解析服务器:是否可以为 mongodb 连接提供根证书?
parse-server: Is it possible to provide a root certificate for the MongoDB connection?
我们在 Mongo Cloud Manager 上部署 mongodb,这意味着副本集成员的 DNS 主机名由对方掌控。为了启用 SSL 连接,我用自己的 CA 为副本集中的所有服务器签发了证书(即自签名的证书链)。
当为解析服务器提供 mongo 连接字符串时,我得到这个:
error: Uncaught internal server error. { [MongoError: self signed certificate in certificate chain]
name: 'MongoError',
message: 'self signed certificate in certificate chain' } Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket. (_tls_wrap.js:1013:38)
at emitNone (events.js:67:13)
at TLSSocket.emit (events.js:166:7)
at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:582:8)
at TLSWrap.TLSSocket._init.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:424:38)
我很确定(好吧,希望)如果我能以某种方式为 Parse 的 mongodb 客户端提供我自己生成的根证书,应该可以解决这些问题。
问题是:能否为 parse-server 到 mongodb 的 SSL 连接提供证书?如果可以,应该怎么做?
好吧,我最近习惯于提供自己的答案,所以这里是另一个。
解决方案是正确获取/生成客户端证书,使你手头有 client.crt 和 client.key,同时备好根证书和所有中间证书,然后设置 replSet 的 ssl 选项(保持 sslValidate 为 true,通过 sslCA 提供自己的 CA,而不是关闭校验来绕过这个报错)。
正如您在下面看到的,我需要在 'databaseOptions' 中设置 'replSet'。在我这边的解析服务器上进行了一些逆向工程。
请注意,如果该区域的解析服务器代码发生更改,则此解决方案将停止工作。
无论如何,以下来自 parse-server-example 的修改 index.js 帮助我解决了这个问题。
我的补充是围绕 MONGODB_CRT_FOLDER 和 MONGODB_CERTIFICATES 这两个环境变量的那一段。
// Example express application adding the parse-server module to expose Parse
// compatible API routes.
var express = require('express');
var ParseServer = require('parse-server').ParseServer;
var path = require('path');
var fs = require('fs');
// Resolve the database URI: DATABASE_URI wins, MONGODB_URI is accepted as an
// alias. If neither is set the localhost default in parseSettings is used, and
// the log line below makes that fallback visible at startup.
var databaseUri = process.env.DATABASE_URI;
if (!databaseUri) {
  databaseUri = process.env.MONGODB_URI;
}
if (!databaseUri) {
  console.log('DATABASE_URI not specified, falling back to localhost.');
}
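// Core parse-server settings. Every value can be overridden from the
// environment; the literal fallbacks are development defaults only.
if (!process.env.MASTER_KEY) {
  // The empty-string fallback below is kept so local setups still start, but an
  // empty master key is not a secret: say so loudly, the same way a missing
  // DATABASE_URI is reported above. Set MASTER_KEY before exposing the server.
  console.log('MASTER_KEY not specified, falling back to an empty master key. Do not run like this in production.');
}
var parseSettings = {
  databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
  cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
  appId: process.env.APP_ID || 'myAppId',
  masterKey: process.env.MASTER_KEY || '', // Add your master key here. Keep it secret!
  serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse', // Don't forget to change to https if needed
  liveQuery: {
    classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
  }
};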
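// This allows providing the mongo client with certificates for a mongodb replica
// set. Handy when mongod uses certificates issued by your own (self-signed) CA:
// the driver can only verify the server chain if it is handed that CA via sslCA.
//
// MONGODB_CRT_FOLDER   - certificates folder, e.g. /my/certificates. A path without
//                        a leading '/' is taken relative to this project directory.
//                        It must contain client.key and client.crt (hard-coded names)
//                        plus the intermediate and root certificates of the chain.
// MONGODB_CERTIFICATES - comma-separated names of the chain certificates in that
//                        folder (whitespace around a name is ignored).
//
// NOTE(review): client.key is a secret; the folder should presumably be readable
// only by the account that runs parse-server — verify the file permissions.

// Build the `replSet` TLS options for the mongodb driver.
// folder:     absolute folder, or a folder relative to baseDir when it has no leading '/'.
// chainNames: comma-separated file names of the root/intermediate certificates;
//             empty entries are dropped.
// baseDir:    directory that relative folders are resolved against.
// Returns { ssl, sslValidate, sslCA, sslCert, sslKey }.
// Throws an Error when chainNames yields no certificate (fail closed instead of
// letting the driver run without a CA, which previously surfaced as a TypeError
// on `.split` of undefined) and propagates fs errors for unreadable files.
function loadMongoTlsOptions(folder, chainNames, baseDir) {
  var names = String(chainNames || '').split(',')
    .map(function (name) { return name.trim(); })
    .filter(function (name) { return name.length > 0; });
  if (names.length === 0) {
    throw new Error('MONGODB_CERTIFICATES must list at least one certificate when MONGODB_CRT_FOLDER is set');
  }
  // path.join also avoids the doubled '/' the old string concatenation produced.
  var crtFolder = folder.startsWith('/') ? folder : path.join(baseDir, folder);
  var readCert = function (name) {
    return fs.readFileSync(path.join(crtFolder, name));
  };
  return {
    ssl: true,
    // Keep this true: setting it false would make the "self signed certificate"
    // error go away by skipping verification of the server chain entirely.
    sslValidate: true,
    sslCA: names.map(readCert),
    sslCert: readCert('client.crt'),
    sslKey: readCert('client.key')
  };
}

if (process.env.MONGODB_CRT_FOLDER) {
  parseSettings.databaseOptions = {
    replSet: loadMongoTlsOptions(process.env.MONGODB_CRT_FOLDER, process.env.MONGODB_CERTIFICATES, __dirname)
  };
}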
// The Parse API is mounted at PARSE_MOUNT (default /parse).
var mountPath = process.env.PARSE_MOUNT || '/parse';
// Client keys (javascriptKey, restAPIKey, dotNetKey, clientKey) are optional
// with parse-server; pass them in parseSettings above if you want them required.
var api = new ParseServer(parseSettings);
// Express app hosting the Parse API plus any other routes of your own.
var app = express();
// Static assets are served from the /public folder.
app.use('/public', express.static(path.join(__dirname, '/public')));
app.use(mountPath, api);
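// Parse Server plays nicely with the rest of your web routes.
app.get('/', function(req, res) {
  res.status(200).send('Make sure to star the parse-server repo on GitHub!');
});
// The /test page is a development aid. It used to be registered unconditionally
// with a "remove before launching" reminder; it is now skipped when NODE_ENV is
// 'production' so a forgotten removal does not ship the test page. Delete this
// block entirely once you no longer need it.
if (process.env.NODE_ENV !== 'production') {
  app.get('/test', function(req, res) {
    res.sendFile(path.join(__dirname, '/public/test.html'));
  });
}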
// Listen on PORT (default 1337). This is a plain HTTP listener; per the
// serverURL note above, terminate TLS in front of it (or move serverURL to
// https) before it is reachable from outside.
var port = process.env.PORT || 1337;
function onListening() {
  console.log('parse-server-example running on port ' + port + '.');
}
var httpServer = require('http').createServer(app);
httpServer.listen(port, onListening);
// Attach the Live Query real-time server to the same listener.
ParseServer.createLiveQueryServer(httpServer);
注意:fs 和 path 是 Node.js 内置核心模块,直接 require 即可,不需要(也不应)npm install --save;即使 npm 上存在同名的第三方包,它们也不是核心模块,安装它们只会引入不必要的依赖和供应链风险。
我们在 Mongo Cloud Manager 上部署 mongodb,这意味着副本集成员的 DNS 主机名由对方掌控。为了启用 SSL 连接,我用自己的 CA 为副本集中的所有服务器签发了证书(即自签名的证书链)。 当为 parse-server 提供 mongo 连接字符串时,我得到这个:
error: Uncaught internal server error. { [MongoError: self signed certificate in certificate chain] name: 'MongoError', message: 'self signed certificate in certificate chain' } Error: self signed certificate in certificate chain at Error (native) at TLSSocket. (_tls_wrap.js:1013:38) at emitNone (events.js:67:13) at TLSSocket.emit (events.js:166:7) at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:582:8) at TLSWrap.TLSSocket._init.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:424:38)
我很确定(好吧,希望)如果我能以某种方式为 Parse 的 mongodb 客户端提供我自己生成的根证书,应该可以解决这个问题。 问题是:能否为 parse-server 到 mongodb 的 SSL 连接提供证书?如果可以,应该怎么做?
好吧,我最近习惯于提供自己的答案,所以这里是另一个。 解决方案是正确获取/生成客户端证书,使你手头有 client.crt 和 client.key,同时备好根证书和所有中间证书,然后设置 replSet 的 ssl 选项(保持 sslValidate 为 true,通过 sslCA 提供自己的 CA,而不是关闭校验来绕过这个报错)。 正如您在下面看到的,我需要在 'databaseOptions' 中设置 'replSet';这是对 parse-server 做了一些逆向工程后得出的。 请注意,如果 parse-server 这部分代码发生更改,此解决方案将停止工作。
无论如何,以下来自 parse-server-example 的修改版 index.js 帮助我解决了这个问题。 我的补充是围绕 MONGODB_CRT_FOLDER 和 MONGODB_CERTIFICATES 这两个环境变量的那一段。
// Example express application adding the parse-server module to expose Parse
// compatible API routes.
var express = require('express');
var ParseServer = require('parse-server').ParseServer;
var path = require('path');
var fs = require('fs');
// Resolve the database URI: DATABASE_URI wins, MONGODB_URI is accepted as an
// alias. If neither is set the localhost default in parseSettings is used, and
// the log line below makes that fallback visible at startup.
var databaseUri = process.env.DATABASE_URI;
if (!databaseUri) {
  databaseUri = process.env.MONGODB_URI;
}
if (!databaseUri) {
  console.log('DATABASE_URI not specified, falling back to localhost.');
}
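// Core parse-server settings. Every value can be overridden from the
// environment; the literal fallbacks are development defaults only.
if (!process.env.MASTER_KEY) {
  // The empty-string fallback below is kept so local setups still start, but an
  // empty master key is not a secret: say so loudly, the same way a missing
  // DATABASE_URI is reported above. Set MASTER_KEY before exposing the server.
  console.log('MASTER_KEY not specified, falling back to an empty master key. Do not run like this in production.');
}
var parseSettings = {
  databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
  cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
  appId: process.env.APP_ID || 'myAppId',
  masterKey: process.env.MASTER_KEY || '', // Add your master key here. Keep it secret!
  serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse', // Don't forget to change to https if needed
  liveQuery: {
    classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
  }
};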
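// This allows providing the mongo client with certificates for a mongodb replica
// set. Handy when mongod uses certificates issued by your own (self-signed) CA:
// the driver can only verify the server chain if it is handed that CA via sslCA.
//
// MONGODB_CRT_FOLDER   - certificates folder, e.g. /my/certificates. A path without
//                        a leading '/' is taken relative to this project directory.
//                        It must contain client.key and client.crt (hard-coded names)
//                        plus the intermediate and root certificates of the chain.
// MONGODB_CERTIFICATES - comma-separated names of the chain certificates in that
//                        folder (whitespace around a name is ignored).
//
// NOTE(review): client.key is a secret; the folder should presumably be readable
// only by the account that runs parse-server — verify the file permissions.

// Build the `replSet` TLS options for the mongodb driver.
// folder:     absolute folder, or a folder relative to baseDir when it has no leading '/'.
// chainNames: comma-separated file names of the root/intermediate certificates;
//             empty entries are dropped.
// baseDir:    directory that relative folders are resolved against.
// Returns { ssl, sslValidate, sslCA, sslCert, sslKey }.
// Throws an Error when chainNames yields no certificate (fail closed instead of
// letting the driver run without a CA, which previously surfaced as a TypeError
// on `.split` of undefined) and propagates fs errors for unreadable files.
function loadMongoTlsOptions(folder, chainNames, baseDir) {
  var names = String(chainNames || '').split(',')
    .map(function (name) { return name.trim(); })
    .filter(function (name) { return name.length > 0; });
  if (names.length === 0) {
    throw new Error('MONGODB_CERTIFICATES must list at least one certificate when MONGODB_CRT_FOLDER is set');
  }
  // path.join also avoids the doubled '/' the old string concatenation produced.
  var crtFolder = folder.startsWith('/') ? folder : path.join(baseDir, folder);
  var readCert = function (name) {
    return fs.readFileSync(path.join(crtFolder, name));
  };
  return {
    ssl: true,
    // Keep this true: setting it false would make the "self signed certificate"
    // error go away by skipping verification of the server chain entirely.
    sslValidate: true,
    sslCA: names.map(readCert),
    sslCert: readCert('client.crt'),
    sslKey: readCert('client.key')
  };
}

if (process.env.MONGODB_CRT_FOLDER) {
  parseSettings.databaseOptions = {
    replSet: loadMongoTlsOptions(process.env.MONGODB_CRT_FOLDER, process.env.MONGODB_CERTIFICATES, __dirname)
  };
}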
// The Parse API is mounted at PARSE_MOUNT (default /parse).
var mountPath = process.env.PARSE_MOUNT || '/parse';
// Client keys (javascriptKey, restAPIKey, dotNetKey, clientKey) are optional
// with parse-server; pass them in parseSettings above if you want them required.
var api = new ParseServer(parseSettings);
// Express app hosting the Parse API plus any other routes of your own.
var app = express();
// Static assets are served from the /public folder.
app.use('/public', express.static(path.join(__dirname, '/public')));
app.use(mountPath, api);
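// Parse Server plays nicely with the rest of your web routes.
app.get('/', function(req, res) {
  res.status(200).send('Make sure to star the parse-server repo on GitHub!');
});
// The /test page is a development aid. It used to be registered unconditionally
// with a "remove before launching" reminder; it is now skipped when NODE_ENV is
// 'production' so a forgotten removal does not ship the test page. Delete this
// block entirely once you no longer need it.
if (process.env.NODE_ENV !== 'production') {
  app.get('/test', function(req, res) {
    res.sendFile(path.join(__dirname, '/public/test.html'));
  });
}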
// Listen on PORT (default 1337). This is a plain HTTP listener; per the
// serverURL note above, terminate TLS in front of it (or move serverURL to
// https) before it is reachable from outside.
var port = process.env.PORT || 1337;
function onListening() {
  console.log('parse-server-example running on port ' + port + '.');
}
var httpServer = require('http').createServer(app);
httpServer.listen(port, onListening);
// Attach the Live Query real-time server to the same listener.
ParseServer.createLiveQueryServer(httpServer);
注意:fs 和 path 是 Node.js 内置核心模块,直接 require 即可,不需要(也不应)npm install --save;即使 npm 上存在同名的第三方包,它们也不是核心模块,安装它们只会引入不必要的依赖和供应链风险。