Tinkerwell
In this post, we configure ProxyJump to connect to a remote server via a jumphost. This setup allows you to limit SSH connections to a production environment to a single IP address and add an extra layer of protection to your application. Additionally, we use local port forwarding to connect to the remote server via Tinkerwell.
Tinkerwell does not support ProxyJump or ProxyCommand automatically, so if you go through a JumpHost to connect to a production environment and can't access the target host directly, Tinkerwell does not know how to connect.
For this post, we have set up two new Ubuntu 22.04 servers for demonstration purposes. They are called ubuntu-jump and ubuntu-remote. ubuntu-jump is accessible via SSH from anywhere, but ubuntu-remote only allows SSH connections from ubuntu-jump. So if we try to connect to ubuntu-remote via the IP directly, the connection times out.
This setup is the bare minimum that is required to show how it works and it is not related to Tinkerwell directly but useful for anyone who want an extra layer of security for their production environments.
ProxyJump and port forwarding are built into SSH, so the main task is setting up the configuration in our ~/.ssh/config file.
Host ubuntu-jump HostName 165.22.74.123 User root IdentityFile /Users/seb/.ssh/id_rsa ControlPath ~/.ssh/cm-%r@%h:%p ControlMaster auto ControlPersist 10m Host ubuntu-remote HostName 165.22.65.119 User root IdentityFile /Users/seb/.ssh/id_rsa ProxyJump ubuntu-jumpFor a real world application, you likely don't connect via the root user but a dedicated user for your purposes. As a recommendation, both servers should also have dedicated key pairs as well. As you can see, the remote host uses your key pair, so even if someone gains access to ubuntu-jump, they can't access ubuntu-remote.
This setup allows us to connect to ubuntu-remote via ubuntu-jump with a single ssh ubuntu-remote command in our local terminal.
If you look at this screenshot closely, you can see that the last login is from the IP address if the jumphost and not from our local machine.
This is already a huge security improvement, but how do we use this in Tinkerwell? Tinkerwell itself can't handle this SSH magic directly, but we can use local port forwarding to connect to a local port with the app – and actually run code on ubuntu-remote.
Go to your terminal and forward a local port – this example uses 2222 to port 22 on ubuntu-remote via localhost.
ssh -NL 2222:localhost:22 ubuntu-remoteAfter that, create a new SSH connection in Tinkerwell and point it to localhost with port 2222.
So even if the remote host is not accessible for Tinkerwell, the app connects to the local port and gets a tunnel to ubuntu-remote. Connect and run some code to see the magic:
This setup also works for other apps like Transmit or any other app that supports SSH connections but does not automatically use your SSH config file and the ProxyJump command.
“Tinkerwell allows me to prototype ideas in the most efficient way possible. I feel like my life was different before it.”Benjamin Crozat
Indie Hacker & Blogger
“Tinkerwell quickly became an essential part of my daily Laravel workflow. It’s easily the biggest upgrade to my dev experience in years.”
Gilbert Pellegrom
CTO at Lemon Squeezy
The must-have companion to your favorite IDE. Quickly iterate on PHP code within the context of your web application.
Buy now Learn more