I'm developing javascript applications in Webstorm. For now I am connecting to a remote deployment server through sftp. (tools > deployment)
For security reasons we want to do it this way:
First make an ssh connection (tunnel) to server1, and from there connect to server2/devFolder.
Is this possible in Webstorm? Any plug-ins?
Even if it isn't possible directly with Webstorm, you can always make a tunnel through server1 to server2 with ssh. You do need an account on both servers, and you need to setup agent forwarding, so you don't need your private key on server1.
I do this frequently.
Let's say server2 is on a private network only accessible from server1, here's how you'd setup a tunnel to server2 (assume it's 10.0.0.5, and x.x.x.x is the ip of server1 on your workstation:
ssh -f you#x.x.x.x -L 2022:10.0.0.5:22 -N
Now that you have the tunnel up, just connect with Webstorm using localhost:2022.
The only thing you need in Webstorm to make this work is the ability to change the default sftp port in the config to 2022.
Related
Can DBeaver create two SSH tunnels and then connect to a database?
I have successfully created one SSH tunnel but not two.
I am trying to connect to an AWS RDS database via Bastion host. Bastion host only allows SSH access from my corporate IP range.
This means that when I am in the office I can connect to the RDS from DBeaver just fine:
My computer is in the allowed IP range
DBeaver creates an SSH tunnel to a Bastion host in my VPC inside the AWS cloud
DBeaver connects to the RDS database
The issue arises when I work from home.
I would have to add "zero" step to have an allowed IP address for the Bastion host connection:
0) Connect to the machine inside the office
I have not yet managed to achieve this. Has anyone got an idea of how to do this?
Kudos to #erik258 for pointing me in the right direction.
I have created an SSH tunnel between an office machine and the Bastion host. When in the office machine, when I access http://localhost:<local_port> I am in effect communicating with the <RDS_endpoint> on port <remote_port>.
Steps:
Create an SSH tunnel from the office machine to the Bastion host. Source
$ ssh -L <local_port>:<RDS_endpoint>:<remote_port> -i <path_to_ssh_key> ec2-user#<Bastion_host public IP>
<local_port> - random port
<remote_port> - port RDS endpoint listens to (5432 for PostgreSQL)
<RDS_endpoint> - endpoint specified on the AWS RDS page
Create DBeaver connection. In the "SSH" section specify your office machine. In "Main" section, set "Host" as localhost, and "Port" as <local_port>.
Background
Three subnets exist in an AZ in AWS. Two of them are private and one is public.
The Public Subnet has a Jumpbox which can be connected to from my local machine via ssh using a pem file (Sample - ssh -i my-key-file.pem ec2-user#host1
The First private subnet has an EC2 Instance that acts as a Application Server. It can only be reached from the Jumbox via ssh. The same pem file is used here. (Sample - ssh -i my-key-file.pem ec2-user#host2). This command is executed on host1.
The second private subnet hosts an Oracle Instance using AWS RDS Service. It is running on port 1521. The DB Can only be accessed from the App Server/host2.
How I am working currently
host2 has sqlplus client installed.
First,I connect to host1, then to host2, and then execute sqlplus to execute Queries at the Command line (No GUI).
I am planning to use GUI tools like SQL Developer to connect right from my local machine. I thought using Port forwarding/SSH Tunneling It can be achieved.
I tried using different options, but with no success. The following links are useful:
https://superuser.com/questions/96489/an-ssh-tunnel-via-multiple-hops
https://rufflewind.com/2014-03-02/ssh-port-forwarding
My Approach to SSH Tunneling
ssh -N -L 9999:127.0.0.1:1234 ec2-user#host1 -i my-key-file.pem -v -v -v
This is executed on my local machine.
It does not do much as I can already connect to host1 using ssh. I did not know how to forward many levels. Using this host as my first hop. After this, ssh listens on port 9999 which is Local to my machine. It forwards any traffic to host1 to Port 1234. My assumption is that, If I use sqlplus on my local machine connecting to localhost:9999, the traffic will arrive at host1:1234
I used 127.0.0.1 because the target of SSH tunneling is with respect to the SSH Server, which is host1. Basically, Both Target, SSH Server are on the same host.
ssh -N -L 1234:db-host:1521 ec2-user#host2 -i my-key-file.pem -v -v- v
This is executed on host1
After this, ssh forwards any incoming traffic on port 1234 to target host (DB Host)/1521 using host2 as the Tunnel.
Again, my assumption is that, ssh is listening on port 1234 on host1. Any traffic arriving from anywhere will be delivered to DB Host using host2 as the tunnel.
I executed both commands and did not see any error. I verified which ports are listening using netstat -tulpn | grep LISTEN.
After these two, My plan was to connect to the Database using Hostname as localhost and Port number as 9999.
What's going wrong !
But when I try to connect to the DB from my local machine, getting an error from my SQL Client Got minus one from a read call. I could not understand the Debug messages from ssh logs.
I believe my understanding of how port forwarding works might not be right. Any inputs would be helpful.
Thanks for your time !
I'm attempting to find a completely remote / cloud-based development workflow.
I've created an aws free-tier ec2 instance and on that box I've been developing a gatsby site (the framework doesn't matter, the solution I'm looking for should be framework agnostic). Since the code is on another box, I can't run the dev server and then from the local computer hit localhost as I would normally.
So,
What do I need to do so that I can run gatsby develop and hit my dev server that's hosted on the ec2 box?
How do I provide public access to that endpoint?
Is it possible to provide temporary access so that when I log off of the box, it's no longer accessible?
Is there some mechanism I can put into place so that I'm the only one that can hit that endpoint?
Are there other features that I should be taking advantage to secure that endpoint?
Thanks.
I can't run the dev server and then from the local computer hit localhost as I would normally
You can. You can use ssh to tunnel your remote port to your localhost, and access the server from your localhost.
What do I need to do so that I can run gatsby develop and hit my dev server that's hosted on the ec2 box?
ssh into the dev server, run gatsby develop and either access it on localhost through ssh tunnel or make it public to access through its public IP address.
Use sshfs to mount a development folder on the dev server onto your localhost.
Alternatively, you can setup vncserver on the dev server, tunnel vnc connection using ssh, and access the dev server using through a remove desktop. Something liteweight would be good, e.g. fluxbox as a desktop environment for vnc.
Is it possible to provide temporary access so that when I log off of the box, it's no longer accessible?
yes. through ssh tunnel. You close tunnel and the access is finished.
Is there some mechanism I can put into place so that I'm the only one that can hit that endpoint?
ssh tunnel along with security group to allow ssh for your IP address only.
Are there other features that I should be taking advantage to secure that endpoint?
Security groups and ssh tunneling would be primary choices to ensure secure access to the dev server.
You can also make the endpoint public, but set security group of your dev server to allow internet access only from your IP.
You could also put the dev server in a private subnet for full separation from the internet. Use bastion host to access it or setup double ssh tunnel to your localhost.
Other way is to do all development on localhost, push code to CodeCommit and have CodePipeline manage deployment of your code to your dev server using CodeDeploy.
You can also partially eliminate ssh by using SSM Session Manager.
Hope this helps.
Does anyone have an idea on steps of setting up an SSH tunnel for the CloudFoundry? I want to do remote debugging on cloud, but am blocked behind a firewall. So need to setup an SSH tunnel for that.
I wrote a blog post on setting up remote debugging for Java apps on Cloud Foundry. It covers using an SSH Tunnel to work around a firewall / NAT.
The answer from the article is this...
Obtain a public server.
Install SSHD. Edit /etc/ssh/sshd_config, add or set GatewayPorts to yes. Restart SSHD.
On your local machine run ssh -f -N -T -R 0.0.0.0:<public-port>:127.0.0.1:<debugger-port> <user>#<public-server-ip> (Windows users can use cygwin or possibly Putty, although the command will be different). This will instruct SSH to connect to the remote host, setup a reverse tunnel and go into the background. The reverse tunnel will listen on your public server on the port you specify (i.e. public-port) and forward traffic to the debugger port on your local machine. You can use different port numbers, but it is easiest if you just use the same port.
Start the debugger and listen on the same port (i.e. debugger-port) that you used in the SSH command.
Edit your manifest.yml file. Set JAVA_OPTS to -agentlib:jdwp=transport=dt_socket,address=<your-ip>:<your-port>.
Run cf push.
For a gentler walk through, see the post.
I'm a total newbie when it comes to servers and EC2 but I have an EC2 instance running which was stopped and restarted. Since that I haven't been able to connect via a web-browser to the site but can connect via SSH. Are there any ideas why this could be the case?
Here is the debug checklist:
Check your server, make sure it is up and running in AWS management console.
Check port security setting, from your local machine. If it is close open it in security group.
telnet your_ip 80 # Check http port
telnet your_ip 22 # Check SSH port
Check your web server, Apache, Nginx, etc. If you cannot find your process, start it.
ps -ef | grep -e nginx -e httpd -e apache
Check your virtual host config, make sure you web server is listening to port 80 (http) or 443 (https).
Run chkconfig and make sure your web server will start as a service.
Check the security group in your instance property, it is probably allowing only SSH (default), you may want to add a inbound rule allowing HTTP traffic.