Date:      Tue, 23 Sep 2008 15:09:05 +0100
From:      Vincent Hoffman <vince@unsane.co.uk>
To:        John Almberg <jalmberg@identry.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: mysql connection through ssl tunnel
Message-ID:  <48D8F881.1010000@unsane.co.uk>
In-Reply-To: <8B945891-5F96-4FBF-8175-15F67F03DD92@identry.com>
References:  <8B945891-5F96-4FBF-8175-15F67F03DD92@identry.com>

John Almberg wrote:
> I have two FreeBSD machines. One is an application server, the other a
> database server running mysql. These machines are in two different
> locations. I'd like to allow the application server to access mysql
> through an SSH tunnel.
>
> Being a newbie admin, I've never set up an SSH tunnel. I've been
> reading about them all morning and (as always) there seems to be more
> than one way to skin this cat.
>
> I'm looking for ease of set up and maintenance, as well as security
> (which I assume is a given.) I'd prefer NOT to have to recompile the
> kernels (pure cowardice... the application server is a production
> server that I don't want to experiment with.) Both servers have OpenSSL.
>
> Any recommendations, much appreciated.
>
> Thanks: John
>

A very basic ssh tunnel is as simple as
ssh -L3306:127.0.0.1:3306 user@remote.host

This will forward any connections to localhost on port 3306 through the
ssh connection to remote.host then on to localhost at that end on port
3306. If you have mysql running on the app server as well, then change
-L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306  where 33006 is an
unused tcp port on the application server. If you do use an ssh tunnel
you may want to use security/autossh which will monitor the tunnel and
re-establish it if it loses connection for some reason.

You could also look at using stunnel to use an SSL tunnel rather than an
ssh tunnel (see http://www.stunnel.org/examples/mysql.html for a basic
example). I haven't used this on FreeBSD (never needed it) so the port may
install an easier way of setting up persistent tunnels.


Vince
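
Added example, not part of the message above: a shell sketch that picks the local port as the reply describes (3306, or 33006 when a local mysql already holds 3306) and prints a forward-only tunnel command. The sockstat sample is constructed, the function names are hypothetical, and the keep-alive values are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original e-mail): choose the local port and
# build a forward-only tunnel command. Nothing here opens a connection.

REMOTE="user@remote.host"   # placeholder taken from the e-mail
DB_PORT=3306                # MySQL port on the database server
ALT_PORT=33006              # alternate local port suggested in the e-mail

# Constructed sample of `sockstat -4 -l` output on the application server.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     812   10 tcp4   127.0.0.1:3306        *:*
root     sshd       700   3  tcp4   *:22                  *:*'

# listening_ports: read sockstat-style text on stdin, print one TCP port per line.
listening_ports() {
    awk 'NR > 1 && $5 ~ /^tcp/ { n = split($6, a, ":"); print a[n] }'
}

# pick_local_port SOCKSTAT_TEXT: 3306 if free, else 33006; fail if both are taken.
pick_local_port() {
    busy=$(printf '%s\n' "$1" | listening_ports)
    for p in "$DB_PORT" "$ALT_PORT"; do
        if ! printf '%s\n' "$busy" | grep -qx "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# tunnel_cmd LOCAL_PORT: print the ssh command line.
#  -N                      no remote command, forwarding only
#  ExitOnForwardFailure    exit instead of running without the forward
#  ServerAlive*            notice a dead link so a supervisor can restart it
#  127.0.0.1 bind address  listener reachable from this host only
tunnel_cmd() {
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
         "-o ServerAliveCountMax=3 -L 127.0.0.1:$1:127.0.0.1:$DB_PORT $REMOTE"
}

port=$(pick_local_port "$SAMPLE_SOCKSTAT") && tunnel_cmd "$port"
```

On the database server, the key used for the tunnel can be limited to this one forward with permitopen="127.0.0.1:3306" in authorized_keys.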
