MongoDB instance for production

mongodbmongodb-3.2

I am seeking advice before releasing my mongodb server into production from deployment mode.

Just to point out the server is working fine on development mode.

Scenario: Let's say I have two server Ubuntu 16.04 instances, where instance A is the (application instance), and instance B is the (mongo db 3.2 database).

For this instance B I don't think that I need scale/sharding/replicas, the idea is to let mongo occupy this instance all by itself to store secured users' credentials and some api data. (if you object, I am listing 🙂 )

How they communicate: Instance B only talks to Instance A through port 27077 since it's not recommended to use the default port 27017. Moreover in the config file of mongo I bind the A's static ip.

Just to point out only three ports are allows in that instance B, ssh and 2 mongo db port 27077 and 28017

First Question: In order for this communication to be secure, would it
be a better idea to use HTTPS port 443 instead of that basic TCP port 27077
, then disable the HTTP interface in the mongo.conf file? Is that enough to make the communication secured?

Authentication & Authorization: I create two user roles on the database, where one is the total admin and the other with basic rights which might prevent me from doing something stupid one day. For example deleting the wrong collection so and so.

Second Question: What would be the best way to always make sure the
mongo server is always responsive or running? (for example if the
server was rebooted, I need to make sure that the mongo is still
running) or (to avoid mongodb.lock file) because I had that issue before.

Third Question: Since I am not doing replica set, what would be the
best way to create a backup?

If you have any order advice, I am listening and thank you for your time.

Best Answer

First Question: In order for this communication to be secure, would it be a better idea to use HTTPS port 443 instead of that basic TCP port 27077 , then disable the HTTP interface in the mongo.conf file? Is that enough to make the communication secured?

--yes enough.As port and ip security is there apart from that you can use iptables for more security. As currently you are just preventing mongo attack only.

What would be the best way to always make sure the mongo server is always responsive or running? (for example if the server was rebooted, I need to make sure that the mongo is still running) or (to avoid mongodb.lock file) because I had that issue before.

-- if you are running it as service then lock file issue will not be there.in case you are using directly from bin then put it in rc.d simple. advised you to create a script to check your server status and configure alerts accordingly.

BACKUP: As you are not using replica then simply mongodump will be advisable but you can also start your single machine as replica means without any secondary you will have oplog for incremental backup. You can start instance with replset option or change in config file. then below command.

>rs.initiate()

it will give you something like :

{
    "info2" : "no configuration specified. Using a default configuration for the set",
    "me" : "machine:27017",
    "ok" : 1
}

check one oplog.rs will be there in local database.

Related Question