Commit d449ec6

doc: clarify the use of ssh port forwarding
Reported-by: karimelghazouly@gmail.com
Discussion: https://postgr.es/m/159854511172.24991.4373145230066586863@wrigleys.postgresql.org
Backpatch-through: 9.5
1 parent 19e7982 commit d449ec6
‎doc/src/sgml/runtime.sgml

Lines changed: 22 additions & 17 deletions
@@ -2543,34 +2543,39 @@ openssl x509 -req -in server.csr -text -days 365 \
25432543
First make sure that an <application>SSH</application> server is
25442544
running properly on the same machine as the
25452545
<productname>PostgreSQL</productname> server and that you can log in using
2546-
<command>ssh</command> as some user. Then you can establish a secure
2547-
tunnel with a command like this from the client machine:
2546+
<command>ssh</command> as some user; you then can establish a
2547+
secure tunnel to the remote server. A secure tunnel listens on a
2548+
local port and forwards all traffic to a port on the remote machine.
2549+
Traffic sent to the remote port can arrive on its
2550+
<literal>localhost</literal> address, or different bind
2551+
address if desired; it does not appear as coming from your
2552+
local machine. This command creates a secure tunnel from the client
2553+
machine to the remote machine <literal>foo.com</literal>:
25482554
<programlisting>
25492555
ssh -L 63333:localhost:5432 joe@foo.com
25502556
</programlisting>
25512557
The first number in the <option>-L</option> argument, 63333, is the
2552-
port number of your end of the tunnel; it can be any unused port.
2553-
(IANA reserves ports 49152 through 65535 for private use.) The
2554-
second number, 5432, is the remote end of the tunnel: the port
2555-
number your server is using. The name or IP address between the
2556-
port numbers is the host with the database server you are going to
2557-
connect to, as seen from the host you are logging in to, which
2558-
is <literal>foo.com</literal> in this example. In order to connect
2559-
to the database server using this tunnel, you connect to port 63333
2560-
on the local machine:
2558+
local port number of the tunnel; it can be any unused port. (IANA
2559+
reserves ports 49152 through 65535 for private use.) The name or IP
2560+
address after this is the remote bind address you are connecting to,
2561+
i.e., <literal>localhost</literal>, which is the default. The second
2562+
number, 5432, is the remote end of the tunnel, e.g., the port number
2563+
your database server is using. In order to connect to the database
2564+
server using this tunnel, you connect to port 63333 on the local
2565+
machine:
25612566
<programlisting>
25622567
psql -h localhost -p 63333 postgres
25632568
</programlisting>
2564-
To the database server it will then look as though you are really
2569+
To the database server it will then look as though you are
25652570
user <literal>joe</literal> on host <literal>foo.com</literal>
2566-
connecting to <literal>localhost</literal> in that context, and it
2571+
connecting to the <literal>localhost</literal> bind address, and it
25672572
will use whatever authentication procedure was configured for
2568-
connections from this user and host. Note that the server will not
2573+
connections by that user to that bind address. Note that the server will not
25692574
think the connection is SSL-encrypted, since in fact it is not
25702575
encrypted between the
25712576
<application>SSH</application> server and the
25722577
<productname>PostgreSQL</productname> server. This should not pose any
2573-
extra security risk as long as they are on the same machine.
2578+
extra security risk because they are on the same machine.
25742579
</para>
25752580

25762581
<para>
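Review bot: In the rewritten explanation of the <option>-L</option> argument, "the remote bind address you are connecting to, i.e., localhost, which is the default" leaves "the default" without a referent: the command shown spells localhost out explicitly, and the only matching default on this page is listen_addresses = 'localhost' in the later paragraph. The replacement also drops the removed wording that the name is the host "as seen from the host you are logging in to", which is what tells the reader the name is resolved on foo.com rather than on the client. Suggest keeping that clause and saying explicitly that localhost matches the server's default listen_addresses. Separately, changing "as long as they are on the same machine" to "because they are on the same machine" turns a condition into an assertion; the conditional form stays correct for readers who point the tunnel at a different host.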
@@ -2582,12 +2587,12 @@ psql -h localhost -p 63333 postgres
25822587
</para>
25832588

25842589
<para>
2585-
You could also have set up the port forwarding as
2590+
You could also have set up port forwarding as
25862591
<programlisting>
25872592
ssh -L 63333:foo.com:5432 joe@foo.com
25882593
</programlisting>
25892594
but then the database server will see the connection as coming in
2590-
on its <literal>foo.com</literal> interface, which is not opened by
2595+
on its <literal>foo.com</literal> bind address, which is not opened by
25912596
the default setting <literal>listen_addresses =
25922597
'localhost'</literal>. This is usually not what you want.
25932598
</para>
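Review bot: On the changed line "on its foo.com bind address, which is not opened by the default setting", the paragraph still ends at "This is usually not what you want" without saying what the reader will observe. Suggest stating that with listen_addresses = 'localhost' the server is not listening on that address, so the connection through the tunnel fails, and that listen_addresses would have to include that address for this form to work. Also, foo.com is a host name here while the first hunk uses "bind address" for localhost; a phrase such as "the address foo.com resolves to" would keep the term consistent.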
