最新消息:20210917 已从crifan.com换到crifan.org

【已解决】给MongoDB限制IP访问

MongoDB crifan 6333浏览 0评论

已经知道了,想要限制特定的IP去访问连接mongo的话,是去修改配置文件:

vi /etc/mongod.conf

修改其中的bindIP

但是此处,需要搞清楚:

如何确定mongo的客户端的IP

mongo how check client ip

database – how to get connected clients in MongoDB – Stack Overflow

Mongodb list current connection – Database Administrators Stack Exchange

然后去本地去连接了远程的mongo了:

但是结果mongo shell中都还是无法打印出正在连接的ip

<code>[root@naturling-general-01 ~]# mongo
MongoDB shell version: 3.2.19
connecting to: test
&gt; db.currentOp().inprog
&gt; db.currentOp().inprog
&gt; db.currentOp(true).inprog
&gt; db.currentOp(true).inprog
</code>

进去对应数据库,也不行:

<code>&gt; use gridfs
switched to db gridfs
&gt; db.currentOp(true).inprog
</code>

去看服务端mongod的log:

<code>2018-04-08T17:32:04.543+0800 I NETWORK  [initandlisten] waiting for connections on port 27017
2018-04-08T17:32:12.235+0800 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:35930 #1 (1 connection now open)
2018-04-08T17:32:12.237+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2018-04-08T17:32:12.239+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2018-04-08T17:32:38.469+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0 }
2018-04-08T17:32:56.056+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:49881 #2 (2 connections now open)
2018-04-08T17:32:56.208+0800 I ACCESS   [conn2] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:32:56.289+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:49882 #3 (3 connections now open)
2018-04-08T17:32:56.426+0800 I ACCESS   [conn3] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:32:56.513+0800 I NETWORK  [conn3] end connection 112.4.64.141:49882 (2 connections now open)
2018-04-08T17:32:56.513+0800 I NETWORK  [conn2] end connection 112.4.64.141:49881 (1 connection now open)
2018-04-08T17:33:01.485+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:49913 #4 (2 connections now open)
2018-04-08T17:33:01.588+0800 I ACCESS   [conn4] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:01.669+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:49914 #5 (3 connections now open)
2018-04-08T17:33:01.765+0800 I ACCESS   [conn5] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:01.864+0800 I NETWORK  [conn4] end connection 112.4.64.141:49913 (2 connections now open)
2018-04-08T17:33:01.865+0800 I NETWORK  [conn5] end connection 112.4.64.141:49914 (1 connection now open)
2018-04-08T17:33:05.178+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:49936 #6 (2 connections now open)
2018-04-08T17:33:05.301+0800 I ACCESS   [conn6] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:05.382+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:49937 #7 (3 connections now open)
2018-04-08T17:33:05.473+0800 I ACCESS   [conn7] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:07.218+0800 I NETWORK  [conn7] end connection 112.4.64.141:49937 (2 connections now open)
2018-04-08T17:33:07.219+0800 I NETWORK  [conn6] end connection 112.4.64.141:49936 (1 connection now open)
2018-04-08T17:33:09.472+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0 }
2018-04-08T17:33:22.720+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
2018-04-08T17:34:11.478+0800 I NETWORK  [initandlisten] connection accepted from 112.4.64.141:50339 #8 (2 connections now open)
2018-04-08T17:34:11.614+0800 I ACCESS   [conn8] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:34:11.633+0800 I ACCESS   [conn8] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2018-04-08T17:34:11.713+0800 I ACCESS   [conn8] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2018-04-08T17:34:23.127+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
2018-04-08T17:34:38.914+0800 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
2018-04-08T17:36:42.435+0800 I NETWORK  [conn1] end connection 127.0.0.1:35930 (1 connection now open)
</code>

可以看出,先后3次的client的连接,都显示出了对应的ip(和端口)了:

112.4.64.141:49882

112.4.64.141:49913

112.4.64.141:49937

->从而确定了,此处的client的IP是:

112.4.64.141

【已解决】用工具或网站查询自己本地的网络的IP地址

另外的要加的IP:

同事的公司的IP:

112.4.64.138

【已解决】MongoDB开启访问控制后currentOp出错:not authorized on admin to execute command

Configuration File Options — MongoDB Manual 3.6

对于:

net.bindIp

好像就是IP的列表,逗号隔开即可

所以接着去添加IP的限制:

<code>vi /etc/mongod.conf
     26 # network interfaces
     27 net:
     28   port: 12345
     29   bindIp: 127.0.0.1, 112.4.64.141 # Listen to specific IP
</code>

结果竟然重启mongod出错:

【已解决】添加了IP限制的mongod重启出错:Job for mongod.service failed because the control process exited with error code

【总结】

mongod的配置中的:

  • bindIp:主要指的是,mongod去监听listen哪个IP(的哪个port)端口

    • 所以此处的IP都指的是:服务器本身的IP

      • 典型的是:

        • 127.0.0.1

          • 等价于:localhost

          • 新版mongo默认值就是127.0.0.1

        • 服务器的内网/局域网/私有 IP

          • 比如此处的:172.16.141.197

            • 可以通过ifconfig或阿里云ECS服务器控制后台中找到

    • 而不是外网的,作为mongo的client的IP的限制

      • 这点很容易搞混淆

      • 也有很多人,包括我,之前搞错了,以为是用来限制,只允许特定外网IP能访问mongo的呢

    • 如果有多个IP,用逗号隔开

      • 比如:

        • bindIp: 127.0.0.1,172.16.141.197

      • 要注意:逗号中间不能有空格,否则会报错:

        • getaddrinfo(” 112.4.64.141″) failed: Name or service not known

而想要实现:

限制外网访问mongo,只允许特定的IP进来访问mongo的话,则:

Mongo的配置中,是无法实现这个效果的。

只能换用其他办法,比如:

通过设置防火墙,添加:

只允许某些IP,入网方向,能够访问mongo的对应的端口

从而禁止掉其他的IP访问mongo

而此处的阿里云的ECS服务器中,可以通过设置安全组,实现和防火墙一样的效果。

具体设置办法:

进去阿里云控制后台-》云服务器 ECS-》安全组-〉你的ECS服务器所在的区域-》对应的ECS服务器-〉配置规则:

增加2个规则:

(1)规则1: 允许特定的IP(单个IP,某个IP地址段(内的所有的IP),某几个IP)允许访问某端口

(2)规则2:禁止掉,其他的IP访问该端口

举例如下:

授权策略
协议类型
端口范围
授权类型
授权对象
描述
优先级
允许
自定义 TCP
12345/12345
地址段访问
112.4.64.141
允许外网特定IP访问MongoDB数据库
1
拒绝
自定义 TCP
12345/12345
地址段访问
0.0.0.0/0
禁止外网别的IP访问MongoDB数据库
2

详见:

【记录】通过阿里云ECS服务器安全组限制访问mongo的IP和端口

转载请注明:在路上 » 【已解决】给MongoDB限制IP访问

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
92 queries in 0.190 seconds, using 23.42MB memory