This document explains how to set up a secure canhazdb cluster.

Generating certificates

To run a secure cluster, we first need to generate some public/private certificates.

For this example, I'll create a folder in my documents.

cd ~/Documents
mkdir canhazdb-example

Let's use the following script to create our certificates.

Replace the IP address with the correct one: the address your database will listen on and that the certificate will be issued for.

Because of how Docker container networking works, localhost will not work here: inside the container, localhost is the container itself, not your machine.

openssl genrsa -out ca.privkey.pem 2048

openssl req -x509 -new -nodes \
  -key ca.privkey.pem \
  -days 1024 \
  -out ca.cert.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/"

openssl genrsa -out 2048

openssl req -new \
 -key \
 -out \
 -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN="

openssl x509 \
 -req -in \
 -extfile <(printf "subjectAltName=IP:") \
 -CA ca.cert.pem \
 -CAkey ca.privkey.pem \
 -CAcreateserial \
 -out \
 -days 500

These commands should create the following files in the current working directory (along with the node key, CSR and certificate named in the last three commands):

ca.cert.pem
ca.privkey.pem
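The same certificate generation as a single script, followed by the check worth running before starting a node: that the node certificate chains to the CA and carries the listen IP as a subjectAltName, which is what a TLS peer actually verifies. This is an added example, not canhazdb's own script; it assumes openssl is on PATH, the node.* file names are my own choice (the page leaves them blank), and 192.0.2.10 is a documentation-range IP.

```shell
#!/bin/sh
# Added example, not canhazdb's own script. Generates the CA and one node
# certificate with the node IP as subjectAltName (as the page's commands
# do), then verifies what a TLS peer will check: chain and SAN.
# Assumptions: openssl on PATH; the node.* file names are my own choice
# (the page leaves them blank); 192.0.2.10 is a documentation-range IP.
set -eu

# gen_node_certs DIR IP: write ca.cert.pem, ca.privkey.pem, node.privkey.pem,
# node.csr.pem and node.cert.pem into DIR.
gen_node_certs() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  (
    cd "$dir"
    openssl genrsa -out ca.privkey.pem 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca.privkey.pem -days 1024 \
      -out ca.cert.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc"
    openssl genrsa -out node.privkey.pem 2048 2>/dev/null
    openssl req -new -key node.privkey.pem -out node.csr.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=$ip"
    # IP SAN: clients match the IP against SAN, not CN, so this is required
    printf 'subjectAltName=IP:%s\n' "$ip" > node.ext
    openssl x509 -req -in node.csr.pem -extfile node.ext \
      -CA ca.cert.pem -CAkey ca.privkey.pem -CAcreateserial \
      -out node.cert.pem -days 500 2>/dev/null
  )
}

# check_node_cert DIR IP: return 0 only if node.cert.pem chains to ca.cert.pem
# and carries IP as a subjectAltName; a cert issued for any other IP fails.
check_node_cert() {
  dir=$1; ip=$2
  openssl verify -CAfile "$dir/ca.cert.pem" "$dir/node.cert.pem" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/node.cert.pem" -noout -text \
    | grep -Eq "IP Address:${ip}([^0-9]|\$)" || return 1
}

# Stand-alone run: ./gen-certs.sh run  (builds into ./canhazdb-example)
if [ "${1:-}" = "run" ]; then
  gen_node_certs ./canhazdb-example 192.0.2.10
  check_node_cert ./canhazdb-example 192.0.2.10 && echo "node cert OK"
fi
```

If the SAN check fails, a client connecting by IP will reject the node's certificate even though it was signed by your CA, so run it before troubleshooting the docker command.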

Starting the first node

The following command will start your first canhazdb node in your new cluster.

docker run -v `pwd`:/app/certs -p 7061:7061 -p 8061:8061 canhazdb/server \
  --host \
  --port 7061 \
  --join \
  --data-dir ./canhazdb/one \
  --tls-ca ./certs/ca.cert.pem \
  --tls-cert ./certs/ \
  --tls-key ./certs/

Once running, you can start making GET, POST, PUT, PATCH and DELETE HTTP requests using an HTTPS client that trusts the CA certificate and presents a client certificate.

You will not be able to bypass TLS in your web browser, as the certificates are used for authentication as well as encryption.

You can use Postman (or a similar tool) to query the URL below:

If using Postman, make sure to add the client certificate and key in Postman's certificate settings.

Adding an additional node

The following command will add an additional node to your new cluster.

docker run -v `pwd`:/app/certs -p 7062:7062 -p 8062:8062 canhazdb/server \
  --host \
  --port 7062 \
  --join \
  --join \
  --data-dir ./canhazdb/two \
  --tls-ca ./certs/ca.cert.pem \
  --tls-cert ./certs/ \
  --tls-key ./certs/