couchdb-user mailing list archives

From "Mark J. Reed" <>
Subject Securing replication
Date Mon, 19 Jul 2010 21:25:30 GMT
I have a webapp acting as a security gateway/reverse proxy for other
webapps.  Its data therefore includes authorization data which itself
needs to be protected from unauthorized access.  Currently that data
lives in a localhost-only CouchDB, but I now want to distribute the
application across more than one server, so I'm going to have to open
up a hole to allow replication.  My current thoughts are:

1. Keep the Couch instances listening on localhost only, but open SSH
tunnels between them to use for the replication.
    Based on past experience with SSH tunneling, this seems somewhat
fragile, and probably more complex than is warranted.

2. Use iptables to lock down access on each server so that only the
other server can connect to the Couch instance.
   This still moderately increases the complexity (there's an
external configuration to keep in synch with the Couch configs), but
it seems simpler and less likely to break than the SSH solution, while
still offering moderate security (in combination with configuring
Couch to require admin credentials).

Any other thoughts?  Advice welcome.

Mark J. Reed <>
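
Added example, not part of the original message: option 2's drawback is that the iptables rules live outside CouchDB and can drift from its configuration, so this check compares `iptables-save` output against the `[httpd]` port in the CouchDB ini file. The peer address, sample ruleset and function names are constructed for illustration, and it assumes the ruleset names the port explicitly with `--dport`.

```python
import configparser
import shlex

# Constructed sample inputs (not from the original message).
COUCH_INI = """[httpd]
port = 5984
bind_address = 0.0.0.0
"""
IPTABLES_SAVE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.20/32 -p tcp -m tcp --dport 5984 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5984 -j DROP
COMMIT
"""

def couch_port(ini_text):
    """Port CouchDB listens on, from the [httpd] section (5984 if unset)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getint("httpd", "port", fallback=5984)

def port_rules(save_text, port):
    """Return (source, target) for each INPUT rule that names the port."""
    found = []
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or "--dport" not in tok or "-j" not in tok:
            continue
        if tok[tok.index("--dport") + 1] != str(port):
            continue
        src = tok[tok.index("-s") + 1] if "-s" in tok else "any"
        src = src[:-3] if src.endswith("/32") else src
        found.append((src, tok[tok.index("-j") + 1]))
    return found

def audit(ini_text, save_text, peer_ip):
    """List the ways the firewall rules disagree with the CouchDB config."""
    port = couch_port(ini_text)
    rules = port_rules(save_text, port)
    if not rules:
        return [f"no INPUT rule mentions CouchDB port {port}"]
    findings = [f"port {port} accepted from {src}, expected only {peer_ip}"
                for src, target in rules if target == "ACCEPT" and src != peer_ip]
    closed = ":INPUT DROP" in save_text or any(
        src == "any" and target in ("DROP", "REJECT") for src, target in rules)
    if not closed:
        findings.append(f"port {port} is not dropped for other sources")
    return findings

if __name__ == "__main__":
    print(audit(COUCH_INI, IPTABLES_SAVE, "192.0.2.20") or "in sync")
```

An empty list means the two configurations agree; run it on each server with the other server's address as `peer_ip`.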
