Feature request: deploy through SSH tunnel


shevron

Jan 29, 2012, 4:33:45 AM
to zend-sdk
Hi Zend team :)

I have a feature request: For security reasons, I never open the Zend
Server GUI ports to public access over the network, but only allow
access from localhost. To access the GUI and deploy apps, I open a
tunnel using SSH port forwarding - for example, I run:

$ ssh myserver.example.com -L 20081:localhost:10081

Then I deploy to http://localhost:20081/ZendServer

It would be really nice if the zend SDK could handle this for me -
that is, allow me to define targets which, in addition to a URL and an
API key, allow me to define access through an SSH tunnel, and the SSH
credentials to use (by default it would just use my default RSA
private key).

Another option that would work for me is allowing deployment through
HTTPS with support for client SSL certificates for authentication. If
this will be supported, I will configure the Zend Server lighttpd to
only accept specifically signed client certificates, and will not need
the SSH tunnel.

Keep up the good work!

Shahar.

RoyGanor

Jan 29, 2012, 5:06:53 AM
to zend-sdk
Hi shevron,

Actually the second scenario you are asking for is already supported
(unintentionally) but you are right it's currently not "streamlined"
very well by the SDK.
So to make sure you can do it you will need to understand how
certificates work with Java by using the keytool command line
http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html

This is how we did it for our Cloud solution so you may "take a ride"
with our ~/.zendsdk.keystore file.

Just out of curiosity (maybe I am missing something), why is opening the
SSH port for tunneling better than opening the ZServer port? Do you
open it without shell/commandline?

Thanks,
Roy

On Jan 29, 11:33 am, shevron <shahar.ev...@gmail.com> wrote:
> Hi Zend team :)
>
> I have a feature request: For security reasons, I never open the Zend
> Server GUI ports to public access over the network, but only allow
> access from localhost. To access the GUI and deploy apps, I open a
> tunnel using SSH port forwarding - for example, I run:
>
> $ ssh myserver.example.com -L 20081:localhost:10081
>
> Then I deploy to http://localhost:20081/ZendServer

shevron

Jan 29, 2012, 11:51:01 AM
to zend-sdk
Hey,

On Jan 29, 12:06 pm, RoyGanor <gan...@gmail.com> wrote:
> Hi shevron,
>
> Actually the second scenario you are asking for is already supported
> (unintentionally) but you are right it's currently not "streamlined"
> very well by the SDK.
> So to make sure you can do it you will need to understand how
> certificates work with Java by using the keytool command line
> http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html
>
> This is how we did it for our Cloud solution so you may "take a ride"
> with our ~/.zendsdk.keystore file.

Would be nice to have it streamlined though :)

>
> Just out of curiosity (maybe I am missing something), why is opening the
> SSH port for tunneling better than opening the ZServer port? Do you
> open it without shell/commandline?

Fewer open ports on the public interface and the inherent security of
using passwordless SSH (private keys only). In all honesty it just
seems like a good practice to only allow access to the Zend Server GUI
to people that already have SSH access to the machine. SSH tunnels can
of course be opened without opening a shell or command line - it's an
ability built in to SSH. If I wanted to script the process of opening
a tunnel, using the zend sdk to deploy a package and then closing the
tunnel again, I could probably do it with a few lines of bash. In
fact, maybe I will :)

Thanks,

Shahar.
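
The tunnel-then-deploy script mentioned in the last message could look like the following; this is an added example, not code posted by anyone in the thread. `SSH_BIN`, `forward_spec` and `with_tunnel` are names assumed here, and the deploy command is passed in as an argument because the thread does not show the SDK's command syntax.

```shell
# Added example; SSH_BIN and both function names are assumptions of this sketch.
SSH_BIN="${SSH_BIN:-ssh}"

# forward_spec LOCAL_PORT REMOTE_PORT: print a loopback-only -L argument.
forward_spec() {
    local p
    for p in "$1" "$2"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port: $p" >&2; return 2
        fi
    done
    # Bind the local end to 127.0.0.1 so other hosts cannot use the tunnel.
    printf '127.0.0.1:%s:localhost:%s' "$1" "$2"
}

# with_tunnel HOST LOCAL_PORT REMOTE_PORT COMMAND [ARGS...]
# Opens the forward, runs COMMAND, closes the forward, returns COMMAND's status.
with_tunnel() {
    local host="$1" spec dir sock rc=0
    spec=$(forward_spec "$2" "$3") || return 2
    shift 3
    # Private directory for the control socket (mktemp -d creates it mode 0700).
    dir=$(mktemp -d) || return 1
    sock="$dir/ctl"
    # -f -N: go to background without a remote shell or command.
    # -M -S: control socket, used below to close this exact connection.
    # BatchMode: never prompt interactively, which suits key-only logins.
    # ExitOnForwardFailure: fail here if the local port cannot be bound.
    if "$SSH_BIN" -f -N -M -S "$sock" \
        -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -L "$spec" "$host"; then
        "$@" || rc=$?
        # Close the tunnel whether or not the command succeeded.
        "$SSH_BIN" -S "$sock" -O exit "$host" 2>/dev/null || true
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Usage; the deploy command is a placeholder, not syntax taken from the thread:
#   with_tunnel myserver.example.com 20081 10081 <your deploy command>
```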