couchdb-dev mailing list archives

From Benoit Chesneau <>
Subject Re: sponsoring secure vhost/rewrites
Date Wed, 04 May 2011 06:11:59 GMT
On Tue, May 3, 2011 at 10:00 AM, Martin Hilbig <> wrote:
> hi,
> i want to program and rent couchapps. i want couchdb/bigcouch to be my db,
> app and webserver.
> i don't want a middlelayer like a(n) (apache) proxy, just to filter out
> clients which try cheating by using no Host header or ../../../ url
> trickery.
> can this be accomplished already? sadly i didn't find anything and i remember
> @janl telling me that vhosts and rewrites aren't meant to be security
> features. why is that so?
> my naive thoughts of a secure vhost handling which makes proxies obsolete:
> * the vhost handler should redirect clients with no Host header to a
> "default" vhost or send a 403/404.

You can't do that, it would remove the ability to access to couchdb
until vhosts are on the same port or couch db api prefixed. You can
however change the way welcome works, there is a patch in jira for

> * requests containing (too many) .. or starting with _ in the resource should
> also get redirected/404/403ed too.
> what other requests can you think of to circumvent the vhost
> handler/rewriter?

To sandbox couchapps you may need more work, to filter db access & co.

> are the 2 points above already possible today? please redirect me to docs.
> where should i start hacking, when i want to implement them myself?

hacking couch_httpd_vhosts.erl or you can change the redirect function
to adapt it to your own use:

%%    [httpd]
%%    redirect_vhost_handler = {Module, Fun}
%% The function take 2 args : the mochiweb request object and the target
%%% path.

> is anyone willing to implement them for me (or see how far she gets) in 10h
> = 100eurs? yea this means i want those points so hard i would throw in 10h
> hours or 100eurs or 100$ to get someone (at least) started on them. is this
> okay or inappropriate here or is there a better place for couchdb job offers
> (maybe the user@ list)?
> have fun
> martin

10$/h isn't so much :) I'm working on a new couchapp engine, that will
probably be released this month and rework the way vhosts work. In
the meantime don't hesitate to play with the code :)

- benoît
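The checks Martin lists (refuse requests with no Host header, refuse `..` climbing out of the vhost prefix, refuse `_`-prefixed resources that would reach CouchDB's own handlers instead of the app), written out as a small request filter. This is an added example for this thread, not CouchDB's vhost code and not a `redirect_vhost_handler` implementation; it does not use mochiweb. Requests are plain dicts built inline, the vhost table `VHOSTS`, the rewrite prefix and the hostnames are constructed for the example, and the status codes are the ones Martin proposes.

```python
"""Model of the vhost request checks discussed in the thread.

Constructed example: a request is a dict with a "path" (the raw request
target) and a "headers" dict. It is not CouchDB's vhost handler.
"""
from urllib.parse import unquote

# Constructed vhost table, in the spirit of a [vhosts] section:
# incoming Host -> path prefix the request gets rewritten onto.
VHOSTS = {
    "app.example.com": "/appdb/_design/app/_rewrite",
}


def normalize_path(raw_path):
    """Percent-decode and collapse a request path so '..' cannot hide
    behind encoding (%2e%2e, or double-encoded %252e) or empty segments.

    Returns (segments, climbed_out): the cleaned path segments and whether
    any '..' tried to climb above the vhost root.
    """
    path = raw_path.split("?", 1)[0]          # drop the query string
    for _ in range(2):                        # decode twice, stop when stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    climbed_out = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                climbed_out = True            # nothing left to pop: escape attempt
        else:
            segments.append(seg)
    return segments, climbed_out


def check_request(request, vhosts=VHOSTS):
    """Decide whether a request may be forwarded to its vhost target.

    Returns (status, target): 200 with the rewritten target path, or
    400 (no Host header), 404 (unknown vhost), 403 (traversal or '_' resource)
    with target None.
    """
    host = request.get("headers", {}).get("Host")
    if not host:
        return 400, None                      # refuse rather than fall through to the bare API
    host = host.split(":", 1)[0].lower()      # ignore the port
    if host not in vhosts:
        return 404, None
    segments, climbed_out = normalize_path(request["path"])
    if climbed_out:
        return 403, None
    # A segment starting with '_' would be served by CouchDB's own handlers
    # (_utils, _config, _all_dbs, ...) rather than the couchapp; refuse it.
    if any(seg.startswith("_") for seg in segments):
        return 403, None
    target = vhosts[host] + "/" + "/".join(segments)
    return 200, target


if __name__ == "__main__":
    # Constructed sample requests covering the cases from the thread.
    samples = [
        {"headers": {"Host": "app.example.com"}, "path": "/index.html"},
        {"headers": {}, "path": "/index.html"},
        {"headers": {"Host": "app.example.com"}, "path": "/../../_utils/"},
        {"headers": {"Host": "app.example.com"}, "path": "/%252e%252e/x"},
        {"headers": {"Host": "app.example.com"}, "path": "/_utils/index.html"},
    ]
    for req in samples:
        print(req["path"], "->", check_request(req))
```

The filter rebuilds the target from the normalized segments, so no `..` survives into what is forwarded; the only decision left is whether the request escaped the prefix. The Host comparison is done on the lower-cased name with the port removed, since `Host: app.example.com:5984` and `Host: app.example.com` should map to the same vhost.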
