
Using ProxyJump to connect to a remote host behind a firewall

In this post, we configure ProxyJump to connect to a remote server via a jumphost. This setup allows you to limit SSH connections to a production environment to a single IP address and add an extra layer of protection to your application. Additionally, we use local port forwarding to connect to the remote server via Tinkerwell.

Tinkerwell does not support ProxyJump or ProxyCommand automatically, so if you go through a JumpHost to connect to a production environment and can't access the target host directly, Tinkerwell does not know how to connect.

For this post, we have set up two new Ubuntu 22.04 servers for demonstration purposes. They are called ubuntu-jump and ubuntu-remote. ubuntu-jump is accessible via SSH from anywhere, but ubuntu-remote only allows SSH connections from ubuntu-jump. So if we try to connect to ubuntu-remote via the IP directly, the connection times out.

This setup is the bare minimum required to show how it works. It is not related to Tinkerwell directly, but it is useful for anyone who wants an extra layer of security for their production environments.

ProxyJump and port forwarding are built into SSH, so the main task is setting up the configuration in our ~/.ssh/config file.

Host ubuntu-jump
   HostName 165.22.74.123
   User root
   IdentityFile /Users/seb/.ssh/id_rsa
   ControlPath ~/.ssh/cm-%r@%h:%p
   ControlMaster auto
   ControlPersist 10m

Host ubuntu-remote
   HostName 165.22.65.119
   User root
   IdentityFile /Users/seb/.ssh/id_rsa
   ProxyJump ubuntu-jump

For a real-world application, you likely don't connect as the root user but as a dedicated user for your purposes. We also recommend a dedicated key pair for each server. As you can see, the remote host is authenticated with the key pair on your local machine: ProxyJump only relays the TCP connection through ubuntu-jump, so the private key never leaves your machine, and even if someone gains access to ubuntu-jump, they can't access ubuntu-remote.
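As an added example (not from the post or Tinkerwell), here is a small POSIX shell/awk audit of an ssh config: for each host that uses ProxyJump it checks that the jump host has its own Host block in the same file and flags whether both hosts share one IdentityFile, which the post advises against. The embedded config is a constructed copy of the one shown above.

```sh
#!/bin/sh
# Constructed copy of the ~/.ssh/config shown in the post, embedded as sample input.
SSH_CONFIG_SAMPLE='Host ubuntu-jump
   HostName 165.22.74.123
   User root
   IdentityFile /Users/seb/.ssh/id_rsa
   ControlPath ~/.ssh/cm-%r@%h:%p
   ControlMaster auto
   ControlPersist 10m

Host ubuntu-remote
   HostName 165.22.65.119
   User root
   IdentityFile /Users/seb/.ssh/id_rsa
   ProxyJump ubuntu-jump'

# audit_proxyjump <config-text>
# For every Host block that declares ProxyJump, report whether the jump host has
# its own Host block in the config and whether both blocks point at the same
# IdentityFile (the post recommends a dedicated key pair per server).
# Output, one line per ProxyJump host:
#   <host> jump=<jump> defined=<yes|no> shared_key=<yes|no>
audit_proxyjump() {
  printf '%s\n' "$1" | awk '
    # ssh_config keywords are case-insensitive; options apply to the last Host line
    tolower($1) == "host"         { host = $2; seen[host] = 1; next }
    tolower($1) == "identityfile" { key[host] = $2; next }
    tolower($1) == "proxyjump"    { jump[host] = $2; next }
    END {
      for (h in jump) {
        j = jump[h]
        sub(/,.*/, "", j)        # multi-hop chain: look at the first hop only
        sub(/^[^@]*@/, "", j)    # strip user@
        sub(/:[0-9]+$/, "", j)   # strip :port
        defined = (j in seen) ? "yes" : "no"
        shared  = ((h in key) && (j in key) && key[h] == key[j]) ? "yes" : "no"
        printf "%s jump=%s defined=%s shared_key=%s\n", h, j, defined, shared
      }
    }'
}

audit_proxyjump "$SSH_CONFIG_SAMPLE"
```

Run it against your real file with `audit_proxyjump "$(cat ~/.ssh/config)"`; a `shared_key=yes` line is the case the post warns about.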

This setup allows us to connect to ubuntu-remote via ubuntu-jump with a single ssh ubuntu-remote command in our local terminal.

If you look at this screenshot closely, you can see that the last login is from the IP address of the jumphost and not from our local machine.

This is already a huge security improvement, but how do we use this in Tinkerwell? Tinkerwell itself can't handle this SSH magic directly, but we can use local port forwarding to connect to a local port with the app – and actually run code on ubuntu-remote.

Go to your terminal and forward a local port (this example uses 2222) to port 22 on ubuntu-remote; localhost in the command below is localhost as seen from ubuntu-remote.

ssh -NL 2222:localhost:22 ubuntu-remote

After that, create a new SSH connection in Tinkerwell and point it to localhost with port 2222.

So even if the remote host is not accessible for Tinkerwell, the app connects to the local port and gets a tunnel to ubuntu-remote. Connect and run some code to see the magic:

This setup also works for other apps, such as Transmit, that support SSH connections but do not automatically use your SSH config file and its ProxyJump directive.
