mirror of
https://github.com/bigchaindb/bigchaindb.git
synced 2024-10-13 13:34:05 +00:00
425397f644
- Added NGINX deployment to frontend both BDB and MDB. - Nginx is configured with a whitelist (which is read from a ConfigMap) to allow only other MDB nodes in the closter to communicate with it. - Azure LB apparently does not support proxy protocol and hence whitelisting fails as nginx always observer the LB IP instead of the real IP in the TCP stream. - Whitelisting source IPs for MongoDB - Removing deprecated folder - Better log format - Intuitive port number usage - README and examples - Addressed a typo in PYTHON_STYLE_GUIDE.md - Azure LB apparently does not support proxy protocol and hence whitelisting fails as nginx always observer the LB IP instead of the real IP in the TCP stream. - Whitelisting source IPs for MongoDB - Removing deprecated folder - Multiple changes: - Better log format - Intuitive port number usage - README and examples - Addressed a typo in PYTHON_STYLE_GUIDE.md - Documentation - add the k8s directory to the ignore list in codecov.yml
71 lines
2.4 KiB
Markdown
71 lines
2.4 KiB
Markdown
## Custom Nginx container for a Node
|
|
|
|
### Need
|
|
|
|
* Since, BigchainDB and MongoDB both need to expose ports to the outside
|
|
world (inter and intra cluster), we need to have a basic DDoS mitigation
|
|
strategy to ensure that we can provide proper uptime and security these
|
|
core services.
|
|
|
|
* We can have a proxy like nginx/haproxy in every node that listens to
|
|
global connections and applies cluster level entry policy.
|
|
|
|
### Implementation
|
|
* For MongoDB cluster communication, we will use nginx with an environment
|
|
variable specifying a ":" separated list of IPs in the whitelist. This list
|
|
contains the IPs of exising instances in the MongoDB replica set so as to
|
|
allow connections from the whitelist and avoid a DDoS.
|
|
|
|
* For BigchainDB connections, nginx needs to have rules to throttle
|
|
connections that are using resources over a threshold.
|
|
|
|
|
|
### Step 1: Build the Latest Container
|
|
|
|
Run `docker build -t bigchaindb/nginx .` from this folder.
|
|
|
|
Optional: Upload container to Docker Hub:
|
|
`docker push bigchaindb/nginx:<tag>`
|
|
|
|
### Step 2: Run the Container
|
|
|
|
Note that the whilelist IPs must be specified with the subnet in the CIDR
|
|
format, eg: `1.2.3.4/16`
|
|
|
|
```
|
|
docker run \
|
|
--env "MONGODB_FRONTEND_PORT=<port where nginx listens for MongoDB connections>" \
|
|
--env "MONGODB_BACKEND_HOST=<ip/hostname of instance where MongoDB is running>" \
|
|
--env "MONGODB_BACKEND_PORT=<port where MongoDB is listening for connections>" \
|
|
--env "BIGCHAINDB_FRONTEND_PORT=<port where nginx listens for BigchainDB connections>" \
|
|
--env "BIGCHAINDB_BACKEND_HOST=<ip/hostname of instance where BigchainDB is
|
|
running>" \
|
|
--env "BIGCHAINDB_BACKEND_PORT=<port where BigchainDB is listening for
|
|
connections>" \
|
|
--env "MONGODB_WHITELIST=<a ':' separated list of IPs that can connect to MongoDB>" \
|
|
--name=ngx \
|
|
--publish=<port where nginx listens for MongoDB connections as specified above>:<correcponding host port> \
|
|
--publish=<port where nginx listens for BigchainDB connections as specified
|
|
above>:<corresponding host port> \
|
|
--rm=true \
|
|
bigchaindb/nginx
|
|
```
|
|
|
|
For example:
|
|
```
|
|
docker run \
|
|
--env "MONGODB_FRONTEND_PORT=17017" \
|
|
--env "MONGODB_BACKEND_HOST=localhost" \
|
|
--env "MONGODB_BACKEND_PORT=27017" \
|
|
--env "BIGCHAINDB_FRONTEND_PORT=80" \
|
|
--env "BIGCHAINDB_BACKEND_HOST=localhost" \
|
|
--env "BIGCHAINDB_BACKEND_PORT=9984" \
|
|
--env "MONGODB_WHITELIST="192.168.0.0/16:10.0.2.0/24" \
|
|
--name=ngx \
|
|
--publish=80:80 \
|
|
--publish=17017:17017 \
|
|
--rm=true \
|
|
bigchaindb/nginx
|
|
```
|
|
|