Cluster

This document explains how to set up a secure canhazdb cluster.

Generating certificates

To run a secure cluster, we first need to generate some public/private certificates.

For this example, I'll create a folder in my documents.

cd ~/Documents
mkdir canhazdb-example

Let's use the following openssl commands to create our certificates.

Replace the IP address 192.168.1.6 with the correct IP address (the one your database will listen on).

Because a container has its own network namespace, localhost inside the container does not refer to your host, so using localhost with docker will not work.

openssl genrsa -out ca.privkey.pem 2048

openssl req \
  -x509 \
  -new \
  -nodes \
  -key ca.privkey.pem \
  -days 1024 \
  -out ca.cert.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

openssl genrsa -out 192.168.1.6.privkey.pem 2048

openssl req -new \
 -key 192.168.1.6.privkey.pem \
 -out 192.168.1.6.csr.pem \
 -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=192.168.1.6"

openssl x509 \
 -req -in 192.168.1.6.csr.pem \
 -extfile <(printf "subjectAltName=IP:192.168.1.6") \
 -CA ca.cert.pem \
 -CAkey ca.privkey.pem \
 -CAcreateserial \
 -out 192.168.1.6.cert.pem \
 -days 500

These commands should create the following files in the current working directory.

192.168.1.6.cert.pem  192.168.1.6.csr.pem  192.168.1.6.privkey.pem  ca.cert.pem  ca.cert.srl  ca.privkey.pem

Starting the first node

The following command will start your first canhazdb node in your new cluster.

docker run -v `pwd`:/app/certs -p 7061:7061 -p 8061:8061 canhazdb/server \
  --host 192.168.1.6 \
  --port 7061 \
  --join 192.168.1.6:7061 \
  --data-dir ./canhazdb/one \
  --tls-ca ./certs/ca.cert.pem \
  --tls-cert ./certs/192.168.1.6.cert.pem \
  --tls-key ./certs/192.168.1.6.privkey.pem

Once running, you can issue GET, POST, PUT, PATCH and DELETE HTTP requests using an HTTPS client that supports client certificates.

You will not be able to bypass TLS in your web browser, as the certificates are used for authentication as well as encryption.

You can use Postman (or a similar tool) to query the below URL:

https://192.168.1.6:8060/exampleCollection

If you use Postman, add the client certificate and key under Postman's certificate settings.
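As an added example that is not part of the canhazdb documentation, the bash script below checks the generated certificate files before a node is started and then queries the HTTP API with mutual TLS from the command line. It assumes openssl and curl are installed, that the files are in the current directory, and that the node certificate is reused as the client identity (any certificate signed by ca.cert.pem would do).

```shell
#!/usr/bin/env bash
# Added example, not canhazdb's own code. Assumes openssl and curl are installed
# and that the node certificate is reused as the client identity (any certificate
# signed by ca.cert.pem would do for mutual TLS).

# verify_node_cert CA_CERT NODE_CERT NODE_IP [NODE_KEY]
# Fails if the node certificate does not chain to the CA, lacks NODE_IP in its
# subjectAltName (a CN-only certificate is rejected by modern TLS clients, so
# this catches a forgotten -extfile), or does not belong to NODE_KEY.
verify_node_cert() {
  ca="$1"; cert="$2"; ip="$3"; key="$4"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert does not chain to $ca" >&2
    return 1
  fi
  if ! openssl x509 -in "$cert" -noout -text | grep -qE "IP Address:$ip(,|$)"; then
    echo "$cert has no subjectAltName entry for IP:$ip" >&2
    return 1
  fi
  if [ -n "$key" ]; then
    # compare the public key embedded in the certificate with the one derived
    # from the private key; a mismatch means the node cannot start with this pair
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
      echo "$key is not the private key for $cert" >&2
      return 1
    fi
  fi
  return 0
}

# mtls_get URL CA_CERT CLIENT_CERT CLIENT_KEY
# --cacert makes curl trust the private CA instead of the system store;
# --cert/--key present the client identity the node requires, which is why a
# plain browser without a client certificate cannot reach the API.
mtls_get() {
  curl --silent --show-error --fail \
    --cacert "$2" --cert "$3" --key "$4" "$1"
}

# Usage with the files generated in this guide:
# verify_node_cert ca.cert.pem 192.168.1.6.cert.pem 192.168.1.6 192.168.1.6.privkey.pem &&
#   mtls_get https://192.168.1.6:8060/exampleCollection \
#     ca.cert.pem 192.168.1.6.cert.pem 192.168.1.6.privkey.pem
```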

Adding an additional node

The following command will add an additional node to your new cluster.

docker run -v `pwd`:/app/certs -p 7062:7062 -p 8062:8062 canhazdb/server \
  --host 192.168.1.6 \
  --port 7062 \
  --join 192.168.1.6:7061 \
  --join 192.168.1.6:7062 \
  --data-dir ./canhazdb/two \
  --tls-ca ./certs/ca.cert.pem \
  --tls-cert ./certs/192.168.1.6.cert.pem \
  --tls-key ./certs/192.168.1.6.privkey.pem