandatory step, but it is really useful.



Replace the value 200 with 20000000 (it should be enough). Adding more zeros could lead PuTTY to behave strangely... I've tried ;o)

Putty's encoding





In order to display characters properly in PuTTY, you need to set PuTTY's encoding according to your Linux box's configuration (mostly UTF-8 or your country's specific charset).

You can find these settings on your Linux box in /etc/sysconfig/i18n

cat /etc/sysconfig/i18n
LANG="fr_FR@euro"
SUPPORTED="fr_Fr@euro:fr_FR:fr"
SYSFONT="lat0-sun16"
SYSFONTACM="iso15"


Here it's fr_FR, which uses the ISO-8859-1 charset.
You can find which charset matches your country code in /usr/share/i18n/locales/your country code

cat /usr/share/i18n/locales/fr_FR
comment_char %
escape_char  /
%
% French Language Locale for France
% Source: RAP
% Address: Sankt Jo//rgens Alle 8
%    DK-1615 Ko//benhavn V, Danmark
% Contact: Keld Simonsen
% Email: Keld.Simonsen@dkuug.dk
% Tel: +45 - 31226543
% Fax: +45 - 33256543
% Language: fr
% Territory: FR
% Revision: 4.3
% Date: 1996-10-15
% Users: general
% Charset: ISO-8859-1
% Distribution and use is free, also
% for commercial purposes.



Keep alive settings





The http proxy will automatically close an idle connection. To avoid that, PuTTY has a keepalive parameter that simulates activity and thus prevents the proxy from closing the connection.

Set it to 4 seconds which is a good value.

Proxy settings





Here is the tricky part...

You need to get the proxy url and port, login and password.

In most cases, your company uses Microsoft Windows and Internet Explorer.

You can get the proxy settings from internet explorer, in :
Tools->Internet Options->Networking->Network parameters





If the checkbox in the proxy server fieldset is ticked, just use the information in that fieldset (have a look in Advanced too), but in most cases a script is used.
Copy and paste the proxy script address into the Internet Explorer address bar, save the content to a file, and read it...

You need to determine which proxy URL you use.
Proxy scripts usually use your network address and subnet to determine which proxy server you should use, with functions such as dnsDomainIs(host, "aDomain.com") or isInNet(host, "10.0.123.0", "255.255.255.0").

if (dnsDomainIs(host, ".domain.com.") ||
    dnsDomainIs(host, ".sub.domaine.com.") ||
    dnsDomainIs(host, ".domain.net.") ||
    dnsDomainIs(host, ".domain2.com.") ||
    isInNet(host, "10.0.112.0", "255.255.255.0") ||
    isInNet(host, "10.1.112.0", "255.255.255.0"))
{
    if (isInNet(myIpAddress(), "10.3.0.0", "255.255.0.0"))
        return "PROXY srv-proxy-01.site.dom:8090;" +
               "PROXY srv-proxy-02.site.dom:8090";
    else
        return "PROXY srv-proxy-01.site2.dom:8090;" +
               "PROXY srv-proxy-02.site2.dom:8090";
}


In this case, the proxy URL would be one of these hosts, e.g. srv-proxy-02.site2.dom, and the port would be 8090.

In a command console (Windows key+R, type cmd), you can get your IP address with the following command:
ipconfig /all

This will help you determine the proxy settings that the script computes.

Or more basically you can run, still in a console

netstat -a


and look for something that looks like a proxy...

The proxy URL might contain the word proxy, so:
netstat -a | find "proxy"



Once you have it (or you can try each URL and port in the script),
paste it into the proxy hostname and port fields.

Username is usually your NT Domain\Windows account username.
You can get it by pressing CTRL+ALT+DEL; it will be displayed in the window that appears (press Escape to return to where you were).

SSH compression





Enabling ssh compression will make the connection smoother...

SSH tunnels






SSH tunnels: one of the wonderful features of the SSH protocol.

In the source port field, type 22; in the destination, 127.0.0.1:22.

This creates a tunnel that carries TCP traffic from port 22 of the local machine to port 22/tcp at IP 127.0.0.1 on the remote side, i.e. your Linux box, all through the ssh connection (established on port 443, forwarded to port 22).

This way, you can browse files with a secure FTP program like WinSCP or FileZilla, or any text editor that supports SSH, like UltraEdit.

You'll just need to point these programs to localhost:22,
not to yourLinuxBoxIp:443, because that link won't be kept alive by default by these programs.

Another useful tunnel is L3390->192.168.1.24:3389

where 192.168.1.24 would be a Windows computer with remote desktop activated (Windows key+Pause, remote connection tab, remote desktop fieldset) on your private network that your Linux box can reach.

With this, you can run the Microsoft Terminal Services Client: Windows key+R, type mstsc, type localhost:3390, and you'll be able to use your Windows computer, which is also up 24h a day ;o), and browse the web as if you were at home (a bit slowly though).

You can see why i wrote this post :
http://mansonthomas.blogspot.com/2008/01/remote-desktop-client-with-windows-2000.html


Save settings




Save all these settings.

If it doesn't work, try the other proxy settings in the proxy configuration script.
If it still doesn't work, it may be because your company uses the NTLM authentication protocol. This will be described in a later article.

from http://blog.mansonthomas.com/2008/01/open-ssh-connection-through-http-proxy.html

ssh tricks

 from http://news.ycombinator.com/item?id=3543334
My favorite trick is transparently bouncing via ProxyCommand+netcat:
    Host target.domain
        Hostname target.local
        ProxyCommand ssh -q bounce_host.domain nc -q0 %h 22
Also, authorizing by key but restricting the (passwordless) key to certain commands, allowing for remote action automation. [0]
Ssh agent forwarding is also particularly awesome instead of naively scattering keys.
Ssh ControlMaster allowing to reuse connections can really improve responsiveness. Tip: start the master connection as a daemon (-f), so as not to mistakenly close the terminal which handles it, else you will close the channel for all other currently opened slave sessions. I wish ssh would fork and start the master on demand then close it when the last channel closes.
[0] http://www.cmdln.org/2008/02/11/restricting-ssh-commands/
-----
andrewaylett 58 days ago | link

If you're connecting from a *nix-y box, you may also be interested in sshuttle: https://github.com/apenwarr/sshuttle
It gives you most of the benefits of VPN, without requiring tun/tap and without needing root on the remote box -- all you need is the ability to run python. Very useful if you're on an insecure network and you want to tunnel everything over a secure connection, or if you have SSH access to a box inside your firewall and want to access other resources without having to specify each port individually.
-----
JoshTriplett 57 days ago | link

> Ssh ControlMaster allowing to reuse connections can really improve responsiveness. Tip: start the master connection as a daemon (-f), so as not to mistakenly close the terminal which handles it, else you will close the channel for all other currently opened slave sessions. I wish ssh would fork and start the master on demand then close it when the last channel closes.
Good news: as of OpenSSH 5.6p1, it can. Just set "ControlPersist 60" in ~/.ssh/config (in addition to setting ControlMaster auto and ControlPath), and ssh will automatically spawn an SSH master connection in the background, and close it 60 seconds after the last client exits. (You can obviously change the timeout to taste.)
-----
gnaritas 58 days ago | link

> Ssh ControlMaster allowing to reuse connections can really improve responsiveness.
Yes it does, but I've noticed when I do this, it breaks my rsnapshot backups. Is this something you've heard of or know a fix for?
-----
lloeki 58 days ago | link

I don't use rsnapshot but you can set up arguments you pass to ssh, in which case you can selectively disable ControlMaster. If you can't, maybe rsnapshot respects .ssh/config so you can set up a Host entry with the relevant config. If you want to also use ControlMaster with the host you connect to with rsnapshot, you can set up a Host with a dummy name and set its Hostname option to the real host.
-----
gnaritas 57 days ago | link

> I don't use rsnapshot but you can set up arguments you pass to ssh, in which case you can selectively disable ControlMaster
Just FYI, that worked perfectly.
-----
gnaritas 58 days ago | link

Some good ideas, thanks, I'll give it a shot. I really like the speed of the persistent connections.
-----
yycom 57 days ago | link

    host *%*
        proxycommand ssh $(echo %h | cut -d%% -f1) nc $(echo %h | cut -d%% -f2) %p

usage:
    ssh gateway%target
-----
a3_nm 57 days ago | link

Awesome. Here is another version to support chaining multiple gateways:
  Host *%*
    Proxycommand ssh $(echo %h | rev | cut -d%% -f2- | rev) nc $(echo %h | rev | cut -d%% -f1 | rev) %p
usage:
    ssh gateway1%gateway2%target
(Not very clean, improvements welcome.)
-----
a3_nm 57 days ago | link

A shorter version of the same thing:
  Host *%*
    Proxycommand bash -c "h=%h; ssh \${h%%\\%%*} nc \${h##*%%} %p"
It would be shorter and cleaner if I knew a way to apply string operators on a constant string rather than defining the intermediate variable $h.
-----
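An added example, not part of the thread: the `Host *%*` entries above paste %h into a command line that the local shell parses, so this script reproduces how the chained host spec is split, rejects specs containing anything but host-name characters, and prints the equivalent arguments for ssh's -J option (ProxyJump, available in OpenSSH 7.3 and later). The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up here.
# In ssh_config "%%" is a literal "%", so the local shell that runs the
# ProxyCommand sees e.g.  echo gateway%target | cut -d% -f1

# ssh pastes %h into the command text before the shell parses it, so only
# accept chains made of plain host-name characters separated by single "%".
chain_is_safe() {
    case "$1" in
        ''|%*|*%|*%%*)       return 1 ;;   # empty hop
        -*|*%-*)             return 1 ;;   # hop that would parse as an option
        *[!A-Za-z0-9._%-]*)  return 1 ;;   # space, quote, ;, $, ...
    esac
    return 0
}

# Part handed to the inner ssh: everything before the last "%".
# Same result as `rev | cut -d% -f2- | rev` and as bash's ${h%\%*}.
chain_gateways() { g=${1%\%*}; printf '%s\n' "$g"; }

# Part handed to nc: everything after the last "%".
chain_target() { t=${1##*%}; printf '%s\n' "$t"; }

# Equivalent arguments for ssh's -J (ProxyJump) option, which takes the
# gateways as a comma-separated list and needs neither nc nor a shell.
chain_to_proxyjump() {
    chain_is_safe "$1" || { echo "rejected: $1" >&2; return 1; }
    case "$1" in
        *%*) ;;
        *)   printf '%s\n' "$1"; return 0 ;;   # no gateway in the spec
    esac
    jumps=$(chain_gateways "$1" | tr '%' ',')
    printf '%s %s %s\n' -J "$jumps" "$(chain_target "$1")"
}

chain_to_proxyjump 'gateway1%gateway2%target'
```
-----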
vidarh 57 days ago | link

That syntax gave me flashbacks to good old bang paths...
-----
haridsv 50 days ago | link

Very cool! Is there any security risk in running nc on the gateway this way?
-----
ryan-c 55 days ago | link

A more featureful version of that hack:
https://github.com/ryancdotorg/ssh-chain
-----
zobzu 57 days ago | link

you don't mention what's awesome about the proxycommand to go through hosts:
here's what! it uses the intermediate hosts as a tunnel, which means no ssh agent is listening on the hosts (the regular way to do this is ssh -A hostx ssh -A hosty ssh finalhost)
This means no attacker can use your agent while connected.
Additionally, it's less cumbersome when it's set up.
-----
haridsv 50 days ago | link

How do you use the -f option for the master? Do you run a command that just waits for ever? What command do you run?
-----
mattdeboard 58 days ago | link

Is there a "tech blogger of the year" category somewhere so we can nominate this guy? Every single one of his posts is epic. The peri-relational metaphor for shell command composition, this one, and every one before should be required reading.
-----
mattmight 58 days ago | link

Thanks for the kind words!
These recent posts are part of the lecture notes for my "Scripting Language Design and Implementation" course.
There are slides that go along with some of them:
http://matt.might.net/teaching/scripting-languages/spring-20...
I prefer spartan slides, so I'm not sure how useful they are without me presenting them.
But, I'll throw them out there since there are a few nuggets in them that are not in the posts.
There are also slides for non-existent posts (e.g. bash), because I don't always have time to transcribe my notes into a blog post.
-----
beambot 57 days ago | link

Hey Matt, to echo yycom's concern below... can you please add dates to your articles? We have context as they're posted today, but it gets muddled 10+ years out.
-----
babarock 58 days ago | link

I would also mention the following 2 articles that constitute an absolutely amazing TODO list:
What every CS major should know (http://matt.might.net/articles/what-cs-majors-should-know/)
12 resolutions for programmers (http://matt.might.net/articles/programmers-resolutions/)
-----
mburns 58 days ago | link

http://2012.bloggi.es/#technology
-----
yycom 57 days ago | link

Really? Where are they? Article index is empty.
And article needs a date before any award is bestowed.
-----
ColdAsIce 57 days ago | link

Are you being sarcastic? How could one not know that ssh could do these things? Have you been using it instead of telnet?
-----
mattdeboard 56 days ago | link

Save your snark and go read the rest of his blog posts.
-----
nlh 58 days ago | link

One addition:
Re: iOS -- Panic (makers of Coda, etc.) developed a _really_ nice little iOS app for SSH called 'Prompt'. It got some coverage here when it was released, and I immediately replaced iSSH with it and haven't looked back once.
http://www.panic.com/blog/2011/04/introducing-prompt-ssh-for...
-----
sciurus 58 days ago | link

I wouldn't call these tricks, just using ssh properly.
Here is an article with some less known features of ssh: http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-...
-----
moe 58 days ago | link

As a small addendum to "Copying files", you can also copy entire directories:
  $ tar czf - foo | ssh remote "cd /where/to/unpack && tar xzf -"
This is often significantly faster than rsync, e.g. when copying a directory with many files for the first (or only) time.
-----
msmith 58 days ago | link

I'm not sure how it compares in performance, but I've always used scp -r for this:
   $ scp -r foo remote:/where/to/unpack
-----
loeg 58 days ago | link

scp has some end-to-end latency for each file transferred. This means that for lots of small files, a single tar file stream is much quicker than 'scp -r'.
-----
kahawe 57 days ago | link

The most fun I ever had was doing exactly this, piping a stream through ssh, but on the one end was a CD image, on the other end was a cd burner. It is kinda obvious you could also do that because pipes and ssh are ubiquitous on UNIX but I still couldn't stop giggling.
-----
dchest 58 days ago | link

Is it possible to pipe something into already opened ssh connection?
-----
__alexs 57 days ago | link

Using named pipes (mkfifo) I suspect you could do that. I've not tried it in practice and there will be some warts to work around. e.g. the password prompt comes to mind.
-----
timrod 58 days ago | link

if you're piping the output of tar, instead of using "tar f -", you can leave off the f argument (since you don't want to specify a file anyway) and tar will default to stdin/stdout:
    $ tar cz foo | ssh remote "cd /where/to/unpack && tar xz"
-----
ars 58 days ago | link

You may not need the z either since it's common to configure ssh to do compression.
Or use ssh -C
-----
ralph 57 days ago | link

For GNU tar these days that's true, unless you can be sure $TAPE is in its environment. Historically, tar defaulted to a tape device, e.g. /dev/mt0, and you still find vestiges of that, e.g. OpenBSD defaults to /dev/rst0.
IOW, specify "f -". :-)
-----
rbonvall 58 days ago | link

    > $ cat .ssh/id_dsa.pub | ssh host 'cat >> ~/.ssh/authorized_keys'
Using ssh-copy-id is simpler:
    ssh-copy-id host
(Works On My Machine™)
-----
stretchwithme 58 days ago | link

does not work on mac, but this guy has a script:
http://phildawson.tumblr.com/post/484798267/ssh-copy-id-in-m...
-----
pavel_lishin 58 days ago | link

Homebrew also has a recipe for it.
    brew install ssh-copy-id
-----
nzmsv 58 days ago | link

I would add the use of the ControlMaster and ControlPath options for connection sharing, as well as keepalive settings for those cases where connections drop when idle.
The remote port forwarding feature can be very handy. I've used a combination of ssh and daemontools to set up remote access to a machine behind a particularly nasty firewall.
-----
paxswill 58 days ago | link

And if your SSH client supports it ControlPersist. It keeps the shared connection around in case you're coming back. It's a fairly new feature though.
-----
newman314 50 days ago | link

I tried enabling this and it seems that support for this on MacOS is pretty iffy. It's not too stable and my issues went away as soon as I disabled it.
-----
xxqs 58 days ago | link

haha, I wrote an article exactly about this (see my other comment)
-----
mike-cardwell 58 days ago | link

Only yesterday, I wrote up how I use a smart card and reader with hardware pin pad for SSH authentication. Seems relevant:
https://grepular.com/Smart_Cards_and_SSH_Authentication
-----
zobzu 57 days ago | link

yeah, been using that for a while, and it's quite handy. I want to switch to the cryptostick tho, because having a pinpad/reader around sux.
don't you have one of those?
-----
mike-cardwell 57 days ago | link

My laptop has a built in smart card reader, and my desktop has a USB one plugged in with a hardware pin-pad.
The cryptostick does look cool. I've come across it before. I like the smart card because I can just pop it in my wallet like a credit card.
You can also get keyboards with built in smart card readers, where the numeric keypad has a mode to operate as a hardware pin pad (rather than sending the keypresses to the computer). I'm thinking of getting one of these at some point.
-----
beagle3 57 days ago | link

Do you know of anyone who sells them in the US? (or OpenPGP cards or any other Linux usable tokens for that matter?) or do I have to order them from Germany?
-----
Estragon 58 days ago | link

My main problem with sshfs lately has been that on a flakey connection it sometimes hangs irretrievably, often taking out the process trying to use it (usually emacs.)
-----
vectorpush 58 days ago | link

I've had this problem too. Try appending "-o reconnect" flag, I haven't had a hang since.
-----
xtacy 58 days ago | link

Good list of useful configuration options. I'd also like to add the "Compression yes" option that you can add on a per-host basis, and this could save some bytes sent over the wire. To see how much it saved, invoke with verbose ("ssh -v"), and it outputs the number of bytes saved after the session ends.
Another config option that has saved me a lot of time is the "ProxyCommand" option that lets you specify a command, whose stdin is used as a pipe to talk to a remote server. So, something like:
    Host inside
        ProxyCommand ssh gateway nc inside 22
Would allow you to just type "ssh inside" and ssh to a machine behind a gateway, without ssh-ing twice!