Question

MongoDB Security - Is SSL required as Client and Server As One?

Hi,

I was just going through these 10 recommendations for MongoDB security.

Number 8 mentions enabling SSL for data travelling between the Mongo client and Mongo Server. However, with the case of my droplet, is this required?

Isn’t the Mongo Server = my droplet. Mongo Client = the mongo installation?

I have a firewall IP restriction so only my node droplet can access that mongo droplet.

So with that is it safe to say SSL isn’t required?

Thanks.



@psmod2

MongoDB doesn’t run with SSL by default; this is something you have to enable manually. If you will, take a look at the guide below and it’ll cover how to enable SSL.

https://docs.mongodb.com/manual/tutorial/configure-ssl/

That being said, no, if you’ve not enabled SSL on the MongoDB instance, communication between the NodeJS app and MongoDB instance will not be encrypted.

@psmod2

SSH may very well be encrypted, though if you’re handling data, SSL handles the exchange between the visitors of your website and the server (i.e. visitor <=> Node app), as well as between servers (i.e. Node app <=> MongoDB).

So, for instance, someone visits your site at http://yoursite.com – data exchanged between your app and the visitor is not encrypted. Likewise, when your Node app requests data from your MongoDB instance, data is not encrypted (unless MongoDB is set up to use SSL).

You have to specifically install an SSL certificate for your domain and then set up your application to use HTTPS instead of HTTP – at the same time, you have to specifically configure MongoDB to run with an SSL certificate.

That being said, the actual question is should you use SSL on either? If you’re handling user data and that data contains names, addresses, phone numbers, DOBs, e-mail addresses, IPs, etc – yes. If you never handle user submitted data, I still would, though it’s not a requirement.

@psmod2

SSL is recommended for added security and allows you to encrypt communication between local and remote connections.

For example, if you happen to be using your database to store sensitive data, such as passwords, e-mail addresses, etc and that data happens to be in plain-text format (and in most cases it is – even if the password is actually encrypted and then decrypted later on by your application), adding SSL to the mix adds another layer of security that prevents potential interception and decryption of the data during transit.

Without SSL, should the data be intercepted, what is passed is what is seen. There’s no encryption beyond what your application may perform.
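
An added example, not part of the original answers: a Node.js check that reports whether a MongoDB connection string will encrypt the Node app <=> MongoDB link discussed in this thread. The function name and the sample URIs are constructed for illustration; `tls`, `ssl`, `tlsInsecure`, `tlsAllowInvalidCertificates` and `tlsAllowInvalidHostnames` are MongoDB connection-string options.

```javascript
// Added example (not from the thread): audit a MongoDB connection string
// for transport encryption before the app is allowed to start.
const WEAKENING = ["tlsInsecure", "tlsAllowInvalidCertificates", "tlsAllowInvalidHostnames"];

function auditMongoUri(uri) {
  // Parsed by hand: multi-host seed lists ("h1:27017,h2:27017") are not
  // valid input for the WHATWG URL parser.
  const m = /^(mongodb(?:\+srv)?):\/\/[^?]*(?:\?(.*))?$/.exec(uri);
  if (!m) return { encrypted: false, findings: ["not a MongoDB connection string"] };
  const scheme = m[1];
  const query = m[2] || "";

  // Option names are case-insensitive, so normalise them before lookup.
  const opts = new Map();
  for (const [k, v] of new URLSearchParams(query)) opts.set(k.toLowerCase(), v.toLowerCase());

  const findings = [];
  // "ssl" is the older alias of "tls"; mongodb+srv turns TLS on unless overridden.
  const explicit = opts.has("tls") ? opts.get("tls") : opts.get("ssl");
  const encrypted = explicit !== undefined ? explicit === "true" : scheme === "mongodb+srv";
  if (!encrypted) findings.push("TLS not enabled: queries and results cross the network in plaintext");

  // TLS with validation switched off still encrypts, but no longer proves
  // the app is talking to the real database server.
  for (const name of WEAKENING) {
    if (opts.get(name.toLowerCase()) === "true") {
      findings.push(`${name}=true disables certificate or hostname validation`);
    }
  }
  return { encrypted, findings };
}

// Constructed sample connection strings (hosts and credentials are placeholders).
const SAMPLES = [
  "mongodb://app:secret@10.0.0.5:27017/shop",
  "mongodb://app:secret@db1.example.internal:27017,db2.example.internal:27017/shop?tls=true&tlsCAFile=/etc/ssl/mongo-ca.pem",
  "mongodb://app:secret@db1.example.internal:27017/shop?ssl=true&tlsAllowInvalidCertificates=true",
  "mongodb+srv://app:secret@cluster.example.net/shop?tls=false",
];

for (const uri of SAMPLES) {
  const { encrypted, findings } = auditMongoUri(uri);
  console.log(encrypted ? "TLS " : "PLAIN", uri.replace(/\/\/[^@]*@/, "//***@"), findings);
}
```

A firewall rule limiting which droplet can connect does not change the first result: the check only passes once the server is configured for SSL and the client connection string requests it.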