How to connect with RoboMongo to MongoDB hosted on your VPS (DigitalOcean, Vultr, AWS, etc.)


So I finally decided to take my server online but not without a few hiccups.

The problem is I wanted to begin with mLabs but somehow my firewall was blocking it. So I decided to host it on my server and connect directly into it.

Installing it was not a problem. If you are used to Ubuntu or another Linux OS, you will be very familiar with it. You will need to add a few firewall rules, though, as you don’t want everyone to access your instance remotely. So at the end we will add our own IP to the firewall rule.

 

Step 1 — Adding the MongoDB Repository

MongoDB is already included in Ubuntu package repositories, but the official MongoDB repository provides the most up-to-date version and is the recommended way of installing the software. In this step, we will add this official repository to our server.

Ubuntu ensures the authenticity of software packages by verifying that they are signed with GPG keys, so we first have to import the key for the official MongoDB repository.

  • sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927

After successfully importing the key, you will see:

Output
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Next, we have to add the MongoDB repository details so apt will know where to download the packages from.

Issue the following command to create a list file for MongoDB.

  • echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list

After adding the repository details, we need to update the packages list.

  • sudo apt-get update

Step 2 — Installing and Verifying MongoDB

Now we can install the MongoDB package itself.

  • sudo apt-get install -y mongodb-org

This command will install several packages containing the latest stable version of MongoDB along with helpful management tools for the MongoDB server.

In order to properly launch MongoDB as a service on Ubuntu 16.04, we additionally need to create a unit file describing the service. A unit file tells systemd how to manage a resource. The most common unit type is a service, which determines how to start or stop the service, when it should be automatically started at boot, and whether it is dependent on other software to run.

We’ll create a unit file to manage the MongoDB service. Create a configuration file named mongodb.service in the /etc/systemd/system directory using nano or your favorite text editor.

  • sudo nano /etc/systemd/system/mongodb.service

Paste in the following contents, then save and close the file.

/etc/systemd/system/mongodb.service
[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target

[Service]
User=mongodb
ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf

[Install]
WantedBy=multi-user.target

This file has a simple structure:

  • The Unit section contains the overview (e.g. a human-readable description for MongoDB service) as well as dependencies that must be satisfied before the service is started. In our case, MongoDB depends on networking already being available, hence network.target here.
  • The Service section specifies how the service should be started. The User directive specifies that the server will be run under the mongodb user, and the ExecStart directive defines the startup command for MongoDB server.
  • The last section, Install, tells systemd when the service should be automatically started. The multi-user.target is a standard system startup sequence, which means the server will be automatically started during boot.

Next, start the newly created service with systemctl.

  • sudo systemctl start mongodb

While there is no output to this command, you can also use systemctl to check that the service has started properly.

  • sudo systemctl status mongodb
Output
● mongodb.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/etc/systemd/system/mongodb.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2016-04-25 14:57:20 EDT; 1min 30s ago
 Main PID: 4093 (mongod)
    Tasks: 16 (limit: 512)
   Memory: 47.1M
      CPU: 1.224s
   CGroup: /system.slice/mongodb.service
           └─4093 /usr/bin/mongod --quiet --config /etc/mongod.conf

The last step is to enable automatically starting MongoDB when the system starts.

  • sudo systemctl enable mongodb

The MongoDB server is now configured and running, and you can manage the MongoDB service using the systemctl command (e.g. sudo systemctl stop mongodb, sudo systemctl start mongodb).

Step 3 — Adjusting the Firewall (Optional)

Assuming you have followed the initial server setup tutorial instructions to enable the firewall on your server, MongoDB server will be inaccessible from the internet.

If you intend to use the MongoDB server only locally with applications running on the same server, it is a recommended and secure setting. However, if you would like to be able to connect to your MongoDB server from the internet, we have to allow the incoming connections in ufw.

To allow access to MongoDB on its default port 27017 from everywhere, you could use sudo ufw allow 27017. However, enabling internet access to MongoDB server on a default installation gives unrestricted access to the whole database server.

In most cases, MongoDB should be accessed only from certain trusted locations, such as another server hosting an application. To accomplish this task, you can allow access on MongoDB’s default port while specifying the IP address of another server that will be explicitly allowed to connect.

  • sudo ufw allow from your_other_server_ip/32 to any port 27017

You can verify the change in firewall settings with ufw.

  • sudo ufw status

You should see traffic to port 27017 allowed in the output. If you have decided to allow only a certain IP address to connect to the MongoDB server, the IP address of the allowed location will be listed instead of Anywhere in the output.

Output
Status: active

To                         Action      From
--                         ------      ----
27017                      ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
27017 (v6)                 ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

More advanced firewall settings for restricting access to services are described in UFW Essentials: Common Firewall Rules and Commands.

 

Now we have successfully installed the DB on our server. The second part is how to access it. 

You can’t just use the direct IP and login. What we will do is SSH into our VPS and connect as a localhost. Simple 🙂

 

In the “Connection” panel:
Address – localhost
Port – 27017

 

In the “SSH” panel:
Address – <your_ip_or_fqdn>:22
and use a private key auth or your password.

 

This connects over SSH on port 22 and forwards the traffic to port 27017 on the server.

Mongo on your droplet is set to respond only to traffic from localhost, which is where the SSH tunnel comes in handy. Running db.serverCmdLineOpts() from the mongo shell will tell you what it is bound to.

 

There is another “LESS” secure way to connect which I don’t recommend. But if you are dev testing your app to your remote server, this might be the way to go.

You need to change the Bind IP option

Bind IP is a MongoDB option that restricts which IP addresses mongod listens on for connections.

Have a look at your mongod configuration file; most of the time bindIp (bind_ip in the older configuration format) is set to 127.0.0.1 for obvious security reasons. You can:

  1. Add your desired IP by concatenating a list of comma-separated values to bind MongoDB to multiple IP addresses.
  2. Remove or comment out (with the # character) the bindIp line. But be aware that all remote hosts will then be able to connect to your MongoDB server!

More about bind_ip configuration option: https://docs.mongodb.com/manual/reference/configuration-options/#net.bindIp

Bind IP can also be set as a command argument: http://docs.mongodb.org/manual/reference/program/mongod/#cmdoption--bind_ip

SSH into your server and open the configuration file:

  • sudo nano /etc/mongod.conf

Comment out the bindIp line in the file. This is how it should look now:

# network interfaces
net:
  port: 27017
  # bindIp: 127.0.0.1

 

You can also add your specific IP to bind IP. This is actually the better way to do it, as you will only be able to access it from your machine/IP. Change it to look like this:

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,your_ip_address_goes_here
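
Added example (not from the original post): a script that reads ufw status output and the net.bindIp line of mongod.conf and reports whether the Step 3 firewall rule and the bind setting together leave mongod reachable from the internet. It assumes MongoDB 3.2 behaviour (no bindIp means every interface); the function names and sample inputs are constructed, and because bindIp only names the server's own listening addresses, the per-client restriction is read from the ufw rule.

```bash
# Added example (not from the original post); sample inputs are constructed.

# fw_scope PORT < `ufw status` output -> open | restricted | closed
fw_scope() {
  awk -v port="$1" '
    $1 == port || $1 == port "/tcp" {
      for (i = 2; i <= NF; i++) if ($i == "ALLOW") {
        found = 1                              # some rule admits this port
        if ($(i + 1) == "Anywhere") any = 1    # ...from every source address
      }
    }
    END { print (any ? "open" : (found ? "restricted" : "closed")) }'
}

# bind_scope < mongod.conf -> loopback | network | all
bind_scope() {
  awk '
    /^[ \t]*#/ { next }                        # a commented-out bindIp is not in effect
    /^[ \t]*bindIp:/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); val = $0 }
    END {
      if (val == "") { print "all"; exit }     # MongoDB 3.2: unset means every interface
      n = split(val, a, ",")
      for (i = 1; i <= n; i++) {
        if (a[i] == "0.0.0.0" || a[i] == "::") { print "all"; exit }
        if (a[i] != "127.0.0.1" && a[i] != "localhost" && a[i] != "::1") net = 1
      }
      print (net ? "network" : "loopback")
    }'
}

# exposure BIND_SCOPE FW_SCOPE -> one-word verdict
exposure() {
  case "$1:$2" in
    loopback:*)   echo "local-only" ;;         # reachable only via the SSH tunnel
    *:closed)     echo "firewalled" ;;
    *:restricted) echo "allow-listed" ;;
    *)            echo "exposed" ;;            # listening on the network, open to Anywhere
  esac
}

UFW_OPEN='27017                      ALLOW       Anywhere
27017 (v6)                 ALLOW       Anywhere (v6)'
UFW_LIMITED='27017                      ALLOW       203.0.113.10'
CONF_COMMENTED='net:
  port: 27017
  # bindIp: 127.0.0.1'
for fw in "$UFW_OPEN" "$UFW_LIMITED"; do
  exposure "$(printf '%s\n' "$CONF_COMMENTED" | bind_scope)" "$(printf '%s\n' "$fw" | fw_scope 27017)"
done
```

On the server, feed it real data with sudo ufw status | fw_scope 27017 and bind_scope < /etc/mongod.conf.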