Fly Postgres - Hightouch.io Peering

That would be a HUGE help!

This is sort of what I was thinking, let me give it a try, looking forward to your example!

Any suggestion for the best image to use for the Dockerfile?

Thanks again

@danwetherald Here’s what I’d base an image off: the Dockerfile in cagataygurturk/docker-ssh-tunnel on GitHub

Can try it with this, and I’ll write up a guide / example in a bit.

If I am being completely honest, I am not sure which variables are which haha.

Also, this does not include anything with the key.pem file.

Can you help me out?

Yeah, I’ll post an example specific to Hightouch soon.

Ah okay, yea I was taking this approach too literally haha

Can try a file like

```dockerfile
FROM alpine:3.2

RUN apk add --update openssh-client && rm -rf /var/cache/apk/*
ADD ./key.pem key.pem
# ssh refuses to use a private key that is readable by other users
RUN chmod 600 key.pem
# -i selects the private key file; -R opens a reverse forward, so port 56000
# on the Hightouch side reaches the database app over Fly's private network
CMD ssh -i key.pem \
    -R 0.0.0.0:56000:$SERVICE_HOST:$SERVICE_PORT \
    tunnel.hightouch.io -p 49100 \
    -o ExitOnForwardFailure=yes
```

with SERVICE_HOST set to the database app, like dbapp.internal
and SERVICE_PORT set to 5432 or 5433 if you’re pointing it at a read replica.

So I have it “working” but it’s using the release step and that will just hang forever and never “deploy”.

For some reason I get errors when trying to get this working with everything in the CMD of the dockerfile.

latest Dockerfile:

```dockerfile
FROM alpine:latest

RUN apk add --update openssh-client && rm -rf /var/cache/apk/*

COPY key.pem .

CMD rm -rf /root/.ssh && mkdir -p /root/.ssh && cp -R /root/ssh/* /root/.ssh/ && chmod -R 600 /root/.ssh/*

EXPOSE 1-65535
```

I’ve just posted an example as you posted this :smiley: Fly Postgres - Hightouch.io Peering - #10 by sudhir.j

This reference was accepting a tunnel, you want to establish one in reverse, so the commands are different, and there’s no port exposed.

I believe that last Dockerfile worked!!! :tada::tada::tada::tada::tada::tada::tada::tada:

Thank you so much @sudhir.j - this was a pain in the ass haha.

Nice! Just remember to prefer a read replica for this, run the tunnel app in the same region you’re running the DB, etc. Otherwise things can slow down in a lot of cases.

Absolutely! Another awesome part of fly postgres, read replicas :raised_hands:t2:.

Just ran into the next issue lol - no SSL Mode settings at hightouch

The server does not support SSL connections

Any ideas?

You’re seeing this in the log output of the tunnelling container? Or when Hightouch is trying to connect to the DB?

On hightouch side, meaning they have no config for ssl mode.

Yeah, I think you’ll want to turn OFF SSL mode on Hightouch. The tunnel app to DB is protected internally by Fly’s networking, and the tunnel to Hightouch is also encrypted with the key you have at key.pem. The connection from Hightouch to the DB doesn’t need SSL, and you’ll want to disable that.

Yup, problem is it’s not a setting on their dashboard, chatting with their support now :confused:

Okay, they were able to add an SSL Mode flag for me :raised_hands:t2:

@sudhir.j asking them about it, but seeing a lot of

ssh: connect to host tunnel.hightouch.io port 49100: Operation timed out

Which of course causes the VM to restart, wondering if you would know anything about this?

Hmm. Autossh (autossh(1): monitor/restart ssh sessions) can prevent the VM exiting and restarting (they’ve suggested it in their docs as well — you could install it and run ssh through it) but this is probably something I’d raise with Hightouch. Maybe they could give you a port that’s more available and reliable?
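As an added example (not from this thread, Fly or Hightouch), here is an entrypoint script that wraps the ssh command from the Dockerfile above in autossh with keepalives, so a dropped session to tunnel.hightouch.io:49100 is re-established instead of the VM exiting and restarting. SERVICE_HOST and SERVICE_PORT are the variables from the thread; KEY_FILE, KNOWN_HOSTS, REMOTE_PORT, the `-N` flag and the pinned known_hosts file are my assumptions.

```shell
#!/bin/sh
# entrypoint.sh: keep a reverse tunnel to Hightouch alive with autossh.
# Added example; KEY_FILE, KNOWN_HOSTS and REMOTE_PORT are assumed names.
set -eu

KEY_FILE="${KEY_FILE:-/key.pem}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/known_hosts}"   # Hightouch host key, fetched out of band
REMOTE_PORT="${REMOTE_PORT:-56000}"          # port bound on the Hightouch side

# Fail fast on bad configuration instead of letting ssh crash-loop the VM.
validate_env() {
  [ -n "${SERVICE_HOST:-}" ] || { echo "SERVICE_HOST unset" >&2; return 1; }
  case "${SERVICE_PORT:-}" in
    ''|*[!0-9]*) echo "SERVICE_PORT must be numeric" >&2; return 1 ;;
  esac
  return 0
}

# Assemble the ssh arguments in one place so they can be inspected and tested.
tunnel_args() {
  printf '%s ' \
    -i "$KEY_FILE" -N \
    -R "0.0.0.0:${REMOTE_PORT}:${SERVICE_HOST}:${SERVICE_PORT}" \
    -p 49100 \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=${KNOWN_HOSTS}" \
    tunnel.hightouch.io
}

run_tunnel() {
  validate_env || return 1
  # ssh refuses a private key readable by others, so tighten it before use.
  chmod 600 "$KEY_FILE"
  # -M 0 disables autossh's own monitor port; ServerAlive* detects dead links,
  # and autossh restarts ssh when it exits, so a timeout no longer kills the VM.
  exec autossh -M 0 $(tunnel_args)
}

# Start the tunnel only when invoked as "entrypoint.sh start".
case "${1:-}" in
  start) run_tunnel ;;
esac
```

Ship the container with `CMD ["/entrypoint.sh", "start"]`, and keep the known_hosts entry current so a changed host key is noticed rather than silently accepted.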

Gotcha! Okay I will look into both, waiting to hear what they think about the issue.

Thanks again for all your help, you rock!

Do you get these issues when trying to run a tunnel to Hightouch from a local machine pointed at a local DB as well? We can rule out it being a Fly problem if it behaves differently on your dev machine.