Connecting to PROOF via the tunnel

Introduction
Setting up the SSH tunnel
Connecting to PROOF via the tunnel

Introduction

A potential problem in connecting to a PROOF cluster may come from the fact that the master stays behind a firewall, so that direct connections to it are not allowed. For example, the CAF machines at CERN are reachable only within the CERN domain; direct connections - e.g. from home - are not possible.

SSH tunnels can be used to circumvent this problem. This technology allows to create an underlying connection between a port on a local machine and the wished entry point on the target machine (the master, in our case) using a third party machine to which the client can connect.

Setting up the SSH tunnel

To setup the channel we need to know:

the name of master machine and the port on which the PROOF related daemons accept connections; in our example 'proofmaster.domain.org' and '1093', respectively;
the name of a third party machine open to the outside world and from which direct connections to the master are possible; hereafter we name it 'open.domain.org'
a local port number available fo outside connections; e.g. '3000'.

To setup the SSH channel between the local port 3000 and port 1093 on proofmaster.domain.org just execute

ssh -N -f -4 -L 3000:proofmaster.domain.org:1093 open.domain.org

This is a brief (incomplete) explanation of the ssh options used:

-N: do not expect to execute a remote command (we are just forwarding ports);
-f: run into the background (only needed if we want to continue using the current window);
-4: use IPv4 addresses only (to prevent problems with machines non supporting IPv6; may not be needed; it depends on the setup);
-L: define the end-points of the tunnel

The user credentials on open.domain.org are of course required to execute successfully this command.