
I'm unwilling to trust IP access control for anything in 2011.

If I could do SSH port forwarding, that'd probably be my first choice. I have an AES-128-CTR+HMAC-SHA256 encrypted sleeve for the Redis protocol with an attendant Redis::Connection driver, but this is exactly the kind of thing I'm always telling people not to do.




This motivated me to play around with Net::SSH port forwarding this afternoon and evening. What I ended up with was a tiny patch that allows you to forward a local UNIX domain socket to a remote TCP port over an SSH connection. It's a fun hack if nothing else:

https://gist.github.com/1144486 https://github.com/imbriaco/net-ssh/commit/aa453511f546cd524...


Closing the loop and replying to myself, I got carried away and wound up with a full Sinatra demo app that does this:

https://github.com/imbriaco/heroku-redis-sshtunnel
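The two comments above describe forwarding a local UNIX domain socket to a remote TCP port. The block below is an added example, not the Net::SSH patch or the Sinatra demo: it is the relay half of that idea in plain Ruby, with a local TCPSocket standing in for the SSH channel that the real hack opens to the remote Redis port, so it runs offline. The `UnixToTcpForwarder` class, the `start_fake_redis` stand-in (which only answers PING) and the socket path are all assumptions of this example.

```ruby
require 'socket'
require 'tmpdir'

# Added example: listen on a UNIX domain socket and relay each client
# to a TCP endpoint. In the Net::SSH hack the TCP side would be an SSH
# channel to the remote port; here a plain TCPSocket stands in for it.
class UnixToTcpForwarder
  def initialize(sock_path, remote_host, remote_port)
    @sock_path   = sock_path
    @remote_host = remote_host
    @remote_port = remote_port
  end

  # Accept clients in a background thread; each client gets its own relay.
  def start
    File.unlink(@sock_path) if File.exist?(@sock_path)
    @server = UNIXServer.new(@sock_path)
    File.chmod(0600, @sock_path) # only this local user may use the tunnel
    @thread = Thread.new do
      loop do
        client = begin
          @server.accept
        rescue IOError, Errno::EBADF
          break # server socket closed by #stop
        end
        Thread.new(client) { |c| relay(c) }
      end
    end
    self
  end

  def stop
    @server.close
    @thread.join
    File.unlink(@sock_path) if File.exist?(@sock_path)
  end

  private

  # Pump bytes in both directions until either side hangs up.
  def relay(client)
    upstream = TCPSocket.new(@remote_host, @remote_port)
    sockets = [client, upstream]
    loop do
      ready, = IO.select(sockets)
      ready.each do |io|
        data = io.readpartial(65_536)
        peer = io.equal?(client) ? upstream : client
        peer.write(data)
      end
    end
  rescue EOFError, Errno::ECONNRESET, Errno::EPIPE, Errno::ECONNREFUSED
    # one side closed or the upstream was unreachable; fall through to cleanup
  ensure
    client.close unless client.closed?
    upstream.close if upstream && !upstream.closed?
  end
end

# Constructed stand-in for the remote Redis (assumption of this example):
# answers PING with the inline RESP reply +PONG and rejects anything else.
def start_fake_redis
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      conn = begin
        server.accept
      rescue IOError, Errno::EBADF
        break
      end
      Thread.new(conn) do |c|
        while (line = c.gets)
          c.write(line.strip.upcase == 'PING' ? "+PONG\r\n" : "-ERR unknown command\r\n")
        end
        c.close
      end
    end
  end
  server
end

# Full round trip: client -> UNIX socket -> relay -> TCP "Redis" -> back.
# Returns the reply line the client saw, e.g. "+PONG".
def ping_via_unix_socket
  redis = start_fake_redis
  path = File.join(Dir.tmpdir, "redis-fwd-#{Process.pid}.sock")
  fwd = UnixToTcpForwarder.new(path, '127.0.0.1', redis.addr[1]).start
  client = UNIXSocket.new(path)
  client.write("PING\r\n")
  reply = client.gets
  client.close
  reply.strip
ensure
  fwd&.stop
  redis&.close
end

puts ping_via_unix_socket if $PROGRAM_NAME == __FILE__
```

The 0600 mode on the socket file is the part worth keeping when the TCP side really is an SSH channel: it limits the tunnel to the local user who opened it, which is the access control the thread is after instead of trusting source IPs.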


It's not IP access control - it's hypervisor control.


I'm a lot more worried about allowing arbitrary EC2 hosts to connect to my Redis port than I am about people sniffing the traffic.



