DEV Community

Liran Tal
Liran Tal

Posted on

Securing a Node.js + RethinkDB + TLS setup on Docker containers


We use RethinkDB at work across different projects. It isn’t used for any sort of big-data applications, but rather as a NoSQL database, which spices things up with real-time updates, and relational tables support.

Node.js Ecosystem

RethinkDB features an officially supported Node.js driver, as well as a community-maintained driver as well called rethinkdbdash which is promises-based, and provides connection pooling.
There is also a database migration tool called rethinkdb-migrate that aids in managing database changes such as schema changes, database seeding, tear up and tear down capabilities.

RethinkDB Docker Setup

We’re going to use the official RethinkDB docker image from the docker hub and make use of docker-compose.yml to spin it up (later on you can add additional services to this setup).

A fair example for docker-compose.yml:

version: '2'
    image: rethinkdb:latest
      - "8181:8080"
      - "48015:28015"
      - ./tls:/tls
Enter fullscreen mode Exit fullscreen mode

RethinkDB SSL Setup

The compose file mounts a local tls directory as a mapped volume inside the container. The tls/ directory will contain our cert files, and the compose file is reflecting this.


To setup a secure connection we need to facilitate it using certificates so an
initial technical step:

cd tls/
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 3650 -subj '/’
cp cert.pem ca.pem
Enter fullscreen mode Exit fullscreen mode

Important notes:

  • The canonical name, which is the CN value is set to the domain to which the RethinkDB driver will connect to. Set here to as an example, in your local development environment should probably be set to just localhost.
  • Copying the cert to the certificate authority is actually an extra step required for slaves joining the cluster, so this isn’t mandatory.

Start RethinkDB with SSL

Update the compose file to include a command configuration that starts the RethinkDB process with all the required SSL configuration

command: ["rethinkdb", "--tls-min-protocol", "TLSv1", "--tls-ciphers", "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256-SHA", "--canonical-address", "", "--http-tls-key", "/tls/key.pem", "--http-tls-cert", "/tls/cert.pem", "--driver-tls-key", "/tls/key.pem", "--driver-tls-cert", "/tls/cert.pem", "--bind" ,"all"]
Enter fullscreen mode Exit fullscreen mode

Important notes:

  • The first command arguments — tls-min-protocol and — tls-ciphers are for working with older SSL versions (applicable to Mac OS setups)
  • Notice the — canonical-address argument is also set to, and you might want to change that to localhost if you created the self-signed cert with a CN=localhost

You’ll notice there isn’t any cluster related configuration but you can add them as well if you need to so they can join the SSL connection: — cluster-tls — cluster-tls-key /tls/key.pem — cluster-tls-cert /tls/cert.pem — cluster-tls-ca /tls/ca.pem

Node.js Driver Setup

The RethinkDB drivers support an ssl optional object which either sets the certificate using the ca property, or sets the rejectUnauthorized property to accept or reject self-signed certificates when connecting.
A snippet for the ssl configuration to pass to the driver:

ssl: {
  rejectUnauthorized: false
  // ca: fs.readFileSync(__dirname + '../tls/cert.pem').toString().trim()
Enter fullscreen mode Exit fullscreen mode

RethinkDB Password Setup

Now that the connection is secured, it only makes sense to connect using a user/password which are not the default.

Security Alert! RethinkDB ships with a default user and no password set which is insecure to say the least and was one of the main reasons for hundred of thousands of MongoDBs getting pwned on AWS a while back.

Enter fullscreen mode Exit fullscreen mode

To set it up, update the compose file to also include the — initial-password argument so you can set the default admin user’s password. For example:

command: ["rethinkdb", "--initial-password", "changeMe"]
Enter fullscreen mode Exit fullscreen mode

Of course you need to append this argument to the rest of the command line options in the above compose file.

Preferably, don’t store the password on the Dockerfile but rather use an environment variable or another method that doesn’t expose secrets.
Enter fullscreen mode Exit fullscreen mode

Now, update the Node.js driver settings to use a user and password to connect:

  user: 'admin',
  password: 'changeMe'
Enter fullscreen mode Exit fullscreen mode

Congratulations! You’re now eligible to “Ready for Production stickers.

Don’t worry, I already mailed them to your address.

Top comments (0)