问题描述

arangod.conf 在使用 /server.pem 处的自签名证书在端口 8529 上运行 TLS 1.2 是什么样的?当前文档只列出了启动服务器的参数，没有列出等效的arangod.conf.

What does arangod.conf look like for running TLS 1.2 on port 8529 with a self-signed certificate at /server.pem? The current documentation lists only the parameters for starting the server, but not the equivalent arangod.conf.

[database]
directory = /var/lib/arangodb3

[server]
endpoint = ssl://0.0.0.0:8529
authentication = true
threads = 0
statistics = true
uid = arangodb
enter code here

[scheduler]
threads = 0

[javascript]
startup-directory = /usr/share/arangodb3/js
app-path = /var/lib/arangodb3-apps

[log]
level = info
file = /var/log/arangodb3/arangod.log

[cluster]
data-path = /var/lib/arangodb3/cluster
log-path = /var/log/arangodb3/cluster
arangod-path = @SBINDIR@/arangod@PROGRAM_SUFFIX@
dbserver-config = @SYSCONFDIR@/arangod.conf

[ssl]
keyfile = /server.pem
protocol = 5

当我开始时，什么都不起作用.

And when I start, nothing works.

我也尝试过，试图镜像文档，

I also tried, attempting to mirror the documentation,

[ssl]
keyfile = /server.pem /tmp/vocbase
protocol = 5

但仍然没有运气.

推荐答案

我在 Ubuntu 16.04 的 8530 端口上运行 SSL 所遵循的步骤是:

The steps I follow to get SSL running on port 8530 on Ubuntu 16.04 are:

• 修改/etc/arangodb3/arangod.conf:endpoint = ssl://0.0.0.0:8530
• 生成您的自签名 SSL 证书，我使用 openssl
• 你应该得到一个 server.pem 文件，其中包含你的 server.crt 和 server.key
• 修改你的/etc/init.d/arangodb3文件:
  找到看起来像这样的行，大约第 50 行:
  $DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --supervisor $@
将其更新为如下所示:
$DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --ssl.keyfile/etc/arangodb3/server.pem --supervisor $@
• 重新启动arangodb3服务以使用新的ssl证书，您现在应该可以通过端口8530连接

• Modify /etc/arangodb3/arangod.conf: endpoint = ssl://0.0.0.0:8530
• Generate your self signed SSL cert, I use openssl
• You should end up with a server.pem file which contains both your server.crt and server.key
• Modify your /etc/init.d/arangodb3 file:
Find the line that looks like this, about line 50:
$DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --supervisor $@
Update it to something like this:
$DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false –-ssl.keyfile /etc/arangodb3/server.pem --supervisor $@
• Restart the arangodb3 service to use the new ssl cert, you should be able to connect via port 8530 now

您可以在端口 8529 上执行 SSL，但我更喜欢使用端口 8530，因为这样我可以阻止 8529 访问以确保只有 SSL 流量到服务器.

You could do SSL on port 8529, but I prefer to use port 8530 because then I can block 8529 access to ensure there is only SSL traffic to the server.

如果您想阻止 Web 浏览器在访问 8530 上的服务器时抱怨 SSL 证书不受信任，只需在浏览到该站点后手动在客户端上安装证书即可.

If you want to stop your web browser complaining about the untrusted SSL certs when you hit the server on 8530, just manually install the certificate on your client once you browse to the site.