From: Robert Johnson
Subject: Replication and security advice sought
Date: Mon, 7 Feb 2011 15:44:37 +0000
Message-Id: <91F25BBC-5FEB-4FE4-8693-F608AEDF4F48@rowanshire.net>
To: user@couchdb.apache.org

Hello

I am creating an application in which individual Company sites input data into individual CouchDB databases running on site-specific servers, which is then replicated to a single central system at head office (running on a separate server). The central system holds configuration data for each site's local system.

I therefore need to replicate data between the site databases and the central database, and the Company has no internal secure network, so it will have to do all this via the public internet. Replication will always be initiated from the site-based systems.

For the applications to function, Couch only needs to listen on localhost (nice and private), but in order to replicate, unless I have missed something, the central system will have to listen on its public IP address or it will not receive the replication requests. By contrast the site-based systems can listen only on localhost, because the application is on the local server and they will initiate the replication with the remote database.

I am not a proxy or firewall expert by any means, so I am looking for some fairly detailed advice and guidance as to how to make the process secure in the simplest fashion.

I have scoured the internet and I have found basic advice that would have me use a proxy or a firewall to control access, but there is a comment that Couch 1.0.1 enhanced replication to run over https, which led me to wonder if you could simply use Couch security and pass the replication commands with the necessary login information over https.

If the proxy is the best route, then the central system application is web based and users access that over the public internet on port 80; the central couchdb runs on the same server as the application and is currently listening on its default port 5984. Each site has a technically identical set-up on separate servers. To me this means I will need to set up a proxy on the central server that will allow http requests on port 5984 from localhost and forward http requests on port 5984 from a defined set of other IP addresses to localhost:5984. It must also allow http requests on port 80 from any incoming IP address.

All servers are Ubuntu Linux 10.04.1 LTS, web servers are Apache 2.2.14, couchdb is 1.0.1.

Advice and guidance would be very gratefully received, but please bear in mind that whilst I am a pretty good application developer, my networking knowledge generally and proxy / firewall knowledge specifically is limited to principles and not practice, so if you could explain the details of any suggestions in detail at a "put this line in this file" type level I would be eternally grateful.

Many thanks to you all in advance.

Bob Johnson
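The following is an added worked example, not part of Bob's post and not code from the CouchDB project, covering the two routes he asks about together: the reverse proxy on the central server (CouchDB stays bound to 127.0.0.1:5984, Apache 2.2 terminates TLS on 443 and forwards only a fixed list of site IPs to it under /couchdb/, while the port-80 web application is left untouched), and the site-side replication request that is POSTed to the site's own localhost-only CouchDB with the central target given over https and the login sent as an Authorization header rather than inside the URL. The hostname central.example.com, the site addresses 203.0.113.10 and 198.51.100.22, the certificate paths, the database names and the site01/s3cret credentials are all placeholders (assumptions), as is the choice of /couchdb/ as the proxied path.

```python
"""Site-to-central CouchDB replication over the public internet.

Added example (not from the mailing-list post or from CouchDB itself).

  1. render_central_vhost(): Apache 2.2 reverse-proxy vhost for the central
     server. CouchDB keeps listening on 127.0.0.1:5984 only; the listed site
     IPs reach it over HTTPS under /couchdb/, everyone else is denied.
  2. build_replication_body() / post_replicate(): what a site server sends to
     its own localhost-only CouchDB's _replicate endpoint to push a database
     to the central server, refusing plain-http targets and keeping the
     password out of the URL (where it would land in proxy and CouchDB logs).

Hostnames, IPs, paths and credentials are placeholders (assumptions).
"""
import base64
import json
import socket
import ssl
import urllib.request
from urllib.parse import urlsplit

LOCAL_COUCH = "http://127.0.0.1:5984"  # assumption: site CouchDB bound to localhost only

VHOST_TEMPLATE = """<VirtualHost *:443>
    ServerName {server_name}
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/{server_name}.pem
    SSLCertificateKeyFile /etc/ssl/private/{server_name}.key
    ProxyRequests Off
    ProxyPreserveHost On
    # Only the site servers may reach CouchDB, and only through this path.
    <Location /couchdb/>
        Order deny,allow
        Deny from all
{allow_lines}
        ProxyPass http://127.0.0.1:5984/
        ProxyPassReverse http://127.0.0.1:5984/
    </Location>
</VirtualHost>
"""


def render_central_vhost(server_name, site_ips):
    """Apache 2.2 vhost text; needs mod_ssl, mod_proxy and mod_proxy_http enabled."""
    allow_lines = "\n".join(f"        Allow from {ip}" for ip in site_ips)
    return VHOST_TEMPLATE.format(server_name=server_name, allow_lines=allow_lines)


def basic_auth_header(user, password):
    """HTTP Basic value for the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_replication_body(source_db, target_url, user, password, continuous=False):
    """JSON body for POST /_replicate on the site CouchDB.

    The target uses the object form ({"url": ..., "headers": ...}) so the
    credentials travel in a header instead of a user:pass@host URL.
    """
    parts = urlsplit(target_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS target: {target_url}")
    if parts.username or parts.password:
        raise ValueError("put credentials in the headers, not in the URL")
    return {
        "source": source_db,
        "target": {
            "url": target_url,
            "headers": {"Authorization": basic_auth_header(user, password)},
        },
        "continuous": continuous,
    }


def check_central_certificate(target_url, cafile=None, timeout=10):
    """Preflight: a verified TLS handshake with the central host from Python.

    Raises ssl.SSLCertVerificationError if the certificate does not chain to
    `cafile` (or the system store) or does not match the hostname.
    """
    parts = urlsplit(target_url)
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.getpeercert()


def post_replicate(body, local_couch=LOCAL_COUCH, admin=None, timeout=600):
    """POST the replication request to the site's own CouchDB; return its JSON reply."""
    req = urllib.request.Request(
        local_couch + "/_replicate",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if admin:  # (user, password) of the local CouchDB admin, once the admin party is closed
        req.add_header("Authorization", basic_auth_header(*admin))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    print(render_central_vhost("central.example.com", ["203.0.113.10", "198.51.100.22"]))
    target = "https://central.example.com/couchdb/central"  # assumption
    check_central_certificate(target)  # fails loudly on a bad or mismatched certificate
    body = build_replication_body("sitedb", target, "site01", "s3cret")
    print(post_replicate(body))
```

The vhost text goes into a file under /etc/apache2/sites-available/ on the central server, with `a2enmod ssl proxy proxy_http` run first; with this in place port 5984 never has to be opened on the central firewall, because CouchDB only ever sees traffic that Apache has already filtered by source address and decrypted. On the central CouchDB, the site01 user needs write access to the target database (or be an admin), and the admin party should be closed on both ends so that the localhost-only listener is not an anonymous admin. The certificate preflight runs from Python because the replication connection itself is made by CouchDB's own HTTP client; whether that client verifies the central server's certificate is a CouchDB-side setting that should be confirmed separately for the version in use.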