couchdb-user mailing list archives

From Stephan Wissel <>
Subject CouchDB behind Apache HTTP including authentication
Date Fri, 04 Jan 2013 02:58:09 GMT
We figured out how to use a successful login into Apache HTTP to
authenticate against CouchDB. Here is what we did:

in the couch configuration (local.ini) activated the
proxy_authentification_handler (don't stumble about the non-English

    port = 5984
    bind_address =
    authentication_handlers = {couch_httpd_auth, proxy_authentification_handler}, {couch_httpd_auth,

In the Apache configuration we use a redirect to connect to CouchDB (the
Apache also serves static content):

    # Redirection for CouchDB
    ProxyPass /mycouchapp http://localhost:5984 nocanon
    ProxyPassReverse /mycouchapp http://localhost:5984

    # Role mapping for couch
    RewriteMap role-map dbm:/var/couchdb/

    <Location /mycouchapp>
        # This example uses basic, but any Apache supported Auth should do
        AuthType Basic
        AuthName mycouchapp
        AuthUserFile /var/www/passwd/users
        AuthGroupFile /var/www/passwd/groups

        #Here we enforce authentication
        Order allow,deny
        Allow from all
        Require valid-user
        # Request headers for CouchDB from authenticated user
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=CUSER:%1]
        #Never figured why I need the condition again ;-)
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        # Role lookup in the map file - needs to be maintained somehow
        RewriteRule . - [E=CROLE:${role-map:%1|guest}] env=CUSER
        RequestHeader set X-Auth-CouchDB-UserName "%{CUSER}e" env=CUSER
        RequestHeader set X-Auth-CouchDB-Roles "%{CROLE}e" env=CROLE
    </Location>

In the Apache defaults we also made sure that the CouchDB headers were purged
from requests, so users can't spoof them:

    # Removal of possibly spoofed request headers
    RequestHeader unset X-Auth-CouchDB-UserName
    RequestHeader unset X-Auth-CouchDB-Roles
    RequestHeader unset X-Auth-CouchDB-Token

It might help someone struggling with that.

Phone: +65 96673269

P.S. If someone adds me to the contributors group I can update the
respective Wiki page.
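
The effect of the `RequestHeader unset` lines in the message above can be checked with a small model of how `set`/`unset` directives are applied in order. This is an added example, not part of the original message: it is a simplified Python model rather than Apache itself, the two config snippets are constructed from the directives quoted above, and the names `forwarded_headers` and `spoofable` are hypothetical.

```python
import re

# Constructed snippets built from the directives quoted in the message.
SET_RULES = '''
RequestHeader set X-Auth-CouchDB-UserName "%{CUSER}e" env=CUSER
RequestHeader set X-Auth-CouchDB-Roles "%{CROLE}e" env=CROLE
'''
UNSET_RULES = '''
RequestHeader unset X-Auth-CouchDB-UserName
RequestHeader unset X-Auth-CouchDB-Roles
RequestHeader unset X-Auth-CouchDB-Token
'''
WEAK = SET_RULES                    # no purge in the server defaults
HARDENED = UNSET_RULES + SET_RULES  # assumption: defaults are applied before <Location>

DIRECTIVE = re.compile(
    r'^\s*RequestHeader\s+(set|unset)\s+(\S+)(?:\s+"([^"]*)")?(?:\s+env=(\w+))?\s*$',
    re.IGNORECASE)

def forwarded_headers(config, client_headers, env):
    """Apply RequestHeader lines in order; return the headers the backend receives."""
    headers = {k.lower(): v for k, v in client_headers.items()}
    for line in config.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        action, name, value, cond = m.groups()
        if cond and cond not in env:
            continue  # env=VAR: the directive is skipped when VAR is not set
        if action.lower() == "unset":
            headers.pop(name.lower(), None)
        else:
            # Expand %{VAR}e format specifiers from the request environment.
            headers[name.lower()] = re.sub(
                r'%\{(\w+)\}e', lambda mo: env.get(mo.group(1), ""), value or "")
    return headers

def spoofable(config):
    """List the X-Auth-CouchDB-* headers a client-supplied value survives in."""
    probe = {h: "spoofed" for h in ("X-Auth-CouchDB-UserName",
                                    "X-Auth-CouchDB-Roles",
                                    "X-Auth-CouchDB-Token")}
    out = forwarded_headers(config, probe, env={})  # env={}: CUSER/CROLE never set
    return sorted(h for h, v in out.items() if v == "spoofed")

if __name__ == "__main__":
    print("weak:", spoofable(WEAK))
    print("hardened:", spoofable(HARDENED))
```

Even for a request where `CUSER` and `CROLE` are set, the weak variant still forwards a client-supplied `X-Auth-CouchDB-Token`, because no `set` directive ever overwrites that header.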
