Remote Access and Authentication

To allow remote access, you will need to enable authentication on MongoDB. This will allow you to connect to your database remotely with Mongo Compass.

Add Mongo Credentials

The first step is to create Mongo users, so that the database cannot be accessed without a password.

In PuTTY, open the mongo command line with

mongo

While mongo is running in the command line prompt, you can run mongo commands. Use this one to change to the admin database to manage users

use admin

Run these commands to add mongo users. Make sure to set a different password for each, save them somewhere to use later, and note the database name (in this example it's called tcgengine).

It is best to use a complex random password, e.g. "ha28SjfhsZX4Mcn2asd", and save those somewhere secure. Don't use a password you frequently use online.

Important: Mongo users are not the same as your actual users in the database. You don't need a mongo user for each real user. Mongo users are just a list of app credentials that can connect to mongo. I usually only create 3 users, not more. One root user, one for the NodeJS app, and one read-only user to use in Mongo Compass.

Create a Root user

db.createUser({user:"root", pwd:"123456789", roles:[{role: "dbAdminAnyDatabase", db: "admin"}, {role: "readWriteAnyDatabase", db: "admin"}] })

Create a user for your app

db.createUser({user: "api", pwd: "123456789", roles: [{role: "readWrite", db: "tcgengine"}]})

And finally I also like to create a read-only user

db.createUser({user: "viewer", pwd: "123456789", roles: [{role: "read", db: "tcgengine"}]})

If you made a mistake you can delete a user with

db.dropUser("viewer")

Use Ctrl-C at any time to quit mongo and return to the regular Ubuntu command line.

Enable Authentication

On your server open the file: /etc/mongod.conf

Change the Binding IP to

bindIp: 127.0.0.1,10.11.12.13

The second IP, after the comma, is the IP of your server where the API and mongo are installed. This will allow remote access to your MongoDB.

Add these lines in the mongod.conf file

security:
  authorization: "enabled"

This will prevent connecting without a username/password. You will instead need to use one of the users you created during Mongo Installation.

Important: Changing the binding IP will allow anyone to try to connect directly to your database from anywhere, as long as they have the password. It can be useful for development if you want to read your database from Mongo Compass, but it is also an increased security risk. If you allow remote connections, you should also set up your server firewall properly so that it blocks requests to the MongoDB port that don't come from your IP. See the Firewall section below.

Restart mongo to enable your conf changes

systemctl restart mongod

Make sure you didn't break anything by changing the config

systemctl status mongod
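
The check below is an added example, not part of the original guide: it audits a mongod.conf for the two settings changed in this section. The function name audit_mongod_conf, the helper make_samples and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. Returns 0 only when security.authorization is "enabled"
# and net.bindIp lists specific addresses (no 0.0.0.0, ::, or bindIpAll).
audit_mongod_conf() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 2; }
    awk '
        BEGIN { q = sprintf("%c", 39) }                 # single-quote character
        { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }   # drop comments, trailing space
        $0 == "" { next }
        /^[^ \t]/ { section = $1; sub(/:.*$/, "", section); next }  # top-level key
        {
            key = $1; sub(/:$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            gsub(/"/, "", val); gsub(q, "", val)        # unquote YAML strings
        }
        section == "security" && key == "authorization" { auth = val }
        section == "net" && key == "bindIp"    { bind = val }
        section == "net" && key == "bindIpAll" { all = val }
        END {
            bad = 0
            if (auth != "enabled") { print "FAIL: security.authorization is not enabled"; bad = 1 }
            if (all == "true")     { print "FAIL: net.bindIpAll exposes every interface"; bad = 1 }
            n = split(bind, ips, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (ips[i] == "0.0.0.0" || ips[i] == "::") {
                    print "FAIL: net.bindIp contains wildcard " ips[i]; bad = 1
                }
            if (!bad) print "OK: authorization enabled, bindIp=" bind
            exit bad
        }
    ' "$1"
}

# Constructed sample files (not from a real server).
make_samples() {
    printf 'net:\n  port: 27017\n  bindIp: 0.0.0.0\n#security:\n' > "$1/weak.conf"
    printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1,10.11.12.13\nsecurity:\n  authorization: "enabled"\n' > "$1/hardened.conf"
}

tmp=$(mktemp -d) && make_samples "$tmp"
audit_mongod_conf "$tmp/weak.conf" || true
audit_mongod_conf "$tmp/hardened.conf"
```

On the server itself, run audit_mongod_conf /etc/mongod.conf after editing the file and before restarting mongod.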

Update API config.js

For NodeJS app access, open the config.js file in WinSCP to edit a few things

Change mongo_user to "api" (or any other mongo user you created for your app)

Change mongo_pass to the password you set for your api user

Change mongo_db to the database name you granted access to your mongo users.

Now also restart your NodeJS app to make sure it can still connect to Mongo. When testing something you can start the app normally with node server.js to see the errors in console instead of using forever. When everything is working, you can start the app with forever.

Access from Mongo Compass

You can also connect to your database from your PC, in Mongo Compass, using a string similar to this one

mongodb://[user]:[password]@[hosturl]:27017/[database]?authSource=admin

For example

mongodb://root:123456789@survival-engine.com:27017/tcgengine?authSource=admin

The host URL can either be a domain or IP address.

If you already set up your ufw firewall previously, you may not be able to connect to it from Compass since port 27017 is not open (see below). You should be able to connect to mongo from the NodeJS app even if the port is blocked on the firewall, since they are on the same server.

Firewall setup

It’s good to block the ports you don’t use on your server. From the command line, you can run

ufw allow ssh
ufw allow http
ufw allow https
ufw enable

http will open port 80, https will open port 443, and ssh will open port 22.

And to check the status of your firewall:

ufw status

Be sure to always run allow ssh before enabling the firewall, otherwise you will lose your putty connection and won’t be able to connect anymore.

If you also want to open direct access to MongoDB (to use in Mongo Compass), you can enable port 27017 but only for your IP address.

ufw allow from 1.2.3.4 to any port 27017

It is important to replace 1.2.3.4 with your own external IP address.

27017 is the default port for Mongo so no need to change it.

It will open port 27017 but only for requests coming from your IP address. This can be really useful to read the database on your PC for development, and you can turn off the access when going live.

The firewall will not block local access, so your API should be able to access your database if installed on the same server. If for some reason your MongoDB isn't on the same server as your NodeJS API, you will also need to allow the API server IP on the ufw firewall.
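
The check below is an added example, not part of the original guide: it reads ufw status output and confirms that port 27017 is only allowed from a specific address, as in the rule above. The function name check_mongo_port and both sample outputs are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ufw status` text on stdin; returns 0 only if ufw is
# active and every ALLOW rule for the MongoDB port names a specific source.
check_mongo_port() {
    awk -v port="${1:-27017}" '
        /^Status:/ { active = ($2 == "active"); next }
        {
            split($1, to, "/")                  # "27017/tcp" -> "27017"
            if (to[1] != port) next
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") break
            if (i > NF) next                    # DENY/REJECT rules do not open the port
            src = $(i + 1); if (src == "IN") src = $(i + 2)
            if (src == "Anywhere") { print "FAIL: " port " reachable from Anywhere"; bad = 1 }
            else print "OK: " port " limited to " src
        }
        END {
            if (!active) { print "FAIL: ufw is not active"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed samples in the layout `ufw status` prints (not real output).
sample_restricted() { cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
27017                      ALLOW       1.2.3.4
EOF
}
sample_open() { cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
27017                      ALLOW       Anywhere
27017 (v6)                 ALLOW       Anywhere (v6)
EOF
}

sample_restricted | check_mongo_port
sample_open | check_mongo_port || true
```

On the server, pipe the live output into it with ufw status | check_mongo_port.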
