Setting up Reverse SSH Tunnel

Setting up a reverse tunnel is useful if you want to open a dedicated connection from your bastion server to our tunnel server.

All connections from Holistics will then go through the tunnel for a more secure data transfer. All connections to your DB will look as if they originate from your bastion server.

Guide

We'll be using autossh to create the reverse SSH tunnel. autossh manages the SSH connection for us, restarting it whenever it dies or drops, so the tunnel stays up as persistently as possible.

Diagram

Generating SSH Key Pair

Generate a new SSH key pair with:

ssh-keygen -t rsa -b 4096

When asked for a passphrase, press 'Enter'. A pair of files (private and public key) will be created at the path you entered.

Already Have Key Pair

If you already have a key pair, please ensure your private key is readable only by your user account:

chmod 400 <path_to_your_private_key_file>

Send Us Your Key Pair

Send us the public key (file ~/.ssh/id_rsa.pub) via [email protected] so we can add it to our tunnel server.

We will confirm with you after we have installed your public key and send you the available secured ports to connect to. Make sure you have received the confirmation from us before you continue with the steps below; otherwise the command will fail.

Setting Up Tunnel

Install autossh:

sudo apt-get update
sudo apt-get install autossh

We'll be running autossh inside a screen session. You can run it as a background daemon too, but that is more difficult to manage. Install screen with sudo apt-get install screen, then run:

screen -S holistics

Now that you're inside a screen, start the tunnel (-M 0 disables autossh's own monitoring port; the ServerAlive options let SSH itself detect a dead connection so autossh can restart it):

autossh -M 0 -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \
-R *:[tunnel_port]:[yourdb.server.com]:[db_port] \
[email protected] -p 50022 \
-i <path_to_your_private_key_file>

Before you run it, change the second line so that the host and port match your database server, for example:

-R *:[tunnel_port]:[aws.ip.to.redshift.com]:[redshift_port]

Example of a command:

autossh -M 0 -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \
  -R *:20032:db.somehost.com:5432 \
  [email protected] -p 50022 \
  -i ~/.ssh/id_rsa

In the above example:

  • Your db host is: db.somehost.com, port 5432 (PostgreSQL)
  • The tunnel port you choose is: 20032

Notes:

  • [tunnel_port] is the port we'll use when connecting to tunnel.holistics.io. We've opened up the range 20000:20100 for tunneling purposes, so if you create a second tunnel, please pick another port in this range.
  • We've restricted traffic for tunnel.holistics.io port 20000:20100 to only the Holistics web server, so connecting to these ports from other computers will not succeed.
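As an added example (not part of the Holistics guide), the small POSIX sh wrapper below checks the two prerequisites the guide lists (a tunnel port inside 20000:20100 and a private key readable only by its owner) before printing the autossh command from the steps above. The tunnel user name is a placeholder you replace with the one Holistics gives you; host and SSH port are the ones from this guide.

```shell
#!/bin/sh
# Added example, not from the Holistics guide.
TUNNEL_HOST="tunnel.holistics.io"        # from the guide
TUNNEL_SSH_PORT="50022"                  # from the guide
TUNNEL_USER="REPLACE_WITH_TUNNEL_USER"   # placeholder: use the user Holistics gives you

# Returns 0 if $1 is a number within the range Holistics opened (20000-20100).
tunnel_port_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 20000 ] && [ "$1" -le 20100 ]
}

# Returns 0 if the private key exists and is readable only by its owner
# (mode 400 as the guide asks, or 600 as ssh-keygen creates it).
key_perms_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
  [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Validates the inputs, then prints the autossh command line the guide describes.
# Usage: build_autossh_cmd <tunnel_port> <db_host> <db_port> <private_key_path>
build_autossh_cmd() {
  tunnel_port=$1; db_host=$2; db_port=$3; key=$4
  tunnel_port_ok "$tunnel_port" || { echo "tunnel port must be within 20000-20100" >&2; return 1; }
  key_perms_ok "$key" || { echo "private key $key is missing or not mode 400/600" >&2; return 1; }
  printf 'autossh -M 0 -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -R *:%s:%s:%s %s@%s -p %s -i %s\n' \
    "$tunnel_port" "$db_host" "$db_port" "$TUNNEL_USER" "$TUNNEL_HOST" "$TUNNEL_SSH_PORT" "$key"
}
```

Run the printed command inside the screen session, or wrap it in `eval "$(build_autossh_cmd 20032 db.somehost.com 5432 ~/.ssh/id_rsa)"` once the checks pass.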

Add New Data Source

Now open Holistics and add a data source using your existing database credentials, except for:

  • Host: tunnel.holistics.io
  • Port: [tunnel_port]


You should be good to go.

About GNU screen:

  • To exit the screen: Ctrl-a d
  • To enter the screen again: screen -x holistics