networking – What does the --bindip configuration option in mongodb do?

On bindIp

127.0.0.1 by convention is the IP address of localhost and is bound to the loopback interface, which is only accessible from the same machine.

Using this address as default is best practice, since doing so makes it impossible to accidentally expose a service to the public. You have to make the conscious choice to change the bind IP to make your service publicly available, which you should only do after you have made sure that you took proper security measures.

Note: This is very simplified, skipping advanced topics.

Typically, a machine has the loopback interface and one or more real network interfaces.

Say you have one network interface which is internal (only accessible by your application servers, since you put them into the same network) and you have one network interface which is external (reachable via the public internet for maintenance purposes). Now, if you would bind your MongoDB instance to all interfaces (you would use the IP address 0.0.0.0 to do that), your MongoDB instance would be accessible from the public internet – hardly a desired situation. Attackers could try to brute force your passwords and may eventually get access to your MongoDB instance. Better to prevent any access from the public internet at all.

What you would rather want is that your MongoDB instance is accessible to your application servers and from the machine it runs on. So you would bind MongoDB to both the loopback interface's IP (127.0.0.1) and the IP of the private network, which in general would be in one of

  • the range from 10.0.0.0 to 10.255.255.255
  • the range from 172.16.0.0 to 172.31.255.255
  • the range from 192.168.0.0 to 192.168.255.255

Let us take our example and say both the application servers and the MongoDB instance are in a private network in the range 192.168.X.X and you have given the MongoDB instance the IP address 192.168.0.1. So you would want to have your MongoDB instance be accessible via 192.168.0.1 so that the application servers can talk to it and via 127.0.0.1 to use the administration tools from the machine MongoDB runs on effortlessly.

So with the YAML configuration syntax, you would pass multiple IPs:

NOTE: Do not add spaces between the commas on multiple IPs.

# WARNING!!! WARNING!!! WARNING!!!
# DO NOT DO THIS UNLESS YOU HAVE CLIENT AUTHENTICATION ENABLED
# (or you really, really, really know what you are doing)
net:
  bindIp: 127.0.0.1,192.168.0.1

On the warnings

In short, this is MongoDB's way of saying:

Mate, you have two problems: you have not configured security yet and your MongoDB instance is only accessible from the local machine. The former is not as severe because of the latter. But you really should configure security before you bind the MongoDB instance to other IPs than localhost!

There is sort of an implied "Unless you really know what you are doing!", because IIRC, the warning vanishes if you either activate client authentication or change the bindIp.

In my case, I changed bindIp to 0.0.0.0 in /etc/mongod.conf:

sudo nano /etc/mongod.conf

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
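
An added example, not part of either answer above and not MongoDB's own tooling: a Python check that reads net.bindIp from a mongod.conf, classifies each address against the private ranges listed above, and flags the cases the first answer warns about. The function names, the sample inputs and the assumption that an unset bindIp means 127.0.0.1 are this example's own; security.authorization: enabled is the configuration key that turns on client authentication.

```python
import ipaddress
import re

# The three private ranges listed in the answer above (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Classify one bindIp entry by how far it exposes the listener."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal; any name other than localhost must be resolved first.
        return "loopback" if addr == "localhost" else "hostname"
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or ::
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"

def read_setting(conf_text, section, key):
    """Look up section.key in a two-level mongod.conf (not a full YAML parser)."""
    current = None
    for raw in conf_text.splitlines():
        m = re.match(r"^(\s*)(\w+):\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if m and not m.group(1):
            current = m.group(2)  # a top-level key opens a new section
        elif m and current == section and m.group(2) == key:
            return m.group(3).strip("\"'")
    return None

def audit(conf_text):
    """Return ({address: class}, [findings]) for a mongod.conf given as text."""
    bind = read_setting(conf_text, "net", "bindIp") or "127.0.0.1"  # assumed default
    auth_on = read_setting(conf_text, "security", "authorization") == "enabled"
    kinds = {a.strip(): classify(a.strip()) for a in bind.split(",")}
    findings = [f"{a} listens beyond loopback and the private network"
                for a, k in kinds.items() if k in ("all-interfaces", "public")]
    if any(a != a.strip() for a in bind.split(",")):
        findings.append("whitespace in the bindIp list")
    if not auth_on and any(k != "loopback" for k in kinds.values()):
        findings.append("non-loopback bind without security.authorization enabled")
    return kinds, findings

# Constructed sample inputs: the two configurations shown on this page.
FIRST = "net:\n  bindIp: 127.0.0.1,192.168.0.1\n"
SECOND = "# network interfaces\nnet:\n  port: 27017\n  bindIp: 0.0.0.0\n"
for conf in (FIRST, SECOND):
    print(audit(conf))
```

The first configuration yields one finding (no client authentication on a non-loopback bind); the second yields two, because 0.0.0.0 also listens on the external interface.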