In this post, we configure ProxyJump to connect to a remote server via a jumphost. This setup allows you to limit SSH connections to a production environment to a single IP address and add an extra layer of protection to your application. Additionally, we use local port forwarding to connect to the remote server via Tinkerwell.
Tinkerwell does not support ProxyJump or ProxyCommand automatically, so if you go through a JumpHost to connect to a production environment and can't access the target host directly, Tinkerwell does not know how to connect.
For this post, we have set up two new Ubuntu 22.04 servers for demonstration purposes. They are called ubuntu-jump
and ubuntu-remote
. ubuntu-jump
is accessible via SSH from anywhere, but ubuntu-remote
only allows SSH connections from ubuntu-jump
. So if we try to connect to ubuntu-remote
via the IP directly, the connection times out.
This setup is the bare minimum that is required to show how it works and it is not related to Tinkerwell directly but useful for anyone who want an extra layer of security for their production environments.
ProxyJump and port forwarding are built into SSH, so the main task is setting up the configuration in our ~/.ssh/config
file.
Host ubuntu-jump HostName 165.22.74.123 User root IdentityFile /Users/seb/.ssh/id_rsa ControlPath ~/.ssh/cm-%r@%h:%p ControlMaster auto ControlPersist 10m Host ubuntu-remote HostName 165.22.65.119 User root IdentityFile /Users/seb/.ssh/id_rsa ProxyJump ubuntu-jump
For a real world application, you likely don't connect via the root
user but a dedicated user for your purposes. As a recommendation, both servers should also have dedicated key pairs as well. As you can see, the remote host uses your key pair, so even if someone gains access to ubuntu-jump
, they can't access ubuntu-remote
.
This setup allows us to connect to ubuntu-remote
via ubuntu-jump
with a single ssh ubuntu-remote
command in our local terminal.
If you look at this screenshot closely, you can see that the last login is from the IP address if the jumphost and not from our local machine.
This is already a huge security improvement, but how do we use this in Tinkerwell? Tinkerwell itself can't handle this SSH magic directly, but we can use local port forwarding to connect to a local port with the app – and actually run code on ubuntu-remote
.
Go to your terminal and forward a local port – this example uses 2222
to port 22
on ubuntu-remote
via localhost
.
ssh -NL 2222:localhost:22 ubuntu-remote
After that, create a new SSH connection in Tinkerwell and point it to localhost
with port 2222
.
So even if the remote host is not accessible for Tinkerwell, the app connects to the local port and gets a tunnel to ubuntu-remote
. Connect and run some code to see the magic:
This setup also works for other apps like Transmit or any other app that supports SSH connections but does not automatically use your SSH config file and the ProxyJump command.
“The ability to SSH directly into a server and run diagnostics directly from Tinkerwell is insanely amazing! Can't imagine doing development without it at this point.”Jake Bennett
Director of Technology and Innovation
“Tinkerwell is an invaluable part of my workflow: running ad-hoc code, debugging, and preparing samples for writing projects. It has saved me so much time!”John Koster
Developer
The must-have companion to your favorite IDE. Quickly iterate on PHP code within the context of your web application.
Buy now Learn more