From: Vincent Hoffman <vince@unsane.co.uk>
Date: Tue, 23 Sep 2008 15:09:05 +0100
To: John Almberg
Cc: freebsd-questions@freebsd.org
Subject: Re: mysql connection through ssl tunnel
Message-ID: <48D8F881.1010000@unsane.co.uk>
In-Reply-To: <8B945891-5F96-4FBF-8175-15F67F03DD92@identry.com>

John Almberg wrote:
> I have two FreeBSD machines. One is an application server, the other a
> database server running mysql. These machines are in two different
> locations. I'd like to allow the application server to access mysql
> through an SSH tunnel.
>
> Being a newbie admin, I've never set up an SSH tunnel. I've been
> reading about them all morning and (as always) there seems to be more
> than one way to skin this cat.
>
> I'm looking for ease of set up and maintenance, as well as security
> (which I assume is a given.) I'd prefer NOT to have to recompile the
> kernels (pure cowardice... the application server is a production
> server that I don't want to experiment with.) Both servers have OpenSSL.
>
> Any recommendations, much appreciated.
>
> Thanks: John
>

A very basic ssh tunnel is as simple as

    ssh -L3306:127.0.0.1:3306 user@remote.host

This will forward any connections to localhost on port 3306 through the ssh connection to remote.host, then on to localhost at that end on port 3306. If you have mysql running on the app server as well, then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306, where 33006 is an unused tcp port on the application server.

If you do use an ssh tunnel you may want to use security/autossh, which will monitor the tunnel and re-establish it if it loses connection for some reason.

You could also look at using stunnel to use an ssl tunnel rather than an ssh tunnel (see http://www.stunnel.org/examples/mysql.html for a basic example). I haven't used this on FreeBSD (never needed it) so the port may install an easier way of setting up persistent tunnels.

Vince

> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
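The ssh -L form and the security/autossh suggestion from the reply above, worked into one POSIX sh script as an added example (not code from the list post or from the FreeBSD project). remote.host, the "tunnel" account and port 33006 are assumptions; the script only adds the ssh and mysql client options a defender would want around the forward.

```shell
#!/bin/sh
# Added example, not from the list post or the FreeBSD project. It wraps the
# reply's "ssh -L" form in a loopback-only forward kept alive by
# security/autossh. remote.host, the "tunnel" account and port 33006 are assumed.

DB_HOST="remote.host"      # assumed: database server, reachable over SSH
TUNNEL_USER="tunnel"       # assumed: unprivileged account used only for the tunnel
LOCAL_PORT="33006"         # unused TCP port on the application server
REMOTE_PORT="3306"         # mysqld on the database server's loopback

# Arguments for ssh(1):
#   -L 127.0.0.1:PORT:...   explicit loopback bind, so a GatewayPorts setting in
#                           ssh_config cannot expose the forward on other interfaces
#   -N                      no remote shell; the account only relays the port
#   ExitOnForwardFailure    exit instead of silently running without the forward
#   ServerAlive*            notice a dead link so autossh can reconnect
ssh_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:${LOCAL_PORT}:127.0.0.1:${REMOTE_PORT} ${TUNNEL_USER}@${DB_HOST}"
}

# Client side: force TCP. With "-h localhost" the mysql client silently picks the
# Unix socket of any mysqld on the application server instead of the tunnel.
mysql_args() {
    printf '%s' "--protocol=TCP -h 127.0.0.1 -P ${LOCAL_PORT}"
}

# autossh -M 0 relies on the ServerAlive options instead of its own monitor port;
# -f backgrounds it once the first connection (and therefore the forward) is up.
start_tunnel() {
    # word splitting of $(ssh_args) is intended: none of the arguments contain spaces
    autossh -M 0 -f $(ssh_args)
}

# Usage: sh mysql-tunnel.sh start
#        mysql $(sh mysql-tunnel.sh mysql-args) -u appuser -p
case "${1:-}" in
    start)      start_tunnel ;;
    mysql-args) mysql_args ;;
esac
```

On the database server the matching step is to keep mysqld bound to 127.0.0.1 and grant the application account only from localhost, so the tunnel is the only path to port 3306.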