New Stackato Client: Tunneling and HTTPS
by Jeff Hobbs

Jeff Hobbs, December 1, 2011
Stackato Tunnel

I'm very happy to provide an update to Troy's post from last week about connecting to database services in Stackato. In that post, he said:

Since we are maintaining API compatibility with Cloud Foundry, we'll be adding an equivalent 'stackato tunnel' command to emulate 'vmc tunnel'.

Well, we've just released a new version of the stackato client which implements the 'tunnel' command. In doing this, we evaluated how the client communicated and otherwise operated, and found a few places we felt should be improved.

Password? What password?

For example, the vmc client requires you to specify a password when initially pushing the tunnel, which authenticates future tunnel connections. However, if you subsequently type an incorrect password, it doesn't deny access. Instead, it interprets that as if the tunnel hadn't been deployed, deletes any existing tunnel, and redeploys using the new password.

$ vmc tunnel
1: mysql-d05c5
Which service to tunnel to?: 1
Password: *****
Redeploying tunnel application 'caldecott'.
Uploading Application:
  Checking for available resources: OK
  Packing application: OK
  Uploading (1K): OK   
Push Status: OK
Binding Service [mysql-d05c5]: OK

This is not a critical security hole, since the vmc user has been previously authenticated, but it's likely unintentional behavior. The 'stackato tunnel' command doesn't do this:

$ stackato tunnel
1. postgresql-gtd
Which service to tunnel to: 1
Password: *****
Getting tunnel url: OK, at
Error: Bad password, authentication to tunnel failed
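
The difference between the two behaviours comes down to whether the client tells "no tunnel deployed" apart from "tunnel deployed, wrong password". The following is an added example, not code from vmc or the stackato client; `TunnelApp`, `TunnelAuthError` and both `connect_*` functions are hypothetical names in a simplified in-memory model.

```python
import hmac


class TunnelAuthError(Exception):
    """Raised when a tunnel exists but rejects the supplied password."""


class TunnelApp:
    """Constructed stand-in for the deployed tunnel application (assumption)."""

    def __init__(self):
        self.deployed = False
        self.password = None
        self.deploy_count = 0

    def deploy(self, password):
        # (Re)deploying replaces whatever secret the tunnel held before.
        self.deployed = True
        self.password = password
        self.deploy_count += 1

    def check(self, password):
        # Constant-time comparison of the shared tunnel secret.
        return self.deployed and hmac.compare_digest(
            self.password.encode(), password.encode())


def connect_redeploy_on_failure(app, password):
    """Models the behaviour described for 'vmc tunnel': any failed check is
    treated as 'tunnel not deployed', so the existing tunnel is replaced."""
    if not app.check(password):
        app.deploy(password)  # silently overwrites the old secret
    return "connected"


def connect_fail_closed(app, password):
    """Models the behaviour described for 'stackato tunnel': deploy only when
    no tunnel exists; a wrong password for an existing tunnel is an error."""
    if not app.deployed:
        app.deploy(password)
    elif not app.check(password):
        raise TunnelAuthError("Bad password, authentication to tunnel failed")
    return "connected"
```

In the first function the password never gates access to an existing tunnel; in the second, a mistyped password leaves the deployed tunnel and its secret untouched.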

HTTPS by default...

Another aspect is that vmc tunnel operates by default over HTTP, and we have moved that to HTTPS. We have now made this the default protocol for targets, to ensure more secure operation. We went one step further and now require an explicit '--allow-http' to make an insecure HTTP connection.

$ stackato target
Successfully targeted to []

and other conveniences...

On the server side, we generalized the application name 'caldecott' to just 'tunnel', and added a '--url' option for specifying the mapped URL when first creating a tunnel. This is more for convenience, but is handy when you want to fix a name in cases where you have inflexible DNS handling.

An option to specify the password on the command line was added to support batch mode testing, as we have a growing code base of tests for our system that leverage the client and REST APIs directly.

So if you're already in the Stackato Beta program, please download the new client and try out the improvements. If you're not in the program yet, by all means sign up. We'd love to get your feedback.

Category: stackato
About the Author:

Jeff Hobbs is our VP, Engineering and oversees all ActiveState product development including our cloud solutions. Though he’s responsible for leading and fostering our talented development team, Jeff is a coder at heart! He is passionate about technologies that just work, making the lives of developers easier. His current obsession is making Stackato the best private PaaS platform for developers: using any language, any infrastructure, and leveraging open source - so that applications just deploy and scale in any cloud.