MongoDB not accessible from cloudflare Proxied

I have installed and using MongoDB in my cloud hosting. While after i moved my domain into Cloudflare DNS, I’m not able to access the mongodb. Rest of all files and msql are be accessible.

When i disabled the Proxied option and enable DNS Only. Its works all fine.

Do I need to add any other settings to access mongodb from xcloudflare proxied

please help.

Hi @Ajith_Prakash,

Per the Cloudflare FAQ:

By default, only A and CNAME records that handle web traffic (HTTP and HTTPs) can be proxied to Cloudflare. All other DNS records should be toggled to a gray cloud.

The MongoDB Wire Protocol is a binary protocol and not suitable for HTTP/HTTPS proxying.

You should use the “DNS Only” option and secure your deployment using available measures in the MongoDB Security Checklist. At a minimum you should enable & configure access control, enable TLS for network encryption, and limit network exposure via your firewall settings. Ideally your database deployment should only be directly accessible from a limited range of originating IPs (members of the same MongoDB deployment, application servers, and administrative hosts).

Regards,
Stennie

We setup a firewall rule like below in our MongoDB Server

sudo firewall-cmd --permanent --zone=public --add-rich-rule=‘rule family=“ipv4” source address=“MONGODB_SERVER_IP_HERE” port protocol=“tcp” port=“27017” accept’

After we are able to connect our mongo db server remotely but while we enable the PROXIED options from cloudflare we couldn’t establish the connection.

We have to enable the PROXIED option then only we are covered by CLOUDFLARE CDN and WAF

please provide a support. we are not able to see any similar public post, cloud flare community

Hi @Ajith_Prakash,

Per the earlier note I quoted from the Cloudflare FAQ:

By default, only A and CNAME records that handle web traffic (HTTP and HTTPs) can be proxied to Cloudflare

The MongoDB Wire Protocol is a binary protocol and not suitable for use with HTTP/HTTPS proxying, CDNs (Content Delivery Networks), or Cloudflare’s WAF (Web Application Firewall).

All of the options you are asking about are for web application security using HTTP or HTTPS protocols with text payloads that can be cached and/or inspected. You likely won’t find similar public discussion because this is not an applicable configuration for a database deployment.

You should use Cloudflare’s “DNS Only” option and secure your database deployment using available measures in the MongoDB Security Checklist .

Regards,
Stennie

thanks @Stennie, for your reply.

As per Cloud Flare, If we connect mongo db using a non proxied sub domain will work.

But we are using a PHP library to connect the mongo db with our application but the library is only supporting IP address to connect mongo db, is any option to connect mongo db via a subdomain hostname. (eg: mongo.example.com)

So it help me to use Primary Domain as proxied and subdomain (DNS only) can be connect to mongo along with the security which you mentioned.

thanks
Ajith

Hi @Ajith_Prakash,

You can use hostnames or IPs in a standard MongoDB Connection String, but hostnames are more common for production applications.

If you’re having trouble working out the connection syntax, please provide more information:

  • type of MongoDB deployment (standalone, replica set, or sharded cluster)
  • specific MongoDB PHP driver version you are using
  • version of PHP used
  • code snippet showing how you are connecting to MongoDB (with any user/host/password details replaced with placeholders)
  • specific error message or outcome of running your code snippet

Thanks,
Stennie