mysql connection through ssl tunnel

Peter Boosten peter at boosten.org
Mon Oct 20 12:50:01 PDT 2008


John Almberg wrote:
> 
> On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:
> 
>> John Almberg wrote:
>>> I have two FreeBSD machines. One is a application server, the other a
>>> database server running mysql. These machines are in two different
>>> locations. I'd like to allow the application server to access mysql
>>> through an SSH tunnel.
>>>
>>> Being a newbie admin, I've never set up an SSH tunnel. I've been
>>> reading about them all morning and (as always) there seems to be more
>>> than one way to skin this cat.
>>>
>>> I'm looking for ease of set up and maintenance, as well as security
>>> (which I assume is a given.) I'd prefer NOT to have to recompile the
>>> kernels (pure cowardice... the application server is a production
>>> server that I don't want to experiment with.) Both servers have OpenSSL.
>>>
>>> Any recommendations, much appreciated.
>>>
>>> Thanks: John
>>>
>>
>> A very basic ssh tunnel is as simple as
>> ssh -L3306:127.0.0.1:3306 user@remote.host
>>
>> This will forward any connections to localhost on port 3306 through the
>> ssh connection to remote.host then on to localhost at that end on port
>> 3306. If you have mysql running on the app server as well then change
>> -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306 where 33006 is an
>> unused tcp port on the application server. If you do use an ssh tunnel
>> you may want to use security/autossh which will monitor the tunnel and
>> re-establish it if it loses connection for some reason.
> 
> After a few hours of work today, I have all this working perfectly. I'm
> using autossh to automatically create and monitor the ssh tunnel, and I
> can make mysql connections through the tunnel with no problems. Very cool.
> 
> And that's through PF firewalls on both machines, which added flavor to
> the exercise ;-)
> 
> One question... and maybe this is a general, philosophical question...
> 
> If autossh watches over my ssh tunnel, who or what watches over autossh?
> 
> As a related question, how can I make autossh start automatically after
> a reboot? At the moment, I start autossh from the command line, like so:
> 
>> autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin@dbs.example.com
> 
> There doesn't seem to be an rc.d file for autossh... Do I have to figure
> out how to make one?
> 

You can do this all by not using autossh at all: let init watch and
re-establish your ssh tunnel:

This is in my /etc/ttys (wrapped for readability):

ttyv8   "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306
remote.domain.tld >/dev/null 2>&1"    unknown on

I let my central machine control the tunnel, not the sending one.

Peter

-- 
http://www.boosten.org
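The "who watches autossh" question and Peter's answer (let init respawn the tunnel) both come down to a supervisor that restarts a foreground ssh when it exits. The script below is an added example, not code from the thread or from autossh; it does in plain POSIX sh what an /etc/ttys entry marked "on" gets from init, including init's slow-down when the process dies repeatedly. Host name and user are placeholders taken from John's command.

```shell
#!/bin/sh
# Added example, not from the thread: a small POSIX sh supervisor that keeps a
# foreground ssh tunnel running, restarting it whenever it exits, the way
# init respawns an /etc/ttys entry marked "on". Like init, it slows down when
# the process dies repeatedly. Host name and user are placeholders.

# The thread's tunnel, run in the foreground (no -f) so its exit is visible.
# ExitOnForwardFailure: ssh exits (and is restarted) if the forward cannot be
# set up. ServerAliveInterval/CountMax: ssh notices a dead peer within ~90s
# instead of hanging with a half-open connection that looks healthy.
TUNNEL_CMD='ssh -nNTx -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
  -o ServerAliveCountMax=3 -L 33006:127.0.0.1:3306 admin@dbs.example.com'

# supervise CMD [MAX_STARTS]: run CMD via sh -c and restart it on every exit.
# A run shorter than MIN_RUN seconds is treated as a failure: wait BACKOFF
# seconds (doubling, capped at MAX_BACKOFF) before the next start; a longer
# run resets the delay. MAX_STARTS bounds the loop (0 = forever) and the
# number of starts is printed when the loop ends.
supervise() {
    cmd=$1
    max_starts=${2:-0}
    min_run=${MIN_RUN:-10}
    backoff=${BACKOFF:-1}
    max_backoff=${MAX_BACKOFF:-60}
    starts=0
    while [ "$max_starts" -eq 0 ] || [ "$starts" -lt "$max_starts" ]; do
        starts=$((starts + 1))
        began=$(date +%s)
        status=0
        sh -c "$cmd" || status=$?
        ran=$(( $(date +%s) - began ))
        logger -t tunnel-supervise \
            "exit status $status after ${ran}s (start $starts)" 2>/dev/null || :
        if [ "$ran" -lt "$min_run" ]; then
            sleep "$backoff"
            backoff=$((backoff * 2))
            [ "$backoff" -gt "$max_backoff" ] && backoff=$max_backoff
        else
            backoff=${BACKOFF:-1}
        fi
    done
    echo "$starts"
}

# On the application server, e.g. from /etc/rc.local or under daemon(8):
#   supervise "$TUNNEL_CMD"
```

Each restart is logged through syslog, so a tunnel that flaps shows up in the logs rather than silently reconnecting; the ServerAlive options matter because a dead tunnel otherwise keeps the local port listening while nothing answers behind it.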

