SSH隧道解决方案

设置到您的 MySQL 数据库服务器的 SSH 隧道(通过 Jumpbox 代理以确保安全).

SSH Tunnel Solution

Set up an SSH tunnel to your MySQL database server (through a Jumpbox proxy for security).

根据您的要求，您可以使用带有内置 SSH 隧道支持的 GUI MySQL 客户端，例如 Visual Studio Code 转发端口/创建 SSH 隧道, TablePlus 或使用 PuTTY 设置本地em> 端口转发.

Depending on your requirements, you can use a GUI MySQL client with SSH Tunnelling support built-in such as Visual Studio Code Forwarding a port / creating SSH tunnel, TablePlus or use PuTTY to setup local port forwarding.

在 macOS 上，我喜欢 Secure Pipes 或 TablePlus.

On macOS, I like Secure Pipes or TablePlus.

第一步.

ssh -fNg -L 3307:10.3.1.55:3306 username@ssh-jumpbox.com 

这里的关键是 '-L' 开关，它告诉 ssh 我们正在请求本地端口转发.

The key here is the '-L' switch which tells ssh we're requesting local port forwarding.

我选择使用上面的端口 3307.我本地机器上定向到这个端口的所有流量现在都将通过我的ssh客户端端口转发"到运行在服务器上的ssh服务器主机地址 ssh-jumpbox.com.

I've chosen to use port 3307 above. All traffic on my local machine directed to this port will now be 'port-forwarded' via my ssh client to the ssh server running on the host at address ssh-jumpbox.com.

Jumpbox ssh 代理服务器将解密流量并代表您建立与 MySQL 数据库服务器的网络连接，在这种情况下，10.3.1.55:3306.MySQL 数据库服务器看到来自 Jumpbox 内部网络地址的连接.

The Jumpbox ssh proxy server will decrypt the traffic and establish a network connection to your MySQL database server on your behalf, 10.3.1.55:3306, in this case. The MySQL database server sees the connection coming in from your Jumpbox' internal network address.

本地端口转发语法
语法有点棘手，但可以看作是:

Local Port Forwarding Syntax
The syntax is a little tricky but can be seen as:

<local_workstation_port>:<database_server_addr_remote_end_of_tunnel>:<database_server_port_remote_end> username@ssh_proxy_host.com

如果您对其他开关感兴趣，它们是:

If you're interested in the other switches, they are:

-f(转到后台)
-N(不执行远程命令)
-g(允许远程主机连接到本地转发端口)

-f (go to background)
-N (do not execute a remote command)
-g (allow remote hosts to connect to local forwarded ports)

私钥认证，在上面添加(-i)开关:

Private Key Authentication, add (-i) switch to above:

-i/path/to/private-key

-i /path/to/private-key

第 2 步.

告诉您的本地 MySQL 客户端通过您机器上的本地端口 3307 (-h 127.0.0.1) 通过您的 SSH 隧道进行连接，该端口现在通过您在步骤 1 中建立的 SSH 隧道转发发送给它的所有流量.

Tell your local MySQL client to connect through your SSH tunnel via the local port 3307 on your machine (-h 127.0.0.1) which now forwards all traffic sent to it through the SSH tunnel you established in step 1.

mysql -h 127.0.0.1 -P 3307 -u dbuser -p passphrase

客户端和服务器之间的数据交换现在通过加密的 SSH 连接发送并且是安全的.

Data exchange between client and server is now sent over the encrypted SSH connection and is secure.

安全说明
不要直接隧道到您的数据库服务器.拥有可从 Internet 直接访问的数据库服务器是一项巨大的安全责任.将隧道目标地址设为您的 Jumpbox/堡垒主机的互联网地址(参见步骤 1 中的示例)，并将您的数据库设为远程网络上数据库服务器的内部 IP 地址.SSH 将完成剩下的工作.

Security note
Don’t tunnel directly to your database server. Having a database server directly accessible from the internet is a huge security liability. Make the tunnel target address the internet address of your Jumpbox/Bastion Host (see example in step 1) and your database target the internal IP address of your database server on the remote network. SSH will do the rest.

第 3 步.

现在连接您的 PHP 应用程序:

Now connect up your PHP application with:

<?php
      $smysql = mysql_connect( "127.0.0.1:3307", "dbuser", "passphrase" );
      mysql_select_db( "db", $smysql ); 
?>

感谢 Chris Snyder 出色的文章，详细介绍了 ssh 命令行隧道用于 MySQL 连接.

Credit to Chris Snyder's great article detailing ssh command line tunnelling for MySQL connectivity.