SSL Endpoints on Heroku and MongoLab - mongodb

I'm using CloudFlare to get free SSL coverage for a domain I own on GoDaddy. That's great and if you haven't checked out those services you might find them handy to use. I do have a question though, I'd like to provide HTTPS/SSL encryption for data transmitted from my MongoLab DB to my Heroku App. Both of these are through Heroku. So,
(1) Do I need additional SSL encryption to protect the sensitive data I'll be transmitting between those two endpoints?
(2) How do I go about acquiring that?
(3) If yes to (1) and no good answer for (2), what's an alternative (nearly free) option to accomplish the same thing. I'm not wed to MongoDB for this project.
Thanks in advance and hope this question helps someone else out as well.

Apparently, Heroku maintains that if you provision a MongoLab DB through them (and not through MongoLab directly) and have your Heroku app in the same AWS region, you're fine, as no packet sniffing can occur.
Otherwise you can purchase separate SSL encryption.
I've also decided to encrypt the data going into my database as well.

Related

How do I get a certificate from Let's Encrypt via Certbot on an AWS EC2 server I am planning on using as an email server?

I am trying to set up an email server on EC2 (mostly just for fun) that won't let me set up a certificate. I am using Let's Encrypt's Certbot because it was what they recommended. I am also hosting a Google site (I am using Google Domains). Issue: My Google site is using *.mysite.com and www.mysite.com, and I think that this is interfering with my attempts to get a certificate. Any feedback would be helpful.
I have opened many a browser tab looking for this answer. I do not know what to search for. As I said above, any feedback would be helpful.
I do not own the actual mysite.com domain. It is just an example. Just want to avoid any confusion. Thanks!

MERN and MongoDB hosting

So I possibly have a dumb question about MongoDB hosting. I'm learning the MERN stack and can't figure out how to host my app. Most of the tutorials I've seen use Heroku I believe, but it's just yet another service or thing to learn or manage. I've used Postman to verify the code works. And yes I've googled this, which only confused me more.
I have several Dreamhost domains, but can't find much info on using it to host MongoDB. Is it possible to use my current host or do I HAVE to point the DNS or whatever to another server/service, or just plain move my domain to a different provider?
Also, I've got a client/front-end directory and an api/server directory in my root folder. Is that standard practice, do I need to upload them to different hosts, merge them or what? I cannot for the life of me get the backend to work.
Edit/Update: Thank you for the response! Sorry I'm just now answering. It was a crazy week. The code itself works. I built a portfolio blog with a login/register system with Express/MongoDB to store users and posts. ALL my domains are on Dreamhost and I didn't want to spread out service providers if I could help it. I've built websites with PHP and SQL on there and it was easy. But from what I could find out, MongoDB cannot be used on Dreamhost servers. I ended up using Heroku, which worked, although I haven't been able to point my DNS from my Dreamhost domain to it yet. Currently it has a domain name of ***.herokuapp.com and is hosted on Heroku. So that's where my problem is now, but I still want to understand the why and how a little better. How is MongoDB different from SQL other than the relational aspect, and why does it need something like Heroku as opposed to Dreamhost or Bluehost or GoDaddy?
So first things first: you should know that MongoDB runs on an OS, and that can be your own system, a cloud server or a service provider.
Domain names are nothing but a pointer to your actual server. So you have to host your MongoDB somewhere, whether that be a service like Mongo Atlas or your own server that you spin up on DigitalOcean, AWS, GCP etc.
For that I need to see what you are actually doing; I can't comment without having a look at your code. If you're not comfortable sharing all the code online, you can chat with me personally.

How to securely lock down a MongoDB database?

In the beginning of the year, lots of MongoDB databases were hacked. This also included my database. Yesterday I noticed my brand new database with authorization enabled was hacked as well. The username and password are very secure (16+ character password with random characters and symbols).
I've now decided to fully secure it, but I honestly don't know where to proceed. I already have:
security:
  authorization: enabled
and that should be enough (after sudo service mongod restart). I only have 1 database and no admin user, but anonymous access from a remote connection is still allowed. I keep reading in many places that I should run mongod as mongod --auth, but that it's the same as enabling authorization as I've done above.
At this point I'm struggling to disable anonymous authentication on the server. What did I miss? Why can I authenticate without an account?
To enable security you'll want to follow the Security Checklist on the MongoDB Website.
Here you are provided with role-based authorization and authentication instructions. It's also advised that you disable listening on all Ethernet interfaces and bind your MongoDB ports to the interfaces you'd like exposed.
For a guide to network hardening, you will want to review these instructions, but the most important aspect is to avoid unwanted network exposure. Consider using a firewall or security groups (if in cloud).

Is it possible to authenticate a DB user in RDS (PostgreSQL) via the certificate used to encrypt SSL connections?

I'm trying to apply security best practices to an AWS RDS PostgreSQL instance, but Amazon seems to have gone out of its way to prevent some fairly common and routine features around authentication. I don't seem to be able to authenticate against any external source, which sucks, since now I have to maintain DB users completely separately from normal user management. But it seems that, despite the fact that I can use SSL to connect, none of the functionality that might actually validate a client's cert against the server's CA is accessible in RDS. Is this true? It seems like the easiest thing in the world to have Amazon sign certs with its CA and then validate those certs against that CA when connections are established, yet I cannot find any mention of how to do it in the documentation or out on the web. Am I really confined ONLY to password authentication of DB-internal users? This is almost hard to believe, but after days of research, it is the only conclusion I have been able to support.

Mongo DBaaS Data in Transit Security

I've been looking at setting up a MongoDB as a Service on Mongo HQ/Compose.io or some other service.
From what I can gather the major security hole is the data in transit. Mongo doesn't support native driver SSL by default, and most DBaaS providers don't offer it standard.
It seems to me that it is a big security risk. Am I wrong here?
thanks.
Yes, that is correct. MongoDB does not support SSL by default, and few DBaaS providers offer it. You might have to manage MongoDB yourself. The easiest way, I guess, is to docker it up.
By the way, did you check out CloudBoost.io (https://www.cloudboost.io)? We have SSL on our APIs and have all the features which MongoDB has and more.
P.S.: I work at CloudBoost.io