mysql connection through ssl tunnel

John Almberg jalmberg at identry.com
Mon Oct 20 12:25:26 PDT 2008


On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

> John Almberg wrote:
>> I have two FreeBSD machines. One is a application server, the other a
>> database server running mysql. These machines are in two different
>> locations. I'd like to allow the application server to access mysql
>> through an SSH tunnel.
>>
>> Being a newbie admin, I've never set up an SSH tunnel. I've been
>> reading about them all morning and (as always) there seems to be more
>> than one way to skin this cat.
>>
>> I'm looking for ease of set up and maintenance, as well as security
>> (which I assume is a given.) I'd prefer NOT to have to recompile the
>> kernels (pure cowardice... the application server is a production
>> server that I don't want to experiment with.) Both servers have  
>> OpenSSL.
>>
>> Any recommendations, much appreciated.
>>
>> Thanks: John
>>
>
> A very basic ssh tunnel is as simple as
> ssh -L3306:127.0.0.1:3306 user at remote.host
>
> This will forward any connections to localhost on port 3306 through the
> ssh connection to remote.host then on to localhost at that end on port
> 3306. If you have mysql running on the app server as well then change
> -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306  where 33006 is an
> unused tcp port on the application server. If you do use an ssh tunnel
> you may want to use security/autossh which will monitor the tunnel and
> re-establish it if it loses connection for some reason.

After a few hours of work today, I have all this working perfectly.  
I'm using autossh to automatically create and monitor the ssh tunnel,  
and I can make mysql connections through the tunnel with no problems.  
Very cool.

And that's through PF firewalls on both machines, which added flavor  
to the exercise ;-)

One question... and maybe this is a general, philosophical question...

If autossh watches over my ssh tunnel, who or what watches over autossh?

As a related question, how can I make autossh start automatically  
after a reboot? At the moment, I start autossh from the command line,  
like so:

 > autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin at dbs.example.com

There doesn't seem to be an rc.d file for autossh... Do I have to  
figure out how to make one?

Not that this machine gets rebooted more than once a year, but so
far, everything running on this machine starts automatically, and I'd
like to keep it that way. Any tips much appreciated.

Thanks: John
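
Added example for the two questions above (a boot-time start for autossh, and what keeps the tunnel alive); this is not code from the thread or from the autossh port. It builds a hardened autossh command line for the MySQL forward and writes a FreeBSD rc.d script that runs it via daemon(8) as an unprivileged user. The user name "mysqltunnel", the key path, and the ports are assumptions; the rc.d script needs FreeBSD's /etc/rc.subr and /usr/sbin/daemon to actually run, while the generator itself only needs a POSIX sh. Unlike the command line in the message above, the listener is bound to 127.0.0.1 rather than opened with -g, so only processes on the application server can reach the tunnel endpoint, and the separate -M monitor port is replaced by SSH keepalives.

```shell
#!/bin/sh
# Added example, not part of the thread: builds a hardened autossh command
# for the MySQL tunnel and writes a FreeBSD rc.d script that starts it at
# boot. The user name, key path and port numbers below are assumptions.
# The rc.d script needs FreeBSD's /etc/rc.subr and daemon(8) to run; the
# generator itself only needs a POSIX sh.

TUNNEL_USER="${TUNNEL_USER:-mysqltunnel}"                      # assumed local unprivileged user
TUNNEL_KEY="${TUNNEL_KEY:-/home/mysqltunnel/.ssh/id_ed25519}"  # assumed key, no passphrase
REMOTE_USER="${REMOTE_USER:-admin}"
REMOTE_HOST="${REMOTE_HOST:-dbs.example.com}"
LOCAL_PORT="${LOCAL_PORT:-33006}"    # unused port on the application server
REMOTE_PORT="${REMOTE_PORT:-3306}"   # mysqld on the database server's loopback

# Print the autossh command line on stdout (one line, no trailing newline).
#   -M 0                  no extra monitor port; ssh keepalives detect a dead link
#   ServerAlive*          ssh gives up after 3 missed 30 s probes, autossh reconnects
#   ExitOnForwardFailure  if the -L listener cannot bind, ssh exits and autossh retries
#   StrictHostKeyChecking never accept an unknown or changed host key unattended
#   -L 127.0.0.1:...      listener bound to loopback only (no -g), so the tunnel
#                         endpoint is not exposed to other hosts
#   -N                    forwarding only, no remote shell
autossh_cmd() {
    printf '%s' "/usr/local/bin/autossh -M 0 -N -q \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \
-i ${TUNNEL_KEY} -L 127.0.0.1:${LOCAL_PORT}:127.0.0.1:${REMOTE_PORT} \
${REMOTE_USER}@${REMOTE_HOST}"
}

# Write an rc.d script named "autossh_mysql" into directory $1.
# daemon(8) detaches, drops to $autossh_mysql_user and records autossh's pid
# in $pidfile, so "service autossh_mysql stop|status" work; procname tells
# rc.subr that the pid belongs to autossh, not to daemon. AUTOSSH_GATETIME=0
# stops autossh from treating a quick first failure (network not yet up at
# boot) as fatal.
write_rc_script() {
    dir="$1"
    cat > "${dir}/autossh_mysql" <<EOF
#!/bin/sh
#
# PROVIDE: autossh_mysql
# REQUIRE: NETWORKING pf
# KEYWORD: shutdown
#
# Enable in /etc/rc.conf:  autossh_mysql_enable="YES"

. /etc/rc.subr

name="autossh_mysql"
rcvar="autossh_mysql_enable"
pidfile="/var/run/\${name}.pid"

load_rc_config \$name
: \${autossh_mysql_enable:=NO}
: \${autossh_mysql_user:=${TUNNEL_USER}}

command="/usr/sbin/daemon"
procname="/usr/local/bin/autossh"
command_args="-p \${pidfile} -u \${autossh_mysql_user} env AUTOSSH_GATETIME=0 $(autossh_cmd)"

run_rc_command "\$1"
EOF
    chmod 555 "${dir}/autossh_mysql"
}

# Usage: sh this_script.sh /usr/local/etc/rc.d   (then: service autossh_mysql start)
if [ $# -ge 1 ]; then
    write_rc_script "$1"
    printf 'wrote %s/autossh_mysql\n' "$1"
fi
```

Two things the script relies on but cannot set for you. On the database server, pair the tunnel key with `restrict,port-forwarding,permitopen="127.0.0.1:3306"` in front of it in the admin user's authorized_keys (the `restrict` keyword needs OpenSSH 7.2 or later; on older versions use `no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:3306"`), so a stolen key can open nothing but this one forward, and keep mysqld bound to 127.0.0.1 so the only path to it from outside is the tunnel. As for who watches autossh: with this script the answer is rc.d at boot and you after that; on current FreeBSD, daemon(8)'s `-r` flag will also respawn autossh if it dies, but then record the supervisor's pid with `-P` instead of the child's with `-p` (and drop the `procname` line) so that `service autossh_mysql stop` terminates the supervisor rather than a child it would immediately restart. PF on both ends only needs to pass TCP 22 from the application server to the database server; nothing on 3306 crosses the network.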

