toby-one

Reputation: 301

How to enable AllowTcpForwarding in Jelastic?

It seems that in Jelastic version 5.8 onward AllowTcpForwarding is set to no by default, which means that SSH port forwarding is not possible https://docs.jelastic.com/release-notes-58/#ssh-security.

What is the recommended way to set AllowTcpForwarding to yes for an environment?

Upvotes: 1

Views: 455

Answers (2)

toby-one

Reputation: 301

A workaround to get port forwarding working even when AllowTcpForwarding is set to false is to use the mutagen network forwarding tool instead of SSH port forwarding.

Example

mutagen forward create --name=my-web-app-repl tcp:localhost:7001 [email protected]:3022:tcp::7001

Upvotes: 0

Damien - Layershift

Reputation: 1528

As mentioned in the comments, the best way is to talk to your Jelastic hosting provider to see if they can provide you with a decent solution.

We've just published an add-on (JPS) for this case, which you're welcome to use whichever your provider may be.

Import JPS from URL

The basic idea is that having AllowTcpForwarding enabled by default is a potential security risk in that you may construct security rules (e.g. firewall) for other parts of your topology on the assumption that only local traffic can be there. Although something of an edge case, there's a potential for this assumption to be exploited in order to give access to some application or port that should not be permitted.

However, if you're aware of the risks and only enable this functionality where you have a specific need for it (rather than the old default of indiscriminately enabled everywhere), it should be safe to enable; either manually on request to your Jelastic hosting provider, or via the add-on that I've linked to.

The linked add-on has an option to disable as well, so you can easily flick it on/off on-demand if you wish.

Upvotes: 1
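To see where forwarding is actually switched on before and after toggling it, the following added example (not from either answer, and not part of the linked add-on) reports the AllowTcpForwarding posture of an OpenSSH sshd_config, covering the global value and any Match-block overrides. It assumes standard OpenSSH semantics (first value for a keyword wins, built-in default is "yes") and plain "Keyword value" lines; the function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit AllowTcpForwarding in sshd_config text read from stdin.
# Prints "global <value>" and then one 'match "<criteria>" <value>' line per
# Match block that sets the keyword.
forwarding_posture() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {               # a new Match block begins
                $1 = ""; sub(/^ +/, ""); scope = $0
                next
            }
            if (key != "allowtcpforwarding") next
            val = tolower($2)
            if (scope == "") {
                if (glob == "") glob = val      # first global occurrence wins
            } else if (!(scope in seen)) {
                seen[scope] = 1                 # first occurrence per block wins
                over = over sprintf("match \"%s\" %s\n", scope, val)
            }
        }
        END {
            if (glob == "") glob = "yes"        # OpenSSH built-in default
            printf "global %s\n%s", glob, over
        }
    '
}

# Constructed sample: forwarding off globally, local-only forwarding for one
# user, limited to a single destination with PermitOpen.
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes
Match User deploy
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:7001
'

printf '%s' "$SAMPLE_CONFIG" | forwarding_posture
```

On a host where you have root access, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a config file offline.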
