LibreChat
Enhancement: Add support to TLS authentication on remote MongoDB
What features would you like to see added?
I am reaching out to propose an enhancement to the MongoDB connection functionality with regard to supporting TLS authentication, especially for remote MongoDB instances such as Amazon DocumentDB.
Currently, the codebase establishes a MongoDB connection using Mongoose without the option to configure TLS. This setup works fine for non-TLS connections but doesn't support scenarios where enhanced security is required, particularly when connecting to managed MongoDB services that often enforce TLS for data-in-transit encryption.
To address this, I propose we make these changes:
```javascript
const path = require('path'); // needed for path.join below

const USE_TLS = process.env.MONGO_TLS === 'true'; // Check if TLS should be used
const MONGO_CA_FILE = process.env.MONGO_CA_FILE; // CA file name

const opts = {
  useNewUrlParser: true,
  useUnifiedTopology: true,
  bufferCommands: false,
  tls: USE_TLS,
};

if (USE_TLS) {
  // If using TLS, configure the SSL settings
  opts.tlsCAFile = path.join(__dirname, '..', '..', '..', MONGO_CA_FILE);
}
```
The key changes include:
- Adding a new environment variable MONGO_TLS to flag the use of TLS.
- Introducing MONGO_CA_FILE for specifying the CA file name. I've defined the file path as the project root, but that may not be the right approach. What would you recommend here?
- Modifying the connectDb function to include these TLS options in the Mongoose connection settings.
These enhancements enable secure connections to services like Amazon DocumentDB, which require TLS, and do so in a way that maintains backward compatibility and simplicity of configuration.
Let me know what you think.
More details
All details are described above.
Which components are impacted by your request?
Other
Pictures
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Thanks for your suggestion! Enhanced security is always welcome.
If you would like to put in the PR for this along with documentation, I would be more than happy to test it and merge it.
I can also work on it myself when I get around to it!
I am interested in this as well. As MongoDB community edition does not support database level encryption, having the support of DocumentDB is a much more affordable way to reach those requirements.
Using the code mentioned in this issue, if you could give me some basic instructions for implementation I could attempt a PR/Doc for it if I can get it running. Would these changes be added to connectDb.js?
The following files are the only ones really making mongodb connections:
- api/cache/keyvMongo.js
- api/lib/db/connectDb.js
I was about to submit a PR when I understood that we can already use TLS (and hence use documentDb). All you need is to add parameters to the mongo uri:
mongodb://somestuff.docdb.amazonaws.com:27017/yourdb?retryWrites=false&tls=true&tlsCAFile=../rds-combined-ca-bundle.pem
Thanks! I'll merge your docs PR, and close this issue