Heroku Exec (SSH Tunneling)
Last updated December 09, 2024
Table of Contents
Heroku Exec is a feature for creating secure TCP and SSH tunnels into a dyno. It supports SSH sessions, port forwarding, remote debugging, and inspection with popular Java diagnostic tools.
Heroku Exec is unavailable for Fir-generation apps. Use heroku run:inside
instead. See Heroku Generations for more Fir info.
Getting Started
You can use Heroku Exec by running:
$ heroku ps:exec
If you use Exec with a Private Spaces app, a custom buildpack is automatically added to your app, and you must redeploy. A redeploy is not required for apps in the Common Runtime.
$ git commit -m "Heroku Exec" --allow-empty
$ git push heroku main
After deploying your app, run the command again to connect to your web dyno.
$ heroku ps:exec
Establishing credentials... done
Connecting to web.1 on ⬢ your-app...
~ $
By default, Heroku Exec connects to your web.1
dyno, but you can optionally specify a dyno.
$ heroku ps:exec --dyno=web.2
Establishing credentials... done
Connecting to web.2 on ⬢ your-app...
~ $
If you run into problems connecting to a dyno, use the --status
flag to check the status of the Exec connection.
$ heroku ps:exec --status
=== limitless-savannah-19617 Heroku Exec status
Dyno Proxy Status Dyno Status
───── ──────────── ───────────
web.1 running up
web.2 running up
Port Forwarding
In addition to creating an interactive terminal session, the CLI can forward traffic on a local port to a port inside a dyno. In this example, 9090 is the local port and the dyno port.
$ heroku ps:forward 9090
Listening on 9090 and forwarding to web.1:9090...
Then connect your remote debugger, profiler, or even a browser to localhost:9090 to route your requests through a secure socket to port 9090 in the dyno. To stop port forwarding, use CTRL+C
.
SOCKS Proxy
You can also use a local SOCKS proxy to forward traffic on multiple ports. Start the proxy by running this command.
$ heroku ps:socks
With the proxy running, you can access any port inside the dyno. For example:
$ curl --socks5 localhost:1080 0.0.0.0:12345
Using Java Debugging Tools
To use Java debugging tools, you must first install the Heroku CLI Java plugin by running this command.
$ heroku plugins:install @heroku-cli/plugin-java
Then you can open a JConsole connection to a dyno by running this command locally.
$ heroku java:jconsole
The JConsole connection routes through a secure SOCKS proxy created with SSH, which ensures that all traffic is encrypted. But JConsole warns you that the connection is insecure because the JVM isn’t aware of the lower-level encryption.
Run heroku help java
for a list of more Java-related commands, such as:
heroku java:visualvm
heroku java:jmap
heroku java:jstack
When Heroku Exec is enabled, the default JAVA_TOOL_OPTIONS
environment variable changes to include options that enable JMX for all Java processes in your dyno. You can prevent this action by running:
$ heroku config:set HEROKU_DISABLE_JMX=1
This command disables commands like heroku java:visualvm
, which require JMX. But other commands such as ps:exec
and java:jmap
continue to work. If you want to selectively enable JMX, you can add the $HEROKU_JMX_OPTIONS
environment variable to the java
command used to run your app.
Remote Debugging
Many popular IDEs provide remote debugging capabilities through an SSH tunnel.
In all cases, you must first configure your application to enable remote debugging. For Node.js, you must add the --inspect=9090
to the node
command that starts your app. For example, your Procfile
can look like:
web: node --inspect=9090 index.js
For Java applications, you must provide the -agentlib
option to configure the Java Debug Wire Protocol (JDWP). For example:
web: java -agentlib:jdwp=transport=dt_socket,server=y,address=9090,suspend=n -jar target/myapp.jar
In both cases, the port 9090 is arbitrary.
After you change your Procfile
and redeploy your app, you can start port forwarding with the Heroku Exec client.
$ heroku ps:forward 9090
Finally, connect your IDE or remote debugger to localhost:9090
.
For more information on specific vendors, see the IDE documentation.
For most JetBrains products, including IntelliJ IDEA and WebStorm, select Edit Configurations and create a new Remote run configuration. Select port 9090 and localhost. Then start the configuration, set a break-point, and open your application.
Copying Files From a Dyno
To copy files from a dyno, run this command on your local machine, not on the dyno.
$ heroku ps:copy filename
This command copies the file in the dyno with the given name to a local file with the same name. You can use the -o
option to specify the name of the local file. This command isn’t available to one-off dynos and processes started with heroku run
.
Using with Docker
If you’re packaging your app with Docker and deploying via Container Registry, using Heroku Exec isn’t officially supported and requires a few additional setup steps.
Ensure that your Docker image has bash
, curl
, openssh
(tested with 7.2, 7.6, 8.x), ip
(found in the iproute2
package in Ubuntu-derived images), and either jq
or python
installed.
Create a heroku-exec.sh
file with this code, and include it in the /app/.profile.d
directory of your image.
[ -z "$SSH_CLIENT" ] && source <(curl --fail --retry 3 -sSL "$HEROKU_EXEC_URL")
The heroku-exec.sh
file must live in /app/.profile.d
, even though your WORKDIR
can be different. Here’s an example of a Dockerfile command that adds the file to the correct directory.
ADD ./.profile.d /app/.profile.d
Finally, ensure that the default shell is bash by including this line in your Dockerfile
.
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
If you use Docker in a private space, you must add the heroku-exec.sh
script to your CMD
entry, as .profile.d
scripts aren’t run. For example:
CMD bash heroku-exec.sh && node index.js
Disabling the Feature
To disable the feature, run this command.
$ heroku features:disable runtime-heroku-exec
Then optionally remove the Heroku Exec buildpack from your app (Private Spaces only) by running this command.
$ heroku buildpacks:remove heroku/exec
Limitations
Connection
Each Heroku Exec connection lasts a maximum of 1 hour. After an hour, sometimes you must reconnect. Additionally, Heroku Exec isn’t supported in Shield Private Spaces.
Heroku Exec isn’t enabled for one-off or release phase dynos.
Environment Variables
The SSH session created by Heroku Exec doesn’t have the config vars set as environment variables (i.e., env
in a session doesn’t list config vars set by heroku config:set
).
Shield Private Spaces Compatibility
Due to the high-compliance requirements of apps running in Shield Private Spaces, Heroku Exec isn’t supported.