SSH Tunnels for Secure Connections to Pantheon Services

For additional security, Pantheon provides the ability to securely connect to your database and caching service over an encrypted connection using secure shell tunneling. This will increase the security of your remote connection, especially in a public or untrusted environment.

This technique configures an SSH client to forward a local port to a port on Pantheon. Once the tunnel is established, you can connect to the local port to access the remote service using the encrypted connection.

Currently, two services on Pantheon support SSH tunneling: the MySQL database and the Redis cache.

Prerequisites

Manually Create an SSH Tunnel to Connect to a MySQL Database

From the Site Dashboard, access the environment you want to connect to, and click Connection Info. This gives you the environment-specific values required for the command example below.

Use the required values from the Connection Info tab, the desired environment (Dev, Test, or Live), and the site UUID found in the Dashboard URL in the following command:

ssh -f -N -L PORT:localhost:PORT -p 2222 ENV.SITE_UUID@dbserver.ENV.SITE_UUID.drush.in

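Next, using the values found within the Connection Info tab, execute the following:

mysql -u pantheon -h 127.0.0.1 -P PORT pantheon -pPASSWORD

A password given as -pPASSWORD can be recorded in your shell history and may be visible to other local users in the process list. Use -p on its own to be prompted for the password instead.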

You can destroy the tunnel by using the port value found within the Connection Info tab and your computer's USERNAME in the following command:

ps -fU USERNAME | grep "ssh -f" | grep "PORT:" | awk '{print $2}' | xargs kill

Use Sequel Pro to SSH Tunnel to a MySQL Database

Sequel Pro is an open-source MySQL database client that supports SSH tunneling on Mac. You can configure other MySQL clients in a similar manner.

Manually Create an SSH Tunnel to a Redis Cache Server

From the site environment, get the one-line connection string. It will be in the following format:

redis-cli -h HOSTNAME -p PORT -a PASSWORD

Use the port value from the above one-line connection string, the desired environment (Dev, Test, or Live), and the site UUID found in the Dashboard URL in the following command:

ssh -f -N -L PORT:localhost:PORT -p 2222 ENV.SITE_UUID@cacheserver.ENV.SITE_UUID.drush.in

Using the password and port found in the one-line connection string, run the following command:

redis-cli -h 127.0.0.1 -p PORT -a PASSWORD

You can destroy the tunnel by using the port value found within the Connection Info tab and your computer's USERNAME in the following command:

ps -fU USERNAME | grep "ssh -f" | grep "PORT:" | awk '{print $2}' | xargs kill
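
The manual steps in both sections above (MySQL and Redis) can be wrapped in a shell helper that validates the values before they reach ssh, binds the forward to 127.0.0.1 explicitly, and closes the tunnel through an SSH control socket rather than the ps/grep/kill pipeline. This is an added example, not Pantheon's own tooling; the function names and the socket path are assumptions.

```shell
#!/bin/sh
# Added example; function names and the socket path are assumptions.
SOCK_DIR="${HOME}/.ssh"   # assumption: a directory only you can write to

# Validate the inputs, then print the ssh arguments one per line.
# usage: tunnel_args dbserver|cacheserver ENV SITE_UUID PORT
tunnel_args() {
    service=$1 envname=$2 uuid=$3 port=$4
    case $service in
        dbserver|cacheserver) ;;
        *) echo "service must be dbserver or cacheserver" >&2; return 1 ;;
    esac
    # The case patterns also reject newlines, which grep alone would not.
    case $envname in
        ''|*[!a-z0-9-]*) echo "bad environment name" >&2; return 1 ;;
    esac
    case $uuid in
        *[!0-9a-f-]*) echo "bad site UUID" >&2; return 1 ;;
    esac
    printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' ||
        { echo "bad site UUID" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
        { echo "port out of range" >&2; return 1; }
    # -M/-S: control socket; ExitOnForwardFailure: fail if the forward
    # cannot be set up; 127.0.0.1: bind the local end to loopback only.
    printf '%s\n' -f -N -M \
        -S "$SOCK_DIR/pantheon-$service-$port.sock" \
        -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$port:localhost:$port" \
        -p 2222 "$envname.$uuid@$service.$envname.$uuid.drush.in"
}

# Open the tunnel in the background (same arguments as tunnel_args).
tunnel_open() {
    args=$(tunnel_args "$@") || return 1
    # Split on newlines only; validated fields contain no whitespace.
    ( IFS='
'; set -f; exec ssh $args )
}

# Close via the control socket; usage: tunnel_close SERVICE PORT
tunnel_close() {
    # ssh requires a host argument here; with -S it is not used to connect.
    ssh -S "$SOCK_DIR/pantheon-$1-$2.sock" -O exit pantheon-tunnel
}
```

After `tunnel_open dbserver ENV SITE_UUID PORT`, connect with the mysql or redis-cli command shown above, then run `tunnel_close dbserver PORT` (or `cacheserver` for Redis).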