Home Explore Blog CI



postgresql
38th chunk of `doc/src/sgml/runtime.sgml`
cc5ab18ccfca244539a71c5205ff1817712bfc5b530a92870000000100000838
 local port number of the tunnel; it can be any unused port.  (IANA
   reserves ports 49152 through 65535 for private use.)  The name or IP
   address after this is the remote bind address you are connecting to,
   i.e., <literal>localhost</literal>, which is the default.  The second
   number, 5432, is the remote end of the tunnel, e.g., the port number
   your database server is using.  In order to connect to the database
   server using this tunnel, you connect to port 63333 on the local
   machine:
<programlisting>
psql -h localhost -p 63333 postgres
</programlisting>
   To the database server it will then look as though you are
   user <literal>joe</literal> on host <literal>foo.com</literal>
   connecting to the <literal>localhost</literal> bind address, and it
   will use whatever authentication procedure was configured for
   connections by that user to that bind address.  Note that the server will not
   think the connection is SSL-encrypted, since in fact it is not
   encrypted between the
   <application>SSH</application> server and the
   <productname>PostgreSQL</productname> server.  This should not pose any
   extra security risk because they are on the same machine.
  </para>

  <para>
   In order for the
   tunnel setup to succeed you must be allowed to connect via
   <command>ssh</command> as <literal>joe@foo.com</literal>, just
   as if you had attempted to use <command>ssh</command> to create a
   terminal session.
  </para>

  <para>
   You could also have set up port forwarding as
<programlisting>
ssh -L 63333:foo.com:5432 joe@foo.com
</programlisting>
   but then the database server will see the connection as coming in
   on its <literal>foo.com</literal> bind address, which is not opened by
   the default setting <literal>listen_addresses =
   'localhost'</literal>.  This is usually not what you want.
  </para>

  <para>
   If you have to <quote>hop</quote> to the database server via some
   login host, one possible setup could look like this:
<programlisting>
ssh -L 63333:db.foo.com:5432 joe@shell.foo.com
</programlisting>
   Note that this way
Title: Configuring SSH Tunnels for PostgreSQL
Summary
This section explains how to set up SSH tunnels to securely connect to a PostgreSQL server, including specifying the local port, remote bind address, and remote port, and how to configure the tunnel to work with the database server's authentication and bind address settings.