This can be done in one of two ways:
- Allow Xplenty direct access to your server by opening a firewall rule.
- Create a reverse SSH tunnel from your network to Xplenty's network.
Provide Xplenty access to your server from Xplenty's network:
- Allow access to your server's host and port from Xplenty's IP addresses.
- Create a user and grant it the minimum permissions required for Xplenty to read data from or write data to the server.
- (See these articles for details of setting up secure access for Amazon Relational Database Service (RDS) and for Amazon Redshift)
Reverse SSH Tunnel
SSH (secure shell) tunneling is the process of forwarding selected ports through an authenticated and encrypted tunnel. In many cases, SSH tunneling is used to connect to a remote server that is secured behind a restrictive firewall or other network restrictions. We recommend that you use autossh, which starts an instance of the ssh client and monitors it, restarting it as necessary should it die or stop passing traffic. In order to allow Xplenty to connect to your server through an SSH tunnel, you have to complete the following steps:
Add a public key in your user settings. The public key will be propagated to all Xplenty servers within 30 minutes.
Create a Tunnel Connection in Xplenty. Name your connection. Select Tunnel Connection from the Access Type dropdown menu. Enter the Database name, User name, and Password. Click Create connection. It will fail because we haven't created the tunnel yet, but the light blue box will appear and you will be able to retrieve Xplenty's tunnel server (the Xplenty server endpoint, which is everything before the colon) and connection port (the number after the colon).
- If you're running Windows, see here about opening an SSH tunnel. If you're on Linux, install autossh on either the target server or a server that has access to it. On Ubuntu/Debian, for example, you can install it using apt-get:
sudo apt-get install autossh
For other Linux distributions, follow the instructions here.
- Create directories to keep logs and pid files for the connection. For example:
mkdir -p ~/MyDB/logs ~/MyDB/run
- Add Xplenty's server public key to a known_hosts file. For example:
ssh-keyscan -p 50683 <Xplenty server> >> ~/MyDB/known_hosts
- You can test the tunnel using ssh. Use the following syntax and insert your information at the placeholders:
ssh -NR <connection port>:<my server>:<local port> sshtunnel@<Xplenty server> -g -i <private key file> -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -v
- Run autossh. Use the following syntax and insert your information at the placeholders:
AUTOSSH_LOGFILE=~/MyDB/logs/tunnel.log AUTOSSH_PIDFILE=~/MyDB/run/autossh.pid autossh -M 0 -f -N -R <connection port>:<my server>:<local port> sshtunnel@<Xplenty server> -g -i <path to private key> -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o UserKnownHostsFile=<path to known_hosts file>
For example, if you open the tunnel to a database that listens on port 5432 on host mydbserver, and the connection's assigned host and port at Xplenty are tunnel.xplenty.com and 12345 (note that the ssh port on Xplenty's servers is 50683):
AUTOSSH_LOGFILE=~/MyDB/logs/tunnel.log AUTOSSH_PIDFILE=~/MyDB/run/autossh.pid autossh -M 0 -f -N -R 12345:mydbserver:5432 sshtunnel@tunnel.xplenty.com -g -i ~/.ssh/id_rsa -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o UserKnownHostsFile=~/MyDB/known_hosts
- Add a crontab record to run autossh automatically so the tunnel reconnects after reboots. For example:
@reboot AUTOSSH_LOGFILE=~/MyDB/logs/tunnel.log AUTOSSH_PIDFILE=~/MyDB/run/autossh.pid autossh -M 0 -f -N -R 12345:mydbserver:5432 sshtunnel@tunnel.xplenty.com -g -i ~/.ssh/id_rsa -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o UserKnownHostsFile=~/MyDB/known_hosts
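As an added example (not part of the Xplenty article or product), the following POSIX shell helper wraps the autossh command above in start/status/stop functions and refuses to start until the Xplenty host key has been pinned in the known_hosts file by the ssh-keyscan step. The function names, the TUNNEL_DIR variable and the extra StrictHostKeyChecking/IdentitiesOnly options are assumptions of this example; the user sshtunnel, port 50683 and the ~/MyDB layout are the article's.

```shell
#!/bin/sh
# Added helper (not Xplenty's own script) around the article's autossh command.
# Assumes the article's layout: ~/MyDB/{known_hosts,logs,run}, user "sshtunnel"
# and ssh port 50683 on the Xplenty side; the forward parameters are arguments.
XPLENTY_SSH_PORT=50683
TUNNEL_DIR="${TUNNEL_DIR:-$HOME/MyDB}"
KNOWN_HOSTS="$TUNNEL_DIR/known_hosts"
PIDFILE="$TUNNEL_DIR/run/autossh.pid"
LOGFILE="$TUNNEL_DIR/logs/tunnel.log"

# 0 if $1 (a known_hosts file) pins a key for host $2 on port $3. ssh-keyscan -p
# writes "[host]:port keytype key"; comment lines and hashed entries are skipped.
known_hosts_has_host() {
    [ -r "$1" ] || return 1
    grep -Ev '^(#|\|1\|)' "$1" | awk -v want="[$2]:$3" '
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the autossh command line: $1=connection port, $2=my server, $3=local port,
# $4=Xplenty server, $5=private key. -M 0 disables autossh's monitor port, so
# liveness comes from ServerAliveInterval/CountMax. Beyond the article's flags it
# sets StrictHostKeyChecking=yes (a changed host key fails instead of prompting)
# and IdentitiesOnly=yes (only the named key is offered); -g is dropped because
# it only affects local (-L) forwards.
build_autossh_cmd() {
    printf '%s' "autossh -M 0 -f -N -R $1:$2:$3 sshtunnel@$4 -i $5 -p $XPLENTY_SSH_PORT" \
        " -o ExitOnForwardFailure=yes -o ServerAliveInterval=10 -o ServerAliveCountMax=1" \
        " -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -o UserKnownHostsFile=$KNOWN_HOSTS"
}

# Refuse to start unless the Xplenty host key was pinned with ssh-keyscan first.
tunnel_start() {
    mkdir -p "$TUNNEL_DIR/logs" "$TUNNEL_DIR/run"
    known_hosts_has_host "$KNOWN_HOSTS" "$4" "$XPLENTY_SSH_PORT" || {
        echo "no pinned key for [$4]:$XPLENTY_SSH_PORT in $KNOWN_HOSTS; run ssh-keyscan first" >&2
        return 1
    }
    AUTOSSH_LOGFILE="$LOGFILE" AUTOSSH_PIDFILE="$PIDFILE" sh -c "$(build_autossh_cmd "$@")"
}

# 0 if the pid recorded in $1 is still running, 1 otherwise.
tunnel_status() {
    [ -r "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

tunnel_stop() {
    tunnel_status "$PIDFILE" && kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}
```

Source the file and, after the ssh-keyscan step, call `tunnel_start 12345 mydbserver 5432 tunnel.xplenty.com ~/.ssh/id_rsa`; the crontab @reboot entry can invoke the same function, and `tunnel_status "$PIDFILE"` tells a monitoring job whether autossh is still alive.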