Question
What does arangod.conf look like for running TLS 1.2 on port 8529 with a self-signed certificate at /server.pem? The current documentation lists only the parameters for starting the server, but not the equivalent arangod.conf.
[database]
directory = /var/lib/arangodb3
[server]
endpoint = ssl://0.0.0.0:8529
authentication = true
threads = 0
statistics = true
uid = arangodb
[scheduler]
threads = 0
[javascript]
startup-directory = /usr/share/arangodb3/js
app-path = /var/lib/arangodb3-apps
[log]
level = info
file = /var/log/arangodb3/arangod.log
[cluster]
data-path = /var/lib/arangodb3/cluster
log-path = /var/log/arangodb3/cluster
arangod-path = @SBINDIR@/arangod@PROGRAM_SUFFIX@
dbserver-config = @SYSCONFDIR@/arangod.conf
[ssl]
keyfile = /server.pem
protocol = 5
And when I start, nothing works.
I also tried, attempting to mirror the documentation,
[ssl]
keyfile = /server.pem /tmp/vocbase
protocol = 5
But still no luck.
Answer 1:
The steps I follow to get SSL running on port 8530 on Ubuntu 16.04 are:
- Modify /etc/arangodb3/arangod.conf:
endpoint = ssl://0.0.0.0:8530
- Generate your self-signed SSL cert; I use openssl
- You should end up with a server.pem file which contains both your server.crt and server.key
- Modify your /etc/init.d/arangodb3 file:
Find the line that looks like this, about line 50:
$DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --supervisor $@
Update it to something like this:
$DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --ssl.keyfile /etc/arangodb3/server.pem --supervisor $@
- Restart the arangodb3 service to use the new ssl cert, you should be able to connect via port 8530 now
You could do SSL on port 8529, but I prefer to use port 8530 because then I can block 8529 access to ensure there is only SSL traffic to the server.
If you want to stop your web browser complaining about the untrusted SSL certs when you hit the server on 8530, just manually install the certificate on your client once you browse to the site.
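The certificate step in the answer above, as an added example that is not part of the original answer: it generates a self-signed certificate with openssl, builds the combined server.pem, and checks that the file holds both a certificate and its matching private key before it is handed to --ssl.keyfile. The CN db.example.test, the 365-day validity and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). File names follow the answer;
# the CN and the validity period are constructed sample values.

# Create server.key and server.crt, then combine them into server.pem.
make_server_pem() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # The combined file contains the private key: create it owner-only.
    ( umask 077 && cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem" )
}

# Return 0 only if the file holds a certificate AND the private key matching it.
# Non-zero codes: 1 unreadable, 2 no cert, 3 no key, 4 parse error, 5 mismatch.
check_server_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "not readable: $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no certificate block in $pem" >&2; return 2; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" \
        || { echo "no private key block in $pem" >&2; return 3; }
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key does not match certificate in $pem" >&2; return 5; }
}

# Usage (run the check as the user the daemon runs as, so the readability
# test reflects what arangod will see):
#   make_server_pem /etc/arangodb3 db.example.test
#   check_server_pem /etc/arangodb3/server.pem && echo "keyfile OK"
```
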
Source: https://stackoverflow.com/questions/40315135/arangod-conf-for-ssl