@@ -2509,34 +2509,39 @@ openssl x509 -req -in server.csr -text -days 365 \
25092509 First make sure that an <application>SSH</application> server is
25102510 running properly on the same machine as the
25112511 <productname>PostgreSQL</productname> server and that you can log in using
2512- <command>ssh</command> as some user. Then you can establish a secure
2513- tunnel with a command like this from the client machine:
2512+ <command>ssh</command> as some user; you then can establish a
2513+ secure tunnel to the remote server. A secure tunnel listens on a
2514+ local port and forwards all traffic to a port on the remote machine.
2515+ Traffic sent to the remote port can arrive on its
2516+ <literal>localhost</literal> address, or different bind
2517+ address if desired; it does not appear as coming from your
2518+ local machine. This command creates a secure tunnel from the client
2519+ machine to the remote machine <literal>foo.com</literal>:
25142520<programlisting>
25152521ssh -L 63333:localhost:5432 joe@foo.com
25162522</programlisting>
25172523 The first number in the <option>-L</option> argument, 63333, is the
2518- port number of your end of the tunnel; it can be any unused port.
2519- (IANA reserves ports 49152 through 65535 for private use.) The
2520- second number, 5432, is the remote end of the tunnel: the port
2521- number your server is using. The name or IP address between the
2522- port numbers is the host with the database server you are going to
2523- connect to, as seen from the host you are logging in to, which
2524- is <literal>foo.com</literal> in this example. In order to connect
2525- to the database server using this tunnel, you connect to port 63333
2526- on the local machine:
2524+ local port number of the tunnel; it can be any unused port. (IANA
2525+ reserves ports 49152 through 65535 for private use.) The name or IP
2526+ address after this is the remote bind address you are connecting to,
2527+ i.e., <literal>localhost</literal>, which is the default. The second
2528+ number, 5432, is the remote end of the tunnel, e.g., the port number
2529+ your database server is using. In order to connect to the database
2530+ server using this tunnel, you connect to port 63333 on the local
2531+ machine:
25272532<programlisting>
25282533psql -h localhost -p 63333 postgres
25292534</programlisting>
2530- To the database server it will then look as though you are really
2535+ To the database server it will then look as though you are
25312536 user <literal>joe</literal> on host <literal>foo.com</literal>
2532- connecting to <literal>localhost</literal> in that context , and it
2537+ connecting to the <literal>localhost</literal> bind address , and it
25332538 will use whatever authentication procedure was configured for
2534- connections from this user and host . Note that the server will not
2539+ connections by that user to that bind address . Note that the server will not
25352540 think the connection is SSL-encrypted, since in fact it is not
25362541 encrypted between the
25372542 <application>SSH</application> server and the
25382543 <productname>PostgreSQL</productname> server. This should not pose any
2539- extra security risk as long as they are on the same machine.
2544+ extra security risk because they are on the same machine.
25402545 </para>
25412546
25422547 <para>
@@ -2548,12 +2553,12 @@ psql -h localhost -p 63333 postgres
25482553 </para>
25492554
25502555 <para>
2551- You could also have set up the port forwarding as
2556+ You could also have set up port forwarding as
25522557<programlisting>
25532558ssh -L 63333:foo.com:5432 joe@foo.com
25542559</programlisting>
25552560 but then the database server will see the connection as coming in
2556- on its <literal>foo.com</literal> interface , which is not opened by
2561+ on its <literal>foo.com</literal> bind address , which is not opened by
25572562 the default setting <literal>listen_addresses =
25582563 'localhost'</literal>. This is usually not what you want.
25592564 </para>
0 commit comments