Unlike other connection methods, reverse SSH enables Stitch to establish a connection to a database in your private network without opening holes in your network’s firewall. A reverse SSH tunnel is an outbound connection from a machine on your network that connects securely over the internet to Stitch.


Prerequisites

  • A Stitch Enterprise plan. Reverse SSH tunnels are available only on a Stitch Enterprise plan. Reach out to Stitch Sales for more info.

  • Some familiarity with Linux and the command line. While we’ve provided the commands you’ll need to establish the reverse SSH tunnel, you should know how to access a server using the command line and feel comfortable running commands.


Step 1: Contact Stitch with your SSH public key

To set up a reverse SSH tunnel, you’ll need to provide Stitch with the following:

  • The public key corresponding to the SSH keypair you plan to use to establish the tunnel
  • The IP address(es) that you’ll connect to the Stitch SSH server from

Once our team receives this information, we’ll set up a secure SSH server for you to connect to. We’ll provide you with the SSH_HOST, SSH_USER, and TUNNEL_PORT info needed to establish the SSH connection.


Step 2: Establish the reverse SSH tunnel

After you receive the SSH connection information from us, you can establish the SSH tunnel. There are two methods you can use to accomplish this:

With autossh (recommended)

We recommend running SSH through autossh, which will start a copy of SSH, monitor it, and automatically restart the tunnel if it goes down or stops passing traffic. If you don’t already have autossh installed, you’ll need to do so before continuing. Refer to autossh’s documentation for instructions.

The following command will establish the tunnel using autossh. When you run this, replace the items in brackets:

autossh -M 0 -f -N -R <TUNNEL_PORT>:<DATABASE_HOST_OR_IP>:<DATABASE_PORT> -i <SSH_PRIVATE_KEY> <SSH_USER>@<SSH_HOST> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes

The <DATABASE_HOST_OR_IP> and <DATABASE_PORT> values are the host/endpoint and port of the database you’re connecting from, respectively. For <TUNNEL_PORT>, <SSH_USER>, and <SSH_HOST>, use the SSH connection values you received from our team.

For example: Here’s the same command, but with all the values inserted:

autossh -M 0 -f -N -R 10000:database.private.yourcompany.com:5432 -i id_rsa.pem yourcompany@33.44.55.66 -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes

Without autossh

To establish the tunnel without using autossh, run the following command, replacing the items in brackets:

ssh -f -N -R <TUNNEL_PORT>:<DATABASE_HOST_OR_IP>:<DATABASE_PORT> -i <SSH_PRIVATE_KEY> <SSH_USER>@<SSH_HOST>

The <DATABASE_HOST_OR_IP> and <DATABASE_PORT> values are the host/endpoint and port of the database you’re connecting from, respectively. For <TUNNEL_PORT>, <SSH_USER>, and <SSH_HOST>, use the SSH connection values you received from our team.

Here’s the same command, but with all the values inserted:

ssh -f -N -R 10000:database.private.yourcompany.com:5432 -i id_rsa.pem yourcompany@33.44.55.66


Questions? Feedback?

Did this article help? If you have questions or feedback, feel free to submit a pull request with your suggestions, open an issue on GitHub, or reach out to us.