On Mon, Mar 19, 2001 at 11:28:39PM -0600, Jason J wrote:
>Stunnel doesn't suck. I have been using this method to tunnel my database
>interaction for at least 6 months.

No matter what I do, it seems like it's going to connect and then I get 
SSL_connect: error:0000000000::lib(0) :func:(0) :reason(0)
in the log on client side
and

stunnel: localhost.3306 connected from web.server.ip:some_randomportnumber
stunnel: remote connect: Connection Refused (111)

in the log on the server side. I am not trying to go through my firewall yet,
and am running the exact same commands I see both in this mail and on
stunnel.org

>
>Client Web Server Side:
>IP: Any IP
>box1# /usr/local/sbin/stunnel -c -p /usr/local/ssl/certs/stunnel.pem -d 127.0.0.1:3306 -r 10.10.10.5:3306    # Only bound to local loopback, not accessible from any other interfaces
>
>Server MySQL Side:
>IP: 10.10.10.5
>box2# /usr/local/sbin/stunnel -p /usr/local/ssl/certs/stunnel.pem -d 10.10.10.5:3306 -r 127.0.0.1:3306     # Only bound to ethX and forwards traffic from ethX to local loopback
>/usr/local/bin/safe_mysqld --bind-address=127.0.0.1    # Only bound to local loopback interface, not accessible from any other interfaces
>
>Test:
>box1# telnet 127.0.0.1 3306
>Trying 127.0.0.1...
>Connected to 127.0.0.1.
>Escape character is '^]'.
>?
>3.22.32KiQ;n=&A
>
>3.22.32 is the version of mysql currently running on the old dev box I ran this
>test on. So it worked.
>
>
>the binding of mysql on 3306 only on 'lo' and stunnel on 3306 only on 'ethX'
>won't conflict. Plus, you don't have to use the same port numbers anyway, I just
>do it for convenience, mysql always running on 3306.
>
>
>
>
>Ben Lutgens wrote:
>
>> O.k. so I am trying to tunnel mysql using stunnel. So far I'm convinced it's
>> not possible. How can you bind port 3306 on your tunnel when mysql is using
>> that port? It makes no sense to me.
>>
>> On the server side if you run stunnel -p $PEMFILE -d $REMOTEIP -r
>> 127.0.0.1:3306
>>
>> I get "Can't bind requested address"
>>
>> Tunneling stuff through ssh sucks, and it seems stunnel sucks too.
>>
>> --
>> Ben Lutgens             cell: 612.670.4789
>> Sistina Software Inc.   work: 612.379.3951
>> Code Monkey Support (A.K.A. System Administrator)
>>
>> "It's hard to believe that's the same frail woman who once sprained her wrist
>> from having too much dip on a cracker!" -- Frazier Crane
>>

-- 
Ben Lutgens		cell: 612.670.4789
Sistina Software Inc.	work: 612.379.3951
Code Monkey Support (A.K.A. System Administrator)

"It's hard to believe that's the same frail woman who once sprained her wrist
from having too much dip on a cracker!" -- Frazier Crane
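
Added example, not part of the original thread: a socket-level demonstration of the port-binding question discussed above, showing that two listeners can share a port when each is bound to a different specific address, that a wildcard bind collides with both, and what a forwarding connection returns when nothing is listening on the target. It assumes Linux, where all of 127.0.0.0/8 is local; 127.0.0.2 is a constructed stand-in for the ethX address, and the function names are hypothetical.

```python
import errno
import socket

def try_bind(addr, port):
    """Listen on addr:port; return (socket, None) or (None, errno name)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        s.listen(1)
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))

def try_connect(addr, port):
    """Connect the way a tunnel's forwarding leg would; None means success."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)
    try:
        s.connect((addr, port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def demo(db_addr="127.0.0.1", tunnel_addr="127.0.0.2"):
    # Constructed stand-ins: db_addr plays mysqld on loopback, tunnel_addr
    # plays the ethX address (10.10.10.5 in the thread).
    out = {}
    db, out["db_bind"] = try_bind(db_addr, 0)   # port 0: kernel picks a free port
    port = db.getsockname()[1]
    # Same port, different specific address: no conflict.
    tun, out["tunnel_bind"] = try_bind(tunnel_addr, port)
    # The wildcard covers every local address, so it collides with both listeners.
    wild, out["wildcard_bind"] = try_bind("0.0.0.0", port)
    # Forwarding leg while the database listener is up, then after it is gone.
    out["forward_db_up"] = try_connect(db_addr, port)
    db.close()
    out["forward_db_down"] = try_connect(db_addr, port)  # ECONNREFUSED, 111 on Linux/x86
    for s in (tun, wild):
        if s is not None:
            s.close()
    return out

if __name__ == "__main__":
    for step, err in demo().items():
        print(f"{step:16} {'ok' if err is None else err}")
```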