Configure TLS Encryption for mongot

MongoDB Search and Vector Search use two internal communication channels between mongot and mongod:

  • Sync source connections (mongot → mongod/mongos): mongot reads data and metadata from the replica set to build and maintain search indexes. You configure TLS for this connection in the syncSource section of the mongot configuration file.

  • Query Server connections (mongod → mongot): mongod forwards MongoDB Search and Vector Search queries and index management commands to mongot over gRPC. You configure TLS for this connection in the server.grpc.tls section of the mongot configuration file.

mongot connects to the replica set as a MongoDB client to sync data for indexing. To encrypt this connection, configure the scramAuth.tls block in the syncSource.replicaSet section of your mongot configuration file.

Example: Enable TLS for the sync source in the mongot configuration file

```yaml
syncSource:
  replicaSet:
    hostAndPort: "localhost:27017" # Replace with the mongod host and port.
    scramAuth:
      username: "mongot"
      passwordFile: "/etc/mongot/secrets/passwordFile"
      tls:
        enabled: true
        tlsCertificateKeyFile: "/path/to/mongot-client.pem"
        # Path to the file holding the passphrase for the private key, if the key is encrypted.
        tlsCertificateKeyFilePasswordFile: "etc"
        caFile: "/path/to/ca.pem"
```

If you don't specify caFile in the scramAuth.tls configuration, mongot uses the system keystore to verify the server certificate. Specify a CA file to control the certificates that mongot trusts.

If mongot connects to a sharded cluster through a mongos router, you must also set syncSource.router.tls to true.

mongod connects to mongot over gRPC to send MongoDB Search and Vector Search queries. To encrypt this connection, configure server.grpc.tls in your mongot configuration file.

The Query Server supports the following TLS modes:

| Mode | Description |
| --- | --- |
| "disabled" | Disable TLS. mongod connects to mongot without encryption. This is the default value. |
| "TLS" | Enable TLS. mongot presents a server certificate to mongod. mongod validates the certificate using the --tlsCAFile option. |
| "mTLS" | Enable mutual TLS. Both mongot and mongod present certificates and authenticate each other before any search traffic flows. |

To enable TLS on the Query Server, set server.grpc.tls.mode to "TLS" and specify the path to the mongot certificate and private key PEM file:

```yaml
server:
  grpc:
    address: "<host>:<port>"
    tls:
      mode: "TLS"
      certificateKeyFile: "/etc/mongot-tls/mongot-combined.pem"
```

To enable mutual TLS on the Query Server, set server.grpc.tls.mode to "mTLS". Specify the certificate key file that mongot presents to mongod and the CA file that mongot uses to verify the certificate mongod presents:

```yaml
server:
  grpc:
    address: "<host>:<port>"
    tls:
      mode: "mTLS"
      certificateKeyFile: "/etc/mongot-tls/mongot-combined.pem"
      caFile: "/etc/mongot-tls/ca.pem"
```
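An added example (not part of the MongoDB documentation or mongot itself) that audits a parsed mongot configuration against the settings described above for both channels: the sync source tls block, the router.tls requirement for sharded clusters, and the Query Server tls mode. It operates on the already-parsed dict (in practice the result of yaml.safe_load on the config file) and uses constructed sample configs.

```python
# Added example, not from the mongot docs: audit a parsed mongot config for the TLS
# settings on both channels. Key names follow the documentation above; the sample
# configs below are constructed for illustration.

def _get(cfg, path):
    """Walk a dotted path through nested dicts; return None if any key is missing."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_mongot_tls(cfg, sharded=False):
    """Return a list of findings; an empty list means both channels are encrypted and verified."""
    findings = []
    # Sync source channel (mongot -> mongod/mongos): syncSource.replicaSet.scramAuth.tls
    tls = _get(cfg, "syncSource.replicaSet.scramAuth.tls") or {}
    if tls.get("enabled") is not True:
        findings.append("syncSource: TLS not enabled; index sync traffic is cleartext")
    elif not tls.get("caFile"):
        findings.append("syncSource: no caFile; server certificate verified against system keystore")
    if sharded and _get(cfg, "syncSource.router.tls") is not True:
        findings.append("syncSource: router.tls must be true when syncing through mongos")
    # Query Server channel (mongod -> mongot over gRPC): server.grpc.tls
    mode = _get(cfg, "server.grpc.tls.mode") or "disabled"  # "disabled" is the documented default
    if mode == "disabled":
        findings.append("server.grpc: TLS disabled (default); query traffic is cleartext")
    else:
        if mode not in ("TLS", "mTLS"):
            findings.append(f"server.grpc: unknown tls mode {mode!r}")
        if not _get(cfg, "server.grpc.tls.certificateKeyFile"):
            findings.append(f"server.grpc: mode {mode} requires certificateKeyFile")
        if mode == "mTLS" and not _get(cfg, "server.grpc.tls.caFile"):
            findings.append("server.grpc: mTLS requires caFile to verify the mongod certificate")
    return findings

# Constructed sample: sync source encrypted but trusting the system keystore, Query Server at default.
WEAK_CONFIG = {
    "syncSource": {"replicaSet": {"hostAndPort": "localhost:27017", "scramAuth": {
        "username": "mongot", "passwordFile": "/etc/mongot/secrets/passwordFile",
        "tls": {"enabled": True, "tlsCertificateKeyFile": "/path/to/mongot-client.pem"}}}},
    "server": {"grpc": {"address": "<host>:<port>"}},
}
# Constructed sample: both channels encrypted, CA pinned, mTLS on the Query Server.
HARDENED_CONFIG = {
    "syncSource": {"replicaSet": {"scramAuth": {"tls": {"enabled": True, "caFile": "/path/to/ca.pem"}}},
                   "router": {"tls": True}},
    "server": {"grpc": {"address": "<host>:<port>", "tls": {"mode": "mTLS",
               "certificateKeyFile": "/etc/mongot-tls/mongot-combined.pem", "caFile": "/etc/mongot-tls/ca.pem"}}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongot_tls(cfg, sharded=True) or ["ok"])
```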