0

I have a MySQL database on my VPS that I only want to be accessible by my local IP (no problem in doing that) and an IronWorker Ruby app, which may use any of these AWS East IPs.

So far, the only way I can think of doing this is by adding a rule, to the VPS firewall/iptables, that will only allow connections by all AWS East IPs on the MySQL port, and refuse all other connections.

Given the large number of IPs, is there a better way to do this?

NOTE: The VPS is not on AWS, so using their security rules is not an option.

Also, access will only be granted for a user created specifically for IronIO access.

UPDATE: As suggested by tadman, I've come to the conclusion that establishing a remote SSH connection is the safest route. I tracked down the Net::SSH and Net::SSH::Gateway gems that would make this possible; however, I am still unsure how to do this using key authentication, so I created a new question here.

Gus Shortz
    Sounds like a job for a VPN, really. Opening up all of AWS East is not exactly secure. – tadman Apr 18 '13 at 18:46
  • Yep, not ideal or secure, but the guys at Iron.IO couldn't narrow down the IP that would be accessing it. Oh, and, of course, it would only be one user specifically created for IronIO access (maybe I should have added that in the description...) –  Apr 18 '13 at 20:58
  • Leaving your MySQL port open to AWS is nearly as bad as leaving it open to everyone. Are you sure you can't use an SSH tunnel or some kind of simple VPN to connect to your remote database? – tadman Apr 18 '13 at 21:08
  • Barring that, you could try [port knocking](http://www.portknocking.org/) to manipulate your firewall rules automatically. – tadman Apr 18 '13 at 21:08
  • @tadman how would I make the IronWorker connect using an SSH tunnel or VPN? I understand using SSH or VPN to connect locally, but this is a running task (sometimes scheduled) that I want to grant access. Maybe I'm not using IronWorker for what it is designed to do; it seems (to me anyway) that ensuring secure access by a "worker" to a db would be a standard function of the API. –  Apr 18 '13 at 22:28
  • Looks like I can do the ssh method using the net-ssh-gateway or net-ssh gems. I'll try it when I find some examples to work from :) –  Apr 19 '13 at 00:42
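If the allow-list route described in the question is taken anyway, the large range list does not have to become one iptables rule per range: the ranges can be loaded into an ipset and matched by a single rule. The script below is an added example, not code from the question or its answers. The CIDR values are constructed placeholders (RFC 1918 and RFC 5737 space), not Amazon's published list, and the set name is an assumption; the commands are printed for review rather than applied. As the comments note, this still exposes the port to everything in the range.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Turns a file of CIDR
# ranges into an ipset plus a single iptables match, so the rule set does not
# grow with the number of ranges. The addresses below are constructed
# placeholders (RFC 1918 / RFC 5737 space), not the real AWS East list.
set -eu

MYSQL_PORT=3306            # port being protected
SET_NAME=aws_east_mysql    # assumed ipset name

# Constructed sample input: two lines are deliberately invalid to show that
# the generator rejects them instead of emitting a broken ipset command.
SAMPLE_RANGES='# constructed placeholder ranges, one per line
10.0.0.0/8
192.0.2.0/24       # RFC 5737 documentation range
203.0.113.0/24
999.1.1.1/24       # octet out of range, skipped
198.51.100.0/33    # prefix out of range, skipped
'
write_sample() { printf '%s' "$SAMPLE_RANGES" > "$1"; }

# valid_cidr A.B.C.D/N: four octets 0-255 and a prefix length 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# gen_rules FILE: print the ipset and iptables commands. Comments and blank
# lines in FILE are ignored; invalid entries go to stderr and are skipped.
# Output is printed, not executed, so it can be reviewed before piping to sh.
gen_rules() {
    echo "ipset -exist create $SET_NAME hash:net"
    echo "ipset flush $SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t') # drop whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "ipset -exist add $SET_NAME $line"
        else
            echo "skipping invalid CIDR: $line" >&2
        fi
    done < "$1"
    # One ACCEPT for the whole set, then DROP for everyone else on the port.
    # The existing allow rule for the admin's own IP must come before the DROP.
    echo "iptables -A INPUT -p tcp --dport $MYSQL_PORT -m set --match-set $SET_NAME src -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $MYSQL_PORT -j DROP"
}

# count_ranges FILE: how many valid ranges the file yields, to compare with
# the published count before the rules are applied.
count_ranges() {
    gen_rules "$1" 2>/dev/null | grep -c '^ipset -exist add '
}

# Stand-alone run: write the sample, show the generated commands and the count.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample "$tmp"
    gen_rules "$tmp"
    echo "valid ranges: $(count_ranges "$tmp")" >&2
    rm -f "$tmp"
fi
```

Run it as `sh script.sh demo` to see the commands for the sample file; for a real list, call `gen_rules ranges.txt`, check `count_ranges ranges.txt` against the number of entries Amazon publishes, and only then pipe the output to `sh` on the VPS. When the list changes, regenerating and re-running replaces the set contents without touching the iptables rule.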

2 Answers

0

If you're able to use AWS security groups: http://dev.iron.io/worker/reference/environment/#security_groups_and_ip_ranges

If not (permissions too wide, though): https://forums.aws.amazon.com/ann.jspa?annID=1701 (aws-east region)

Sadly, there is no good solution for that. Amazon can assign almost any IP within the range.

  • As noted the VPS is not on AWS, so AWS Security Groups are not an option. –  Apr 18 '13 at 22:23
0

Using SSH you can set up a tunnel from each machine requiring access to the database to the remote machine. For example:

ssh -N -L 3306:localhost:3306 -f remote_database.host   # -N: forward only, no remote command (ssh refuses -f without -N or a command)

The -L option specifies the local port to listen on and the remote address and port to connect to. In this case, local 3306 is connected to the remote 3306 on the machine you're connecting with SSH to.

You'll probably want to ensure that you're using SSH public/private key authentication, and that you've got a way of keeping this tunnel up if something goes wrong with it.

tadman
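The tunnel in this answer, worked through as an added example (not tadman's, the asker's or Iron.io's code): the VPS account used for the tunnel gets an authorized_keys entry whose key can do nothing but open the MySQL forward, a check over that file flags entries lacking the restriction, and the client side runs the ssh command in a loop so the tunnel comes back when it drops. The hostname is the one in the answer; the account name, key path and sample authorized_keys contents are assumptions or constructed. The `restrict` option needs OpenSSH 7.2 or later on the VPS.

```shell
#!/bin/sh
# Added example, not code from the answer, the question, or Iron.io. Builds
# on the ssh -L tunnel above: the VPS account used for the tunnel gets a key
# that can only open the MySQL forward, and the client keeps the tunnel up.
# Host name is from the answer; user, key path and sample keys are assumptions.
set -eu

DB_HOST=remote_database.host                  # from the answer
TUNNEL_USER=mysqltunnel                       # assumed dedicated account on the VPS
KEY_FILE=/etc/mysql-tunnel/id_ed25519         # assumed private key path (no spaces)
LOCAL_PORT=3306
REMOTE_PORT=3306

# Server side. "restrict" (OpenSSH 7.2+) switches off pty, agent and X11
# forwarding and all port forwarding; "port-forwarding" turns forwarding back
# on and "permitopen" limits it to MySQL on the VPS's loopback interface, so
# the key is useless for anything but reaching MySQL.
KEY_OPTS="restrict,port-forwarding,permitopen=\"127.0.0.1:$REMOTE_PORT\""

# restricted_key_line PUBKEY: the authorized_keys entry for the tunnel user.
restricted_key_line() {
    printf '%s %s\n' "$KEY_OPTS" "$1"
}

# audit_authorized_keys FILE: report entries that do not start with exactly
# KEY_OPTS, so an unrestricted or differently restricted key in the tunnel
# user's file is caught; prints the number of such entries. This is a plain
# string match and does not parse quoted option values in general.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            "$KEY_OPTS "*) ;;
            *) echo "not restricted to the MySQL forward: $line" >&2
               bad=$((bad + 1)) ;;
        esac
    done < "$1"
    echo "$bad"
}

# Constructed sample: the key material is a placeholder, not a real key. The
# second entry is the kind of leftover the audit should catch.
SAMPLE_AUTHORIZED_KEYS="# constructed sample authorized_keys for $TUNNEL_USER
$(restricted_key_line 'ssh-ed25519 AAAAC3PLACEHOLDER1 ironworker-tunnel')
ssh-ed25519 AAAAC3PLACEHOLDER2 unrestricted-leftover
"
write_sample() { printf '%s' "$SAMPLE_AUTHORIZED_KEYS" > "$1"; }

# Client side. -N: no remote command, forward only. ExitOnForwardFailure makes
# ssh exit when the listener cannot be opened instead of running without a
# tunnel; ServerAlive* notice a dead connection so the loop below reconnects;
# BatchMode and IdentitiesOnly keep it non-interactive and tied to this key.
# The -L form binds the local listener to loopback only. No argument contains
# a space, so callers may word-split the output.
tunnel_args() {
    printf '%s ' -i "$KEY_FILE" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -N -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:$REMOTE_PORT" "$TUNNEL_USER@$DB_HOST"
}

# run_tunnel: the answer's "way of keeping this tunnel up". Without -f, ssh
# stays in the foreground and the loop restarts it whenever it exits.
run_tunnel() {
    while :; do
        # shellcheck disable=SC2046  (intentional word splitting, see tunnel_args)
        ssh $(tunnel_args) || echo "tunnel exited, reconnecting in 5s" >&2
        sleep 5
    done
}
```

Two details make this fit together: `permitopen` is a literal string match, so the `-L` target must be written as `127.0.0.1:3306` exactly as in the option, not `localhost`; and with MySQL's `bind-address` set to `127.0.0.1` the server only listens on loopback, so the MySQL port needs no firewall rule for AWS ranges at all and is reachable only through the tunnel or from the box itself.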