![]() ![]() It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. I believe you can also apply security groups to your RDS instances to simply whitelist connections from certain public IP addresses/networks, but use with caution.A Bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. So I would suggest this approach for local dev/remote access only.įor a persistent connection that you might want to use to connect services/websites over, I would suggest some form of VPN depending on your particular requirements. This is because I have found SSH tunnels to be finnicky, and they do not re-establish themselves after an interruption unless you're using a wrapper script, which is another layer of kludge. To close the connection/turn off the tunnel issue ssh -O exit I would not suggest using SSH tunnels for anything intended to be unattended. To create an SSH tunnel on the command line: ssh -N -L 3306::3306 you should be able to connect via 127.0.0.1:3306 in your PHP script. I would suggest not attempting to establish the tunnel in the context of a PHP script at all, as every request will open another connection and tunnel, potentially creating a lot of overhead on the bastion's SSH server. Also Unix sockets and TCP are very different beasts, so I would suggest not trying to follow that thread any further. It does not create a tunnel like the ssh CLI binary does. Ssh2_tunnel() returns a raw socket resource, which is not going to be usable by any MySQL client libraries. If you know anything or find anything, please tell me, it would mean a lot. I am quite confused as if it is possible to do so, and if so, how. But where is the $tunnel stream really stored ? I am not sure. It's using my own mysqld.sock from my local machine. I have seen a few examples online of some users using, instead of my $db line : $db = new PDO('mysql:unix_socket=/var/run/mysqld/mysqld.sock dbname=myawsdbname,'myusertoaccessmyawsdb','mypasstoaccessmyawsdb') īut this is not working, as I don't have access to this mysql.sock resource as it should be on the bastion host. I think the problem is that when I want to create my new PDO object, I am not whitelisted to access the resource, which means I have to use that $tunnel variable somewhere. I even tried to connect directly to the aws db, and I get disconnected, which means that my bastion host is clearly whitelisted to access the db. ![]() ] 5.5.5-xx.x.xx-MariaDB-xxxxxxmysql_native_password", which means everything works fine. Connected to 'canonical domain name of the db'. ![]() I have tried to connect to the db from the bastion host (by ssh) through my shell, everything works fine, I am greeted by the "Trying 'IPOFTHEAWSDB'. I am trying to create a tunnel using ssh2_tunnel() to a remote AWS database, after being connected in ssh to the bastion host, via php, that has access to this remote MySql db.ĭue to this $db line, I get on my localhost page "Uncaught PDOException: SQLSTATE Connection timed out. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |