Enable MongoDB Bind IP and Authentication

By default, FileCloud installs the Mongo database server on the same machine as the web server without any authentication settings.

However, you may need to enable authentication for the following reasons:

  • Added security 
  • Hosting the database server on a different machine than the web server. 

Follow the steps here to enable authentication for MongoDB.

Set Up a Database User

A DB user must first be created in MongoDB; FileCloud then uses this user for authenticated database access.
Assume we add a user with the following details:

User Name    Password
dbuser       passw0rd1

Use a command line mongo client and execute the following commands to create the required DB user.

The "show databases" command lists all the databases in the system. Depending on the configuration, one or more of these databases may not exist, or additional ones may be present, so it is important to set authentication for each database in the system. (Ignore the "local" database that appears when you type "show databases".)

For Mongo Client v3.0 and above

use admin
db.createUser( { user:"dbuser", pwd:"passw0rd1", roles:[ "root" ] })

For Mongo Client v2.4

Mongo Client
> show databases
admin            0.078GB
tonidoauditdb    0.078GB
tonidoclouddb    0.078GB
tonidos3storage  0.078GB
tonidosettings   0.078GB
tonidostoragedb  0.078GB
tonidosyncdb     0.078GB
 
> use admin;
> db.addUser('dbuser','passw0rd1')
> use tonidoauditdb;
> db.addUser('dbuser','passw0rd1')
> use tonidoclouddb;
> db.addUser('dbuser','passw0rd1')
> use tonidostoragedb;
> db.addUser('dbuser','passw0rd1')
> use tonidosyncdb;
> db.addUser('dbuser','passw0rd1')
> use tonidosettings;
> db.addUser('dbuser','passw0rd1')

Upon executing all the above commands, 'dbuser' is added as a valid database user.

FC Push Service Configuration

In FileCloud version 23.1, a Push service has been added to allow clients (in particular, FileCloud Desktop) to receive server-initiated notifications (for example, file upload, share). Upgrading to FileCloud 23.1 or higher on systems running with a MongoDB replica set or standalone MongoDB requires the push service env file to be updated based on the MongoDB configuration.

To configure the Push service in Linux:

  1. Open and edit the .env file from path: /opt/fcpushservice/

    vi /opt/fcpushservice/.env
  2. Update the MongoDB connection string:

    FCPS_DB_DSN=mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017
  3. Restart the fcpushservice.

    systemctl restart fcpushservice

To configure the Push service in Windows:

  1. Open the file xampp\pushservice\.env for edit.
  2. Update the MongoDB connection string to:

    FCPS_DB_DSN=mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017
  3. Restart the Push service in the FileCloud control panel.

Changing the MongoDB IP binding

To change the MongoDB IP binding:

  1. Open the mongodb configuration file:
    Linux: /etc/mongodb.conf
    Windows: C:\xampp\mongodb\bin\mongodb.conf
  2. Find bind_ip and change its value to the IP or hostname that you want MongoDB to listen on.
    For example, if you want MongoDB to listen on the hostname mongosrv1.myfilecloud.com set bind_ip as follows:
    bind_ip = mongosrv1.myfilecloud.com


Configure Settings DB URL 

FileCloud's settings database is where all the information is bootstrapped from. The default implicit URL for this database is "mongodb://127.0.0.1". Set this URL explicitly to reflect the fact that a database user needs to be used and that the database server resides on a different server. To do this, edit the configuration file WWWROOT/config/cloudconfig.php and add the following line:

Override Settings DB URL
define("TONIDOCLOUD_SETTINGS_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");

In the above example, we assumed the database server is installed on a different machine (i.e., mongosrv1.myfilecloud.com) than the web server. In co-located scenarios, 127.0.0.1 can be used as well.

Note: If you use special characters in the password, make sure to URI-encode them. For example, if the password is 'password@2090', specify it as follows:

mongodb://dbuser:password%402090@localhost:27017
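The encoding rule above, as an added example that is not part of the FileCloud documentation: a small standard-library Python helper that percent-encodes the credentials when building the connection string and parses the result back to confirm the password round-trips (the function names are my own).

```python
from urllib.parse import quote, unquote, urlsplit


def build_mongo_dsn(user, password, host, port=27017):
    """Build mongodb://user:pass@host:port with the credentials percent-encoded.

    safe="" encodes every reserved character, so an '@', ':', '/', '?' or '#'
    in the password can never be mistaken for a URI delimiter.
    """
    return f"mongodb://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"


def parse_mongo_dsn(dsn):
    """Split a mongodb:// DSN back into its parts, decoding the credentials."""
    parts = urlsplit(dsn)
    if parts.scheme != "mongodb" or parts.hostname is None:
        raise ValueError("not a mongodb://user:password@host URI")
    return {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,  # urlsplit lower-cases the host name
        "port": parts.port,
    }


def dsn_round_trips(user, password, host, port=27017):
    """True if the encoded DSN parses back to exactly the credentials given."""
    p = parse_mongo_dsn(build_mongo_dsn(user, password, host, port))
    return (p["user"], p["password"], p["host"], p["port"]) == (user, password, host.lower(), port)


if __name__ == "__main__":
    # 'password@2090' is the page's example; the '@' becomes %40
    print(build_mongo_dsn("dbuser", "password@2090", "localhost"))
```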

Configure Other DB URLs In Config File

If you have never updated the database URLs in the admin UI, follow this sub-section. Otherwise, skip to the next sub-section.

The other database URLs required by FileCloud need to be changed to reflect the database user as well.
To do this, edit the configuration file WWWROOT/config/cloudconfig.php and update the following lines:

Update DB URLs in cloudconfig.php
// ... Cloud Database
define("TONIDOCLOUD_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");
// ... Audit Database
define("TONIDOCLOUD_AUDIT_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");
// ... Settings Database
define("TONIDOCLOUD_SETTINGS_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");

and configuration file WWWROOT/config/localstorageconfig.php and update the following line:

Update DB URLs in localstorageconfig.php
// ... Cloud Database
define("TONIDO_LOCALSTORAGE_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");


Configure Other DB URLs In Settings DB

If you have updated the database URLs in the admin UI, then changing the values in the config files as described above will not work.

In this case use a mongodb client and update the URLs with the following information.

Update settings database with a mongo client
Database: tonidosettings
Collection: sites
Records:
	{ "name" : "TONIDOCLOUD_DBSERVER",
	  "value" : "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017" },
	{ "name" : "TONIDOCLOUD_AUDIT_DBSERVER",
	  "value" : "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017" },
	{ "name" : "TONIDO_LOCALSTORAGE_DBSERVER",
	  "value" : "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017" }


Encrypting the DB User's Password

You may optionally encrypt the DB User's password so that it does not appear in cloudconfig.php. 

To encrypt the password:

  1. Generate a secure key for encryption.
    First run the genkey tool to create a random secure key.
    1. In a command line enter:
      For Windows:

      cd c:\xampp\htdocs\resources\tools\security
      PATH=%PATH%;C:\xampp\php

      For Linux:

      cd /var/www/html/resources/tools/security

    2. Then, for both Windows and Linux, run the genkey.php script to generate the secure key you will use to encrypt the plain text password. Since genkey.php outputs to the screen by default, redirect the output to the file securekey.key:

      php genkey.php > securekey.key
  2. Use the fcencrypt.php script with the key generated in the previous step (securekey.key) to encrypt the plain text password ("aSecretPassword" in the example below).

    1. At the command prompt, enter the first line. The encrypted message is returned.

      php fcencrypt.php --message "aSecretPassword" --key "securekey.key"
      Encrypted message: PgxQKdMU+k5756194hlIcUcp5Qod7oXe2XgaQNO+qri9nHIoTBVYBA7PuLthEu7Eq+Mx4vZ/vQ==
    2. Copy and save the encrypted message, which you will use as your encrypted password.

  3. Save the key file and the encrypted password in cloudconfig.
    1. Open the cloudconfig.php file
      Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
      Linux Location: /var/www/config/cloudconfig.php
    2. Enter settings for storing the encrypted password: 

      define('TONIDOCLOUD_ENCRYPTION_KEYFILE', 'c:\xampp\htdocs\resources\tools\security\securekey.key');
      define('TONIDOCLOUD_MONGODB_ENCRYPTED_PASSWORD', 'PgxQKdMU+k5756194hlIcUcp5Qod7oXe2XgaQNO+qri9nHIoTBVYBA7PuLthEu7Eq+Mx4vZ/vQ==');

      Where the value for TONIDOCLOUD_ENCRYPTION_KEYFILE is the location of your securekey.key file and the value for TONIDOCLOUD_MONGODB_ENCRYPTED_PASSWORD is your encrypted password.

  4. Replace occurrences of the plain text password in cloudconfig with the placeholder %tonidocloud_mongodb_password% in the following settings:

    • FC_MONGODB_URI_OPTIONS

    • AUTOBACKUP_MONGODUMP_PARAMS

      For example, instead of:

      define("AUTOBACKUP_MONGODUMP_PARAMS", '--host 127.0.0.1 --username dbuser --password aSecretPassword --authenticationDatabase admin');

      enter:

      define("AUTOBACKUP_MONGODUMP_PARAMS", '--host 127.0.0.1 --username dbuser --password %tonidocloud_mongodb_password% --authenticationDatabase admin');



Enable MongoDB Security

Now that FileCloud is updated with the security info, enable security in MongoDB. To do this open the file mongodb.conf that can be typically found in the following location:

Windows    C:\xampp\mongodb\bin\mongodb.conf
Linux      /etc/mongodb.conf

Edit this file and add or update the following line. If the line is already there, ensure it is not commented out.

Enable MongoDB security in Windows and mongodb v2.x on Linux
# Turn on/off security.  Off is currently the default
#noauth = true
auth = true

If you are using a version of MongoDB that creates a YAML conf file, you might need to enable authentication using the following format.

Enable MongoDB v3.x on Linux
security:
  authorization: enabled


For MongoDB replica set cluster configurations:

  1. Run the below command to generate a key file.
    This key will be used for internal replica set authentication:
    openssl rand -base64 741 >"/var/lib/mongodb/mongodb-keyfile"
  2. Copy the file /var/lib/mongodb/mongodb-keyfile to the other 2 database nodes.
  3. Run the below commands to set permission and ownership.
    chmod 400 /var/lib/mongodb/mongodb-keyfile
    chown mongodb. /var/lib/mongodb/mongodb-keyfile
  4. Add the below lines to /etc/mongod.conf

    security:
     authorization: enabled
     keyFile: /var/lib/mongodb/mongodb-keyfile
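An added example, not FileCloud's own tooling, that checks a mongodb.conf after the edits above: it reads either the legacy "auth = true" form or the YAML "security: authorization: enabled" form and reports whether authentication is on, which key file is set, and whether the bind address still exposes every interface. The function name, the sample files and the handling of the YAML bind key net.bindIp are my assumptions beyond what the page shows.

```python
import re

def audit_mongodb_conf(text):
    auth_enabled, bind_ip, keyfile, section = False, None, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, so '#noauth = true' is inert
        if not line.strip():
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        m = re.match(r"^(\w+)\s*=\s*(.+)$", item)  # legacy form: auth = true, bind_ip = host
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "auth":
                auth_enabled = val.lower() == "true"
            elif key == "noauth" and val.lower() == "true":
                auth_enabled = False
            elif key == "bind_ip":
                bind_ip = val
            continue
        if indent == 0 and item.endswith(":"):  # YAML section header: security:, net:
            section = item[:-1]
            continue
        m = re.match(r"^(\w+):\s*(.+)$", item)  # YAML 'key: value' under the current section
        if m and indent > 0:
            key, val = m.group(1), m.group(2).strip()
            if section == "security" and key == "authorization":
                auth_enabled = val.lower() == "enabled"
            elif section == "security" and key == "keyFile":
                keyfile = val
            elif section == "net" and key == "bindIp":
                bind_ip = val
    findings = []
    if not auth_enabled:
        findings.append("authentication is not enabled")
    if bind_ip is None:
        findings.append("bind_ip/bindIp is not set explicitly")
    elif "0.0.0.0" in bind_ip or bind_ip == "::":
        findings.append("MongoDB listens on all interfaces")
    return {"auth_enabled": auth_enabled, "bind_ip": bind_ip, "keyfile": keyfile, "findings": findings}

# Constructed sample files mirroring the two formats shown on this page.
LEGACY_CONF = """#noauth = true
auth = true
bind_ip = mongosrv1.myfilecloud.com
"""
YAML_CONF = """security:
  authorization: enabled
  keyFile: /var/lib/mongodb/mongodb-keyfile
net:
  bindIp: 0.0.0.0
"""
```

Run audit_mongodb_conf on the contents of your real mongodb.conf (or mongod.conf on a replica set node) after editing and before restarting; an empty findings list is the expected result.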


Restart services

Finally, it is necessary to restart both MongoDB and Apache for the security settings to take effect.


Note

  • In case of any issues, disable security in MongoDB and fix the problems.
  • To disable security, MongoDB auth has to be disabled and the database URLs have to be reverted.