couchdb-user mailing list archives

From Robert Johnson <>
Subject Replication and security advice sought
Date Mon, 07 Feb 2011 15:44:37 GMT

I am creating an application in which individual Company sites input data into individual
CouchDB databases running on site-specific servers, which is then replicated to a single central
system at head office (running on a separate server). The central system holds configuration
data for each site's local system.

I therefore need to replicate data between the site databases and the central database, and
the Company has no internal secure network, so it will have to do all this via the public
internet. Replication will always be initiated from the site-based systems.

For the applications to function, Couch only needs to listen on localhost (nice and private),
but in order to replicate, unless I have missed something, the central system will have to
listen on its public IP address or it will not receive the replication requests. By contrast,
the site-based systems can listen only on localhost because the application is on the local
server and they will initiate the replication with the remote database.

I am not a proxy or firewall expert by any means, so I am looking for some fairly detailed
advice and guidance as to how to make the process secure in the simplest fashion.

I have scoured the internet and I have found basic advice that would have me use a proxy or
a firewall to control access, but there is a comment that Couch 1.0.1 enhanced replication
to run over https, which led me to wonder if you could simply use Couch security and pass
the replication commands with the necessary login information over https.

If the proxy is the best route, then the central system application is web based and users
access that over the public internet on port 80; the central couchdb runs on the same server
as the application and is currently listening on its default port 5984. Each site has a technically
identical set-up on separate servers. To me this means I will need to set up a proxy on the
central server that will allow http requests on port 5984 from localhost and forward http
requests on port 5984 from a defined set of other IP addresses to localhost:5984. It must
also allow http requests on port 80 from any incoming IP address.

All servers are Ubuntu Linux 10.04.1 LTS, web servers are apache 2.2.14, couchdb is 1.0.1.

Advice and guidance would be very gratefully received, but please bear in mind that whilst
I am a pretty good application developer, my networking knowledge generally and proxy / firewall
knowledge specifically is limited to principles and not practice, so if you could explain the
details of any suggestions in detail at a "put this line in this file" type level I would
be eternally grateful.

Many thanks to you all in advance.

Bob Johnson
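Added example (editor's illustration, not part of the original message or of any reply to it), written at the "put this line in this file" level the poster asks for and using the stack named above (Ubuntu 10.04, Apache 2.2.14, CouchDB 1.0.1). It takes a slightly different shape from the proxy the poster sketches: nothing listens publicly on 5984 at all. The central CouchDB stays bound to 127.0.0.1:5984, and an Apache virtual host on port 443 terminates HTTPS, accepts connections only from the listed site addresses, and reverse-proxies them to the local CouchDB. The existing port 80 application vhost is left as it is. The hostname, certificate paths, site IP addresses (drawn from the 203.0.113.0/24 documentation range) and file name are assumptions.

```apache
# /etc/apache2/sites-available/couch-replication   (assumed file name; added example)
# HTTPS front door for site-initiated CouchDB replication.
# Enable with:
#   a2enmod ssl proxy proxy_http
#   a2ensite couch-replication
#   /etc/init.d/apache2 reload
<VirtualHost *:443>
    # Assumed hostname of the head-office server; the site-side replication
    # target URL below must use this exact name so the certificate matches.
    ServerName couch.headoffice.example.com

    # TLS termination. Certificate and key paths are assumptions.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/couch.headoffice.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/couch.headoffice.example.com.key

    # Reverse proxy only. ProxyRequests Off stops Apache acting as an open
    # forward proxy for anyone who can reach port 443.
    ProxyRequests Off
    ProxyPreserveHost On

    # Everything under / is forwarded to the CouchDB bound to localhost.
    ProxyPass        / http://127.0.0.1:5984/
    ProxyPassReverse / http://127.0.0.1:5984/

    # IP allow-list: deny all, then permit only the site servers.
    # The two addresses are assumptions; list one per site server.
    <Location />
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 203.0.113.11
    </Location>

    ErrorLog  /var/log/apache2/couch-replication-error.log
    CustomLog /var/log/apache2/couch-replication-access.log combined
</VirtualHost>
```

On the CouchDB side, in /etc/couchdb/local.ini keep `[httpd]` `bind_address = 127.0.0.1` so the database itself never listens on the public interface, and add a line under `[admins]` (for example `siteuser = somepassword`; CouchDB hashes it on restart) so the server is no longer running with no admin at all. Each site then triggers replication against its own local CouchDB, with the credentials in the target URL, along the lines of `curl -X POST http://127.0.0.1:5984/_replicate -H 'Content-Type: application/json' -d '{"source":"sitedb","target":"https://siteuser:somepassword@couch.headoffice.example.com/sitedb/"}'` (database and user names assumed); the user:password part is sent as HTTP Basic authentication inside the TLS connection, not in the clear. With this layout the firewall on the central server only needs to accept inbound 80 and 443. Two checks before relying on it: confirm with `netstat -tlnp` that nothing but Apache is listening on a public address, and confirm whether the replicator in your installed 1.0.1 actually verifies the central server's certificate, because the Apache allow-list protects the head-office end only, not a site server that is pointed at a spoofed endpoint.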