@@ -2548,34 +2548,39 @@ openssl x509 -req -in server.csr -text -days 365 \
25482548 First make sure that an <application>SSH</application> server is
25492549 running properly on the same machine as the
25502550 <productname>PostgreSQL</productname> server and that you can log in using
2551- <command>ssh</command> as some user. Then you can establish a secure
2552- tunnel with a command like this from the client machine:
2551+ <command>ssh</command> as some user; you then can establish a
2552+ secure tunnel to the remote server. A secure tunnel listens on a
2553+ local port and forwards all traffic to a port on the remote machine.
2554+ Traffic sent to the remote port can arrive on its
2555+ <literal>localhost</literal> address, or different bind
2556+ address if desired; it does not appear as coming from your
2557+ local machine. This command creates a secure tunnel from the client
2558+ machine to the remote machine <literal>foo.com</literal>:
25532559<programlisting>
25542560ssh -L 63333:localhost:5432 joe@foo.com
25552561</programlisting>
25562562 The first number in the <option>-L</option> argument, 63333, is the
2557- port number of your end of the tunnel; it can be any unused port.
2558- (IANA reserves ports 49152 through 65535 for private use.) The
2559- second number, 5432, is the remote end of the tunnel: the port
2560- number your server is using. The name or IP address between the
2561- port numbers is the host with the database server you are going to
2562- connect to, as seen from the host you are logging in to, which
2563- is <literal>foo.com</literal> in this example. In order to connect
2564- to the database server using this tunnel, you connect to port 63333
2565- on the local machine:
2563+ local port number of the tunnel; it can be any unused port. (IANA
2564+ reserves ports 49152 through 65535 for private use.) The name or IP
2565+ address after this is the remote bind address you are connecting to,
2566+ i.e., <literal>localhost</literal>, which is the default. The second
2567+ number, 5432, is the remote end of the tunnel, e.g., the port number
2568+ your database server is using. In order to connect to the database
2569+ server using this tunnel, you connect to port 63333 on the local
2570+ machine:
25662571<programlisting>
25672572psql -h localhost -p 63333 postgres
25682573</programlisting>
2569- To the database server it will then look as though you are really
2574+ To the database server it will then look as though you are
25702575 user <literal>joe</literal> on host <literal>foo.com</literal>
2571- connecting to <literal>localhost</literal> in that context , and it
2576+ connecting to the <literal>localhost</literal> bind address , and it
25722577 will use whatever authentication procedure was configured for
2573- connections from this user and host . Note that the server will not
2578+ connections by that user to that bind address . Note that the server will not
25742579 think the connection is SSL-encrypted, since in fact it is not
25752580 encrypted between the
25762581 <application>SSH</application> server and the
25772582 <productname>PostgreSQL</productname> server. This should not pose any
2578- extra security risk as long as they are on the same machine.
2583+ extra security risk because they are on the same machine.
25792584 </para>
25802585
25812586 <para>
@@ -2587,12 +2592,12 @@ psql -h localhost -p 63333 postgres
25872592 </para>
25882593
25892594 <para>
2590- You could also have set up the port forwarding as
2595+ You could also have set up port forwarding as
25912596<programlisting>
25922597ssh -L 63333:foo.com:5432 joe@foo.com
25932598</programlisting>
25942599 but then the database server will see the connection as coming in
2595- on its <literal>foo.com</literal> interface , which is not opened by
2600+ on its <literal>foo.com</literal> bind address , which is not opened by
25962601 the default setting <literal>listen_addresses =
25972602 'localhost'</literal>. This is usually not what you want.
25982603 </para>
0 commit comments