Enable MongoDB Bind IP and Authentication
By default, FileCloud installs the Mongo database server on the same machine as the web server without any authentication settings.
However, you may need to enable authentication for the following reasons:
- Added security
- Hosting the database server on a different machine than the web server.
Follow the steps here to enable authentication for MongoDB.
Set Up a Database User
A DB user has to be first created in MongoDB and this user can be later used in FileCloud for secure database access.
Assuming we will add a user with following details:
User Name | Password |
---|---|
dbuser | passw0rd1 |
Use a command line mongo client and execute the following commands to create the required DB user.
The following command lists all the databases in the system (depending on the configuration one or more dbs may not exist (or new ones may be present). So it is important to set authentication for each of the DB in the system. (Ignore the "local" database that shows up when you type "show databases")
For MongoClient v3.0 and above
use admin db.createUser( { user:"dbuser", pwd:"passw0rd1", roles:[ "root" ] })
For Mongo Client v 2.4
> show databases admin 0.078GB tonidoauditdb 0.078GB tonidoclouddb 0.078GB tonidos3storage 0.078GB tonidosettings 0.078GB tonidostoragedb 0.078GB tonidosyncdb 0.078GB > use admin; > db.addUser('dbuser','passw0rd1') > use tonidoauditdb; > db.addUser('dbuser','passw0rd1') > use tonidoclouddb; > db.addUser('dbuser','passw0rd1') > use tonidostoragedb; > db.addUser('dbuser','passw0rd1') > use tonidosyncdb; > db.addUser('dbuser','passw0rd1') > use tonidosettings; > db.addUser('dbuser','passw0rd1')
Upon executing all the above commands, 'dbuser' is added as a valid database user.
FC Push Service Configuration
In FileCloud version 23.1, a Push service has been added to allow clients (in particular, FileCloud Desktop) to receive server-initiated notifications (for example, file upload, share). Upgrading to FileCloud 23.1 or higher on systems running with MongoDB replica set or standalone MongoDB require the push service env file to be updated based on the MongoDB configuration.
To configure the Push service in Linux:
Open and edit the .env file from path: /opt/fcpushservice/
vi /opt/fcpushservice/.env
Update the MongoDB connection string:
FCPS_DB_DSN=mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017
Restart the fcpushservice.
systemctl restart fcpushservice
- Open the file xampp\pushservice\.env for edit.
Update the MongoDB connection string to:
FCPS_DB_DSN=mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017
Restart the Push service in the FileCloud control panel.
Changing the MongoDB IP binding
To change the MongoDB IP binding:
- Open the mongodb configuration file:
Linux: /etc/mongodb.conf
Windows: C:\xampp\mongodb\bin\mongodb.conf - Find bind_ip and change its value to the IP or hostname that you want MongoDB to listen to.
For example, if you want MongoDB to listen on the hostname mongosrv1.myfilecloud.com set bind_ip as follows:bind_ip = mongosrv1.myfilecloud.com
Configure Settings DB URL
FileCloud's settings database is where all the information is bootstrapped from. The default implicit URL for this database is "mongodb://127.0.0.1". Set this URL explicitly to reflect the fact that a database user needs to be used and the database server resides on different server. To do this, edit the configuration file WWWROOT/config/cloudconfig.php and add the following line:
define("TONIDOCLOUD_SETTINGS_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");
In the above example, we assumed the database server is installed on a different machine (i.e., mongosrv1.myfilecloud.com) than the webserver. In collocated scenarios, 127.0.0.1 can be used as well.
Note: If you use special characters in the password, make sure to URI encode them. For example: using 'password@2090' as the password, you will need to specify it like
Configure Other DB URLs In Config File
If you have never updated the database URLs in the admin UI, follow this sub-section. If not, skip to the next sub-section.
Other database URLs required for FileCloud needs to be changed to reflect the database user as well.
To do this, edit the configuration file WWWROOT/config/cloudconfig.php and update the following lines:
// ... Cloud Database define("TONIDOCLOUD_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017"); // ... Audit Database define("TONIDOCLOUD_AUDIT_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017"); // ... Settings Database define("TONIDOCLOUD_SETTINGS_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");
and configuration file WWWROOT/config/localstorageconfig.php and update the following line:
// ... Cloud Database define("TONIDO_LOCALSTORAGE_DBSERVER", "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017");
Configure Other DB URLs In Settings DB
If you have updated the database URLs in the admin UI, then changing the values in the config files as described above will not work.
In this case use a mongodb client and update the URLs with the following information.
Database: tonidosettings Collection: sites Records: { "name" : "TONIDOCLOUD_DBSERVER", "value" : "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017" }, { "name" : "TONIDOCLOUD_AUDIT_DBSERVER", "value" : "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017" }, { "name" : "TONIDO_LOCALSTORAGE_DBSERVER", "value" : "mongodb://dbuser:passw0rd1@mongosrv1.myfilecloud.com:27017" }
Encrypting the DB User's Password
You may optionally encrypt the DB User's password so that it does not appear in cloudconfig.php.
To encrypt the password:
- Generate a secure key for encryption.
First run the tool genkey to create a random password.In a command line enter:
For Windows:cd c:\xampp\htdocs\resources\tools\security PATH=%PATH%;C:\xampp\php
For Linux:
cd /var/www/html/resources/tools/security
Then, for both Windows and Linux, enter the genkey.php script to generate the secure key you will use to encrypt the plain ext password. Since genkey.php outputs to the screen by default, direct the output to the file securekey.key:
php genkey.php > securekey.key
- Use the fcencrypt.php script with the key generated in the previous step (securekey.key) to encrypt the plain text password ("aSecretPassword" in the example below).
At the command prompt, enter the first line. The encrypted message is returned.
php fcencrypt.php --message "aSecretPassword" --key "securekey.key" Encrypted message: PgxQKdMU+k5756194hlIcUcp5Qod7oXe2XgaQNO+qri9nHIoTBVYBA7PuLthEu7Eq+Mx4vZ/vQ==
- Copy and save the encrypted message, which you will use as your encrypted password.
- Save the key file and the encrypted password in cloudconfig.
- Open the cloudconfig.php file
Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
Linux Location: /var/www/html/config/cloudconfig.php Enter settings for storing the encrypted password:
define('TONIDOCLOUD_ENCRYPTION_KEYFILE', 'c:\xampp\htdocs\resources\tools\security\securekey.key'); define('TONIDOCLOUD_MONGODB_ENCRYPTED_PASSWORD', 'PgxQKdMU+k5756194hlIcUcp5Qod7oXe2XgaQNO+qri9nHIoTBVYBA7PuLthEu7Eq+Mx4vZ/vQ==');
Where the value for TONIDOCLOUD_ENCRYPTION_KEYFILE is the location of your securekey.key tool and the value for TONIDOCLOUD_MONGODB_ENCRYPTED_PASSWORD is your encrypted password.
:
- Open the cloudconfig.php file
Replace occurrences of the plain text password in cloudconfig with the placeholder %tonidocloud_mongodb_password% in the settings:
FC_MONGODB_URI_OPTIONS
AUTOBACKUP_MONGODUMP_PARAMS
For example, instead of:define("AUTOBACKUP_MONGODUMP_PARAMS", '--host 127.0.0.1 --username dbuser --password aSecretPassword --authenticationDatabase admin');
enter:
define("AUTOBACKUP_MONGODUMP_PARAMS", '--host 127.0.0.1 --username dbuser --password %tonidocloud_mongodb_password% --authenticationDatabase admin');
Enable MongoDB Security
Now that FileCloud is updated with the security info, enable security in MongoDB. To do this open the file mongodb.conf that can be typically found in the following location:
Windows | C:\xampp\mongodb\bin\mongodb.conf |
---|---|
Linux | /etc/mongodb.conf |
Edit this file and add/update with the following line. If the line is already there, ensure it is not commented.
# Turn on/off security. Off is currently the default #noauth = true auth = true
If you are using a version of MongoDB that creates a YAML conf file, you might need to enable authentication using the following format.
security: authorization: enabled
For MongoDB replica set cluster configurations:
- Run the below command to generate a key file.
This key will be used for internal replicaset authentication:openssl rand -base64 741 >"/var/lib/mongodb/mongodb-keyfile"
- Copy the file /var/lib/mongodb/mongodb-keyfile to the other 2 database nodes.
- Run the below commands to set permission and ownership.
chmod 400 /var/lib/mongodb/mongodb-keyfile chown mongodb. /var/lib/mongodb/mongodb-keyfile
Add the below lines to /etc/mongod.conf
security: authorization: enabled keyFile: /var/lib/mongodb/mongodb-keyfile
Restart services
Finally, it is necessary to restart both MongoDB and Apache to get the security in-place.
Note
- In case of any issues, disable security in mongodb and fix the problems.
- To disable security, mongodb auth has to be disabled and the database URLs has to be reverted back.