There are two ways to setup
With our automated bash script, connecting Holistics to your data source using reverse tunnel is much faster and more convenient.
NOTE: The script supports Debian and RHEL based distros. For other systems, please see this doc on setting up tunnel manually.
(To learn more about reverse tunnel, please also refer to this)
- Enter the
Display Nameof the data source and choose your
Use reverse tunnel
- Fill in the
Portwhere your database can be accessed from your proxy server
Generate Scriptand wait for the script to be generated
- Copy the command and execute it on your proxy/bastion server. You will be asked for sudo privileges to install packages and set up system service. See the last section to know all actions that the script carries out.
- Read the script introduction and follow the script execution
- Return to your browser when this message appears:
- The database configurations will now appear on your form. Fill in and click
- If the connection is successful, you can save the data source by clicking
Save Data Source
- After the data source is saved, the reverse tunnel will be running in a system service called
h_autossh. Note that the display of the status varies between systems.
As described in Script Operation / Final steps below, the reverse tunnel script creates a service for you to manage all tunnel connections to Holistics, and start them automatically on startup.
- to start all Holistics tunnels, run
sudo service h_autossh start
- to stop all Holistics tunnels, run
sudo service h_autossh stop
- to restart all Holistics tunnels, run
sudo service h_autossh restart
- to see the status of Holistics tunnels service, run
sudo service h_autossh status
To remove the service quickly and conveniently, please see the section Removeing Reverse Tunnel section below.
You should only want to remove the reverse tunnel when you remove a data source.
For data sources using reverse tunnel connection, when you click
Delete, we will generate another script for you to execute on the proxy server.
This script removes the reverse tunnel (associated with the chosen data source) from
h_autossh and restart the service.
If the reverse tunnel being removed is the last tunnel in
h_autossh (i.e. you do not have any other reverse tunnel), the
h_autossh service will also be removed.
Finally, the data source will be deleted.
The script takes the following actions (in order)
Creates a directory to store all files related to the whole process.
The script tries to install two main packages:
Used to communicate with Holistics web server.
nssis also updated if possible so that
curlcan handle ssl connection properly
The program to handle the tunnel connection and keep the connection persistent. For distros using
autosshis not always available (such as in RHEL 6). In this case,
makewill also be installed to compile
autosshfrom its source. If you want to install
autosshby yourself instead, please install it prior to the script execution, and the script will not try to install again.
A new key pair will be generated in Holistics directory using
ssh-keygen. If the key pair exists, for example when you have already set up another tunnel, the existing key pair will be used. Then, the public key is submitted to Holistics web server. Holistics will add your public key to the tunnel server so that ssh connection can be established, and also assign a specific port on the tunnel server for your new connection.
The script creates an reverse tunnel ssh connection from your proxy server to our tunnel server. The port on the tunnel server will be the one assigned by Holistics, and the port on your server is the one you configured in the data source form. Afterward, the script will notify Holistics web server about the running tunnel.
At the point the scripts tells you to return to the browser, it starts waiting for your data source result. If the data source is saved successfully, the script will stop the reverse tunnel that was made previously. Then, it creates a new service called
h_autossh, which is stored in
/etc/init.d/ and contains the command to run the reverse tunnel. If the service exists, the script will update it to include the new tunnel configuration. The service is also enabled to run on startup.
Setting up reverse tunnel is great if you want to open a dedicated connection from your
bastion server to our tunnel server.
All connections from Holistics will then through the tunnel for a more secure data transfer. All connections to your DB will look as if it originates from your bastion server.
We'll be using
autossh to make the reverse SSH tunnel,
autossh manages the SSH connections automatically for us, restarting it when it dies/drops off, so that we'll try to have a persistent tunnel as much as possible.
Generate a new SSH key pair with:
ssh-keygen -t rsa -b 4096
When asked for a passphrase, press 'Enter'. A pair of files will be created as per the path you entered.
If you already have a keypair, please ensure your private key is read only by your use account:
chmod 400 <path_to_your_private_key_file>
Send us the public key (file
email@example.com so we can add it to our tunnel server.
We will confirm with you after we have installed your public key and send you the available secured ports to connect to.
Make sure you received the confirmation from us before you continue with the steps below, otherwise the command will fail.
sudo apt-get update sudo apt-get install autossh
We'll be running
autossh in a screen, you can run it as a background daemon too, but that's more difficult to manage. Install screen with
sudo apt-get install screen, then run:
screen -S holistics
Now that you're inside a screen:
autossh -M 0 -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \ -R *:[tunnel_port]:[yourdb.server.com]:[db_port] \ firstname.lastname@example.org -p 50022 \ -i <path_to_your_private_key_file>
Before you run, change the second line to fit with the connection string to your database server:
Example of a command:
autossh -M 0 -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \ -R *:20032:db.somehost.com:5432 \ email@example.com -p 50022 \ -i ~/.ssh/id_rsa
In the above example:
- Your db host is:
- The tunnel port you choose is:
[tunnel_port]is the port we'll use when connecting to
tunnel.holistics.io. We've opened up the range
20000:20100for tunneling purpose, so if you create a second tunnel, please pick a port in this range.
- We've restricted traffic for
20000:20100to only the Holistics web server, so
connecting to these ports from other computers will not succeed.
Now open Holistics and add a data source, use the credentials you have, except:
You should be good to go.
About GNU screen:
- To exit the screen:
- To enter the screen again:
screen -x holistics