By:
psmod2

MongoDB Security - Is SSL required as Client and Server As One?

January 21, 2017
MongoDB Security

Hi,

I was just going through these 10 recommendations for MongoDB security.

Number 8 mentions enabling SSL for data travelling between the Mongo client and Mongo Server. However with the case of my droplet, is this required?

Isn't the Mongo Server = my droplet. Mongo Client = the mongo installation?

I have a firewall IP restriction so only my node droplet can access that mongo droplet.

So with that is it safe to say SSL isn't required?

Thanks.

3 Answers

@psmod2

SSL is recommended for added security and allows you to encrypt communication between local and remote connections.

For example, if you happen to be using your database to store sensitive data, such as passwords, e-mail addresses, etc. and that data happens to be in plain-text format (and in most cases it is -- even if the password is actually encrypted and then decrypted later on by your application), adding SSL to the mix adds another layer of security that prevents potential interception and decryption of the data during transit.

Without SSL, should the data be intercepted, what is passed is what is seen. There's no encryption beyond what your application may perform.

  • Thanks - however I'm still unclear.

    So I have:

    DROPLET 1 - MONGODB

    DROPLET 2 - NODE APP

    I SSH to DROPLET 1 - so any data between here would be encrypted as far as I understand.

    Nothing else is allowed to talk to DROPLET1 as per my firewall rules.

    So where would SSL sit in this equation / do I need it?

@psmod2

SSH may very well be encrypted, though if you're handling data, SSL handles the exchange between the visitors of your website and the server (i.e. visitor <=> Node app), as well as between servers (i.e. Node app <=> MongoDB).

So, for instance, someone visits your site at http://yoursite.com -- data exchanged between your app and the visitor is not encrypted. Likewise, when your Node app requests data from your MongoDB instance, data is not encrypted (unless MongoDB is set up to use SSL).

You have to specifically install an SSL certificate for your domain and then set up your application to use HTTPS instead of HTTP -- at the same time, you have to specifically configure MongoDB to run with an SSL certificate.

That being said, the actual question is: should you use SSL on either? If you're handling user data and that data contains names, addresses, phone numbers, DOBs, e-mail addresses, IPs, etc. -- yes. If you never handle user-submitted data, I still would, though it's not a requirement.

  • Hi,

    Ok, I think I get it now.

    So yes, the Visitor <=> Node app is using SSL - so does that mean that the request that goes from the Node app to the Mongo droplet, would automatically also be SSL?

    Or do I have to install the same SSL certificate on the Mongo droplet, and follow a guide like this: https://docs.mongodb.com/manual/tutorial/configure-ssl/

    Thanks.

@psmod2

MongoDB doesn't run with SSL by default; this is something you have to enable manually. If you will, take a look at the guide below and it'll cover how to enable SSL.

https://docs.mongodb.com/manual/tutorial/configure-ssl/

That being said, no, if you've not enabled SSL on the MongoDB instance, communication between the NodeJS app and MongoDB instance will not be encrypted.
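An added example (not code from the thread or from MongoDB's documentation) showing the check a practitioner would run on the Mongo droplet's mongod.conf once SSL has been enabled: a minimal parser for its YAML plus an audit that reports whether plaintext connections are still accepted. It assumes the MongoDB 3.x option names net.ssl.mode, PEMKeyFile and CAFile (renamed net.tls.* in MongoDB 4.2+) and uses constructed sample configs.

```python
# Added example, not from the thread or the MongoDB docs: audit a mongod.conf for
# the transport-encryption settings the answers above describe. Assumes the
# MongoDB 3.x option names net.ssl.* (MongoDB 4.2+ spells them net.tls.*).
def parse_simple_yaml(text):
    """Parse the nested 'key: value' subset of YAML that mongod.conf uses (assumption: maps of scalars only)."""
    root = {}; stack = [(-1, root)]               # (indent, mapping) of enclosing keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:             # climb out of deeper maps
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_mongod_conf(text):
    """Return findings; an empty list means every client must use TLS and mongod can serve it."""
    net = parse_simple_yaml(text).get("net", {})
    ssl = net.get("ssl", {})
    mode = ssl.get("mode", "disabled")            # mongod's default when unset
    findings = []
    if mode != "requireSSL":
        findings.append("net.ssl.mode is %s: plaintext connections are still accepted" % mode)
    if mode != "disabled" and "PEMKeyFile" not in ssl:
        findings.append("net.ssl.PEMKeyFile missing: mongod has no server certificate")
    if net.get("bindIp") == "0.0.0.0":
        findings.append("bindIp 0.0.0.0: exposure rests entirely on the host firewall")
    return findings

# Constructed samples: the asker's firewall-only setup, then the hardened one.
FIREWALL_ONLY_CONF = """
net:
  bindIp: 0.0.0.0
"""
REQUIRE_SSL_CONF = """
net:
  bindIp: 10.0.0.5        # private address reachable only from the Node droplet
  ssl:
    mode: requireSSL      # reject clients that do not negotiate TLS
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
"""
```

Running `audit_mongod_conf` over the firewall-only config reports that plaintext is still accepted, which is exactly the gap the answer above describes; the requireSSL config returns no findings.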
