Subject: Re: Read only public but read write internal?
From: J Chris Anderson
Date: Fri, 16 Jul 2010 17:07:34 -0700
To: user@couchdb.apache.org

On Jul 16, 2010, at 4:49 PM, Chris Dawson wrote:

> I want to run a couchdb node which allows public read access so that replication can occur but then protect writes behind an application server. Should I set up a firewall or proxy rule that disallows anything but GETs on the public IP and then have an application server running on the localhost interface which has full HTTP verbs allowed? Or is there another topology I should consider?
>

best is set up a validation function so that writes are only allowed by users with a certain role, then you can give that role to your app server's user. (or maybe even skip the app server altogether and write the rest as a couchapp, but that's another story).

http://books.couchdb.org/relax/design-documents/validation-functions

> Thanks
> Chris
>
> Chris Dawson
> 971-533-8335
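
The validation function suggested in the reply, sketched as an added example that is not part of the original thread or of CouchDB's own code. The role name `writer`, the design document id `_design/write_guard` and the helper `checkWrite` are assumptions made for illustration; the user contexts are constructed.

```javascript
// Added example, not code from the thread. The role name "writer" and the
// design document id "_design/write_guard" are assumptions.

// CouchDB runs validate_doc_update on every write to the database, including
// deletions and documents arriving by replication. Reads are not affected.
function validate_doc_update(newDoc, oldDoc, userCtx) {
  var roles = (userCtx && userCtx.roles) || [];
  // Server admins carry the built-in "_admin" role.
  if (roles.indexOf("_admin") !== -1) { return; }
  if (!userCtx || !userCtx.name) {
    // Anonymous client: CouchDB answers 401 Unauthorized.
    throw({ unauthorized: "Log in to write to this database." });
  }
  if (roles.indexOf("writer") === -1) {
    // Authenticated, but without the role: CouchDB answers 403 Forbidden.
    throw({ forbidden: "Only users with the writer role may write." });
  }
}

// The design document stores the function as source text, so it must not
// depend on anything outside its own body.
const designDoc = {
  _id: "_design/write_guard",
  validate_doc_update: validate_doc_update.toString()
};

// Local stand-in for the server (hypothetical helper): rebuild the function
// from the stored source and report how a write would be answered.
function checkWrite(userCtx, newDoc, oldDoc) {
  const fn = new Function("return (" + designDoc.validate_doc_update + ")")();
  try {
    fn(newDoc, oldDoc || null, userCtx);
    return "accepted";
  } catch (e) {
    if (e && e.unauthorized) { return "unauthorized"; }
    if (e && e.forbidden) { return "forbidden"; }
    throw e;
  }
}

// Constructed user contexts, shaped like the userCtx CouchDB passes in.
const anonymous = { db: "public", name: null, roles: [] };
const appServer = { db: "public", name: "appserver", roles: ["writer"] };
console.log(checkWrite(anonymous, { _id: "a" }));
console.log(checkWrite(appServer, { _id: "a" }));
```

On a CouchDB 1.x node with no server admin configured ("admin party"), every request carries `_admin`, so this check passes for everyone until an admin account exists.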