Understanding SSH tunnel connections
SteelSQL uses an SSH tunnel (ssh2) with local port forwarding to connect to a remote database.
SSH Local Port Forwarding to Database
(Professional Technical Documentation)
Diagram
+---------------+       +----------------+       +------------------+
|  Local Host   | <===> |   SSH Server   | <===> | Database Server  |
|  (Your PC)    |       |  (Jump Host)   |       |  (e.g., MySQL)   |
+---------------+       +----------------+       +------------------+
        ↑                       ↑                        ↑
        | 1. Local connection   | 2. SSH encryption      | 3. Direct access
        | (127.0.0.1:63306)     | (port 22)              | (e.g., 3306)
        ↓                       ↓                        ↓
[Application] ────> [SSH Encrypted Tunnel] ────> [Remote Database]
Key Components
- Local Machine
  - Runs SSH client
  - Binds to 127.0.0.1:63306
- SSH Server
  - Acts as encrypted gateway
  - Requires SSH authentication
- Database Server
  - Only needs to accept connections from SSH server
  - Never exposed to the internet
Step-by-Step Setup
- Establish Tunnel:
  ssh -L 63306:db_host:3306 user@ssh_host -N -v
  - -L: Local port forwarding
  - -N: No remote command
  - -v: Verbose logging (optional)
- Application Configuration:
  - Host: 127.0.0.1
  - Port: 63306
  - Auth: Remote DB credentials.
Local App → localhost:63306 → SSH Encrypted Tunnel → SSH Server → Remote DB:3306
Security Best Practices
- ✅ Use SSH keys (disable password auth)
- ✅ Restrict with -L 127.0.0.1:63306... (no LAN binding)
- ✅ Monitor with netstat -tulnp | grep 63306
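The monitoring step above can check the bind address as well as the port. The following is an added example, not SteelSQL code: the function name check_tunnel_bind and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SteelSQL code): classify listeners on the tunnel port.
# Reads `netstat -tulnp`-style lines on stdin. Exit status:
#   0 = every listener on PORT is bound to loopback only
#   1 = at least one listener is on a wildcard or LAN address
#   2 = nothing is listening on PORT (tunnel is down)
check_tunnel_bind() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            # Match the exact port, so 163306 is not mistaken for 63306.
            if (parts[n] != port) next
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            found = 1
            if (addr ~ /^127\./ || addr == "::1") {
                printf "OK      %s (%s)\n", laddr, $7
            } else {
                printf "EXPOSED %s (%s)\n", laddr, $7
                exposed = 1
            }
        }
        END {
            if (!found) { print "DOWN    no listener on port " port; exit 2 }
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample lines in netstat -tulnp column order (PIDs are made up).
SAMPLE_LOOPBACK='tcp  0  0 127.0.0.1:63306  0.0.0.0:*  LISTEN  4242/ssh'
SAMPLE_WILDCARD='tcp  0  0 0.0.0.0:63306  0.0.0.0:*  LISTEN  4242/ssh'
SAMPLE_V6_ANY='tcp6  0  0 :::63306  :::*  LISTEN  4242/ssh'
SAMPLE_OTHER='tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  812/sshd'

# Live use: netstat -tulnp 2>/dev/null | check_tunnel_bind 63306
printf '%s\n' "$SAMPLE_LOOPBACK" "$SAMPLE_OTHER" | check_tunnel_bind 63306
```

An EXPOSED line means the forwarded port accepts connections from other hosts on the network, so the tunnel should be restarted with the 127.0.0.1 bind address.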