Postgresql 中文操作指南
19.11. Secure TCP/IP Connections with SSH Tunnels #
可以使用 SSH 来加密客户端和 PostgreSQL 服务器之间的网络连接。如果正确完成,即使对于没有 SSL 功能的客户端,这也会提供足够安全的网络连接。
It is possible to use SSH to encrypt the network connection between clients and a PostgreSQL server. Done properly, this provides an adequately secure network connection, even for non-SSL-capable clients.
首先确保 SSH 服务器与 PostgreSQL 服务器在同一台计算机上正常运行,并且您可以使用 ssh 作为某个用户登录;然后可以建立到远程服务器的安全隧道。安全隧道侦听本地端口并将所有流量转发到远程计算机上的端口。发送到远程端口的流量可以到达其 localhost 地址,或者根据需要使用其他绑定地址;它不会显示为来自您的本地计算机。命令从客户端计算机 foo.com 创建到远程计算机的安全隧道:
First make sure that an SSH server is running properly on the same machine as the PostgreSQL server and that you can log in using ssh as some user; you then can establish a secure tunnel to the remote server. A secure tunnel listens on a local port and forwards all traffic to a port on the remote machine. Traffic sent to the remote port can arrive on its localhost address, or different bind address if desired; it does not appear as coming from your local machine. This command creates a secure tunnel from the client machine to the remote machine foo.com:
ssh -L 63333:localhost:5432 joe@foo.com
-L 参数中的第一个数字 63333 是隧道的本地端口号;它可以是任何未使用的端口。(IANA 将端口 49152 至 65535 保留给私人使用。)之后的名称或 IP 地址是您连接的远程绑定地址,即,localhost,这是默认值。第二个数字 5432 是隧道的远程端,例如,您数据库服务器正在使用的端口号。为了使用此隧道连接到数据库服务器,您可以连接到本地计算机上的端口 63333:
The first number in the -L argument, 63333, is the local port number of the tunnel; it can be any unused port. (IANA reserves ports 49152 through 65535 for private use.) The name or IP address after this is the remote bind address you are connecting to, i.e., localhost, which is the default. The second number, 5432, is the remote end of the tunnel, e.g., the port number your database server is using. In order to connect to the database server using this tunnel, you connect to port 63333 on the local machine:
psql -h localhost -p 63333 postgres
对数据库服务器来说,看起来您就是 joe 用户,在 foo.com 主机上连接到 localhost 绑定地址,并且它将使用为该用户对该绑定地址的连接配置的任何验证过程。请注意,服务器不会认为连接是 SSL 加密的,因为实际上它并没有在 SSH 服务器和 PostgreSQL 服务器之间加密。由于它们位于同一台计算机上,因此这不会造成任何额外的安全风险。
To the database server it will then look as though you are user joe on host foo.com connecting to the localhost bind address, and it will use whatever authentication procedure was configured for connections by that user to that bind address. Note that the server will not think the connection is SSL-encrypted, since in fact it is not encrypted between the SSH server and the PostgreSQL server. This should not pose any extra security risk because they are on the same machine.
为了使隧道设置成功,您必须被允许作为 joe@foo.com 通过 ssh 连接,就像您尝试使用 ssh 创建终端会话一样。
In order for the tunnel setup to succeed you must be allowed to connect via ssh as joe@foo.com, just as if you had attempted to use ssh to create a terminal session.
您还可以将端口转发设置为
You could also have set up port forwarding as
ssh -L 63333:foo.com:5432 joe@foo.com
但随后数据库服务器会看到该连接来自其 foo.com 绑定地址,而该绑定地址未通过默认设置 listen_addresses = 'localhost' 打开。通常这不是您想要的。
but then the database server will see the connection as coming in on its foo.com bind address, which is not opened by the default setting listen_addresses = 'localhost'. This is usually not what you want.
如果您必须通过某些登录主机“跳”到数据库服务器,一个可能的设置看起来如下:
If you have to “hop” to the database server via some login host, one possible setup could look like this:
ssh -L 63333:db.foo.com:5432 joe@shell.foo.com
请注意,通过这种方式,从 shell.foo.com 到 db.foo.com 的连接将不会通过 SSH 隧道进行加密。当网络以各种方式受到限制时,SSH 提供很多配置可能性。请参阅 SSH 文档了解详情。
Note that this way the connection from shell.foo.com to db.foo.com will not be encrypted by the SSH tunnel. SSH offers quite a few configuration possibilities when the network is restricted in various ways. Please refer to the SSH documentation for details.