Mongo Tunnel

The production MongoDB database is hosted on a separate server (103.3.62.250) and is not directly reachable from the internet. Access is bridged through an SSH tunnel that runs as a Docker service called mongo-tunnel.


How It Works

backend-workflow ──┐
                   ├──► mongo-tunnel:27017 ──SSH──► 103.3.62.250:9823 ──► localhost:27017 (MongoDB)
backend-streamsearch ┘

The mongo-tunnel container:

  1. Starts an Alpine container
  2. Copies the SSH private key from a read-only mount to /tmp/id_ed25519 (with chmod 600)
  3. Writes a pinned known_hosts entry for [103.3.62.250]:9823
  4. Opens an SSH local-forward: 0.0.0.0:27017 → localhost:27017 on the remote host
  5. Runs with ServerAliveInterval=30 and ServerAliveCountMax=3 to detect and recover from dead connections
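The five steps above, as an added example script. This is not the project's scripts/mongo-tunnel.sh; it reproduces the documented sequence with each step in its own function so the key copy, the pinned known_hosts entry and the exact ssh invocation can be inspected on their own. The host, port, user, mount path and pinned key are the values quoted on this page; the KEY_TMP and KNOWN_HOSTS defaults, the `run` guard and the ExitOnForwardFailure option are this example's assumptions.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the five start-up steps of the
# mongo-tunnel container. Not the project's scripts/mongo-tunnel.sh.
# Assumptions: KEY_TMP / KNOWN_HOSTS defaults and ExitOnForwardFailure.
set -eu

REMOTE_HOST="103.3.62.250"
REMOTE_PORT="9823"
REMOTE_USER="zygy"
PINNED_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuCwn8B428WPqzzoL9tnRzvIl896J0KnGLkGY3/TCXP"
KEY_RO="${KEY_RO:-/root/.ssh/id_ed25519_ro}"      # read-only bind mount (step 2 source)
KEY_TMP="${KEY_TMP:-/tmp/id_ed25519}"             # private copy ssh reads (step 2 target)
KNOWN_HOSTS="${KNOWN_HOSTS:-/tmp/known_hosts}"    # pinned entry lives here (step 3)

# Step 2: copy the key out of the read-only mount and lock it down to 0600.
# ssh refuses a private key readable by group or others, so a mount that
# arrives with a looser mode would otherwise break the tunnel.
install_key() {                      # $1 = source path, $2 = destination path
    cp "$1" "$2"
    chmod 600 "$2"
}

# Step 3: write exactly one known_hosts line for the remote endpoint.
# Truncating the file means no stale key from an earlier image can linger.
write_known_hosts() {                # $1 = file, $2 = host, $3 = port, $4 = "type blob"
    printf '[%s]:%s %s\n' "$2" "$3" "$4" > "$1"
}

# Steps 4 and 5: assemble the ssh arguments. Returned as a string so the
# exact invocation can be logged or checked before anything connects.
#  -N                     no remote command, port forwarding only
#  StrictHostKeyChecking  reject any key other than the pinned one
#  UserKnownHostsFile     consult only our pinned file, not ~/.ssh/known_hosts
#  ServerAlive*           drop a dead link after 3 missed probes (90 s)
#  ExitOnForwardFailure   (assumption) exit instead of idling if the bind fails
ssh_args() {
    printf '%s' \
        "-N" \
        " -o StrictHostKeyChecking=yes" \
        " -o UserKnownHostsFile=$KNOWN_HOSTS" \
        " -o ServerAliveInterval=30" \
        " -o ServerAliveCountMax=3" \
        " -o ExitOnForwardFailure=yes" \
        " -i $KEY_TMP -p $REMOTE_PORT" \
        " -L 0.0.0.0:27017:localhost:27017" \
        " $REMOTE_USER@$REMOTE_HOST"
}

# Run ssh in the foreground so Docker's restart policy sees it exit.
# Guarded so that sourcing this file for inspection opens no connection.
main() {
    install_key "$KEY_RO" "$KEY_TMP"
    write_known_hosts "$KNOWN_HOSTS" "$REMOTE_HOST" "$REMOTE_PORT" "$PINNED_KEY"
    # shellcheck disable=SC2046 -- no value in the argument string contains spaces
    exec ssh $(ssh_args)
}

if [ "${1:-}" = "run" ]; then main; fi
```

Because ssh only ever sees the one-line file written in step 3, a changed server key cannot be accepted by a leftover entry in the image's ~/.ssh/known_hosts, which is what makes the "refuses to connect" behaviour described later on this page reliable.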

SSH Connection Details

Item                     Value
Remote host              103.3.62.250
SSH port                 9823
SSH user                 zygy
SSH key (on VPS)         /home/zygy/.ssh/id_ed25519
MongoDB port forwarded   27017 → localhost:27017 on remote
Docker service hostname  mongo-tunnel

SSH Key Setup

The SSH private key must exist on the VPS at /home/zygy/.ssh/id_ed25519. It is mounted into the container as read-only at /root/.ssh/id_ed25519_ro.

To verify the key is in place on the VPS:

ssh zygy@172.237.81.37
ls -la /home/zygy/.ssh/id_ed25519

On key rotation

If you rotate this SSH key, you must:

  1. Generate a new ed25519 key pair: ssh-keygen -t ed25519 -f id_ed25519_new -C "mongo-tunnel"
  2. Send the public key to whoever manages the MongoDB server (103.3.62.250) and ask them to add it to ~zygy/.ssh/authorized_keys
  3. Replace /home/zygy/.ssh/id_ed25519 on the VPS with the new private key
  4. Restart the mongo-tunnel service: docker-compose restart mongo-tunnel

Pinned Host Key

The SSH connection uses strict host key checking against a single pinned known_hosts entry, so the client refuses to connect if the server presents any other key instead of prompting or trusting the first key it sees. This prevents a man-in-the-middle from impersonating the MongoDB server.

Pinned host key (written by scripts/mongo-tunnel.sh):

[103.3.62.250]:9823 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuCwn8B428WPqzzoL9tnRzvIl896J0KnGLkGY3/TCXP

Fingerprint: SHA256:cBNFjmNMxwNo1YXwfp+rIeHnqe2aLDLjM8y56grk6vw

To verify this fingerprint against the MongoDB server:

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
# Run this on 103.3.62.250

If the host key changes

If the MongoDB server is reprovisioned and its host key changes, the mongo-tunnel service will refuse to connect (this is intentional security behaviour). You must update the pinned key in scripts/mongo-tunnel.sh with the new value, rebuild the image, and redeploy.


MongoDB Connection String

Services connect to MongoDB using the environment variable:

MONGO_URI=mongodb://zygy:<password>@mongo-tunnel:27017

This is set in the root .env file. The backend-workflow and backend-streamsearch services require this variable; the mongo-tunnel service must be healthy before they can start.


Troubleshooting

Check tunnel is running

ssh zygy@172.237.81.37
docker-compose ps mongo-tunnel
docker-compose logs mongo-tunnel

Test MongoDB connectivity through the tunnel

# From inside another container on app-network
docker exec -it backend-workflow sh
# If mongosh/mongo is available:
mongosh "mongodb://zygy:<password>@mongo-tunnel:27017"

Tunnel keeps restarting

Common causes:

  1. SSH key missing or wrong permissions — check that /home/zygy/.ssh/id_ed25519 exists and has mode 600
  2. Remote host key changed — update the pinned key in scripts/mongo-tunnel.sh
  3. SSH user not authorized on remote — contact the MongoDB server team to verify zygy's public key is in authorized_keys
  4. Remote host unreachable — try ssh -p 9823 zygy@103.3.62.250 from the VPS directly
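The four causes above, as an added diagnostic script that works through them in the order listed and stops at the first one that applies. It is not part of the project; the paths, host, port and pinned key are the ones documented on this page, while the function names, the ssh-keyscan comparison and the `run` guard are this example's own. The key-permission and host-key comparisons run offline; the reachability and authorization checks need the VPS's network path to the MongoDB server.

```shell
#!/bin/sh
# Added example: checkable versions of the "tunnel keeps restarting" causes.
# Not the project's code. Assumptions: function names, ssh-keyscan as the
# source of the observed host key, and nc for the TCP probe.
set -u

KEY_PATH="${KEY_PATH:-/home/zygy/.ssh/id_ed25519}"
REMOTE_HOST="103.3.62.250"
REMOTE_PORT="9823"
REMOTE_USER="zygy"
PINNED_LINE="[103.3.62.250]:9823 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuCwn8B428WPqzzoL9tnRzvIl896J0KnGLkGY3/TCXP"

# Cause 1: key missing or too permissive. ssh rejects a private key whose
# mode grants anything to group or others, so only 0600 (or tighter) passes.
key_ok() {                            # $1 = private key path
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$mode" = "------" ]
}

# Cause 2: the server's current key differs from the pinned one. Feed this
# the line printed by:  ssh-keyscan -p 9823 -t ed25519 103.3.62.250
# Only key type and blob are compared; the host field can differ in form
# ("[host]:port" from ssh-keyscan vs. a bare host in other tooling).
host_key_matches() {                  # $1 = pinned known_hosts line, $2 = observed line
    pinned=$(printf '%s\n' "$1" | awk '{print $2, $3}')
    observed=$(printf '%s\n' "$2" | awk '{print $2, $3}')
    [ -n "$pinned" ] && [ "$pinned" = "$observed" ]
}

# Cause 4: remote unreachable. Plain TCP connect, nothing is authenticated.
remote_reachable() {                  # $1 = host, $2 = port
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Cause 3: our public key is not in authorized_keys. BatchMode=yes makes ssh
# fail immediately instead of hanging on a password prompt, and the pinned
# known_hosts file keeps this probe under the same host-key policy.
auth_ok() {                           # $1 = key path, $2 = known_hosts file
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$2" \
        -i "$1" -p "$REMOTE_PORT" "$REMOTE_USER@$REMOTE_HOST" true 2>/dev/null
}

# Walk the causes in the page's order and stop at the first hit, so the
# operator sees one actionable reason rather than a cascade of failures.
diagnose() {
    key_ok "$KEY_PATH" || { echo "cause 1: $KEY_PATH missing or mode not 0600"; return 1; }
    remote_reachable "$REMOTE_HOST" "$REMOTE_PORT" || { echo "cause 4: $REMOTE_HOST:$REMOTE_PORT unreachable"; return 4; }
    observed=$(ssh-keyscan -p "$REMOTE_PORT" -t ed25519 "$REMOTE_HOST" 2>/dev/null)
    host_key_matches "$PINNED_LINE" "$observed" || { echo "cause 2: remote host key differs from the pinned key"; return 2; }
    kh=$(mktemp); printf '%s\n' "$PINNED_LINE" > "$kh"
    auth_ok "$KEY_PATH" "$kh" || { rm -f "$kh"; echo "cause 3: key not accepted for user $REMOTE_USER"; return 3; }
    rm -f "$kh"
    echo "all checks passed"
}

if [ "${1:-}" = "run" ]; then diagnose; fi
```

When cause 2 fires, confirm with the server's operators that the MongoDB host really was reprovisioned before touching the pinned key in scripts/mongo-tunnel.sh; an unexplained host-key change is exactly the event the pin exists to surface.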