How does the server and client connect to the mongo db such that the communication between client--mongo and server--mongo is secure? Is this something meteor already takes care of or is it already default?
-
just one thing to understand your question are you asking about the connection itself or about the update in the database and who can change the data in the server – zombie Oct 12 '16 at 19:33
-
the connection itself. i am NOT referring to using any kind of role based access to determine collection access. how is the communication secured such that replay attacks/eavesdropping and other attacks are prevented? does using https solve all our problems client side? if so, how do we secure server to db communication? – Simon Oct 12 '16 at 19:56
-
Every production Meteor app that handles user data should run with SSL. please read https://guide.meteor.com/security.html – zombie Oct 12 '16 at 20:09
-
So ssl between server and client. Then also ssl between db and server...? – Simon Oct 12 '16 at 21:08
-
between server and client yes, between db and server i don't know what you mean but for the projects that i made the db was on the server – zombie Oct 12 '16 at 21:16
-
If you are using https then the data is encrypted. Meteor uses sockets (or secure sockets) to communicate between client and server (ie database) over the connection that you have, either http or https. – Mikkel Oct 13 '16 at 10:10
-
I see. So it sounds like https will make all client interaction secure because minimongo makes a server call anyway to update actual data in the db? But what about server to db? I have the app and mongo on different servers. When the app server connects to Mongo through the credentials set in environment variables and it does a collection.find(), how do we secure the data in transit between the app and mongo? – Simon Oct 13 '16 at 14:09
-
i see mongo supports ssl and the mongodb node driver (which i think meteor uses...? also supports ssl. how can i enable ssl between server and mongo in meteor? https://docs.mongodb.com/manual/tutorial/configure-ssl/ http://mongodb.github.io/node-mongodb-native/2.2/tutorials/connect/ssl/ – Simon Oct 13 '16 at 14:29
1 Answer
mongo enterprise supports ssl connections.
meteor does use mongo node driver which also supports ssl connections.
so if you want server <---> db connection to be secure, we need to enable ssl on the mongo instance and the driver.
to do so with a self signed certificate as instructed in https://docs.mongodb.com/manual/tutorial/configure-ssl/:
For testing purposes, you can generate a self-signed certificate and private key on a Unix system with a command that resembles the following:
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
Once you have the certificate, concatenate the certificate and private key to a .pem file, as in the following example:
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
and run mongod with...
mongod --sslMode requireSSL --sslPEMKeyFile mongodb.pem
When setting up the Meteor environment variables for mongo db connections...
set...
MONGO_URL=mongodb://localhost:27017/?ssl=true
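The steps above, collected into one script as an added example (this is not code from the answer, the MongoDB tutorial or Meteor): it generates the test-only self-signed certificate, concatenates key and certificate into the PEM file mongod expects, checks that the PEM really contains both parts before mongod is started with requireSSL, and builds the MONGO_URL that Meteor reads. The host, port, database name, the `setup` argument and the output file names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original answer. Everything here is for a
# TEST setup with a self-signed certificate; host/port/db names are assumed.
set -eu

# Step 1 (testing only): self-signed certificate and key, as in the MongoDB
# tutorial. The CN must match the host name clients use to reach mongod.
gen_self_signed() {
  # $1 = output file prefix, $2 = CN to embed in the certificate
  openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes \
    -subj "/CN=$2" -out "$1.crt" -keyout "$1.key"
}

# Step 2: mongod wants key and certificate together in one PEM file.
build_pem() {
  # $1 = prefix used in gen_self_signed, $2 = output PEM path
  cat "$1.key" "$1.crt" > "$2"
  chmod 600 "$2"   # the file contains the private key; keep it unreadable to others
}

# Sanity check before starting mongod: both a private key block and a
# certificate block must be present, otherwise requireSSL cannot start.
# Returns 0 when both are found, 1 otherwise.
pem_has_key_and_cert() {
  grep -q 'BEGIN .*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Step 3: the connection string Meteor reads from MONGO_URL; ssl=true makes
# the Node driver open a TLS connection to mongod.
mongo_ssl_url() {
  # $1 = host, $2 = port, $3 = database name
  printf 'mongodb://%s:%s/%s?ssl=true' "$1" "$2" "$3"
}

# Only run the real setup when invoked as: sh setup-mongo-ssl.sh setup
if [ "${1:-}" = "setup" ]; then
  gen_self_signed mongodb-cert localhost
  build_pem mongodb-cert mongodb.pem
  pem_has_key_and_cert mongodb.pem || { echo "mongodb.pem is incomplete" >&2; exit 1; }

  # Step 4: start mongod so that it accepts TLS connections only.
  mongod --sslMode requireSSL --sslPEMKeyFile mongodb.pem --fork --logpath mongod.log

  # Step 5: export the URL for the Meteor process started afterwards.
  MONGO_URL=$(mongo_ssl_url localhost 27017 meteor)
  export MONGO_URL
  echo "MONGO_URL=$MONGO_URL"
fi
```

With a self-signed certificate the driver can encrypt the connection but has no trusted CA to validate the server against, so this setup protects against passive eavesdropping only; for a production deployment use a certificate from a CA the app server trusts, which is also what the MongoDB tutorial linked in the answer recommends for anything beyond testing.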