This page details how to use the Encrypted Tunnel method from Access Your Database.

Availability

Encrypted Tunnel is only available on Shared Resources databases.

For Dedicated Resources databases, use direct access with firewall allowlists. See Access Your Database.

Build the Tunnel

The DB tunnel encrypts traffic between your computer and Scalingo, so data is not sent in clear text over the network. It does not add an extra access-control layer: we only check that your public key is registered on the platform.

By running the following command, an encrypted SSH tunnel is built between you and your database:

scalingo --app my-app db-tunnel DATABASE_URL

You can use any database environment variable according to the database you are using (for example SCALINGO_POSTGRESQL_URL or SCALINGO_MYSQL_URL).

Each database engine can have specific tunnel prerequisites or client-side details. For engine-specific instructions, see:

• Scalingo for PostgreSQL®
• Scalingo for MySQL®
• Scalingo for OpenSearch
• Scalingo for MongoDB®
• Scalingo for Caching

Use Any Client to Read, Import, or Export Data

Once the tunnel has been built, you can use any tool by connecting it to 127.0.0.1:<localport>.

Example

$ scalingo --app my-app db-tunnel MONGO_URL
Building tunnel to <dbhost>:<dbport>
You can access your database on '127.0.0.1:10000'

# In another terminal
$ scalingo --app my-app env | grep MONGO_URL
MONGO_URL=mongo://user:secret@<dbhost>:<dbport>/database?options

$ mongo "mongo://user:secret@<dbhost>:<dbport>/database?options"
$ mongodump -u user -p secret -h localhost:10000 -d database

If you connect using SSL/TLS, add both options --ssl and --sslAllowInvalidCertificates to the mongo command.

Build the Tunnel with the OpenSSH Client

Our command line tool handles this in a single command, but you can also build the tunnel with the standard OpenSSH client:

ssh -L <local port>:<database host>:<database port> git@<SSH hostname> -p <SSH port> -N

The SSH hostname and port depend on the region of your application:

• osc-fr1: ssh.osc-fr1.scalingo.com
• osc-secnum-fr1: ssh.osc-secnum-fr1.scalingo.com

The database host and database port can be found in the connection string environment variable of your database instance:

• SCALINGO_<TYPE>_URL

The value of this variable is a URL which represents:

scheme://user:password@host:port/database_name

You need to get host and port from this URL.

Example with an app in region osc-fr1:

SCALINGO_POSTGRESQL_URL=postgresql://user:secret@my-db.postgresql.a.osc-fr1.scalingo-dbs.com:30000/my-db

Command:

ssh -L 10000:my-db.postgresql.a.osc-fr1.scalingo-dbs.com:30000 git@ssh.osc-fr1.scalingo.com -N

Then connect on localhost:10000 to reach your database. You still need to authenticate with the credentials from the connection string.