MongoDB Configuration Hardening
HTTP Status Interface
Warning
Ensure that the HTTP status interface, the REST API, and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.
Deprecated since version 3.2: HTTP interface for MongoDB
Changed in version 2.6: The mongod and mongos instances run with the HTTP interface disabled by default. See the net.http.enabled setting.
The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status reports regarding the mongod or mongos instance. The HTTP status interface is disabled by default and is not recommended for production use.
The net.http.enabled setting enables the HTTP status interface. When enabled without the net.http.RESTInterfaceEnabled setting, the HTTP interface is entirely read-only and limited in scope.
The HTTP interface listens on the port that is 1000 greater than the primary mongod port. By default the HTTP interface port is 28017; it is set indirectly through the net.port option, which configures the primary mongod port.
The HTTP status interface does not include support for authentication other than MONGODB-CR.
While MongoDB Enterprise does support Kerberos authentication, Kerberos is not supported in HTTP status interface in any version of MongoDB.
Changed in version 3.0: Neither the HTTP status interface nor the REST API support the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0.
Warning
If you enable the interface, you should only allow trusted clients to access this port. See Firewalls.
REST API
Warning
Ensure that the HTTP status interface, the REST API, and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.
The REST API to MongoDB provides additional information and write access on top of the HTTP status interface. While the REST API does not provide any support for insert, update, or remove operations, it does provide administrative access, and its accessibility represents a vulnerability in a secure environment.
Deprecated since version 3.2: HTTP interface for MongoDB
The REST interface is disabled by default and is not recommended for production use.
The net.http.RESTInterfaceEnabled setting for mongod enables a fully interactive administrative REST interface, which is disabled by default. Enabling the REST API enables the HTTP interface, even if the HTTP interface option is disabled, and makes the HTTP interface fully interactive.
The REST API does not include support for authentication other than MONGODB-CR.
Warning
If you enable the interface, you should only allow trusted clients to access this port. See Firewalls.
Changed in version 3.0: Neither the HTTP status interface nor the REST API support the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0.
bind_ip
The net.bindIp setting (or the --bind_ip command line option) for mongod and mongos instances limits the network interfaces on which MongoDB programs will listen for incoming connections.
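The following mongod.conf (YAML) fragment is an added example, not taken from the MongoDB manual or the MongoDB project, and it illustrates both the HTTP status interface / REST API sections above and the net.bindIp setting. It contrasts the weak settings (kept as comments) with the hardened ones. It assumes a mongod of the 2.6 through 3.4 series, where the net.http.* options still exist; the IP addresses and ports are constructed values, and net.http.JSONPEnabled is the option behind the "JSON API" named in the warnings, not a key the page itself spells out.

```yaml
# Added example (not MongoDB's own documentation): hardened mongod.conf fragment.
# Assumes mongod 2.6 - 3.4, where net.http.* is still recognised.

# --- Weak configuration (kept only as a comment for comparison) ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0                 # listens on every interface
#   http:
#     enabled: true                 # status page on port 28017 (net.port + 1000)
#     RESTInterfaceEnabled: true    # implies enabled: true and makes it interactive
#     JSONPEnabled: true            # the "JSON API" the warnings refer to

# --- Hardened configuration ---
net:
  port: 27017
  # Constructed values: loopback plus one private interface; adjust to the
  # interfaces that trusted clients actually use.
  bindIp: 127.0.0.1,10.0.0.5
  http:
    enabled: false                  # default since 2.6, stated explicitly
    RESTInterfaceEnabled: false     # must also be false: true would re-enable the HTTP interface
    JSONPEnabled: false
```

After restarting mongod with this file, confirm that nothing is listening on port 28017 and that port 27017 is bound only to the listed addresses (for example with ss or netstat). On MongoDB 3.6 and later the HTTP interface was removed, so the net.http keys should be omitted entirely there and only the bindIp setting applies.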