If you truely want to do what you described here is the way I do it. Using
ssl is probably simpler but I haven't done it and can't tell you how and ssh is
nice because it requires one more layer of security.
Add this line to your /etc/inittab
tw01:345:respawn:/usr/bin/ssh -2 -e none -p 22 -c blowfish -L
5432:127.0.0.1:5432 nonrootaccount@db_machine
If you haven't already, generate your ssh2 key using ssh-keygen -d
Put the ssh2 (/root/.ssh/id_dsa.pub) public key for your root account of the
web server in /home/nonrootaccount/.ssh/authorized_keys2 on the database
server
"init q" will cause your machine to reread /etc/inittab and, if everything
works, will start forwarding port 5432 of 127.0.0.1 to your database server
over the encrypted ssh link
Change the DataSource line to use an IP instead of "localhost". The driver
connects on Unix sockets for the name "localhost" and uses tcpip for anything
else.
ns_param DataSource 127.0.0.1::security
