I already knew that to restrict which IPs can connect to mongo, you edit the config file:
vi /etc/mongod.conf
and change the bindIp in it.
But first one thing has to be cleared up here:
how to determine the IP of the mongo client.
mongo how check client ip
database – how to get connected clients in MongoDB – Stack Overflow
Mongodb list current connection – Database Administrators Stack Exchange
Then I connected from my local machine to the remote mongo:
But the mongo shell still could not print the IPs of the current connections:
<code>[root@naturling-general-01 ~]# mongo
MongoDB shell version: 3.2.19
connecting to: test
> db.currentOp().inprog
> db.currentOp().inprog
> db.currentOp(true).inprog
> db.currentOp(true).inprog
</code>
Switching into the relevant database did not help either:
<code>> use gridfs
switched to db gridfs
> db.currentOp(true).inprog
</code>
Looking at the mongod server log:
<code>2018-04-08T17:32:04.543+0800 I NETWORK [initandlisten] waiting for connections on port 27017
2018-04-08T17:32:12.235+0800 I NETWORK [initandlisten] connection accepted from 127.0.0.1:35930 #1 (1 connection now open)
2018-04-08T17:32:12.237+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2018-04-08T17:32:12.239+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2018-04-08T17:32:38.469+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0 }
2018-04-08T17:32:56.056+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49881 #2 (2 connections now open)
2018-04-08T17:32:56.208+0800 I ACCESS [conn2] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:32:56.289+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49882 #3 (3 connections now open)
2018-04-08T17:32:56.426+0800 I ACCESS [conn3] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:32:56.513+0800 I NETWORK [conn3] end connection 112.4.64.141:49882 (2 connections now open)
2018-04-08T17:32:56.513+0800 I NETWORK [conn2] end connection 112.4.64.141:49881 (1 connection now open)
2018-04-08T17:33:01.485+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49913 #4 (2 connections now open)
2018-04-08T17:33:01.588+0800 I ACCESS [conn4] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:01.669+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49914 #5 (3 connections now open)
2018-04-08T17:33:01.765+0800 I ACCESS [conn5] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:01.864+0800 I NETWORK [conn4] end connection 112.4.64.141:49913 (2 connections now open)
2018-04-08T17:33:01.865+0800 I NETWORK [conn5] end connection 112.4.64.141:49914 (1 connection now open)
2018-04-08T17:33:05.178+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49936 #6 (2 connections now open)
2018-04-08T17:33:05.301+0800 I ACCESS [conn6] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:05.382+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49937 #7 (3 connections now open)
2018-04-08T17:33:05.473+0800 I ACCESS [conn7] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:33:07.218+0800 I NETWORK [conn7] end connection 112.4.64.141:49937 (2 connections now open)
2018-04-08T17:33:07.219+0800 I NETWORK [conn6] end connection 112.4.64.141:49936 (1 connection now open)
2018-04-08T17:33:09.472+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0 }
2018-04-08T17:33:22.720+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
2018-04-08T17:34:11.478+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:50339 #8 (2 connections now open)
2018-04-08T17:34:11.614+0800 I ACCESS [conn8] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:34:11.633+0800 I ACCESS [conn8] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2018-04-08T17:34:11.713+0800 I ACCESS [conn8] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2018-04-08T17:34:23.127+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
2018-04-08T17:34:38.914+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
2018-04-08T17:36:42.435+0800 I NETWORK [conn1] end connection 127.0.0.1:35930 (1 connection now open)
</code>
It can be seen that the three successive client connections all show the corresponding IP (and port):
112.4.64.141:49882
112.4.64.141:49913
112.4.64.141:49937
-> which confirms that the client IP here is:
112.4.64.141
Another IP that needs adding:
a colleague's company IP:
112.4.64.138
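As an added example (not code from the original post), a small Python parser that does what was done by eye above: it pulls the client addresses out of mongod "connection accepted" lines and resolves the later [connN] "Unauthorized" lines back to the address that opened the connection, which is also a handy detection check. The sample lines are an abridged copy of the log quoted in this post.

```python
import re
from collections import Counter

# Abridged copy of the mongod log quoted in this post, embedded so the example runs offline.
SAMPLE_LOG = """\
2018-04-08T17:32:12.235+0800 I NETWORK [initandlisten] connection accepted from 127.0.0.1:35930 #1 (1 connection now open)
2018-04-08T17:32:38.469+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0 }
2018-04-08T17:32:56.056+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49881 #2 (2 connections now open)
2018-04-08T17:32:56.208+0800 I ACCESS [conn2] Successfully authenticated as principal gridfs on gridfs
2018-04-08T17:32:56.513+0800 I NETWORK [conn2] end connection 112.4.64.141:49881 (1 connection now open)
2018-04-08T17:33:01.485+0800 I NETWORK [initandlisten] connection accepted from 112.4.64.141:49913 #4 (2 connections now open)
2018-04-08T17:33:22.720+0800 I ACCESS [conn1] Unauthorized: not authorized on admin to execute command { currentOp: 1.0, $all: true }
"""

# "connection accepted from <ip>:<port> #<n>" is the only place the log ties a conn id to a peer address.
ACCEPTED = re.compile(r"connection accepted from (?P<ip>[\d.]+):(?P<port>\d+) #(?P<conn>\d+)")
# Later lines carry only [connN]; the command name is the first key inside the braces.
UNAUTH = re.compile(r"\[conn(?P<conn>\d+)\] Unauthorized: not authorized on (?P<db>\w+) "
                    r"to execute command \{ (?P<cmd>\w+)")


def accepted_connections(log):
    """Map connection id -> (client ip, client port) for every accepted connection."""
    conns = {}
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            conns[int(m["conn"])] = (m["ip"], int(m["port"]))
    return conns


def remote_client_ips(log):
    """Distinct client addresses, leaving out loopback (the mongo shell run on the server itself)."""
    return sorted({ip for ip, _ in accepted_connections(log).values() if ip != "127.0.0.1"})


def unauthorized_by_client(log):
    """Count unauthorized commands per (client ip, command), resolving connN through its accept line."""
    conns = accepted_connections(log)
    counts = Counter()
    for line in log.splitlines():
        m = UNAUTH.search(line)
        if m:
            ip = conns.get(int(m["conn"]), ("unknown", 0))[0]
            counts[(ip, m["cmd"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print("client IPs seen:", remote_client_ips(SAMPLE_LOG))
    print("unauthorized commands:", unauthorized_by_client(SAMPLE_LOG))
```

On a real host, feed it the contents of the mongod log file instead of SAMPLE_LOG; the regexes only cover IPv4 peers.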
[Solved] MongoDB currentOp error after enabling access control: not authorized on admin to execute command
Configuration File Options — MongoDB Manual 3.6
For:
net.bindIp
it seems to be simply a list of IPs, separated by commas.
So I went ahead and added the IP restriction:
<code>vi /etc/mongod.conf
# network interfaces
net:
  port: 12345
  bindIp: 127.0.0.1, 112.4.64.141  # Listen to specific IP
</code>
But restarting mongod then failed with an error.
[Summary]
In the mongod configuration:
bindIp means which IP (and which port on it) mongod listens on.
So the IPs here are all addresses of the server itself.
Typically:
127.0.0.1
equivalent to localhost
newer mongo versions default to 127.0.0.1
the server's intranet/LAN/private IP
for example here: 172.16.141.197
which you can find with ifconfig or in the Alibaba Cloud ECS console
It is NOT a restriction on the public IPs of mongo clients.
This is easy to mix up.
Many people, including me, got it wrong before and assumed it was for allowing only specific public IPs to access mongo.
If there are several IPs, separate them with commas,
for example:
bindIp: 127.0.0.1,172.16.141.197
Note: there must be no space after the comma, otherwise you get the error:
getaddrinfo(" 112.4.64.141") failed: Name or service not known
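The two mistakes above (a space after the comma, and a client's public IP in bindIp) can be caught before restarting mongod. This is an added example, not the post's own code; LOCAL_ADDRS is a constructed stand-in for the addresses the server actually has.

```python
import ipaddress

# Constructed for this example: the interface addresses the server in the post would report
# (loopback plus the private/intranet address the post gives). Replace with `hostname -I`
# or `ip addr` output on a real host.
LOCAL_ADDRS = {"127.0.0.1", "172.16.141.197"}


def parse_bind_ip(value):
    """Split a bindIp value on commas only, without trimming whitespace.

    mongod resolves each entry verbatim, so a space after the comma produces the
    getaddrinfo(" ...") failure quoted above instead of a usable address.
    """
    entries = value.split(",")
    bad = [e for e in entries if not e or e != e.strip()]
    if bad:
        raise ValueError(f"bindIp entries must not be empty or contain spaces: {bad!r}")
    return entries


def check_bind_ip(value, local_addrs=LOCAL_ADDRS):
    """Return a list of problems with a bindIp setting (empty list = looks fine).

    Every entry has to be an address of this host, because bindIp names the
    interfaces mongod listens on; it is not an allow-list of client addresses.
    """
    try:
        entries = parse_bind_ip(value)
    except ValueError as err:
        return [str(err)]
    problems = []
    for entry in entries:
        if entry == "localhost":
            continue  # hostname form of 127.0.0.1, resolved by mongod itself
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"{entry}: not an IP address")
            continue
        if addr.is_unspecified:
            problems.append(f"{entry}: listens on every interface; restrict clients with a firewall or security group")
        elif entry not in local_addrs:
            problems.append(f"{entry}: not an address of this host, so mongod cannot listen on it; "
                            "bindIp is not a client allow-list")
    return problems
```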
To actually achieve this:
restricting public access to mongo so that only specific IPs can get in,
the Mongo configuration cannot do it.
You have to use another method, for example:
set up a firewall with a rule that
allows only certain IPs, in the inbound direction, to reach mongo's port,
thereby blocking every other IP from accessing mongo.
On the Alibaba Cloud ECS server used here, a security group gives the same effect as a firewall.
The concrete steps:
Go to the Alibaba Cloud console -> Elastic Compute Service (ECS) -> Security Groups -> the region your ECS instance is in -> the ECS instance in question -> Configure Rules:
Add 2 rules:
(1) Rule 1: allow specific IPs (a single IP, an address range (all IPs within it), or several IPs) to access the port
(2) Rule 2: deny all other IPs access to that port
For example:
| Action | Protocol type | Port range | Authorization type | Authorized object | Description | Priority |
| --- | --- | --- | --- | --- | --- | --- |
| Allow | Custom TCP | 12345/12345 | Address range | 112.4.64.141 | Allow a specific public IP to access the MongoDB database | 1 |
| Deny | Custom TCP | 12345/12345 | Address range | 0.0.0.0/0 | Block all other public IPs from accessing the MongoDB database | 2 |
For details see:
[Note] Restricting the IPs and port allowed to access mongo with an Alibaba Cloud ECS security group
Please credit when reposting: 在路上 » [Solved] Restricting IP access to MongoDB