Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@couchdb.apache.org
Received-SPF: neutral (athena.apache.org: local policy)
MIME-Version: 1.0
In-Reply-To: <1d3db2990904121637o271ef128j40c0b26fa8569546@mail.gmail.com>
References: <1d3db2990904112329h11eee7a4j8c2c029b8a4c9bec@mail.gmail.com>
	 <DC4519C9-03DA-4CDC-9EAE-A5339134E0E1@apache.org>
	 <1d3db2990904121637o271ef128j40c0b26fa8569546@mail.gmail.com>
Date: Tue, 5 May 2009 13:03:10 +1000
Message-ID: <55047b710905042003v2f72c72fyaa6c34955e88a7f@mail.gmail.com>
Subject: Re: auth using Nginx as proxy
From: Nicholas Orr <nicholas.orr@zxgen.net>
To: user@couchdb.apache.org
Content-Type: multipart/alternative; boundary=001e680f1050daba4704692184b2

--001e680f1050daba4704692184b2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hmm...
I've made this mod to local.ini

[httpd]
bind_address = 209.x.76.x

So browsing to http://209.x.76.x:5984 results in this response
> {"couchdb":"Welcome","version":"0.9.0"}

No basic auth nothing. Just straight in.

Now I don't want want the world having access to couchdb... I do want access
to futon though, only for me though. So logical step is to put couch back to
127.0.0.1 and stick nginx in the middle to auth/proxy to couchdb

Changed local.ini back
[httpd]
;bind_address = 127.0.0.1

Added a server block to nginx.conf
server { listen 443; server_name futon; ssl on; ssl_certificate
/etc/nginx/ssl/futon.crt; ssl_certificate_key /etc/nginx/ssl/futon.key;
access_log /var/log/nginx/futon.access.log main; error_log
/var/log/nginx/futon.error.log; location / { proxy_pass
http://localhost:5984; proxy_redirect off; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for; #auth_basic "nginx"; #auth_basic_user_file
/etc/nginx/futon_users; } }

Note I have commented out auth for now - just want to make sure it works
first.

Now browsing to https://futon/ results in
> {"couchdb":"Welcome","version":"0.9.0"}

Good stuff!! No prompts to auth to nginx or couchdb.

Uncomment the auth stuff and restart nginx
Now I get a prompt to auth in realm "nginx" - which is expected.
Auth ok then I get a prompt to auth in realm "administrator" - not
expected...

I read the wiki page and down the bottom it mentions passing more headers.
Updated nginx conf is:

server { listen 443; server_name futon; ssl on; ssl_certificate
/etc/nginx/ssl/futon.crt; ssl_certificate_key /etc/nginx/ssl/futon.key;
access_log /var/log/nginx/futon.access.log main; error_log
/var/log/nginx/futon.error.log; location / { proxy_pass
http://localhost:5984; proxy_redirect off; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for; proxy_hide_header Authorization;
proxy_hide_header WWW-Authenticate; auth_basic "nginx"; auth_basic_user_file
/etc/nginx/futon_users; } }

Restart nginx. goto https://futon/ prompted to auth in realm "nginx". ok,
respons is
> {"error":"unauthorized","reason":"Name or password is incorrect."}

So what is going on here?

I don't see why I'd need to make the change in local.ini that is being
suggested as I don't want any auth at all on couchdb. I did make the change
to see what happens

[httpd] bind_address = 209.x.76.x authentication_handler = {couch_httpd,
null_authentication_handler}

response I got was: {"error":"unknown_error","reason":"undef"}

So that doesn't work anyway.

Right now the only way I see being able to connect to 127.0.0.1:5984 is via
a ssh tunnel - which works - however it is not ideal.

You guys that claim to have nginx proxy to couchdb - are you then using a
user/pass everywhere (in code running on localhost)? I don't want to do that
and seems entirely possible. Must be more nginx params to specify to achieve
it..

Nick

On Mon, Apr 13, 2009 at 9:37 AM, Samuel Wan <sam@samuelwan.com> wrote:

> Thanks Jan, both of your suggestions work as described.
>
> In case anyone else is interested, I wasn't able to suppress the
> authentication headers with either the Nginx directives
> "set_hide_header Authorization" or "set_hide_header WWW-Authenticate".
>
> -Sam
>
> On Sun, Apr 12, 2009 at 3:32 AM, Jan Lehnardt <jan@apache.org> wrote:
> > Hi,
> >
> > I think nginx passes on auth headers and the default auth handler
> > in CouchDB then tries to verify it which it can't because you don't
> > have any admins. What works, I think, to have the same username
> > and password combinations for CouchDB and the upstream proxy.
> >
> > If that's no feasible, I committed the `null_authentication_handler`
> > that just accepts everybody.
> >
> > in your `local.ini` set:
> >
> > [httpd]
> > authentication_handler = {couch_httpd, null_authentication_handler}
> >
> > Note that this is available only in trunk since r762574
> >
> > Cheers
> > Jan
> > --
> >
> >
> > On 12 Apr 2009, at 07:29, Samuel Wan wrote:
> >
> >> I have also set up nginx as a reverse proxy to couchdb, and also
> >> encountered the second login prompt mentioned by Alex Rudyk in his
> >> email quoted below. The second authentication prompt looks like this:
> >>
> >>      A username and password are being requested by http://<ip
> >> address>. The site says: "administrator"
> >>
> >> I've confirmed that the proxy works without the auth turned on (except
> >> for the known couch.js subdirectory URL issue). I've also confirmed
> >> that the default.ini and couchdb.ini files don't have admin
> >> username/passwords activated.
> >>
> >> Here is my nginx configuration.
> >>
> >>       location /couchdb {
> >>               rewrite /couchdb/(.*) /$1 break;
> >>               proxy_pass http://localhost:5984;
> >>               proxy_redirect     off;
> >>               proxy_set_header   Host             $host;
> >>               proxy_set_header   X-Real-IP        $remote_addr;
> >>               proxy_set_header   X-Forwarded-For
> >>  $proxy_add_x_forwarded_fo$
> >>               auth_basic "Restricted";
> >>               auth_basic_user_file htpasswd;
> >>       }
> >>
> >> Does the auth_basic directive pass along some kind of authentication
> >> request to the proxied CouchDB server? It seems that the CouchDB
> >> authentication is getting triggered even though I haven't modified the
> >> local.ini or default.ini files.
> >>
> >> -Sam
> >>
> >> ---------------------
> >> From    "Alex Rudyk" <alex.ru...@gmail.com>
> >> Subject Basic auth using Nginx as proxy
> >> Date    Mon, 12 Jan 2009 03:13:06 GMT
> >>
> >> I am trying to setup basic auth for couchdb that is proxied by Nginx.
> >> I setuped nginx proxy and it works very well but when I am adding basic
> >> auth
> >> for nginx it pass Nginx basic auth module, but browser show "enter user
> >> name
> >> and password" dialog once again with real "administrator" that I think
> is
> >> goes from couchdb new default_authentication_handler. My nginx realm
> name
> >> is
> >> "Restricted".
> >> Here is nginx config file:
> >>
> >> server {
> >>     listen        8088;
> >>   server_name   couchdb;
> >>     location / {
> >>       proxy_pass http://127.0.0.1:5984;
> >>               proxy_redirect off;
> >>               proxy_set_header   Port             $proxy_port;
> >>               proxy_set_header   X-Real-IP        $remote_addr;
> >>               proxy_set_header   X-Forwarded-For
> >> $proxy_add_x_forwarded_for;
> >>
> >>       auth_basic            "Restricted";
> >>               auth_basic_user_file  htpasswd;
> >>
> >>       }
> >> }
> >>
> >> Does any body have some ideas how to fix this?
> >>
> >
> >
>

--001e680f1050daba4704692184b2--