mongodb中的--bindip配置选项有什么作用? [英] What does the --bindip configuration option in mongodb do?
问题描述
这是mongodb文档 https://docs.mongodb.com/manual/reference/configuration-options/它指定
mongos或mongod绑定以侦听的IP地址 来自应用程序的连接.您可以将mongos或mongod附加到任何 界面.将mongos或mongod附加到可公开访问的地方时 接口,请确保您已实施正确的身份验证,并且 防火墙限制以保护数据库的完整性.
要绑定到多个IP地址,请输入以逗号分隔的列表 值.
那
127.0.0.1.是默认配置
关于网络,我一无所知,所以我想知道是否有人可以向我解释这是什么更全面的含义.另外,如果我要更改此设置又意味着什么?为什么要绑定多个IP?最后,如果有人有线索,为什么127.0.0.1是默认选项?
(您可以跳过此编辑部分)
此问题背后的某些动机在于,尝试在docker上运行mongodb时收到以下警告:
2016-05-22T05:36:12.478+0000 I CONTROL [initandlisten] ** WARNING: Insecure configuration, access control is not enabled and no --bind_ip has been specified.
2016-05-22T05:36:12.478+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted,
2016-05-22T05:36:12.478+0000 I CONTROL [initandlisten] ** and the server listens on all available network interfaces.
还有一些我会收到此错误的问题
2016-05-20T01:04:18.012+0000 I NETWORK [thread1] trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed
2016-05-20T01:04:18.018+0000 I NETWORK [thread1] reconnect 127.0.0.1:27017 (127.0.0.1) ok
(如果您好奇解决方案
在bindIp
127.0.0.1 按照惯例是 localhost 的IP地址.并绑定到回送接口,该接口只能在同一台计算机上访问.
使用此地址作为默认地址是最佳做法,因为这样做可以避免意外将服务公开给公众.您必须做出有意识的选择来更改绑定IP,以使您的服务公开可用. 确保已采取适当的安全措施后,才应该执行此操作.
注意:这非常简化,跳过了高级主题
通常,一台计算机具有环回接口和一个或多个真实"网络接口.
假设您有一个内部"网络接口(由于将它们放入同一网络,因此只能由您的应用程序服务器访问),而您有一个外部"网络接口(可通过公共互联网访问以进行维护)目的).现在,如果您要将MongoDB实例绑定到所有接口(您将使用IP地址 0.0.0.0 ),那么您的MongoDB实例将可以通过公共互联网访问-这几乎不是理想的情况.攻击者可能会尝试强行使用您的密码,并最终可能会访问您的MongoDB实例.最好完全阻止来自公共互联网的任何访问.
您更希望MongoDB实例可用于您的应用程序服务器以及运行它的机器上.因此,您需要将MongoDB绑定到回送接口的IP( 127.0.0.1 )和专用网络的IP(通常是其中之一).
- 从
10.0.0.0到10.255.255.255的范围
- 从
172.16.0.0到172.31.255.255的范围
- 从
192.168.0.0到192.168.255.255的范围
让我们以我们的示例为例,说应用程序服务器和MongoDB实例均在 192.168.X.X 范围内的专用网络中,并且您已将MongoDB实例的IP地址指定为 192.168.0.1 .因此,您希望可以通过 192.168.0.1 访问MongoDB实例,以便应用程序服务器可以与之对话,并通过 127.0.0.1 来使用该服务器上的管理工具.机器MongoDB轻松运行.
因此,使用YAML配置语法,您将传递多个IP
注意请勿在多个IP上的逗号之间添加空格
# WARNING!!! WARNING!!! WARNING!!!
# DO NOT DO THIS UNLESS YOU HAVE CLIENT AUTHENTICATION ENABLED
# (or you really, really, really know what you are doing)
net:
bindIp: 127.0.0.1,192.168.0.1
关于警告
简而言之,这是MongoDB的说法:
伴侣,您有两个问题:您尚未配置安全性,并且只能从本地计算机访问MongoDB实例.前者不如后者严重.但是,您真的应该先配置安全性,然后再将MongoDB实例绑定到除"localhost"之外的其他IP上.
有一种隐含的除非您真的知道您在做什么!",因为iirc,如果您激活客户端身份验证或更改了身份验证,该警告就会消失. bindIp.
Here is the mongodb documentation https://docs.mongodb.com/manual/reference/configuration-options/ it specifies that
The IP address that mongos or mongod binds to in order to listen for connections from applications. You may attach mongos or mongod to any interface. When attaching mongos or mongod to a publicly accessible interface, ensure that you have implemented proper authentication and firewall restrictions to protect the integrity of your database.
To bind to multiple IP addresses, enter a list of comma separated values.
and that
127.0.0.1. is the default configuration
I'm clueless when it comes to networking so I wanted to know if someone could explain to me what this means in a more comprehensive way. Also, what would it mean if I were to change this? Why would I want to bind multiple IPs? and finally if anyone has a clue, why is 127.0.0.1 the default option?
Edit:
(You can skip this edit part)
Some of the motivation behind this question lies in getting these warnings while trying to run mongodb on docker:
2016-05-22T05:36:12.478+0000 I CONTROL [initandlisten] ** WARNING: Insecure configuration, access control is not enabled and no --bind_ip has been specified.
2016-05-22T05:36:12.478+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted,
2016-05-22T05:36:12.478+0000 I CONTROL [initandlisten] ** and the server listens on all available network interfaces.
and also some issues where I'd get this error
2016-05-20T01:04:18.012+0000 I NETWORK [thread1] trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed
2016-05-20T01:04:18.018+0000 I NETWORK [thread1] reconnect 127.0.0.1:27017 (127.0.0.1) ok
(more on that here if you are curious https://dba.stackexchange.com/questions/139075/replica-set-in-mongodb-using-docker-primary-has-error-and-stops-being-primary-w/139145#139145 but this issue is not the topic of this post!)
On bindIp
127.0.0.1 by convention is the IP address of localhost and is bound to the loopback interface, which is only accessible from the same machine.
Using this address as default is best practice, since doing so makes it impossible to accidentally expose a service to the public. You have to make the conscious choice to change the bind IP to make your service publicly available. Which you should only do after you made sure that you took proper security measures.
Note This is very simplified, skipping advanced topics
Typically, a machine has the loopback interface and one or more "real" network interfaces.
Say you have one network interface which is "internal" (only accessible by your application servers, since you put them into the same network) and you have one network interface which is "external" (reachable via the public internet for maintenance purposes). Now, if you would bind your MongoDB instance to all interfaces (you would use the IP address 0.0.0.0 to do that), your MongoDB instance would be accessible from the public internet – hardly a desired situation. Attackers could try to brute force your passwords and may eventually get access to your MongoDB instance. Better to prevent any access from the public internet at all.
What you would rather want to have that your MongoDB instance is accessible for your application servers and from the machine it runs on. So you would bind MongoDB to both the loopback interface's IP (127.0.0.1) and the IP of the private network, which in general would be one of
- the range from
10.0.0.0to10.255.255.255 - the range from
172.16.0.0to172.31.255.255 - the range from
192.168.0.0to192.168.255.255
Let us take our example and say both the application servers and the MongoDB instance are in a private network in the range 192.168.X.X and you have given the MongoDB instance the IP address 192.168.0.1. So you would want to have your MongoDB instance be accessible via 192.168.0.1 so that the application servers can talk to it and via 127.0.0.1 to use the administration tools from the machine MongoDB runs on effortlessly.
So with the YAML configuration syntax, you would pass multiple IPs
NOTE do not add space between commas on multiple IPs
# WARNING!!! WARNING!!! WARNING!!!
# DO NOT DO THIS UNLESS YOU HAVE CLIENT AUTHENTICATION ENABLED
# (or you really, really, really know what you are doing)
net:
bindIp: 127.0.0.1,192.168.0.1
On the warnings
In short, this is MongoDBs way of saying:
Mate, you have two problems: you have not configured security yet and your MongoDB instance is only accessible from the local machine. The former is not as severe because of the latter. But you really should configure security before you bind the MongoDB instance to other IPs than "localhost"!
There is sort of an implied "Unless you really know what you are doing!", because iirc, the warning vanishes if you either activate client authentication or change the bindIp.
这篇关于mongodb中的--bindip配置选项有什么作用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
