Sunday, April 24, 2005
Using SSH to reduce connectivity overhead between servers
Usually, when you have these kinds of connectivity requirements, you would use SSL encryption between servers to prevent data leaks via sniffing. You would also set up IP filtering or mutual authentication via certificates on both sides to prevent unauthorized connections.
Every time your application connects to the other server using a combination of mutual authentication and SSL, it is an expensive operation in terms of CPU usage and time spent in the connection handshake.
How could you reduce this unnecessary overhead? If you set up a permanent SSH tunnel between your server and the other server, then the encrypted connection handshake becomes just a one-time cost. All your requests go to your local SSH end-point. SSH encrypts all the data, sends it over to the other server, decrypts it there and presents it for the other server to process. The only caveat is that you need an account on the other server to set up a permanent SSH tunnel between your server and the other server.
Here is how you would set up the SSH tunnel (the account on the other server is the one named in the caveat above; -N keeps the session open without starting a remote shell):
ssh -N -L local_port:target_server:target_port user@target_server
You just need to modify your application to send all its requests to local_port on the local machine, and they will automatically be forwarded to target_server:target_port by the SSH tunnel.
SSH not only encrypts everything between the two tunnel end-points, it can also be set up to perform authentication using a private/public key pair instead of passwords.
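As an added example (not from the original post), the following POSIX shell script builds and starts the kind of persistent local-forward tunnel described above with key-based authentication. The host name remote.example, the account appuser, the ports 15432 and 5432 and the key path are assumptions; the script binds the local end-point to 127.0.0.1 so that only processes on your own server can use the tunnel, forwards to 127.0.0.1 on the remote side so the whole path stays inside the SSH session, and uses keepalives and ExitOnForwardFailure so a dead link or a busy local port is noticed rather than silently ignored.

```sh
#!/bin/sh
# Added example, not code from the original post. Hosts, ports and key path
# below are assumed values; override them through the environment.
TUNNEL_USER="${TUNNEL_USER:-appuser}"          # assumed account on the other server
REMOTE_HOST="${REMOTE_HOST:-remote.example}"   # assumed SSH server (target_server)
REMOTE_PORT="${REMOTE_PORT:-5432}"             # assumed service port on that server
LOCAL_PORT="${LOCAL_PORT:-15432}"              # local end-point the application talks to
KEY_FILE="${KEY_FILE:-$HOME/.ssh/tunnel_ed25519}"  # assumed private key for the tunnel

# is_port NUM: succeeds only if NUM is an integer in 1..65535
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT USER KEY_FILE
# Prints the ssh command line for the tunnel:
#   -f   go to the background once authentication has succeeded
#   -N   open no remote shell, only the port forward
#   -i   use the tunnel's own key, BatchMode so it never prompts for a password
#   ExitOnForwardFailure  fail loudly if LOCAL_PORT is already in use
#   ServerAlive*          detect a dropped connection and let a supervisor restart it
#   -L 127.0.0.1:L:127.0.0.1:R  listen only on loopback locally; the destination
#        127.0.0.1:R is resolved by the remote sshd, i.e. the service on that host,
#        so no hop of the path leaves the encrypted SSH session
tunnel_cmd() {
  is_port "$1" || { echo "bad local port: $1" >&2; return 1; }
  is_port "$3" || { echo "bad remote port: $3" >&2; return 1; }
  printf '%s\n' "ssh -f -N -i $5 -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:$1:127.0.0.1:$3 $4@$2"
}

# start_tunnel: run the command and, if nc is available, confirm the local
# end-point is accepting connections before the application is pointed at it.
start_tunnel() {
  cmd=$(tunnel_cmd "$LOCAL_PORT" "$REMOTE_HOST" "$REMOTE_PORT" "$TUNNEL_USER" "$KEY_FILE") || return 1
  echo "starting: $cmd"
  eval "$cmd" || { echo "tunnel failed to start" >&2; return 1; }
  if command -v nc >/dev/null 2>&1; then
    nc -z 127.0.0.1 "$LOCAL_PORT" || { echo "local end-point not listening" >&2; return 1; }
  fi
  echo "tunnel ready on 127.0.0.1:$LOCAL_PORT"
}

# Only start the tunnel when explicitly asked: ./tunnel.sh start
case "${1:-}" in
  start) start_tunnel ;;
esac
```

Run it as `LOCAL_PORT=15432 REMOTE_HOST=remote.example ./tunnel.sh start` and point the application at 127.0.0.1:15432. For a tunnel that is meant to be permanent, have a process supervisor or a cron job re-run `start` when the ssh process exits; the keepalive options make that exit happen promptly when the link drops.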
Copyright Anand Jain 2004, 2005. All rights