From owner-freebsd-questions@FreeBSD.ORG Mon Oct 20 19:25:26 2008
From: John Almberg
Date: Mon, 20 Oct 2008 15:25:23 -0400
To: freebsd-questions@freebsd.org
Subject: Re: mysql connection through ssl tunnel
Message-Id: <912A74FB-0292-4A53-B480-34FE69D9C465@identry.com>
In-Reply-To: <48D8F881.1010000@unsane.co.uk>
References: <8B945891-5F96-4FBF-8175-15F67F03DD92@identry.com> <48D8F881.1010000@unsane.co.uk>

On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

> John Almberg wrote:
>> I have two FreeBSD machines. One is an application server, the other a
>> database server running mysql. These machines are in two different
>> locations. I'd like to allow the application server to access mysql
>> through an SSH tunnel.
>>
>> Being a newbie admin, I've never set up an SSH tunnel. I've been
>> reading about them all morning and (as always) there seems to be more
>> than one way to skin this cat.
>>
>> I'm looking for ease of set up and maintenance, as well as security
>> (which I assume is a given.) I'd prefer NOT to have to recompile the
>> kernels (pure cowardice... the application server is a production
>> server that I don't want to experiment with.) Both servers have
>> OpenSSL.
>>
>> Any recommendations, much appreciated.
>>
>> Thanks: John
>>
>
> A very basic ssh tunnel is as simple as
> ssh -L3306:127.0.0.1:3306 user@remote.host
>
> This will forward any connections to localhost on port 3306 through the
> ssh connection to remote.host then on to localhost at that end on port
> 3306. If you have mysql running on the app server as well then change
> -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306 where 33006 is an
> unused tcp port on the application server. If you do use an ssh tunnel
> you may want to use security/autossh which will monitor the tunnel and
> re-establish it if it loses connection for some reason.

After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)

One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh?

As a related question, how can I make autossh start automatically after a reboot? At the moment, I start autossh from the command line, like so:

> autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin@dbs.example.com

There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one? Not that this machine gets rebooted more than once a year, but so far, everything running on this machine starts automatically, and I'd like to keep it that way.

Any tips much appreciated.

Thanks: John
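An added example, not from the thread or from the security/autossh port: a POSIX sh helper that builds the tunnel command from the thread with a tighter bind (no -g, so only the app server itself can reach port 33006) and ssh keepalives, plus a pidfile check of the kind a boot script or cron job could use to watch autossh itself. The function names, the monitor port default and the option values are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper for the MySQL-over-SSH tunnel discussed above.
# Assumes autossh and ssh are installed; nothing here is from the autossh port.

# tunnel_cmd LOCAL_PORT REMOTE_USER REMOTE_HOST [MONITOR_PORT]
# Prints the autossh command line to start at boot, or fails on bad input.
tunnel_cmd() {
    local_port=$1; user=$2; host=$3; monitor=${4:-20000}
    # Both ports must be numeric, in range, and distinct: autossh needs the
    # monitor port (and monitor+1) free, and the forward must not collide.
    for p in "$local_port" "$monitor"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    if [ "$local_port" -eq "$monitor" ]; then
        echo "monitor port must differ from local port" >&2; return 1
    fi
    cmd="autossh -M $monitor -f -N"
    # Let ssh itself notice a dead link so autossh can restart it promptly.
    cmd="$cmd -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    # Exit instead of running without the forward if the local port is taken.
    cmd="$cmd -o ExitOnForwardFailure=yes"
    # Bind explicitly to 127.0.0.1 (the thread's -g would listen on all
    # interfaces and expose the database tunnel to anything PF lets in).
    cmd="$cmd -L 127.0.0.1:$local_port:127.0.0.1:3306 $user@$host"
    printf '%s\n' "$cmd"
}

# tunnel_alive PIDFILE: succeeds only if PIDFILE names a running process.
# A periodic cron job can call this and re-run tunnel_cmd when it fails.
tunnel_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}
```

A FreeBSD rc.d script would wrap these two functions in its start and status methods and write the pidfile from the autossh process.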