解析服务器:是否可以为 mongodb 连接提供根证书?

parse-server: Is it possible to provide it root certificate for mongodb connection?

我们正在 Mongo Cloud Manager 上设置 mongodb,这意味着它们是 dns-hostnames 所有者。对于 SSL 连接,我为副本集中的所有服务器创建了一个自授权、自签名的证书。 当为解析服务器提供 mongo 连接字符串时,我得到这个:

error: Uncaught internal server error. { [MongoError: self signed certificate in certificate chain] name: 'MongoError', message: 'self signed certificate in certificate chain' } Error: self signed certificate in certificate chain at Error (native) at TLSSocket. (_tls_wrap.js:1013:38) at emitNone (events.js:67:13) at TLSSocket.emit (events.js:166:7) at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:582:8) at TLSWrap.TLSSocket._init.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:424:38)

我很确定(好吧,希望)如果我能以某种方式为 Parse 的 mongodb 客户端提供我自己生成的根证书,应该可以解决这些问题。 问题是 - 如果可以为解析服务器提供 mongodb SSL 连接证书,如果可以 - 如何?

好吧,我最近习惯于提供自己的答案,所以这里是另一个。 解决方案是正确 obtain/generate 客户端证书,以便您手头有 client.crt 和 client.key,拥有根证书和任何中间证书并设置 replSet ssl 设置。 正如您在下面看到的,我需要在 'databaseOptions' 中设置 'replSet'。在我这边的解析服务器上进行了一些逆向工程。 请注意,如果该区域的解析服务器代码发生更改,则此解决方案将停止工作。

无论如何,以下来自 parse-server-example 的修改 index.js 帮助我解决了这个问题。 我的补充是围绕 MONGODB_CERTIFICATE 环境变量。

// Example express application adding the parse-server module to expose Parse
// compatible API routes.

var express = require('express');
var ParseServer = require('parse-server').ParseServer;
var path = require('path');
var fs = require('fs');

var databaseUri = process.env.DATABASE_URI || process.env.MONGODB_URI;

if (!databaseUri) {
  console.log('DATABASE_URI not specified, falling back to localhost.');
}

var parseSettings = {
  databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
  cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
  appId: process.env.APP_ID || 'myAppId',
  masterKey: process.env.MASTER_KEY || '', //Add your master key here. Keep it secret!
  serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse',  // Don't forget to change to https if needed
  liveQuery: {
    classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
  }
}

// This allows to provide mongo client with certificates for mongodb replica set
// this is handy when you have your own self-authotized/signed certificates in mongo db
if (process.env.MONGODB_CRT_FOLDER) {
  // MONGODB_CRT_FOLDER - certificates folder e.g. /my/certificates
  // if the path is relative to the project just start it without  '/'
  // The folder is must contain 
  //   1. client.key (hard coded name)
  //   2. client.crt (hard coded name)
  //   3. one or more intermediate certificates and a root certificate for the certificate chain
  // MONGODB_CERTIFICATES - the names of the certificates in the certficate chain seperated by comma
  var crtFolder = process.env.MONGODB_CRT_FOLDER + '/';
  if (!process.env.MONGODB_CRT_FOLDER.startsWith('/'))  
    crtFolder = __dirname + '/' + crtFolder;

  var certificatesFiles = process.env.MONGODB_CERTIFICATES.split(',');
  var certificates = [];
  var i;
  for (i in certificatesFiles) {
    certificates.push(fs.readFileSync( crtFolder + '/' + certificatesFiles[i]))
  }

  parseSettings.databaseOptions = {
    replSet: {
      ssl: true,
      sslValidate: true,
      sslCA: certificates,
      sslCert: fs.readFileSync( crtFolder + 'client.crt'),
      sslKey: fs.readFileSync( crtFolder + 'client.key')
    }
  };
}


var api = new ParseServer(parseSettings);
// Client-keys like the javascript key or the .NET key are not necessary with parse-server
// If you wish you require them, you can set them as options in the initialization above:
// javascriptKey, restAPIKey, dotNetKey, clientKey

var app = express();

// Serve static assets from the /public folder
app.use('/public', express.static(path.join(__dirname, '/public')));

// Serve the Parse API on the /parse URL prefix
var mountPath = process.env.PARSE_MOUNT || '/parse';
app.use(mountPath, api);

// Parse Server plays nicely with the rest of your web routes
app.get('/', function(req, res) {
  res.status(200).send('Make sure to star the parse-server repo on GitHub!');
});

// There will be a test page available on the /test path of your server url
// Remove this before launching your app
app.get('/test', function(req, res) {
  res.sendFile(path.join(__dirname, '/public/test.html'));
});

var port = process.env.PORT || 1337;
var httpServer = require('http').createServer(app);
httpServer.listen(port, function() {
    console.log('parse-server-example running on port ' + port + '.');
});

// This will enable the Live Query real-time server
ParseServer.createLiveQueryServer(httpServer);

请注意,您必须 npm install --save 'fs' 和 'path'。