couchdb-marketing mailing list archives

From Giovanni Lenzi <g.le...@smileupps.com>
Subject Re: SmileUpps Features (Was: How do CouchApps fit into the CouchDB story? (Was: CouchDB Articles, Pills and Tutorials Ideas))
Date Tue, 05 May 2015 14:36:59 GMT
> otherwise, again, the system is insecure (I helped build it that way).
To tell the truth, with handlers renaming or as soon as an attacker doesn't
know your db name, the system can still be secured without any proxy. However,
if proxy is really a concern, a fix to use CouchDB only, could eventually
be creating a new "default _rewrite path" parameter within couchdb
configuration, to be used as "default path" in case of request without or
with an incorrect "Host Header".

Jan, trust me... All I'm doing here is to bring help with marketing,
tutorials and CouchDB improvements... I hope this can be recognized


2015-05-05 15:57 GMT+02:00 Jan Lehnardt <jan@apache.org>:

>
> > On 05 May 2015, at 15:50, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
> >
> >> CouchDB has no way of blocking requests to _changes that have no filter parameter
> > Why? _rewrite handler is used to allow only requests complying with your
> > api, and therefore preventing requests to changes without a filter. You
> > can have a look to rewrites.json file for this.
> >
> > I agree proxy is a best practice as a load balancer and to forward only
> > requests to allowed vhosts, like Smileupps, Iriscouch or Cloudant all are
> > doing, even if it's not strictly mandatory for security.
> >
> > Anyway, I was not interested here, in raising this kind of technical
> > discussion. My starting e-mail only wanted to be constructive, by proposing
> > a way to push content around CouchDB and Couchapps, to help everyone
> > understand what they really can and cannot do.
>
> I’m sorry to derail this, but I want to make sure I understand your system
> before I can argue for or against your claims :)
>
> Your point that CouchApps can be a platform is well taken, thank you for
> that!
>
> You equally can’t force a client to use a _request handler, only if you
> block requests without a Host: header in a proxy in front of CouchDB,
> otherwise, again, the system is insecure (I helped build it that way).
>
> Best
> Jan
> --
>
>
> >
> >
> > 2015-05-05 15:21 GMT+02:00 Jan Lehnardt <jan@apache.org>:
> >
> >>
> >>> On 05 May 2015, at 15:14, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
> >>>
> >>>> That happens in a proxy outside of CouchDB then?
> >>>
> >>> No, it happens in the changes filter of the design document.
> >>
> >> You cannot force a client to use a filter. CouchDB has no way of blocking
> >> requests to _changes that have no filter parameter. If you are not doing
> >> that in a proxy, your system is not secure.
> >>
> >> Best
> >> Jan
> >> --
> >> Professional Support for Apache CouchDB:
> >> http://www.neighbourhood.ie/couchdb-support/
> >>
> >>
>
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
>
>
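
The two proxy-side checks discussed in the thread (refuse requests whose Host header is missing or not an expected vhost, and refuse `_changes` requests that carry no filter parameter), written as a decision function. This is an added example, not code from either participant or from CouchDB; the vhost name, filter name and sample requests are constructed assumptions, and the filter allowlist goes one step beyond what the thread states.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed values for illustration; none come from the thread.
ALLOWED_VHOSTS = {"app.example.com"}
ALLOWED_FILTERS = {"app/by_owner"}   # hypothetical "ddoc/filtername"


def proxy_decision(target, headers):
    """Decide whether a proxy in front of CouchDB should forward a request.

    target  -- request target as received, e.g. "/db/_changes?feed=longpoll"
    headers -- dict of request headers
    Returns (allowed, reason).
    """
    host = next((v for k, v in headers.items() if k.lower() == "host"), "")
    hostname = host.strip().lower().rsplit(":", 1)[0]   # drop an optional port
    if hostname not in ALLOWED_VHOSTS:
        return (False, "missing or unexpected Host header")

    parts = urlsplit(target)
    # Decode before matching so "%5Fchanges" is treated like "_changes".
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if "_changes" in segments:
        filters = parse_qs(parts.query).get("filter", [])
        if len(filters) != 1 or filters[0] not in ALLOWED_FILTERS:
            return (False, "_changes without an allowed filter")
    return (True, "forward")


# Constructed sample requests: (target, headers)
SAMPLES = [
    ("/db/_changes", {}),
    ("/db/_changes", {"Host": "app.example.com"}),
    ("/db/%5Fchanges?filter=", {"Host": "app.example.com:5984"}),
    ("/db/_changes?filter=app/by_owner", {"Host": "app.example.com"}),
    ("/api/items", {"host": "APP.example.com"}),
]

if __name__ == "__main__":
    for target, headers in SAMPLES:
        print(target, headers, "->", proxy_decision(target, headers))
```

Paths that a `_rewrite` rule maps onto a filtered `_changes` feed do not contain `_changes` themselves, so they pass the second check and rely on the vhost check alone.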
