How can one connect from Heroku to a firewalled host to get data from MongoDb?

Question

I am currently developing a service application that pulls data from Mongo and returns it to consumers. There is a layer of authentication involved and I am using Heroku to host the service. Mongo was being hosted on MongoLabs, but there were some significant performance concerns and so we have moved to hosting Mongo on one of our cloud servers. We want to be able to secure access to Mongo using a firewall, white-listing the ip address of the service app on Heroku.

There are a couple of issues with this.

Issues

Well, at least these are main ones...

1. Heroku, while providing some nice features like easily managing cluster settings, s/w upgrades, etc., draws ip addresses from a pool. While the dns value of an application's url may not change, the underlying ip address can and will change.
2. to be better secured, mongo-server01 is placed behind a firewall that requires rules to be added using static ip addresses to allow access.

Since Heroku can't provide static ip addresses, we need to consider options for how Heroku can access mongo-server01 while still protecting the data it hosts.

Static IP addresses for outbound requests

There seem to be a couple of options, specifically for Heroku. Fixie and QuotaGuard Static both seem to serve that function, but these seem to be geared toward HTTP and HTTPS communication only (perhaps not even HTTPS).

Mongo doesn't use HTTP, it uses its own network protocol over port 27017, by default https://groups.google.com/forum/embed/#!topic/mongodb-user/eX_RIv2cZVw

Does this mean these proxies won't work for calls to Mongo? In theory, there doesn't seem to be any reason that a proxy is only for HTTP or HTTPS requests. That being said, there doesn't seem to be any way to get in to these Heroku plugins and configure the proxy to use a different port or to handle Mongo's particular protocol.

If we could get into the proxy, perhaps we could put an additional set of ssh keys in place so the ssl tunnel chain could continue on to mongo-server01. But there doesn't see to be any way to ssh to these proxies or access configuration through the plugin dashboards.

The question (finally!)

How can one connect from Heroku to a firewalled host to get data from MongoDb? Are there proxies that can be used to achieve this?

The simple approach. Won't work because Heroku applications don't use static ip addresses.

Using a proxy. The Heroku proxy plugins don't know how to proxy mongodb protocol. Can't install ssh keys on proxy for ssh tunneling.

What can be done to get a connection without opening up the Mongo server to the world?

Answer 1

I spoke with the folks at QuotaGuard and they do have something that does the trick.

we offer a SOCKS proxy which should do the trick as it proxies at the TCP layer

https://devcenter.heroku.com/articles/quotaguardstatic#socks-proxy-setup

I did need to make a simple change to bin/qgsocksify

#SOCKS_DIR="$(dirname $(dirname $(readlink -f ${BASH_SOURCE[0]})))/vendor/dante
SOCKS_DIR="${HOME}/vendor/dante"

After that, the proxy worked like a charm.