Cluster
This document will explain how to set up a secure canhazdb cluster.
Generating certificates
To run a secure cluster, we first need to generate some public/private certificates.
For this example, I'll create a folder in my documents.
cd ~/Documents
mkdir canhazdb-example
Let's use the following commands to create our certificates.
Replace the IP address 192.168.1.6 with the correct IP address (the one your database will listen on).
Because of how containers work, using localhost with Docker will not work.
openssl genrsa -out ca.privkey.pem 2048
openssl req -x509 -new -nodes \
-key ca.privkey.pem \
-days 1024 \
-out ca.cert.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
openssl genrsa -out 192.168.1.6.privkey.pem 2048
openssl req -new \
-key 192.168.1.6.privkey.pem \
-out 192.168.1.6.csr.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=192.168.1.6"
openssl x509 \
-req -in 192.168.1.6.csr.pem \
-extfile <(printf "subjectAltName=IP:192.168.1.6") \
-CA ca.cert.pem \
-CAkey ca.privkey.pem \
-CAcreateserial \
-out 192.168.1.6.cert.pem \
-days 500
These commands should create the following files in the current working directory.
192.168.1.6.cert.pem 192.168.1.6.csr.pem 192.168.1.6.privkey.pem ca.cert.pem ca.cert.srl ca.privkey.pem
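Before starting a node, it is worth confirming that these files fit together. The following is an added example, not part of canhazdb or of the original guide: a shell function (check_node_cert is a hypothetical name) that checks that the node certificate chains to the CA, carries the listen address as an IP subjectAltName, and matches the private key.

```shell
#!/bin/sh
# Added example (not canhazdb code): pre-flight check for the files passed to
# --tls-ca, --tls-cert and --tls-key. check_node_cert is a hypothetical name.
# Usage: check_node_cert CA_CERT NODE_CERT NODE_KEY IP

check_node_cert() {
  cnc_ca=$1; cnc_cert=$2; cnc_key=$3; cnc_ip=$4

  # 1. The node certificate must chain to the cluster CA.
  if ! openssl verify -CAfile "$cnc_ca" "$cnc_cert" >/dev/null 2>&1; then
    echo "FAIL: $cnc_cert does not verify against $cnc_ca" >&2
    return 1
  fi

  # 2. The certificate must carry the --host address as an IP subjectAltName.
  #    -checkip ignores the CN, so a CSR signed without -extfile fails here.
  if ! openssl x509 -in "$cnc_cert" -noout -checkip "$cnc_ip" 2>/dev/null \
      | grep -q "does match certificate"; then
    echo "FAIL: $cnc_cert has no subjectAltName entry for IP $cnc_ip" >&2
    return 1
  fi

  # 3. The private key must belong to the certificate: compare public keys.
  cnc_cert_pub=$(openssl x509 -in "$cnc_cert" -noout -pubkey 2>/dev/null)
  cnc_key_pub=$(openssl pkey -in "$cnc_key" -pubout 2>/dev/null)
  if [ -z "$cnc_cert_pub" ] || [ "$cnc_cert_pub" != "$cnc_key_pub" ]; then
    echo "FAIL: $cnc_key is not the private key for $cnc_cert" >&2
    return 1
  fi

  echo "OK: $cnc_cert is signed by $cnc_ca, valid for $cnc_ip, and matches $cnc_key"
}

# Run the check only when the four arguments are supplied on the command line.
if [ "$#" -eq 4 ]; then
  check_node_cert "$@"
fi
```

Run it with ca.cert.pem, 192.168.1.6.cert.pem, 192.168.1.6.privkey.pem and 192.168.1.6 as arguments; a non-zero exit status means the node should not be started with those files.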
Starting the first node
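The following command will start the first canhazdb node in your new cluster.
Note that the volume mount exposes the whole folder to the container, including ca.privkey.pem, although the node is only given the three files passed to the --tls-ca, --tls-cert and --tls-key flags.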
docker run -v `pwd`:/app/certs -p 7061:7061 -p 8061:8061 canhazdb/server \
--host 192.168.1.6 \
--port 7061 \
--join 192.168.1.6:7061 \
--data-dir ./canhazdb/one \
--tls-ca ./certs/ca.cert.pem \
--tls-cert ./certs/192.168.1.6.cert.pem \
--tls-key ./certs/192.168.1.6.privkey.pem
Once running, you can start making GET, POST, PUT, PATCH and DELETE HTTP requests using an HTTPS client that supports client certificates.
You will not be able to bypass TLS in your web browser, as the certificates are used for authentication as well as encryption.
You can use Postman (or a similar tool) to query the URL below:
https://192.168.1.6:8060/exampleCollection
If using Postman, make sure to add the client certificates in Postman's settings.
Adding an additional node
The following command will add an additional node to your new cluster.
docker run -v `pwd`:/app/certs -p 7062:7062 -p 8062:8062 canhazdb/server \
--host 192.168.1.6 \
--port 7062 \
--join 192.168.1.6:7061 \
--join 192.168.1.6:7062 \
--data-dir ./canhazdb/two \
--tls-ca ./certs/ca.cert.pem \
--tls-cert ./certs/192.168.1.6.cert.pem \
--tls-key ./certs/192.168.1.6.privkey.pem