Skip to content

DOCSP-35939: tls #2894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
May 1, 2024
Merged

DOCSP-35939: tls #2894

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
4c67a95
DOCSP-35939: tls
rustagir Apr 22, 2024
65b632e
Merge branch '4.1' of github.com:mongodb/laravel-mongodb into DOCSP-3…
rustagir Apr 22, 2024
c92f572
merge
rustagir Apr 22, 2024
6d022bb
merge
rustagir Apr 22, 2024
603089f
CC PR fixes
rustagir Apr 22, 2024
a320a48
JM tech review
rustagir Apr 23, 2024
e8266bc
Merge branch '4.1' of github.com:mongodb/laravel-mongodb into DOCSP-3…
rustagir Apr 30, 2024
d9687ed
merge and fix JM tech comments
rustagir Apr 30, 2024
dcffaaa
tlsinsecure clarification
rustagir May 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/fundamentals/connection.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ Connections

/fundamentals/connection/connect-to-mongodb
/fundamentals/connection/connection-options
/fundamentals/connection/tls

.. contents:: On this page
:local:
Expand All @@ -23,3 +24,4 @@ and specify connection behavior in the following sections:

- :ref:`laravel-connect-to-mongodb`
- :ref:`laravel-fundamentals-connection-options`
- :ref:`laravel-tls`
202 changes: 202 additions & 0 deletions docs/fundamentals/connection/tls.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,202 @@
.. _laravel-tls:

========================
Enable and Configure TLS
========================

.. facet::
:name: genre
:values: reference

.. meta::
:keywords: code example, security, connection options, ssl

.. contents:: On this page
:local:
:backlinks: none
:depth: 2
:class: singlecol

Overview
--------

In this guide, you can learn how to use the TLS protocol to secure
your connection to a MongoDB deployment. To configure your connection to
use TLS, enable the TLS option and provide your certificates for
validation in your application's ``config/database.php`` file.

.. tip::

To learn more about TLS, see the Uncyclopedia entry on
:wikipedia:`Transport Layer Security <w/index.php?title=Transport_Layer_Security&oldid=1184063676>`.

Enable TLS
----------

In your application's ``config/database.php`` file, you can enable TLS
on a connection to your MongoDB deployment in one of the following ways:

- Setting the ``tls`` option to ``true`` in your connection string
- Setting the ``tls`` option to ``true`` in the ``options`` property of
your ``mongodb`` connection entry

Select from the following :guilabel:`Connection String` and
:guilabel:`Connection Options` tabs to see a corresponding code sample:

.. tabs::

.. tab:: Connection String
:tabid: connection string tls true

.. code-block:: php
:emphasize-lines: 5

'connections' => [

'mongodb' => [
'driver' => 'mongodb',
'dsn' => 'mongodb://<hostname>:<port>/?tls=true',
'database' => 'myDB',
]
]

.. tab:: Connection Options
:tabid: options tls true

.. code-block:: php
:emphasize-lines: 8

'connections' => [

'mongodb' => [
'driver' => 'mongodb',
'dsn' => '<connection string>',
'database' => 'myDB',
'options' => [
'tls' => true,
],
]
]

To view a full list of connection options, see
:ref:`laravel-fundamentals-connection-options`.

.. note::

If your connection string uses a DNS SRV record by including
the ``mongodb+srv`` prefix, TLS is enabled on your connection by
default.

Configure Certificates
----------------------

To successfully initiate a TLS request, your application must present
cryptographic certificates to prove its identity. Your application's
certificates must be stored as PEM files to enable TLS when connecting.

.. important::

For production use, we recommend that your MongoDB deployment use valid
certificates generated and signed by the same certificate authority.
For testing, your deployment can use self-signed certificates.

The following list describes the components that your client must
present to establish a TLS-enabled connection:

.. list-table::
:header-rows: 1
:widths: 30 70

* - TLS Component
- Description

* - Certificate Authority (CA)
- One or more certificate authorities to
trust when making a TLS connection. You can pass this file's path
to the ``tlsCAFile`` option.

* - Client Certificate
- A digital certificate that allows the server to verify the identity
of your application to establish an encrypted network connection.
You can pass this file's path to the ``tlsCertificateKeyFile`` option.

* - Certificate Key
- The client certificate private key file. This key is often
included within the certificate file itself. If you must
provide this item, the certificate and key should be concatenated
in one file that you can pass to the ``tlsCertificateKeyFile``
option.

* - Passphrase
- The password to decrypt the private client key if it is
encrypted. You can pass this file's path to the
``tlsCertificateKeyFilePassword`` option.

Reference Certificates
----------------------

You must reference your certificates when configuring your ``mongodb``
connection so that the server can validate them before the client connects.

We recommend that you reference your certificates and set other TLS
options in the ``options`` property of your connection configuration
instead of in the connection string. This improves code readability in
your application.

Set the following options in the ``options`` property to reference your
certificates:

- ``tlsCAFile``
- ``tlsCertificateKeyFile``
- ``tlsCertificateKeyFilePassword``

.. note::

For **testing purposes**, you can set the following options to
disable validation:

- ``tlsAllowInvalidCertificates``
- ``tlsAllowInvalidHostnames``
- ``tlsInsecure``
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quoting https://www.php.net/manual/en/mongodb-driver-manager.construct.php:

Specifying true for this option has the same effect as specifying true for both the "tlsAllowInvalidCertificates" and "tlsAllowInvalidHostnames" URI options. Defaults to false.

There should be no reason for the user to specify all three options. The improvement here would be to note that tlsInsecure implies the other two options.

Sorry for missing this earlier. This change should probably be applied to whatever content this was copied/adapted from (assuming other driver docs would be affected).


Specifying these options in a production environment might
your application insecure. To learn more, see the :manual:`Connection
Options </reference/connection-string/#connection-options>`
reference in the Server manual.

The following example configures a connection with TLS enabled:

.. code-block:: php

'connections' => [

'mongodb' => [
'driver' => 'mongodb',
'dsn' => '<connection string>',
'database' => 'myDB',
'options' => [
'tls' => true,
'tlsCAFile' => '<path to CA certificate>',
'tlsCertificateKeyFile' => '<path to private client certificate>',
'tlsCertificateKeyFilePassword' => '<path to client key passphrase>',
]
]
]

.. note::

You can alternatively reference your certificates by setting options
in the ``driverOptions`` property in your connection configuration.
To learn more about these options, see the
`MongoDB\Driver\Manager::__construct()
<https://www.php.net/manual/en/mongodb-driver-manager.construct.php>`__
API documentation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion:

In the referenced link, it's not clear to me which settings are safe to use. The driverOptions settings, such as such as ca_file, pem_file, and pem_pwd, on the page are described as "deprecated alias for the [option name] URI option" .

I think it could be helpful to mention which settings to recommend since it's not clear on the linked page. Maybe @GromNaN can provide more guidance here.

Copy link
Member

@GromNaN GromNaN Apr 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd ask @jmikola. I don't know this option. I learned about this feature by reading your doc.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The URI options prefixed with tls supersede the driverOptions. There are very few options that are only supported through driverOptions (e.g. crl_file), and I don't think any of those are relevant to these docs.

I think the right call is to remove any discussion of driverOptions. You can still link to the Manager constructor as canonical documentation for URI options, though. In that case, you can drop a link to it in the "Additional Information" section below (probably above the server docs, since it will be more relevant to PHP).

driverOptions property

Is this actually a property in the Laravel configuration? If you're referring to the Manager constructor, then the proper terminology would be "driverOptions parameter" (not "property").

But this may be a moot point since the entire note can be removed.


Additional Information
----------------------

To learn more about enabling TLS on a connection, see the
following Server manual documentation:

- :manual:`TLS/SSL (Transport Encryption) </core/security-transport-encryption/>`
- :manual:`TLS/SSL Configuration for Clients </tutorial/configure-ssl-clients/>`