🔒 SSH Tunnel Connection

Securely connect to databases behind firewalls using SSH tunnels.

Overview

If your database is behind a firewall or in a private network, you can use an SSH tunnel to securely connect Meza AI. This method routes the database connection through a bastion host (jump server) that has access to both the internet and your private network.

How It Works

Meza AI → SSH → Bastion Host → Internal network → Database

Meza AI opens an encrypted SSH connection to your bastion host and forwards the database connection through it, so the database itself is never exposed to the internet. Be precise about what is encrypted: the leg between Meza AI and the bastion is protected by SSH, while the leg from the bastion to the database travels over your internal network and is encrypted only if the database connection itself uses TLS. If that internal hop is not trusted, enable TLS on the database connection as well.

Prerequisites

  • A bastion host or jump server accessible from the internet
  • SSH access to the bastion host (port 22)
  • Network connectivity from bastion to your database
  • Ability to add SSH public keys to the bastion host

Setup Steps

1. Get Meza AI Public Key

In Configuration → Databases, click Add Connection, select your database type, and enable SSH Tunnel.

Copy the displayed SSH public key.

2. Add Key to Bastion Host

Connect to your bastion host and add the public key:

# Make sure the .ssh directory exists and is private to the user
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Append the key to authorized_keys (one key per line)
echo "ssh-rsa AAAA...your_key_here..." >> ~/.ssh/authorized_keys

# Ensure correct permissions (sshd refuses keys from a world-readable file)
chmod 600 ~/.ssh/authorized_keys

3. Configure SSH Tunnel in Meza AI

Enter your bastion host details (hostname, port, username).

4. Enter Database Details

Enter your database connection using internal hostnames or private IPs.

5. Test Connection

Click Test Connection to verify the tunnel and database connection work.

SSH Tunnel Parameters

Parameter       Description                                  Example
SSH Host        Bastion server public hostname or IP         bastion.example.com
SSH Port        SSH port (default: 22)                       22
SSH Username    User account on bastion host                 meza
Database Host   Internal database hostname or private IP     10.0.1.50 or db.internal
Database Port   Database port                                5432

⚠️ Warning

Make sure your bastion host can reach the database on the specified port. Test with nc -zv db.internal 5432 from the bastion host itself: it is the bastion, not your workstation, that must be able to reach the database.

Security Best Practices

  • Dedicated user — Create a dedicated SSH user for Meza AI (e.g., meza) so its key and its activity are separate from administrators' accounts
  • Restricted shell — Give the user no usable shell and set ForceCommand, so the key cannot be used to run commands
  • Limit access — Restrict the SSH user to port forwarding only, and use PermitOpen to limit the forward to the database host and port
  • Monitor access — Log SSH logins and port-forward requests on the bastion (LogLevel VERBOSE records the fingerprint of the key that authenticated)

Creating a Restricted SSH User

For maximum security, create a user that can only forward ports:

# Create user with no shell
sudo useradd -m -s /bin/false meza

# Create .ssh directory
sudo mkdir -p /home/meza/.ssh
sudo chmod 700 /home/meza/.ssh

# Add Meza AI public key
echo "ssh-rsa AAAA..." | sudo tee /home/meza/.ssh/authorized_keys
sudo chmod 600 /home/meza/.ssh/authorized_keys
sudo chown -R meza:meza /home/meza/.ssh

Add this at the end of /etc/ssh/sshd_config (a Match block extends to the next Match line or the end of the file, so anything placed after it would also be scoped to this user), then check the syntax with sudo sshd -t and reload sshd:

Match User meza
    AllowTcpForwarding yes
    PermitOpen db.internal:5432
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false

AllowTcpForwarding is what the tunnel needs. PermitOpen limits the forward to the database host and port you enter in step 4 (use the same hostname or IP in both places), and PermitTTY no together with ForceCommand /bin/false means that anyone who opens a shell session with this key gets nothing.
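The Match block above is easy to get subtly wrong: an option left out falls back to the global section or to sshd's own default, and without PermitOpen the user can forward to anything the bastion can reach. The following Python script is an added example, not part of Meza AI or its documentation, that parses a sshd_config excerpt, resolves each option the way sshd does (Match block, then global section, then default) and reports what still needs tightening. WEAK_CONFIG and HARDENED_CONFIG are constructed samples; the DEFAULTS table reflects stock OpenSSH, and distribution packages change some global values, which is why the global section is read rather than trusting the table alone.

```python
"""Audit a bastion's sshd_config for a tunnel-only user (added example, not Meza AI code)."""
import re
from typing import Dict, List

# Stock OpenSSH defaults for the options we check (distribution packages may
# override some of these globally, so the global section is parsed as well).
DEFAULTS: Dict[str, str] = {
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "allowagentforwarding": "yes",
    "permittty": "yes",
    "forcecommand": "none",
    "permitopen": "any",
}

# What a user that may only open TCP forwards must end up with.
REQUIRED: Dict[str, str] = {
    "allowtcpforwarding": "yes",   # the tunnel itself needs this one
    "x11forwarding": "no",
    "allowagentforwarding": "no",
    "permittty": "no",
    "forcecommand": "/bin/false",
}


def parse_sshd_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse sshd_config text into {block: {option: value}}.

    The global section is keyed "" and 'Match User meza' is keyed "user meza".
    Keywords are case-insensitive (lowercased here); 'Key value' and 'Key=value'
    are both accepted. sshd uses the first value it reads for a keyword, so a
    repeated option keeps its first value; a Match block runs to the next Match.
    """
    blocks: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = " ".join(value.lower().split())
            blocks.setdefault(current, {})
            continue
        blocks[current].setdefault(key, value)
    return blocks


def effective(blocks: Dict[str, Dict[str, str]], block: str, option: str) -> str:
    """Resolve an option the way sshd does: Match block, then global, then default."""
    for scope in (block, ""):
        if option in blocks.get(scope, {}):
            return blocks[scope][option]
    return DEFAULTS[option]


def audit_tunnel_user(text: str, user: str, allowed_destinations: List[str]) -> List[str]:
    """Return findings for a user that should only reach allowed_destinations
    (e.g. ["db.internal:5432"]) via port forwarding. An empty list means hardened."""
    blocks = parse_sshd_config(text)
    block = f"user {user.lower()}"
    findings: List[str] = []
    if block not in blocks:
        findings.append(f"no 'Match User {user}' block; the user gets the global settings")
    for option, want in REQUIRED.items():
        got = effective(blocks, block, option)
        if got.lower() != want:
            findings.append(f"{option} is '{got}', expected '{want}'")
    permitted = effective(blocks, block, "permitopen").lower().split()
    if permitted == ["any"]:
        findings.append("permitopen not set: the user can forward to any host the bastion can reach")
    else:
        allowed = {d.lower() for d in allowed_destinations}
        findings.extend(f"permitopen allows unexpected destination '{d}'"
                        for d in permitted if d not in allowed)
    return findings


# Constructed sample: a block that sets ForceCommand but forgets PermitOpen and PermitTTY.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (excerpt)
PasswordAuthentication no
Match User meza
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
"""

# Constructed sample: the same block with the destination pinned and no TTY.
HARDENED_CONFIG = WEAK_CONFIG + """\
    PermitOpen db.internal:5432
    PermitTTY no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tunnel_user(cfg, "meza", ["db.internal:5432"]) or "OK")
```

Run it against the real file with the user and destination you configured; a finding on permitopen or permittty is the usual result on a bastion that was set up from a generic "forwarding only" recipe.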

Troubleshooting

SSH Connection Failed

  • Verify the bastion host is accessible from the internet
  • Check the SSH public key is correctly added to authorized_keys
  • Ensure port 22 (or custom SSH port) is open in firewalls
  • Verify the SSH username is correct

Database Connection Failed (After SSH Success)

  • Verify the database hostname/IP is reachable from the bastion host
  • Check the database port is correct
  • Test connectivity from bastion: nc -zv db.internal 5432
  • Ensure no internal firewalls block the connection
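Both troubleshooting lists come down to the same question asked from two different places: can this host open a TCP connection to that host and port? The Python script below is an added example, not part of Meza AI, that performs the check the way nc -zv does but tells apart the outcomes that point at different fixes: the name does not resolve, the port is closed, or the packets are silently dropped. Run it from your workstation against the bastion (stage ssh), then on the bastion against the database host (stage database); the host names in the usage line are placeholders. demo_local() touches only the loopback interface so the classifier can be tried without any bastion.

```python
"""Staged TCP reachability check for a tunnelled database (added example, not Meza AI code)."""
import socket
import sys
from typing import Dict

# One line per outcome, pointing at the fix the troubleshooting lists suggest.
HINTS: Dict[str, str] = {
    "ok": "TCP connect succeeded",
    "dns": "name does not resolve from here: check the hostname and this host's resolver",
    "refused": "host answered with a reset: the path works but nothing listens on that port",
    "timeout": "no answer at all: a firewall or security group is most likely dropping packets",
    "unreachable": "no route to host: check routing between this network and the target",
}

# Which troubleshooting section each stage belongs to.
STAGES: Dict[str, str] = {
    "ssh": "SSH Connection Failed",
    "database": "Database Connection Failed (After SSH Success)",
}


def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect (what `nc -zv host port` does) and classify the outcome.

    Returns one of the HINTS keys. The distinction matters: 'refused' means the
    network path is fine and only the service or port is wrong, while 'timeout'
    almost always means a firewall in between.
    """
    try:
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns"
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:          # EHOSTUNREACH, ENETUNREACH and similar
            return "unreachable"
    return "ok"


def hint_for(stage: str, result: str) -> str:
    """Prefix the hint with the troubleshooting section this stage maps to."""
    if result == "ok":
        return HINTS[result]
    return f"{STAGES[stage]}: {HINTS[result]}"


def demo_local() -> Dict[str, str]:
    """Exercise the classifier on loopback only: a port with a listener reports
    'ok'; the same port once the listener is closed reports 'refused'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": check_tcp("127.0.0.1", port)}
    listener.close()
    results["closed"] = check_tcp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    # Stage "ssh": run from outside against the bastion's public name.
    # Stage "database": run ON THE BASTION against the internal database host.
    if len(sys.argv) != 4 or sys.argv[1] not in STAGES:
        sys.exit("usage: tunnel_check.py ssh|database HOST PORT")
    stage, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    result = check_tcp(host, port)
    print(f"{host}:{port} -> {result}; {hint_for(stage, result)}")
    sys.exit(0 if result == "ok" else 1)
```

To reproduce what Meza AI does by hand, temporarily add your own public key to the restricted user's authorized_keys and open the same forward from your workstation with ssh -N -L 15432:db.internal:5432 meza@bastion.example.com, then point your database client at 127.0.0.1:15432. The -N flag matters: it asks for no remote command, which is the only thing a user with ForceCommand /bin/false and PermitTTY no is allowed to do. Remove your key again afterwards.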

What's Next?