【Question title】: Connection timed out while connecting to AWS DocumentDB outside the VPC
【Posted】: 2022-04-13 14:29:54
【Question description】:

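I am trying to create a very simple Node application that can use DocumentDB. I am not using Cloud9 or Lambda; I am coding locally. I am following this link https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html and this link https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-ec2.html

I created a poorly secured EC2 instance with the following inbound rules

port range    protocol    source       security group
22            TCP         0.0.0.0/0    demoEC2

The demoEC2 security group has the following inbound rules

type    protocol    port range    source
SSH     TCP         22            0.0.0.0/0

Then I created a DocumentDB cluster with 1 instance available, which belongs to a security group with the following inbound rules

type          protocol    port range    source
custom tcp    TCP         27017         demoEC2

After that, I opened my terminal and created a tunnel: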

ssh -i "mykeypair.pem" -L 27017:<CLUSTER ENDPOINT>:27017 ec2-user@<EC2 PUBLIC IPV4 DNS> -N

To test whether my tunnel is working, I connected using the mongo shell:

> mongo "mongodb://<MASTER USERNAME>:<MASTER PASSWORD>@localhost:27017/<DATABASE>" --tls --tlsAllowInvalidHostnames --tlsCAFile rds-combined-ca-bundle.pem
MongoDB shell version v4.2.13
connecting to: mongodb://localhost:27017/<DATABASE>?compressors=disabled&gssapiServiceName=mongodb
2021-07-29T10:10:59.309+0200 W  NETWORK  [js] The server certificate does not match the host name. Hostname: localhost does not match docdb-2021-07-27-10-32-49.ctuxybn342pe.eu-central-1.docdb.amazonaws.com docdb-2021-07-27-10-32-49.cluster-ctuxybn342pe.eu-central-1.docdb.amazonaws.com docdb-2021-07-27-10-32-49.cluster-ro-ctuxybn342pe.eu-central-1.docdb.amazonaws.com , Subject Name: C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=docdb-2021-07-27-10-32-49.ctuxybn342pe.eu-central-1.docdb.amazonaws.com
Implicit session: session { "id" : UUID("63340995-54ad-471b-aa8d-85763f3c7281") }
MongoDB server version: 4.0.0
WARNING: shell and server versions do not match

Warning: Non-Genuine MongoDB Detected

This server or service appears to be an emulation of MongoDB rather than an official MongoDB product.

Some documented MongoDB features may work differently, be entirely missing or incomplete, or have unexpected performance characteristics.

To learn more please visit: https://dochub.mongodb.org/core/non-genuine-mongodb-server-warning.

rs0:PRIMARY>

However, when I try to connect in my Node application:

const mongoose = require('mongoose');
const fs = require('fs');
const path = require('path');

const username = ...
const password = ...
const database = ...

const connstring = `mongodb://${username}:${password}@localhost:27017/${database}?tls=true&replicaSet=rs0&readPreference=secondaryPreferred`;
const certFile = path.resolve(__dirname, './rds-combined-ca-bundle.pem');
const certFileBuf = fs.readFileSync(certFile); //I tried this one in tlsCAFile option as well

mongoose.connect(connstring,
    {
        tlsCAFile: certFile,
        useNewUrlParser: true,
        tlsAllowInvalidHostnames: true,
    }
).then(() => console.log('Connection to DB successful'))
    .catch((err) => console.error(err, 'Error'));

After a while I get a connection timeout error:

> > node .\index.js
(node:12388) [MONGODB DRIVER] Warning: Current Server Discovery and Monitoring engine is deprecated, and will be removed in a future version. To use the new Server Discover and Monitoring engine, pass option { useUnifiedTopology: true } to the MongoClient constructor.
MongoNetworkError: failed to connect to server [<CLUSTER ENDPOINT WITHOUT HAVING .cluster->:27017] on first connect [MongoNetworkTimeoutError: connection timed out
    at connectionFailureError (D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\connect.js:345:14)
    at TLSSocket.<anonymous> (D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\connect.js:313:16)
    at Object.onceWrapper (events.js:421:28)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.Socket._onTimeout (net.js:481:8)
    at listOnTimeout (internal/timers.js:549:17)
    at processTimers (internal/timers.js:492:7)]
    at Pool.<anonymous> (D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\topologies\server.js:441:11)
    at Pool.emit (events.js:315:20)
    at D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\pool.js:564:14
    at D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\pool.js:1013:9
    at D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\connect.js:32:7
    at callback (D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\connect.js:283:5)
    at TLSSocket.<anonymous> (D:\projects\documentdb-connect\node_modules\mongoose\node_modules\mongodb\lib\core\connection\connect.js:313:7)
    at Object.onceWrapper (events.js:421:28)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.Socket._onTimeout (net.js:481:8)
    at listOnTimeout (internal/timers.js:549:17)
    at processTimers (internal/timers.js:492:7) Error

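Since I can connect using the mongo shell, I believe the tunnel is working, and I can even do some inserts over it, but why can't Mongoose connect? I also tried using MongoClient (const MongoClient = require('mongodb').MongoClient, then MongoClient.connect(same everything)), but with no success; I still get the same timeout error.

【Question discussion】:

    Tags: node.js amazon-web-services amazon-ec2 aws-documentdb


    【Solution 1】:

    It turned out that all I needed to do was pass the username and password through the options instead of in the connection string: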

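    const mongoose = require('mongoose');
    const fs = require('fs');
    const path = require('path');

    // username, password and database are defined as in the question.
    // Credentials are no longer embedded in the connection string.
    const connstring = `mongodb://localhost:27017/${database}`;
    const certFile = path.resolve(__dirname, './rds-combined-ca-bundle.pem');
    const certFileBuf = fs.readFileSync(certFile);

    mongoose.connect(connstring,
        {
            tls: true,
            tlsCAFile: certFile,
            useNewUrlParser: true,
            // The certificate names the cluster endpoint, not localhost.
            tlsAllowInvalidHostnames: true,
            // Credentials are passed through the options instead.
            auth: {
                username,
                password
            }
        }
    )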
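The question's connection string carries `replicaSet=rs0` and the answer's does not; in replica set mode the driver dials the member hostnames the cluster advertises (the address in the timeout error), which bypass the tunnel. The check below is an added example, not part of the original answer: `auditTunnelUri` and its finding names are hypothetical, and the sample URIs are constructed from the shapes shown in the question and the answer.

```javascript
// Added example: static audit of a MongoDB URI that is meant to go through
// a local SSH tunnel. Function and finding names are hypothetical.
const LOOPBACK = new Set(['localhost', '127.0.0.1']);

function auditTunnelUri(uri, options = {}) {
  const u = new URL(uri); // the WHATWG parser accepts mongodb:// authorities
  // Merge URI query options and driver options, case-insensitively.
  const params = new Map();
  for (const [k, v] of u.searchParams) params.set(k.toLowerCase(), v);
  for (const [k, v] of Object.entries(options)) params.set(k.toLowerCase(), String(v));

  const findings = [];
  const viaTunnel = LOOPBACK.has(u.hostname.toLowerCase());

  // Replica set mode makes the driver connect to advertised member hostnames,
  // which are only resolvable and reachable inside the VPC.
  if (viaTunnel && params.has('replicaset')) findings.push('replicaSet-through-tunnel');

  // Credentials inside the URI end up in logs, shell history and error output.
  if (u.username || u.password) findings.push('credentials-in-uri');

  // Hostname verification is off: any certificate chaining to the CA file is accepted.
  if (params.get('tlsallowinvalidhostnames') === 'true') {
    findings.push('hostname-verification-disabled');
  }

  if (params.get('tls') !== 'true' && params.get('ssl') !== 'true') {
    findings.push('tls-not-requested');
  }
  return findings;
}

// Constructed samples (placeholder credentials and database name).
const QUESTION_STYLE = {
  uri: 'mongodb://user:pass@localhost:27017/demo?tls=true&replicaSet=rs0&readPreference=secondaryPreferred',
  options: { tlsCAFile: './rds-combined-ca-bundle.pem', useNewUrlParser: true, tlsAllowInvalidHostnames: true },
};
const ANSWER_STYLE = {
  uri: 'mongodb://localhost:27017/demo',
  options: { tls: true, tlsCAFile: './rds-combined-ca-bundle.pem', useNewUrlParser: true,
             tlsAllowInvalidHostnames: true, auth: { username: 'user', password: 'pass' } },
};

console.log(auditTunnelUri(QUESTION_STYLE.uri, QUESTION_STYLE.options));
console.log(auditTunnelUri(ANSWER_STYLE.uri, ANSWER_STYLE.options));
```

The remaining finding for the answer-style configuration reflects that `tlsAllowInvalidHostnames: true` is still set because the tunnel is addressed as `localhost`.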
    

    【Discussion】:
