The Setup
I currently have a server and a mongodb database running in the cloud (Oracle Cloud Infrastructure).
The Problem
My connection to the database is bound by a select number of static IPs. This means that I cannot connect to my database from every client.
Attempted Solution
Therefore, I want to use my server (which has a static IP) to stand-in as a reverse proxy for my mongodb traffic.
Based on a variety of stackoverflow posts, namely this post about setting up nginx behind a reverse proxy and this post about forcing nginx to re-resolve requests, I have been able to set up a config that should work.
# These directives belong inside the stream { } context of nginx.conf
resolver 194.168.4.100 valid=15s;
server {
    set $mongo "<MY_OCID>.<MY_REGION>.oraclecloudapps.com:27017";
    listen 27017 so_keepalive=on;
    listen 27017 udp; #listen to UDP just in case (MongoDB's wire protocol is TCP only, so nothing arrives on this listener)
    proxy_connect_timeout 2s;
    proxy_pass $mongo;
    proxy_timeout 10m;
}
What is the Issue?
Using the proxied database does not work or connect.
I get the error: MongoNetworkError: Client network socket disconnected before secure TLS connection was established
After a lot of testing with trying to make requests with mongosh and using tcpdump to access all the traffic, I have run into a roadblock.
Looking at the tcpdump logs, the only difference I can find is the DNS resolution.
Without a proxy:
cache1.service.<service_provider>.net.domain > laptop.55079: [udp sum ok] 51937 q: A?
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. 3/0/1
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. A <IP>,
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. A <IP>,
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. A <IP> ar: . OPT UDPsize=512 (145)
Which then resolves correctly and has a correct connection.
With a proxy:
cache1.service.<service_provider>.net.domain > laptop.39421: [udp sum ok] 62642 q: A?
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. 3/0/0
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. A <IP>,
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. A <IP>,
<MY_OCID>.<MY_REGION>.oraclecloudapps.com. A <IP> (134)
This does not resolve. It is missing a single additional record.
All the IPs are resolved correctly though.
The Question
Does anyone know whether NGINX resolves the address differently than a normal request? I am unsure if I will even be able to do this.
Additional Information
I know that Oracle Cloud requires TLS (optionally mTLS) authentication to work properly.
My errors, therefore, could be because my proxy is not connecting with a TLS connection, and merely passing the TCP data along. How would I go about setting up the right certificates with this setup? Is it possible?
server {
    set $mongo "<MY_OCID>.<MY_REGION>.oraclecloudapps.com:27017";
    listen 27017 ssl so_keepalive=on;
    # certificate presented to clients; the private key uses the ssl_certificate_key directive
    ssl_certificate     /path/to/some/ssl/cert.pem;
    ssl_certificate_key /path/to/some/ssl/cert.key;
    proxy_connect_timeout 2s;
    proxy_pass $mongo;
    proxy_timeout 10m;
}
Could I self-sign a cert like this? Or would I have to somehow acquire a cert from Oracle?
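A TLS-terminating variant of the stream config in the question, written as an added example (it is not the poster's config and not an Oracle-supplied one): the proxy presents its own certificate to clients, then opens a separate, verified TLS connection to the Oracle endpoint and sends that hostname as SNI instead of forwarding raw TCP bytes. The certificate and CA-bundle paths are assumptions; the resolver IP and the `$mongo` value are the ones from the question.

```nginx
# Added example; this whole block replaces the stream { } context in nginx.conf
stream {
    # Re-resolve the Oracle hostname periodically (resolver address from the question)
    resolver 194.168.4.100 valid=15s;

    server {
        # TCP only: MongoDB's wire protocol does not use UDP
        listen 27017 ssl so_keepalive=on;

        # Certificate the *clients* see. Its subject alternative name must match the
        # name clients use to reach this proxy, and clients must trust its issuer
        # (e.g. via the driver's tlsCAFile option). Paths are assumed.
        ssl_certificate     /etc/nginx/tls/proxy.crt;
        ssl_certificate_key /etc/nginx/tls/proxy.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        set $mongo "<MY_OCID>.<MY_REGION>.oraclecloudapps.com:27017";

        # Decrypt client traffic here, then re-encrypt toward Oracle
        proxy_ssl              on;
        proxy_ssl_server_name  on;   # send SNI; shared TLS endpoints commonly require it
        proxy_ssl_name         <MY_OCID>.<MY_REGION>.oraclecloudapps.com;
        proxy_ssl_protocols    TLSv1.2 TLSv1.3;

        # Verify the upstream certificate so the proxy cannot be silently
        # redirected to an impostor endpoint (CA bundle path is assumed)
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # If the endpoint enforces mTLS, present a client certificate (assumed paths)
        # proxy_ssl_certificate     /etc/nginx/tls/client.crt;
        # proxy_ssl_certificate_key /etc/nginx/tls/client.key;

        proxy_connect_timeout 2s;
        proxy_timeout         10m;
        proxy_pass            $mongo;
    }
}
```

Validate with `nginx -t` before reloading; whether the endpoint is configured for one-way TLS or mTLS decides whether the commented client-certificate lines are needed.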