SSH Tunneling and AutoSSH

We recently integrated a search facility into Futureproofs and like some of our previous stack decided to use for our ElasticSearch stack. at the time had 2 ways to connect to the ElasticSearch instance, either whitelist your IP addresses or setup an SSH Tunnel.

We weren't in a position to whitelist IP addresses as we dynamically spin up boxes behind a load balancer (no static IPs here), so had no choice but to follow the white rabbit.

Firstly you have to enable and create an SSH user in your ES settings (copying in a suitable public key); be sure the private key is on the server thats needs ES access and I'd recommend for this particular task not adding a passphrase.

You can now test your access by copying and pasting the SSH command into your server that provide.

###SSH Shortcut

I personally don't want to have to copy/paste or remember these details each time I wanted to create an SSH tunnel, and so opted to put a reference in my SSH config file.

    Port 10651
    User compose
    LocalForward 10.xx.1xx.34:9200
    LocalForward 10.xx.1xx.35:9200
    LocalForward 10.xx.1xx.36:9200

You can test this works by running:


If everything has gone to plan at this point, we should have an SSH user we can connect to via a handy SSH shortcut, pucka. The final part of the process is to automate the connection of the SSH tunnel so that on reboot and/or on disconnection the tunnel is re-established.

###AutoSSH Fortunately a tool already exists to handle this process, its called autossh and if you're on Ubuntu can be installed by running:

apt-get install autossh

You can test this has worked by running:

autossh -N

it is worth noting you can add a ‘-f’ to this command to make the tunnel a background process.

###Launch cron Almost all the parts of our puzzle are now in place and we just need to ensure the autoSSH service starts on boot, with our specified config. To do that we're going to create a cron.d entry. I'm using ubuntu so within the file:


add the entry (remembering to always a blank line after the last cron line):

@reboot root autossh -f -N

If you reboot your server you should find that the tunnel is setup automatically and you can test the health of your ElasticSearch instance by:

###Testing the connection

curl 'http://localhost:9200/_cluster/health?pretty'

Thats it folks :)

Ben Squire

Read more posts by this author.

Leicestershire, United Kingdom