0

I'm currently using Compose.io to host my MongoDB - however it costs $31, my DB isn't so big and I don't really use any specific features.

I've decided to create a droplet on DigitalOcean and then use their one click install for MongoDB.

With Compose.io, I simply use a connection URL like mongodb://USERNAME:PASSWORD@aws-xxxx.com:xxx/myDB along with an SSL certificate. However, with DigitalOcean, it looks like SSH'ing into the droplet and then connecting is the best approach (rather than creating an open-access bind_url).

So I want to ask:

  • Is this SSH process quite intensive/time consuming in terms of would it simply SSH once then remain connected, until the node app (website) was closed?

  • I'm thinking of using npm install tunnel-ssh. Is this recommended?

Any tips/advice/security notes would be appreciated.

Thanks.

userMod2
  • Do you have a specific question that *isn't* covered by the DO docs? https://www.digitalocean.com/community/tutorials/how-to-securely-configure-a-production-mongodb-server – Paul Jan 15 '17 at 20:20
  • @Paul - I wanted to understand overhead and recommend node packages to achieve – userMod2 Jan 15 '17 at 22:14

1 Answer

1

Compose definitely offers a lot of security features that would take quite a bit of configuration to replicate. If this is a production database I would consider $31/month a good value. But speaking directly to your questions:

OpenSSH can be configured to keep the tunnel alive. The settings can be configured on both the client and server configuration file.

Keep SSH session alive

OpenSSH is very efficient and doesn't impose much overhead. Resource-wise it's not a concern. SSH2 implemented in native JavaScript is not going to perform as well as the OpenSSH binary. So I wouldn't use 'tunnel-ssh' without a convincing reason.

If you store your key with your application when somebody roots your application server they will also have your key. So make sure the user that you tunnel with has reduced privileges on the server, just what they need to access MongoDB and no more.

You might also consider just running your application and MongoDB on the same droplet. Don't expose MongoDB to the network. I wouldn't recommend this for production, but it's fine for low-key scenarios. Keep in mind, if someone roots your server or application they will also have full access to the DB. Make sure you have a backup strategy.

Antonius Bloch
  • Hi, thanks for that. So regarding the Compose security features, I see: SSL, private VLAN and replica sets as the features I'd need to implement - any others you think I'm missing? – userMod2 Jan 15 '17 at 22:18
  • Sounds about right. This checklist can probably help: https://docs.mongodb.com/manual/administration/security-checklist/ – Antonius Bloch Jan 16 '17 at 08:05
  • tunnel-ssh is the most decent npm module I can find. What's wrong exactly with it? I can't find OpenSSH in npm. – userMod2 Jan 21 '17 at 00:01
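The answer above recommends the OpenSSH binary with keepalives rather than a JavaScript SSH implementation, a tunnel user with only the privileges it needs, and a mongod that is not exposed to the network. The script below is an added example, not code from the question, the answer or DigitalOcean's docs, that puts those three pieces together: a client-side `~/.ssh/config` entry with keepalives and the local port forward, a server-side `sshd_config` `Match` block that confines the tunnel user to forwarding to mongod's loopback port, and a check that `mongod.conf` binds to 127.0.0.1 only. The host name, user name and key path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH tunnel from a Node host to a
# droplet running MongoDB, with keepalives and a least-privilege tunnel user.
# DROPLET_HOST, TUNNEL_USER and KEY_FILE are assumed placeholder values.

DROPLET_HOST="${DROPLET_HOST:-droplet.example.internal}"   # assumption: droplet address
TUNNEL_USER="${TUNNEL_USER:-mongotunnel}"                   # assumption: unprivileged tunnel account
KEY_FILE="${KEY_FILE:-$HOME/.ssh/mongotunnel_ed25519}"      # assumption: key used only for the tunnel
LOCAL_PORT="${LOCAL_PORT:-27017}"                           # port the Node app connects to on localhost

# Client side: ~/.ssh/config entry. ServerAliveInterval/CountMax keep the tunnel up
# through idle periods (the "keep SSH session alive" point in the answer);
# LocalForward maps localhost:$LOCAL_PORT on the app host to mongod on the droplet.
client_config() {
  cat <<EOF
Host mongo-tunnel
    HostName $DROPLET_HOST
    User $TUNNEL_USER
    IdentityFile $KEY_FILE
    IdentitiesOnly yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:$LOCAL_PORT 127.0.0.1:27017
EOF
}

# Server side: sshd_config Match block. The tunnel user gets no shell, no TTY, no
# agent/X11 forwarding, and may only open a forward to mongod on loopback, so a
# key stolen from the application server is worth only that one port.
sshd_match_block() {
  cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:27017
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# Defensive check: mongod must listen on loopback only, so the tunnel is the only
# way in. Returns 0 when net.bindIp in the given mongod.conf is exactly 127.0.0.1.
mongod_loopback_only() {
  conf="${1:-/etc/mongod.conf}"
  grep -Eq '^[[:space:]]*bindIp:[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$conf"
}

# Usage: `sh tunnel.sh show` prints both config fragments for review.
case "${1:-}" in
  show)
    echo "# --- client ~/.ssh/config ---"; client_config
    echo; echo "# --- droplet /etc/ssh/sshd_config ---"; sshd_match_block ;;
esac
```

With the config in place the tunnel is started from the app host with `ssh -N -f mongo-tunnel` (or under a process supervisor so it is restarted if it drops), and the Node application connects to `mongodb://127.0.0.1:27017/myDB` as if the database were local. MongoDB authentication is still needed on top of this: the tunnel only controls who can reach the port, not who can read the data.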