I am attempting to tunnel from my localhost (on port 24000) via a Bastion box to my mongo instance (on 27017) that is only available via the VPC private subnet so that I may develop locally whilst connected to the staging db. Using this tunnel command on my OSX box:
ssh -A -L 24000:ip-10-0-11-11.ec2.internal:27017 ec2-3-211-555-333.compute-1.amazonaws.com -N -v
"ip-10-0-11-11.ec2.internal" is the mongo box.
"ec2-3-211-555-333.compute-1.amazonaws.com" is the bastion box.
Aiming to bind local port 24000 to the bastion then from there to the mongo box on 27017.
However upon trying to connect via the tunnel from my local box with:
mongo -u dbUser localhost:24000/db-name
The connection is timing out. Below is the verbose output from ssh tunnel command (presumably from the bastion?).
debug1: channel 3: free: direct-tcpip: listening port 24000 for ip-10-0-11-11.ec2.internal port 27017, connect from 127.0.0.1 port 63451 to 127.0.0.1 port 24000, nchannels 4
channel 4: open failed: connect failed: Connection timed out
Seems to try to be working but it is just not. Any and all help would be appreciated! I do have ssh forwarding enabled on the bastion via the sshd config. I can also connect to the mongo instance while on the bastion no problem.
Circling back... not sure how I got it working or why it wasn't working, but for those looking forward the ssh command to open a tunnel forwarding the keys in your ssh-agent this command is indeed the way todo.
ssh -A -L 24000:ip-10-0-20-141.ec2.internal:27017 ec2-54-165-159-177.compute-1.amazonaws.com -N -v
Related
I am trying to setup an SSH tunnel to a mongoDB cluster hosted In Atlas. I setup the tunnel with the below command
ssh -i <key_file> -N -L <localport>:<atlas_node_hostname>:<atlas_port> <remote_user>#<remote_ip>
And added the atlas_node_hostname in
/etc/hosts
From the machine where I created the SSH tunnel, I can connect to atlas db with the atlas_node_hostname mentioned in the string.
mongo --ssl "mongodb://<username>:<password>#<atlas_node_hostname>:<ssh_tunnel_local_port>/<db_name>?authSource=admin"
But I want to connect using 127.0.0.1 instead of the atlas_node_hostname, this is so that I can give devs access only to the machine where the tunnel is running and they can connect to the DB.
mongo --ssl "mongodb://<username>:<password>#<127.0.0.1:<ssh_tunnel_local_port>/<db_name>?authSource=admin"
But with the above attempt I get the below error
Error: couldn't connect to server 127.0.0.1:27779, connection attempt failed: SSLHandshakeFailed: The server certificate does not match the host name. Hostname: 127.0.0.1 does not match SAN(s): *.345ed5412fd76fb84cd13794.utkqs.mongodb.net, *.utkqs.mesh.mongodb.net, *.utkqs.mongodb.net, CN: *.utkqs.mongodb.net :
Is there any way I can get it working with the 127.0.0.1 instead of giving the atlas_node_hostname? Or any tool that can proxy Atlas MongoDB?
I have an ssh config file like this.
I have a proxy jump to host1 from test2.
Host host1
Hostname xxxxxx.us-east-1.elb.amazonaws.com
Port 2222
User xxxx
IdentityFile ~/.ssh/cert
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
KeepAlive yes
ServerAliveInterval 30
ServerAliveCountMax 30
Host test2
Hostname xx.xxx.xx.xxx
ProxyCommand ssh.exe host1 -q -W %h:%p host1
User ubuntu
IdentityFile ~/.ssh/cert
KeepAlive yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
ServerAliveInterval 30
ServerAliveCountMax 30
My mongo db host : xxx-nonprod.cluster-xx.us-east-1.docdb.amazonaws.com
I have to Use SSH Tunneling to Mongodb using Host test2, But it uses Proxy Jump using ProxyCommand
I want to connect to mongodb using SSH Tunneling with a Mongo DB Compass and also with node js mongoose.
How Can I connect using the Mongo DB Compass?
Here I don't have an option to enter ProxyCommand details.
How Can I connect using node js?
I am using tunnel-ssh, I have a reference code ,
var config = {
username:'ubuntu',
host:'xx.xxx.xx.xxx',
agent : process.env.SSH_AUTH_SOCK,
privateKey:require('fs').readFileSync('~/.ssh/cert'),
port:22,
dstPort:27017
};
var server = tunnel(config, function (error, server) {
});
Here as well how can I enter ProxyCommand details here? Or please suggest any node js package which solves this problem.
I am able to connect to the database now.
Make a tunnel through Bastion to the Database from the terminal.
ssh -L 27017:{mongodb-host}:27017 host1
I am able to connect to database via the tunnel from localhost in another terminal.
mongo --host 127.0.0.1:27017 --username {username} --password {password}
So I am able to connect through mongoose too using connection string.
mongodb://dbadmin:{username}:{password}#localhost:27017
I have a Postgres instance under the private subnet, I don't have VPN configured to connect, even it's not allowed with my Bastion ( jump node ).
Is there any way to connect it through my local machine to testing for development?
The default port is 5432.
and I have ssh access to my application server through Bastion node.
Port Forwarding is a process where you can establish a connection from your computer (on the Internet) into the Bastion server, and then forward traffic to the database.
ssh -i key.pem ec2-user#BATION-IP -L 5432:DATABASE-DNS-NAME:5432
Then, in your SQL client, connect to the database via:
localhost:5432
When the SQL client goes to port 5432 on your local computer, the SSH connection will forward that traffic to the bastion server, which will then send it to: DATABASE-DNS-NAME:5432
(You can actually use any port number locally. For example, you could create multiple forwarding connections to different databases, each on a different port.)
As you have ssh access to your application server through Bastion.
Then you may create two-level ssh tunnel proxy. As Postgres is not allowed even though Bastion node, only allowed through the application server.
1: Create a tunnel from the Application Server to the bastion node.
ssh-add ~/.ssh/id_rsa ;ssh -oStrictHostKeyChecking=no -Att -l USER_NAME BASTION IP ssh -oStrictHostKeyChecking=no -Att -l USER_NAME APP_SERVER_IP -L 5432:AWS_POSTGRESS_END_POINT:5432
(keep open this terminal)
2: Create another tunnel from Bastion to local computer:
(open new terminal )
ssh-add ~/.ssh/id_rsa ;ssh -oStrictHostKeyChecking=no -Att -l USER_NAME BASTION_IP -L 5432:localhost:5432
(keep open this terminal)
3: use localhost or 127.0.0.1 with 5432 port in the connection string (to connect from local machine) instead of Postgress endpoint.
Note: replace correct ssh key path and your user name with boldly highlighted text. and keep open both terminal open to maintain the session.
I installed MongoDB v3.6.4 server. I have the following settings in Google Compute Engine:
Configuration
In /etc/mongod.conf file:
net:
port: 27017
bindIp: 0.0.0.0
security:
authorization: enabled
I also did the following:
Removed mongod.lock
Created a firewall rule in VPC for both tcp:27017 and udp:27017 to be open.
Connection:
I can connect locally by:
mongo 127.0.0.1:27017/database -u myusername -p
But, I can not connect remotely using an IP address or domain by:
mongo my.ip.com:27017/database -u myusername -p
mongo <IP ADDRESS>:27017/database -u myusername -p
Error
It gives me the error:
[thread1] Failed to connect to <IP ADDRESS>:27017 after 5000ms milliseconds, giving up.
[thread1] Error: couldn't connect to server my.ip.com:27017, connection attempt failed : connect#src/mongo/shell/mongo.js:237:13
Other Things I've Tried
switched back and forth from different server versions from micro, small, and 1vCPU (thinking it was the processor)
Changed configurations over and over of the net and security
Added a static IP address.
Checked my other servers with the same setting which worked and copied from it.
Checked the logs and it does not give me anything after remotely connecting.
Checked my firewall name, which is default-mongodb for tcp:27017 and udp:27017.
None of the settings in this specific server seem to work.
Other Information
I'm connecting using Mongo client v3.4.9
Did I miss to check something? Why is it not working?
Never mind... I did not enter the range for the VPC Firewall Rule.
It should be 0.0.0.0/0 instead of just 0.0.0.0
Our production databases are only accessible from the production application servers. I am able to login to production app servers and psql to the db, but I would like to setup a ssh tunnel to allow me to access the production db from my work box.
Ideally, it would be a single command that I could run from my workbox that would set up the tunnel/proxy on the production app server
Here is what I have come up with, but it doesnt work.
user#workbox $ ssh -fNT -L 55555:db.projectX.company.com:5432 app.projectX.company.com
user#workbox $ psql -h app.projectX.company.com -p 55555
psql: could not connect to server: No route to host
Is the server running on host "app.projectX.company.com" (10.1.1.55) and accepting
TCP/IP connections on port 55555?
The reported IP address is incorrect.
When connecting to the tunnel endpoint, the hostname is your local host, since that's where the forwarded port is exposed.
ssh -fNT -L 55555:db.projectX.company.com:5432 app.projectX.company.com
psql -h localhost -p 55555
BTW, PgAdmin-III provides ssh tunnel automation. On the other hand, it's a big GUI app without psql's handy \commands.
It's pretty trivial to write a sshpsql bash script that fires up the ssh tunnel, stores the pid of the ssh process, launches psql, lets you do what you want, and on exit kills the ssh tunnel. You'll also want to TRAP "kill $sshpid" EXIT so you kill the tunnel on unclean exits.