5

I am not sure how to put it in words, so I created an illustration to show what my setup is like.

DB Server and Web Server are in a VLAN; Web Server has a public IP, but DB Server does not. Normally DB can only talk to Web Server. The exception is that it should also be able to talk to Main Server, yet it should be inaccessible remotely.

I thought it could be set up as DB>>Web>>Main Server, but I am at a very beginner level with SSH configuration, so I can't do anything on my own.

The DB to Main connection should be permanent and two-way, and is only needed via port 80.

DB and Web Server are CentOS 7.2; Main Server is Debian 8.

Is this actually possible and if so, how? Any help is very much appreciated. Thanks.


code90
  • For a connection made from DB_server to wherever public, the key word is masquerade. Any port would work. I recommend to configure it securely on a network device (a router). I don't recommend to use a ssh tunnel for this. For a ssh connection made from wherever public to 10.*.*.* (to DB_server's sshd on port 22), the key word is either a bastion or a proxy; these are not synonyms. – kubanczyk Jan 01 '17 at 13:35
  • @Sven Your hidden comment doesn't compile. My answers are made of words, do you expect smells or noises? Words can be looked up, or not, total freedom here. Isn't it all the norm around here? I don't think your intervention helped me or OP or anyone else. – kubanczyk Jan 01 '17 at 13:56
  • @kubanczyk: An answer would be "Follow these steps - A - B -C to achieve your goal". Your answer was only "Look up masquerading, proxies and bastion hosts" without further explanation. This isn't forming a useful answer on its own. – Sven Jan 01 '17 at 14:12
  • @code90: Please add information to your post. Do you want to connect to the database on the DB server from the "main server"? Do you want to have maintenance (SSH) access? Do you want the connection to be permanent or only on demand? – Sven Jan 01 '17 at 14:19
  • This setup is on cloud, so I don't think I can configure anything on the router. And this should be a permanent connection. FYI, I am trying to set up ISPConfig multi-server; maybe this makes more sense about why I need this. – code90 Jan 01 '17 at 14:22
  • @Sven I won't form such statements and post them as my answers. Bye. – kubanczyk Jan 01 '17 at 14:36

1 Answer

4

If you are on a cloud platform where a server on a private-only allocation is truly isolated, I believe a better solution for you will be something like stunnel. This would allow you to open a port on the Web server, that when opened tunnels to the main server. In effect, this is turning your web server into a limited form of an application-layer proxy.

  1. Use stunnel to open port 8080 on the web server's private IP, and forward all connections to the main server on port 80.
  2. Configure the db server to talk to the main server on the private IP of the web server on port 80.

A similar system could be accomplished with a more general proxy solution such as or even .

sysadmin1138
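The stunnel pairing from step 1 above, written out as an added example (this is not the answerer's configuration): one file for each end. It assumes stunnel installed on both servers, a private CA that signed both certificates, the placeholder addresses named in the comments, and a listener on the Main Server (port 8443, an assumed choice) that hands traffic to local port 80; the DB Server then uses http://10.0.0.10:8080 as its Main Server address.

```ini
; Added example, not from the answer. Placeholder addresses (assumed):
;   10.0.0.10   = Web Server private VLAN IP (unreachable from the internet)
;   203.0.113.5 = Main Server public IP (TEST-NET-3 documentation address)

; ===== /etc/stunnel/stunnel.conf on the Web Server (CentOS 7, client side) =====
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid
; TLS only; SSLv2/SSLv3 disabled
options = NO_SSLv2
options = NO_SSLv3

[to-main-http]
client = yes
; Bind to the private address only: nothing listens on the public IP
accept = 10.0.0.10:8080
; Carry DB traffic over TLS to the stunnel listener on Main (8443 is an assumed port)
connect = 203.0.113.5:8443
; Client certificate, so Main can authenticate this Web Server (mutual TLS)
cert = /etc/stunnel/web.pem
key = /etc/stunnel/web.key
; Verify Main's certificate against the private CA: a spoofed Main cannot read DB traffic
CAfile = /etc/stunnel/ca.pem
verify = 2
; stunnel does not filter by source address; restrict 8080 to the DB Server's IP
; with firewalld on the Web Server so no other VLAN host can reach Main this way.

; ===== /etc/stunnel/stunnel.conf on the Main Server (Debian 8, server side) =====
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4.pid
options = NO_SSLv2
options = NO_SSLv3

[from-web-http]
; Terminate TLS on 8443, hand plaintext HTTP to the local service on port 80
accept = 8443
connect = 127.0.0.1:80
cert = /etc/stunnel/main.pem
key = /etc/stunnel/main.key
; Require a client certificate signed by the same private CA: only the Web Server's
; stunnel gets through to port 80, even though 8443 sits on the public IP
CAfile = /etc/stunnel/ca.pem
verify = 2
```

Both ends rely on `verify = 2` with a `CAfile`, which exists in both the stunnel 4.x shipped with CentOS 7 and the 5.x shipped with Debian 8. The user names and pid paths are the packages' conventional defaults and should be checked against the installed package.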