How To Configure Remote Access for MongoDB on Ubuntu 20.04

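This article walks you through securely configuring MongoDB on an Ubuntu 20.04 server so that a trusted remote computer can access it. The steps include updating the firewall rules to allow access to the port MongoDB listens on, modifying the configuration file to bind a public IP address, and testing the remote connection. The tutorial applies to servers with MongoDB 4.4 or newer installed, and recommends enabling authentication on the database for added security.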

An earlier version of this tutorial was written by Melissa Anderson.

Introduction

MongoDB, also known as Mongo, is an open-source document database used commonly in modern web applications. By default, it only allows connections that originate on the same server where it’s installed. If you want to manage MongoDB remotely or connect it to a separate application server, there are a few changes you’d need to make to the default configuration.

In this tutorial, you will configure a MongoDB installation to securely allow access from a trusted remote computer. To do this, you’ll update your firewall rules to provide the remote machine access to the port on which MongoDB is listening for connections and then update its configuration file to change its IP binding setting. Then, as a final step, you’ll test that your remote machine is able to make the connection to your database successfully.

Prerequisites

To complete this tutorial, you’ll need:

  • A server running Ubuntu 20.04. This server should have a non-root administrative user and a firewall configured with UFW. Set this up by following our initial server setup guide for Ubuntu 20.04.

  • MongoDB installed on your server. This tutorial assumes that you have MongoDB 4.4 or newer installed. You can install this version by following our tutorial on How To Install MongoDB on Ubuntu 20.04.

  • A second computer from which you’ll access your MongoDB instance. For simplicity, this tutorial assumes that this machine is another Ubuntu 20.04 server, with a non-root administrative user and a UFW firewall configured following our initial server setup guide for Ubuntu 20.04. However, Steps 1 and 2, which describe the actual procedure for enabling remote connectivity on the database server, will work regardless of what operating system the remote machine is running.

Lastly, while it isn’t required to complete this tutorial, we strongly recommend that you secure your MongoDB installation by creating an administrative user account for the database and enabling authentication. To do this, follow our tutorial on How To Secure MongoDB on Ubuntu 20.04.

Step 1 — Adjusting the Firewall

Assuming you followed the prerequisite initial server setup tutorial and enabled a UFW firewall on your server, your MongoDB installation will be inaccessible from the internet. If you intend to use MongoDB only locally with applications running on the same server, this is the recommended and secure setting. However, if you would like to be able to connect to your MongoDB server from a remote location, you have to allow incoming connections to the port where the database is listening by adding a new UFW rule.

Start by checking which port your MongoDB installation is listening on with the lsof command. This command typically returns a list with every open file in a system, but when combined with the -i option, it lists only network-related files or data streams.

The following command will redirect the output produced by lsof -i to a grep command that searches for a string named mongo:

  • sudo lsof -i | grep mongo

This example output shows that MongoDB is listening for connections on its default port, 27017:

Output
mongod 82221 mongodb 11u IPv4 913411 0t0 TCP localhost:27017 (LISTEN)

In most cases, MongoDB should only be accessed from certain trusted locations, such as another server hosting an application. One way to configure this is to run the following command on your MongoDB server, which opens up access on MongoDB’s default port while explicitly only allowing the IP address of the other trusted server.

Run the following command, making sure to change trusted_server_ip to the IP address of the trusted remote machine you’ll use to access your MongoDB instance:

Note: If the previous command’s output showed that your installation of MongoDB is listening on a non-default port, use that port number in place of 27017 in this command.

  • sudo ufw allow from trusted_server_ip to any port 27017

In the future, if you ever want to access MongoDB from another machine, run this command again with the new machine’s IP address in place of trusted_server_ip.

You can verify the change in firewall settings with ufw:

  • sudo ufw status

The output will show that traffic to port 27017 from the remote server is now allowed:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
27017                      ALLOW       trusted_server_ip
OpenSSH (v6)               ALLOW       Anywhere (v6)

You can find more advanced firewall settings for restricting access to services in UFW Essentials: Common Firewall Rules and Commands.

Next, you’ll bind MongoDB to the server’s public IP address so you can access it from your remote machine.

Step 2 — Configuring a Public bindIP

At this point, even though the port is open, MongoDB is currently bound to 127.0.0.1, the local loopback network interface. This means that MongoDB is only able to accept connections that originate on the server where it’s installed.

To allow remote connections, you must edit the MongoDB configuration file — /etc/mongod.conf — to additionally bind MongoDB to your server’s publicly-routable IP address. This way, your MongoDB installation will be able to listen to connections made to your MongoDB server from remote machines.

Open the MongoDB configuration file in your preferred text editor. The following example uses nano:

  • sudo nano /etc/mongod.conf

Find the network interfaces section, then the bindIp value:

/etc/mongod.conf
. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

. . .

Append a comma to this line followed by your MongoDB server’s public IP address:

/etc/mongod.conf
. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,mongodb_server_ip

. . .

Save and close the file. If you used nano, do so by pressing CTRL + X, Y, then ENTER.

Then, restart MongoDB to put this change into effect:

  • sudo systemctl restart mongod

Following that, your MongoDB installation will be able to accept remote connections from whatever machines you’ve allowed to access port 27017. As a final step, you can test whether the trusted remote server you allowed through the firewall in Step 1 can reach the MongoDB instance running on your server.

Step 3 — Testing Remote Connectivity

Now that you configured your MongoDB installation to listen for connections that originate on its publicly-routable IP address and granted your remote machine access through your server’s firewall to Mongo’s default port, you can test that the remote machine is able to connect.

Note: As mentioned in the Prerequisites section, this tutorial assumes that your remote machine is another server running Ubuntu 20.04. The procedure for enabling remote connections outlined in Steps 1 and 2 should work regardless of what operating system your remote machine runs, but the testing methods described in this Step do not work universally across operating systems.

One way to test that your trusted remote server is able to connect to the MongoDB instance is to use the nc command. nc, short for netcat, is a utility used to establish network connections with TCP or UDP. It’s useful for testing in cases like this because it allows you to specify both an IP address and a port number.

First, log into your trusted server using SSH:

  • ssh sammy@trusted_server_ip

Then run the following nc command, which includes the -z option. This limits nc to only scan for a listening daemon on the target server without sending it any data. Recall from the prerequisite installation tutorial that MongoDB is running as a service daemon, making this option useful for testing connectivity. It also includes the -v option, which increases the command’s verbosity, causing netcat to return some output which it otherwise wouldn’t.

Run the following nc command from your trusted remote server, making sure to replace mongodb_server_ip with the IP address of the server on which you installed MongoDB:

  • nc -zv mongodb_server_ip 27017

If the trusted server can access the MongoDB daemon, its output will indicate that the connection was successful:

Output
Connection to mongodb_server_ip 27017 port [tcp/*] succeeded!

Assuming you have a compatible version of the mongo shell installed on your remote server, you can at this point connect directly to the MongoDB instance installed on the host server.

One way to connect is with a connection string URI, like this:

  • mongo "mongodb://mongo_server_ip:27017"

Note: If you followed the recommended How To Secure MongoDB on Ubuntu 20.04 tutorial, you will have closed off access to your database to unauthenticated users. In this case, you’d need to use a URI that specifies a valid username, like this:

  • mongo "mongodb://username@mongo_server_ip:27017"

The shell will automatically prompt you to enter the user’s password.

With that, you’ve confirmed that your MongoDB server can accept connections from the trusted server.
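
The following script is an added example, not part of the original tutorial: it audits the exposure created in Steps 1 and 2 by classifying the bindIp value, listing which sources UFW allows to reach the MongoDB port, and checking whether security.authorization is enabled. The sample configuration and ufw status text are constructed, and 203.0.113.10 and 198.51.100.7 are documentation placeholder addresses.

```shell
# Added example (not from the original tutorial): audit the exposure from Steps 1-2.
# Both inputs are constructed; 203.0.113.10 and 198.51.100.7 are documentation IPs.
SAMPLE_CONF='net:
  port: 27017
  bindIp: 127.0.0.1,203.0.113.10'
SAMPLE_UFW='Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
27017                      ALLOW       198.51.100.7
OpenSSH (v6)               ALLOW       Anywhere (v6)'

# Classify net.bindIp (or bindIpAll) from mongod.conf text on stdin.
classify_bind() {
  awk '
    /^[ \t]*bindIpAll:[ \t]*true/ { all = 1 }
    /^[ \t]*bindIp:/ {
      sub(/^[ \t]*bindIp:[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); gsub(/[ \t"]/, "")
      n = split($0, ips, ",")
      for (i = 1; i <= n; i++)
        if (ips[i] == "0.0.0.0" || ips[i] == "::") all = 1
        else if (ips[i] !~ /^(127\.0\.0\.1|localhost|::1)$/) remote = 1
    }
    END { print (all ? "all-interfaces" : (remote ? "specific-address" : "loopback-only")) }'
}

# List the sources that plain `ufw status` text on stdin allows to reach port $1.
allowed_sources() {
  awk -v port="$1" '($1 == port || $1 == port "/tcp") {
    for (i = 2; i <= NF; i++) if ($i == "ALLOW") {
      s = ""; for (j = i + 1; j <= NF; j++) s = s (s == "" ? "" : " ") $j
      print s
    }
  }' | paste -sd, -
}
# Succeed when security.authorization is set to enabled in the config on stdin.
auth_enabled() { grep -Eq '^[[:space:]]+authorization:[[:space:]]*"?enabled'; }
# audit CONF_TEXT UFW_TEXT PORT: print one summary line; verdict=review needs attention.
audit() {
  bind=$(printf '%s\n' "$1" | classify_bind)
  src=$(printf '%s\n' "$2" | allowed_sources "$3")
  auth=disabled; verdict=ok
  if printf '%s\n' "$1" | auth_enabled; then auth=enabled; fi
  if [ "$bind" = all-interfaces ]; then verdict=review; fi
  case ",$src" in *,Anywhere*) verdict=review ;; esac
  if [ "$bind" != loopback-only ] && [ "$auth" = disabled ]; then verdict=review; fi
  echo "bind=$bind sources=${src:-none} auth=$auth verdict=$verdict"
}
audit "$SAMPLE_CONF" "$SAMPLE_UFW" 27017
```

On the database server, the same check can be run against live state with audit "$(sudo cat /etc/mongod.conf)" "$(sudo ufw status)" 27017. The constructed sample is flagged for review because a non-loopback address is bound while authorization is not enabled.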

Conclusion

You can now access your MongoDB installation from a remote server. At this point, you can manage your Mongo database remotely from the trusted server. Alternatively, you could configure an application to run on the trusted server and use the database remotely.

If you haven’t configured an administrative user and enabled authentication, anyone who has access to your remote server can also access your MongoDB installation. If you haven’t already done so, we strongly recommend that you follow our guide on How To Secure MongoDB on Ubuntu 20.04 to add an administrative user and lock things down further.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-configure-remote-access-for-mongodb-on-ubuntu-20-04
