Daily Shaarli

All links of one day in a single page.

July 4, 2014

Tunnelling MySQL Over SSH

Like many people, you store sensitive information in your database. And like some, your database server is on a different host from one or more of your webservers. How do you secure the necessary network connections?

The obvious answer is SSL/TLS. But that requires you to a) use a custom MySQL binary, and b) manage yet another set of certificates. And it requires setting extra parameters when connecting to the database in your code.

A less obvious answer is to use ssh's built-in port forwarding to tunnel the connection. Here's how.

Note that the commands and scripts in this document assume that you are connecting to a MySQL database named "db" on remotehost.com, port 3306, using username "dbuser" and password "PASS". You will need to change these values to match your own setup.
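A sketch of such a tunnel, added here as an example and not taken from the original article. The host, MySQL port, database and database user follow the note above; the local port 3307, the SSH account "tunnel" and the control-socket path are assumptions.

```shell
#!/bin/sh
# Added example: forward a local port to MySQL on the database host over SSH.
REMOTE_HOST="remotehost.com"         # from the page
REMOTE_PORT=3306                     # from the page
LOCAL_PORT=3307                      # assumption: any free local port
SSH_USER="tunnel"                    # assumption: key-only account used just for forwarding
CTL="${HOME}/.ssh/mysql-tunnel.ctl"  # assumption: control socket path

# Accept only decimal ports in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Pin both ends to loopback: the listener is not reachable from other hosts
# on the web server's network, and mysqld only needs to listen on 127.0.0.1.
forward_spec() {
    valid_port "$LOCAL_PORT" && valid_port "$REMOTE_PORT" || return 1
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$LOCAL_PORT" "$REMOTE_PORT"
}

open_tunnel() {
    spec=$(forward_spec) || { echo "invalid port" >&2; return 1; }
    # ExitOnForwardFailure: fail instead of running without the forward.
    # BatchMode: never prompt, so a cron or init job cannot hang on a password.
    ssh -f -N -M -S "$CTL" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        -o BatchMode=yes \
        -L "$spec" "${SSH_USER}@${REMOTE_HOST}"
}

tunnel_up()    { ssh -S "$CTL" -O check "${SSH_USER}@${REMOTE_HOST}" 2>/dev/null; }
close_tunnel() { ssh -S "$CTL" -O exit "${SSH_USER}@${REMOTE_HOST}"; }

# Nothing connects unless an action is given on the command line.
case "${1:-}" in
    open)   open_tunnel ;;
    status) if tunnel_up; then echo up; else echo down; fi ;;
    close)  close_tunnel ;;
esac

# Client side, once the tunnel is up. Use 127.0.0.1, not "localhost":
# the mysql client treats "localhost" as the local Unix socket and skips the tunnel.
#   mysql -h 127.0.0.1 -P 3307 -u dbuser -p db
```

Application code then points at host 127.0.0.1 and the local port with the same database credentials as before; no TLS parameters are needed in the connection settings.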